question on Apple Quicktime RTSP bind/attach process

[jeffs at speakeasy.net (Jeffs)]

Thanks for making that clear.

base wrote:
> The payload in question is a standard bindshell, meaning it listens on 
> the victims machine for an incoming connection.  Only the initial 
> exploitation process involves the target connecting to the host machine.
>
> If these facts were not terribly obvious to you, you've gotten far 
> ahead of yourself and should read up on the basics like suggested 
> earlier in this thread.
> you will find a wealth of information from older projects and papers 
> detailing basic shellcode and exploitation.
> Aleph 1s paper, 'smashing the stack for fun & profit' is still helpful 
> for a beginner even though it is over a decade old.
>
> Jeffs wrote:
> > Are you sure the payload opens a listening socket on the *victim's* 
> > machine? *  The way I understand that sploit to work is it allows the 
> > attacker to listen for a connection whilst at the same time listening 
> > on another port (4444) for a connection from the victims machine.  
> > The sploit creates an RTSP server that waits for a connection, then 
> > sends code to the victim having them contact the attacher's machine.
> > Kurt Grutzmacher wrote:
> > > You should learn more about buffer overflows before you get too deep
> > > into any code. There are a ton of resources on the web that a quick
> > > google will direct you towards.
> > >
> > > But to quickly answer your question, the payload shellcode provides the
> > > instructions to open a listener socket on port 4444 on the victim's
> > > machine that you connect to with netcat. It's assembly code because the
> > > overflow allowed us to execute it.
> > >
> > > The script you linked to just uses the shellcode generated by 
> > > metasploit.
> > > It doesn't integrate within the framework. An exploit has been written
> > > and is available in the current svn trunk.
> > >
> > > On Tue, Nov 27, 2007 at 09:20:31AM -0500, Jeffs wrote:
> > >  
> > > > Regarding
> > > >
> > > > http://www.securityfocus.com/data/vulnerabilities/exploits/26549-uni.py 
> > > >
> > > >
> > > > which is the Apple QuickTime RTSP Response Header Remote Stack 
> > > > Based Buffer Overflow Vulnerability -- as a newbie I have a simple 
> > > > question.
> > > >
> > > > I understand the code behind the exploit in theory, but am confused 
> > > > about how one would successfully attach or bind to the process that 
> > > > is sitting at port 4444 (assuming you used that value as per the 
> > > > code) to get the reverse shell?  Netcat wouldn't do it because 
> > > > there is no netcat process being sent to the attacking machine.  If 
> > > > you could integrate it into metasploit then I understand you would 
> > > > have a "session".  But this is a python script.  How does one 
> > > > integrate it into metasploit if at all.  If not, how does the 
> > > > attacking machine attach to the bind process coming in on port 4444?
> > > >
> > > > Thank you from a newbie
> > > >     
> > >
> > >