Vulnerability & Exploit Database

Back to search

Apple QuickTime 7.6.7 _Marshaled_pUnk Code Execution

This module exploits a memory trust issue in Apple QuickTime 7.6.7. When processing a specially-crafted HTML page, the QuickTime ActiveX control will treat a supplied parameter as a trusted pointer. It will then use it as a COM-type pUnknown and lead to arbitrary code execution. This exploit utilizes a combination of heap spraying and the QuickTimeAuthoring.qtx module to bypass DEP and ASLR. This module does not opt-in to ASLR. As such, this module should be reliable on all Windows versions. NOTE: The addresses may need to be adjusted for older versions of QuickTime.

Free Metasploit Download

Get your copy of the world's leading penetration testing tool

 Download Now

Module Name



  • Ruben Santemarta
  • jduck <jduck [at]>



  • Apple QuickTime Player 7.6.6 and 7.6.7 on Windows XP SP3


  • windows



Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/windows/browser/apple_quicktime_marshaled_punk msf exploit(apple_quicktime_marshaled_punk) > show targets ...targets... msf exploit(apple_quicktime_marshaled_punk) > set TARGET <target-id> msf exploit(apple_quicktime_marshaled_punk) > show options and set options... msf exploit(apple_quicktime_marshaled_punk) > exploit

Related Vulnerabilities