Metasploit mailing list archives

question on Apple Quicktime RTSP bind/attach process


From: pusscat at metasploit.com (Pusscat)
Date: Tue, 27 Nov 2007 14:24:42 -0500

Your misunderstanding here is in the fact that the attack vector and payload
operations are separate and distinct.

Yes, the attack vector works by opening a listening port and waiting for a
vulnerable client to connect, however, once the victim is compromised the
attacker can instruct it to do anything.

That's the beauty of a well written exploit.  It executes arbitrary code.
If you're using a bindshell payload then yes, it opens a listening port on
the victim.  If you're using a connect back payload, then the victim will
send a shell back to a listening port. The 4444 portion of this pertains to
your payload.

For this bug, your scenario is generally that your attacking machine is
accessible universally across the internet - the client must connect to you.
However, the client is likely behind a router or firewall denying you direct
access to it.  Because this attack vector requires the client to connect out
to you, the host does not have to be open to the world. You can instruct the
compromised host to send the shell back to you (with a connectback payload),
instead of requiring that you connect to it (which may be impossible due to
network topology).

~ Puss
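As an added example, not from this thread or the Metasploit project: a small correlation check over constructed flow records that flags the two payload shapes Puss describes, a client reaching back out to the RTSP server it just connected to (connect-back) and that server opening a new connection in to the client (bind). The hosts, ports, timestamps and the 30-second window are assumptions made for the sample.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

RTSP_PORT = 554                  # port the media client reaches out to
WINDOW = timedelta(seconds=30)   # assumed: shell traffic follows the RTSP exchange quickly


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    sport: int
    dst: str
    dport: int


def _t(s):
    return datetime.fromisoformat(s)


# Constructed sample records: 10.0.0.x are internal media clients, the others remote servers.
SAMPLE_FLOWS = [
    Flow(_t("2007-11-27T14:00:00"), "10.0.0.5", 51000, "203.0.113.9", 554),   # client opens RTSP session
    Flow(_t("2007-11-27T14:00:03"), "10.0.0.5", 51001, "203.0.113.9", 4444),  # same client reaches back out
    Flow(_t("2007-11-27T14:05:00"), "10.0.0.7", 51200, "203.0.113.9", 554),
    Flow(_t("2007-11-27T14:05:02"), "203.0.113.9", 40000, "10.0.0.7", 4444),  # server connects in to client
    Flow(_t("2007-11-27T14:10:00"), "10.0.0.8", 51300, "198.51.100.4", 554),  # benign: nothing follows
]


def correlate_rtsp_shells(flows, window=WINDOW):
    """Return (client, server, kind) for each RTSP session followed by shell-shaped traffic.

    kind is "connect-back" for a second outbound connection from the client to the same
    server on a non-RTSP port, "bind" for a new connection from that server in to the client.
    """
    flows = sorted(flows, key=lambda f: f.ts)   # correlate in timestamp order
    findings = []
    for i, rtsp in enumerate(flows):
        if rtsp.dport != RTSP_PORT:
            continue
        client, server = rtsp.src, rtsp.dst
        for later in flows[i + 1:]:
            if later.ts - rtsp.ts > window:     # outside the window: stop looking
                break
            if later.src == client and later.dst == server and later.dport != RTSP_PORT:
                findings.append((client, server, "connect-back"))
                break
            if later.src == server and later.dst == client:
                findings.append((client, server, "bind"))
                break
    return findings
```

Real flow exports carry many more fields; only the five used here matter for this correlation.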

From: Jeffs [mailto:jeffs at speakeasy.net]
Sent: Tuesday, November 27, 2007 12:52 PM
To: framework at metasploit.com
Subject: Re: [framework] question on Apple Quicktime RTSP bind/attach process

Are you sure the payload opens a listening socket on the *victim's* machine?
The way I understand that sploit to work is it allows the attacker to
listen for a connection whilst at the same time listening on another port
(4444) for a connection from the victim's machine.  The sploit creates an
RTSP server that waits for a connection, then sends code to the victim
having them contact the attacker's machine.

Kurt Grutzmacher wrote:

You should learn more about buffer overflows before you get too deep
into any code. There are a ton of resources on the web that a quick
google will direct you towards.
 
But to quickly answer your question, the payload shellcode provides the
instructions to open a listener socket on port 4444 on the victim's
machine that you connect to with netcat. It's assembly code because the
overflow allowed us to execute it.
 
The script you linked to just uses the shellcode generated by metasploit.
It doesn't integrate within the framework. An exploit has been written
and is available in the current svn trunk.
 
On Tue, Nov 27, 2007 at 09:20:31AM -0500, Jeffs wrote:

Regarding
 
http://www.securityfocus.com/data/vulnerabilities/exploits/26549-uni.py
 
which is the Apple QuickTime RTSP Response Header Remote Stack Based Buffer
Overflow Vulnerability -- as a newbie I have a simple question.
 
I understand the code behind the exploit in theory, but am confused about
how one would successfully attach or bind to the process that is sitting at
port 4444 (assuming you used that value as per the code) to get the reverse
shell?  Netcat wouldn't do it because there is no netcat process being sent
to the attacking machine.  If you could integrate it into metasploit then I
understand you would have a "session".  But this is a python script.  How
does one integrate it into metasploit, if at all?  If not, how does the
attacking machine attach to the bind process coming in on port 4444?
 
Thank you from a newbie