Wed, 28 Nov 2007

Quicktime RTSP Redux released

While we wouldn't release exploit code under normal circumstances, we are pretty much emerging and wanted to show an example of our work. Since this vulnerability was already public, and the Apple security people are most probably working on an imminent update to Quicktime, potential attackers have a limited time-span to abuse it.

Hopefully Apple will speed up on this one and release an update to fix the vulnerability. We enjoy the versatility of Mac OS X on a daily basis, and want it to be as secure as possible.

Thanks to Kevin Finisterre for the testing environment and proofing of the exploit on PowerPC. Thanks to HD Moore for suggestions and the Metasploit project.

The exploit code is available at: static.subreption.com/public/exploits/qtimertsp_redux.rb

Some improvements that might be released:

Some screenshots might illustrate the functionality included in the exploit a bit better:

Mac OS X Targets...

Exploit against Mac OS X Tiger Quicktime 7.3

Microsoft Windows Targets...

Memory dump of the payload for Microsoft Windows

Executing the exploit from a Microsoft Windows Vista host

Finally, it worked! Connected to an XP SP2 vulnerable host from Microsoft Windows Vista

Finally it worked, thanks to the target information from MC in his Metasploit module.

IDA Pro debugging Quicktime after we exit the shell

IDA Pro debugging Quicktime right before shellcode is executed

IDA Pro debugging Quicktime after shellcode runs


License

Subreption blog by Subreption LLC is Licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 United States License.