Monday, October 22, 2007

Cracking the iPhone with iPwn Shell

Via Metasploit Blog -

In part one of "Cracking the iPhone", I described the libtiff vulnerability. In part two, I walked through the process of exploiting it. In part two point one, I covered a new exploit approach that resulted in reliable code execution. The one piece still missing is what to do once code execution is obtained. An unmodified iPhone does not include an interactive shell, nor any of the standard Unix tools. In order to make this exploit useful, the user needs a payload that can install arbitrary executables onto the iPhone's file system.

...

To demonstrate some of the options available and to assist with the 1.1.1 jailbreaking process, I created a modified version of vlad902's Impurity Shell Demo for the iPhone. This code was used in version 2.7 of the Metasploit Framework to provide an in-memory shell on Linux using the Impurity stager. Although the Impurity stager was not ported to Metasploit 3, the Shell Demo code was a perfect fit for the iPhone. This is a custom, standalone shell that provides a variety of useful Unix commands, as well as functions for in-process resource management. For example, using this shell, it is possible to enumerate all open file handles, read from those handles, and write to those handles.

The iPhone version of this shell, named ipwn, includes a few new features. The first is an internal implementation of the "ps" command. The second is the "download" command, which can be used to download a file from a web server directly to disk. This makes jailbreaking and further binary installation simple. The third and fourth features, the cd (change directory) and cp (copy file) commands, were added to make file management easier. Additionally, the ipwn binary will delete itself by default, unless the -k parameter is passed. This removes the need for manual cleanup when used with the Metasploit Framework. The source code to ipwn and an iPhone-compatible binary are available in the Metasploit Framework development tree.

...

This concludes the "Cracking the iPhone" series. Any significant updates will still get posted to the blog, but the best way to follow development is by tracking the Metasploit Framework development tree. The latest code will always be available in the trunk tree of Metasploit, and patches (especially those that add features to ipwn) are welcome and encouraged. If you have any questions about iPhone-specific hackery, feel free to email me at hdm[at]metasploit.com. If you have a Metasploit-specific question, you may want to join the mailing list or email the development team at msfdev[at]metasploit.com. Thanks for reading!

---------------

Thanks to HD for the preview....

I have placed it on Digg.com, get to dig'in.
