Earlier this year I reported a stack overflow vulnerability affecting QuickTime versions < 7.7.3 (CVE-2013-1017) via the iDefense Vulnerability Contributor program. Unfortunately, this bug had already been reported via by Tom Gallagher (Microsoft) & Paul Bates (Microsoft) working with HP’s Zero Day Initiative.

The Apple Advisory regarding this vulnerability can be found here.

As this bug was patched in version 7.7.4, I forwarded the details and a proof of concept over to Metasploit Exploit Developer, Wei Chen (@_sinn3r) who was kind enough to convert my proof of concept into a Metasploit exploit module. This module is now included as part of the Metasploit Framework. The individual module and source code can be found here.

Huge thanks to sinn3r for kindly helping me with my Ruby “handicap” and implementing this for me!