question on Apple Quicktime RTSP bind/attach process

[adrian at inetb.com (base)]

The payload in question is a standard bindshell, meaning it listens on 
the victims machine for an incoming connection.  Only the initial 
exploitation process involves the target connecting to the host machine.

If these facts were not terribly obvious to you, you've gotten far ahead 
of yourself and should read up on the basics like suggested earlier in 
this thread. 

you will find a wealth of information from older projects and papers 
detailing basic shellcode and exploitation. 

Aleph 1s paper, 'smashing the stack for fun & profit' is still helpful 
for a beginner even though it is over a decade old.

Jeffs wrote:
> Are you sure the payload opens a listening socket on the *victim's* 
> machine? *  The way I understand that sploit to work is it allows the 
> attacker to listen for a connection whilst at the same time listening 
> on another port (4444) for a connection from the victims machine.  The 
> sploit creates an RTSP server that waits for a connection, then sends 
> code to the victim having them contact the attacher's machine. 
>
> Kurt Grutzmacher wrote:
> > You should learn more about buffer overflows before you get too deep
> > into any code. There are a ton of resources on the web that a quick
> > google will direct you towards.
> >
> > But to quickly answer your question, the payload shellcode provides the
> > instructions to open a listener socket on port 4444 on the victim's
> > machine that you connect to with netcat. It's assembly code because the
> > overflow allowed us to execute it.
> >
> > The script you linked to just uses the shellcode generated by metasploit.
> > It doesn't integrate within the framework. An exploit has been written
> > and is available in the current svn trunk.
> >
> > On Tue, Nov 27, 2007 at 09:20:31AM -0500, Jeffs wrote:
> >   
> > > Regarding
> > >
> > > http://www.securityfocus.com/data/vulnerabilities/exploits/26549-uni.py
> > >
> > > which is the Apple QuickTime RTSP Response Header Remote Stack Based Buffer 
> > > Overflow Vulnerability -- as a newbie I have a simple question.
> > >
> > > I understand the code behind the exploit in theory, but am confused about 
> > > how one would successfully attach or bind to the process that is sitting at 
> > > port 4444 (assuming you used that value as per the code) to get the reverse 
> > > shell?  Netcat wouldn't do it because there is no netcat process being sent 
> > > to the attacking machine.  If you could integrate it into metasploit then I 
> > > understand you would have a "session".  But this is a python script.  How 
> > > does one integrate it into metasploit if at all.  If not, how does the 
> > > attacking machine attach to the bind process coming in on port 4444?
> > >
> > > Thank you from a newbie
> > >     
> >
> >