Apple QuickTime 7.2/7.3 - RTSP Response Universal Exploit

2007-11-27T00:00:00
ID EDB-ID:4664
Type exploitdb
Reporter YAG KOHHA
Modified 2007-11-27T00:00:00

Description

Apple QuickTime 7.2/7.3 RTSP Response Universal Exploit (cool). Remote exploit for the Windows platform.

                                        
                                                  ___             Everyone Loves
    O|0_+|O           the Hypnotoad...
     |...|
      | |
=o0O=====O0o===============================
| QuickTime RTSP Response Content-type    |
| remote stack rewrite exploit for IE 6/7 |
| by Yag Kohha (skyhole [at] gmail.com)   |
===========================================
			      
Exploit tested on:
 - Windows Vista
 - Windows XP SP2
 - IE 6.0/7.0
 - QT 7.2/7.3

Exploit requirements:
 Target: Windows Vista/XP SP2, IE 6.0/7.0, QT 7.2/7.3
 Server: Linux, Perl, Apache web server

What's inside:
 index.html 	- hypertext document with heap spray JavaScript and QT plugin call with playlist.mov (place in public web folder)
 server 	- RTSP server emulator (run in your Linux shell in background mode "./server&")
 playlist.mov 	- playlist with RTSP server link (edit "_server_emulator_ip" with address of the started RTSP server emulator and place in public web folder)
Try to load index.html in your browser from the remote web server with the exploit installed.

Greetz 2:
    - str0ke & milw0rm
    - shinnai
    - h07 for bug publication
    - muts & InTel for code play'ng ( but guyz, U`rs releases coded with SEH overwrite... It's so many problems
				    with shellcode modification and stable exploitation on different systems...
				    for whats? 
				    We can overwrite EIP with buffer generation like 65535 bytes. In this release EIP -> 0x0c0c0c0c )

Fuckz 2:
    - wslabi.com (too stupid resource for selling shit)
    - ICEPACK and MPACK coderz (Fucking javascript kidd0z and code thiefz)

https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/4664.tar.gz (11272007-qt_public.tar.gz)

# milw0rm.com [2007-11-27]
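
For defenders: the entry above concerns an oversized Content-Type header in an RTSP response, so a proxy or IDS can check header values before the client parses them. The following is an added example, not part of the original archive or the author's code; the 256-byte limit, the function names and the sample responses are assumptions constructed for illustration.

```python
import re

MAX_VALUE_LEN = 256                       # assumed policy limit, not from the entry
PRINTABLE = re.compile(rb"[\x20-\x7e]*")  # a legitimate header value is printable ASCII

def parse_headers(raw: bytes):
    """Return (status_line, [(name, value)]) for a raw RTSP response.
    Folded continuation lines are joined so a long value cannot hide across lines."""
    lines = raw.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    headers = []
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + b" " + line.strip(b" \t"))
            continue
        name, sep, value = line.partition(b":")
        if sep:
            # strip only space/tab: bytes.strip() would also eat 0x0b/0x0c
            key = name.strip(b" \t").lower().decode("latin-1")
            headers.append((key, value.strip(b" \t")))
    return lines[0], headers

def check_response(raw: bytes, limit: int = MAX_VALUE_LEN):
    """Return a list of (header, reason) findings for one RTSP response."""
    status, headers = parse_headers(raw)
    if not status.startswith(b"RTSP/"):
        return []
    findings = []
    for name, value in headers:
        if len(value) > limit:
            findings.append((name, f"length {len(value)} > {limit}"))
        if not PRINTABLE.fullmatch(value):
            findings.append((name, "non-printable bytes"))
    return findings

# Constructed sample responses (not captured traffic).
BENIGN = (b"RTSP/1.0 200 OK\r\nCSeq: 1\r\n"
          b"Content-Type: application/sdp\r\nContent-Length: 0\r\n\r\n")
OVERSIZED = b"RTSP/1.0 200 OK\r\nCSeq: 1\r\nContent-Type: " + b"A" * 4000 + b"\r\n\r\n"
FOLDED = b"RTSP/1.0 200 OK\r\nContent-Type: application/sdp\r\n " + b"B" * 300 + b"\r\n\r\n"
BINARY = b"RTSP/1.0 200 OK\r\nContent-Type: \x0c\x0c\x0c\x0c\r\n\r\n"

if __name__ == "__main__":
    for label, sample in [("benign", BENIGN), ("oversized", OVERSIZED),
                          ("folded", FOLDED), ("binary", BINARY)]:
        print(label, check_response(sample))
```
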