[framework] question on Apple Quicktime RTSP bind/attach process
Jeffs
jeffs at speakeasy.net
Tue Nov 27 11:51:56 CST 2007
Are you sure the payload opens a listening socket on the *victim's*
machine? The way I understand that sploit to work is it allows the
attacker to listen for a connection whilst at the same time listening on
another port (4444) for a connection from the victim's machine. The
sploit creates an RTSP server that waits for a connection, then sends
code to the victim having them contact the attacker's machine.
Kurt Grutzmacher wrote:
> You should learn more about buffer overflows before you get too deep
> into any code. There are a ton of resources on the web that a quick
> Google search will direct you towards.
>
> But to quickly answer your question, the payload shellcode provides the
> instructions to open a listener socket on port 4444 on the victim's
> machine that you connect to with netcat. It's assembly code because the
> overflow allowed us to execute it.
>
> The script you linked to just uses the shellcode generated by metasploit.
> It doesn't integrate within the framework. An exploit has been written
> and is available in the current svn trunk.
>
> On Tue, Nov 27, 2007 at 09:20:31AM -0500, Jeffs wrote:
>
>> Regarding
>>
>> http://www.securityfocus.com/data/vulnerabilities/exploits/26549-uni.py
>>
>> which is the Apple QuickTime RTSP Response Header Remote Stack Based Buffer
>> Overflow Vulnerability -- as a newbie I have a simple question.
>>
>> I understand the code behind the exploit in theory, but am confused about
>> how one would successfully attach or bind to the process that is sitting at
>> port 4444 (assuming you used that value as per the code) to get the reverse
>> shell? Netcat wouldn't do it because there is no netcat process being sent
>> to the attacking machine. If you could integrate it into metasploit then I
>> understand you would have a "session". But this is a python script. How
>> does one integrate it into metasploit, if at all? If not, how does the
>> attacking machine attach to the bind process coming in on port 4444?
>>
>> Thank you from a newbie
>>
>
>