Add CVE-2022-46689 macOS dirty cow #17415
Conversation
|
Thanks for your pull request! Before this can be merged, we need the following documentation for your module: |
|
Just a heads up this will need to be rebased to make the checks pass due to issues discussed in #17419 |
| @@ -0,0 +1,359 @@ | |||
| // from https://github.com/apple-oss-distributions/xnu/blob/xnu-8792.61.2/tests/vm/vm_unaligned_copy_switch_race.c | |||
There was a problem hiding this comment.
Just wanted to say this PR is awesome, thanks so much for the contribution! Glad to see this exploit is open source :)
There was a problem hiding this comment.
Should we add the related license to the main LICENSE file?
It is an Apple license and it looks like modifications are allowed under certain conditions, so I think we're fine. That said, I'm not familiar with this kind of license and it would be a good idea to double check.
There was a problem hiding this comment.
Hey @cdelafuente-r7 I've added the related license to the LICENSE file. This is my first addition to the LICENSE file so please let me know if you think I've done it correctly or if any improvements could be made 🙏
|
Hey @timwr, thanks again for the module. When testing I wasn't able to get the module to return a meterpreter root shell, not exactly sure why - though a Were you able to run the module successfully with a meterpreter payload? Meterpreter attempts:
|
| payload_file = "#{datastore['WritableDir']}/.#{rand_text_alphanumeric(5..10)}" | ||
| binary_payload = Msf::Util::EXE.to_osx_x64_macho(framework, payload.encoded) | ||
| upload_and_chmodx payload_file, binary_payload | ||
| register_file_for_cleanup payload_file |
There was a problem hiding this comment.
@jheysel-r7 can you test again without this line please? I vaguely remember their being some issues with payloads being run after they have been deleted on the latest macOS.
There was a problem hiding this comment.
Fyi I only tested this on Catalina, and it worked with meterpeter
There was a problem hiding this comment.
I removed this line and unfortunately did not work while testing on Ventura. I'm going to check in with some colleagues that are a bit more familiar with the inner working of the osx meterpreter today 🤞
There was a problem hiding this comment.
You could also try this payload: #13262 on ventura
There was a problem hiding this comment.
There was a problem hiding this comment.
I've changed the default payload to osx/x64/shell_reverse_tcp just because it works on all versions of MacOS I've tested with no issue. Python is unfortunately not installed by default on MacOS so I think we should avoid setting that as the default. Let me know if you have any concerns with this approach.
There was a problem hiding this comment.
Perfect I was going to suggest exactly the same thing. I'll be reunited with my MacBook in about a month so maybe I can fix it then in a separate pull request
LICENSE
Outdated
| @@ -135,6 +135,13 @@ Purpose: The built result is used in: | |||
| payloads/stages/windows/vncinject.rb | |||
| payloads/stages/windows/x64/vncinject.rb | |||
|
|
|||
| Files: external/source/exploits/CVE-2022-22942/cve-2022-22942-dc.c | |||
There was a problem hiding this comment.
Just confirming - does this name aligns with the file is on this PR?
|
Thanks for landing this @jheysel-r7 ! |
Release NotesThis module is the macOS equivalent of the Dirty Cow vulnerability and allows for an unprivileged user to execute code as root |
Verification
msfconsole