Implement ARD auth and add remote CVE-2017-13872 (iamroot) module #9302
Apologies for the previous rspec failures, this is my first experience with it. It looks correct now but let me know if I'm misunderstanding something.

Thanks @jgor this looks good! The order of requires and other behaviors are often controlled by things like the order in which files are found in the filesystem, which can be OS-dependent. The system IIRC also tries to randomly order tests, which can also lead to some indeterminism.

Looks good with test VMs

Great work @jgor! I'm going to write up some docs for these based on notes from testing and push them in next.
Release Notes
This extends Rex::Proto::RFB to support usernames, implements authentication security type 30 ("Apple Remote Desktop" / ARD used by macOS), and uses that to add a module to remotely exploit CVE-2017-13872 over 5900/tcp on vulnerable macOS High Sierra hosts that have either Screen Sharing or Remote Management enabled. Besides the added module for vulnerable High Sierra hosts, this also lets scanner/vnc/vnc_login test credentials for any OSX host that has Screen Sharing or Remote Management enabled, and lays the groundwork for someone to add an OSX target to exploit/multi/vnc/vnc_keyboard_exec.
5e71be7 for module docs |
This extends Rex::Proto::RFB to support usernames, implements authentication security type 30 ("Apple Remote Desktop" / ARD used by macOS), and uses that to add a module to remotely exploit CVE-2017-13872 over 5900/tcp on vulnerable macOS High Sierra hosts that have either Screen Sharing or Remote Management enabled.
Besides the added module for vulnerable High Sierra hosts, this lets scanner/vnc/vnc_login test credentials for any OSX host that has Screen Sharing or Remote Management enabled, and lays the groundwork for someone to add an OSX target to exploit/multi/vnc/vnc_keyboard_exec.
Verification
Note: 172.16.143.129 is a macOS High Sierra 10.13.1 VM, clean install, with System Preferences > Sharing > Screen Sharing enabled. Legitimate login is user:password.