This Metasploit module exploits a type confusion bug in the Javascript Proxy object in WebKit. The DFG JIT does not take into account that, through the use of a Proxy, it is possible to run arbitrary JS code during the execution of a CreateThis operation. This makes it possible to change the structure of e.g. an argument without causing a bailout, leading to a type confusion (CVE-2018-4233). The type confusion leads to the ability to allocate fake Javascript objects, as well as the ability to find the address in memory of a Javascript object. This allows us to construct a fake JSCell object that can be used to read and write arbitrary memory from Javascript. The module then uses a ROP chain to write the first stage shellcode into executable memory within the Safari process and kick off its execution. The first stage maps the second stage macho (containing CVE-2017-13861) into executable memory, and jumps to its entrypoint. The CVE-2017-13861 async_wake exploit leads to a kernel task port (TFP0) that can read and write arbitrary kernel memory. The processes credential and sandbox structure in the kernel is overwritten and the meterpreter payloads code signature hash is added to the kernels trust cache, allowing Safari to load and execute the (self-signed) meterpreter payload.
ac8550e0b0dd814a249c313353fcb65341e18bb2e59885151b0cffac8172e060Apple Security Advisory 2017-12-13-6 - iOS 11.2 addresses issues relating to interception, memory corruption, and more. This advisory provides additional information for APPLE-SA-2017-12-6-2.
0700b7d62c4bc3fe36c2ec7cfeb5c1c5e6e09967ad7b4c1009f717451ef3dc57Apple Security Advisory 2017-12-13-7 - tvOS 11.2 addresses memory corruption vulnerabilities.
2b4f5f9ff4324ef548c1e5b149e7f26f705e7b7e1f5dcdb9d45134d78de7be30macOS and iOS suffer from a kernel double free vulnerability due to IOSurfaceRootUserClient not respecting MIG ownership rules.
4314c9b3d4d919fbf8280f16f7d8de49f26550f782ad1c352b5a319dee587e69Apple Security Advisory 2017-12-6-3 - watchOS 4.2 addresses memory corruption and various other vulnerabilities.
1d248c021d39ae9c7b6928536d017910adbe6e9dd43ff80b723442cefb1c8839Apple Security Advisory 2017-12-6-4 - tvOS 11.2 addresses memory corruption, code execution, and various other vulnerabilities.
6acaabad9dd09acdf30aa5ab4ee7f76f38d3b68a7dffe645cecd1d5f521c528bApple Security Advisory 2017-12-6-2 - iOS 11.2 addresses issues relating to interception, memory corruption, and more.
580cabcbdb420192d01e95f5a55e5c891d08bcd35c13922c2719f3e870e19e94
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed