Rapid7 Vulnerability & Exploit Database

Apple QuickTime 7.7.2 TeXML Style Element font-table Field Stack Buffer Overflow

Back to Search

Apple QuickTime 7.7.2 TeXML Style Element font-table Field Stack Buffer Overflow



This module exploits a vulnerability found in Apple QuickTime. When handling a TeXML file, it is possible to trigger a stack-based buffer overflow, and then gain arbitrary code execution under the context of the user. This is due to the QuickTime3GPP.gtx component not handling certain Style subfields properly, as the font-table field, which is used to trigger the overflow in this module. Because of QuickTime restrictions when handling font-table fields, only 0x31-0x39 bytes can be used to overflow, so at the moment DEP/ASLR bypass hasn't been provided. The module has been tested successfully on IE6 and IE7 browsers (Windows XP and Vista).


  • Arezou Hosseinzad-Amirkhizi
  • juan vazquez <juan.vazquez@metasploit.com>




Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/windows/browser/apple_quicktime_texml_font_table
msf exploit(apple_quicktime_texml_font_table) > show targets
msf exploit(apple_quicktime_texml_font_table) > set TARGET < target-id >
msf exploit(apple_quicktime_texml_font_table) > show options
    ...show and set options...
msf exploit(apple_quicktime_texml_font_table) > exploit

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security