macOS cfprefsd Arbitrary File Write Local Privilege Escalation
Disclosure Date: 2020-03-18
First seen: 2020-09-04
exploit/osx/local/cfprefsd_race_condition
This module exploits an arbitrary file write in cfprefsd on macOS <= 10.15.4 in order to run a payload as root. The CFPreferencesSetAppValue function, which is reachable from most unsandboxed processes, can be exploited with a race condition in order to overwrite an arbitrary file as root. By overwriting /etc/pam.d/login a user can then log in as root with the `login root` command without a password.
Authors:
- Yonghwi Jin <jinmoteam@gmail.com>
- Jungwon Lim <setuid0@protonmail.com>
- Insu Yun <insu@gatech.edu>
- Taesoo Kim <taesoo@gatech.edu>
- timwr

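A check a responder would want for this entry, added here as an example and not part of the Metasploit module or the original advisory: a small linter for a PAM service file that flags an auth stack which can no longer reject a bad password. Both configuration samples are constructed for illustration (STOCK_LOGIN follows the layout of macOS's /etc/pam.d/login; WEAKENED_LOGIN is an assumed tampered version, not the exact content the module writes), and the rule/finding names are this example's own.

```python
"""Lint a PAM service file for an auth stack that can no longer fail.

Added example, not part of the Metasploit module or the original advisory.
After an arbitrary-file-write like the cfprefsd bug, the first thing to
check is whether /etc/pam.d/login still contains a required password
module. Both samples below are constructed: STOCK_LOGIN follows the layout
of macOS's /etc/pam.d/login, WEAKENED_LOGIN is an assumed tampered version
(not the exact content the module writes).
"""
import re
from typing import List, NamedTuple

STOCK_LOGIN = """\
# login: auth account password session  (constructed sample)
auth       optional       pam_krb5.so use_kcminit
auth       optional       pam_ntlm.so try_first_pass
auth       optional       pam_mount.so try_first_pass
auth       required       pam_opendirectory.so try_first_pass
account    required       pam_nologin.so
account    required       pam_opendirectory.so
password   required       pam_opendirectory.so
session    required       pam_launchd.so
session    required       pam_uwtmp.so
session    optional       pam_mount.so
"""

WEAKENED_LOGIN = """\
# constructed tampered sample: every stage always succeeds
auth       optional       pam_permit.so
account    required       pam_permit.so
password   required       pam_permit.so
session    required       pam_permit.so
"""

# Each rule is: type control module [args...]; control may be "[...]" with spaces.
RULE_RE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


class PamRule(NamedTuple):
    ptype: str      # auth | account | password | session
    control: str    # required | requisite | sufficient | optional | [...]
    module: str     # e.g. pam_opendirectory.so
    args: List[str]


def parse_pam(text: str) -> List[PamRule]:
    """Parse a pam.d service file, ignoring comments and blank lines."""
    rules: List[PamRule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if m is None:
            continue            # malformed line; PAM would reject it too
        ptype, control, module, rest = m.groups()
        rules.append(PamRule(ptype, control, module, rest.split()))
    return rules


def audit_auth_stack(text: str) -> List[str]:
    """Return findings for the auth stack; an empty list means it looks sane."""
    findings: List[str] = []
    auth = [r for r in parse_pam(text) if r.ptype == "auth"]
    if not auth:
        return ["no auth rules: nothing verifies a password"]
    for r in auth:
        if r.module == "pam_permit.so":
            findings.append(f"pam_permit.so in auth stack (control '{r.control}')")
    # A failing module only denies the login under required/requisite (or an
    # explicit bracketed action list); a 'sufficient' failure is ignored and an
    # 'optional' one only counts when it is the sole module. Flag a stack with none.
    if not any(r.control in ("required", "requisite") or r.control.startswith("[")
               for r in auth):
        findings.append("no required/requisite auth module: a failed password "
                        "check is not fatal")
    return findings


if __name__ == "__main__":
    for name, cfg in (("stock", STOCK_LOGIN), ("weakened", WEAKENED_LOGIN)):
        print(name, "->", audit_auth_stack(cfg) or ["ok"])
```

On a live host, feed `open("/etc/pam.d/login").read()` to `audit_auth_stack` and compare the file's modification time against the cfprefsd exploitation window; an empty finding list only means the auth stack still has a required module, not that the file is pristine.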
Mac OS X TimeMachine (tmdiagnose) Command Injection Privilege Escalation
Disclosure Date: 2019-04-13
First seen: 2020-04-26
exploit/osx/local/timemachine_cmd_injection
This module exploits a command injection in TimeMachine on macOS <= 10.14.3 in order to run a payload as root. The tmdiagnose binary on OSX <= 10.14.3 suffers from a command injection vulnerability that can be exploited by creating a specially crafted disk label. The tmdiagnose binary uses awk to list every mounted volume, and composes shell commands based on the volume labels. By creating a volume label with the backtick character, we can have our own binary executed with root privileges.
Authors:
- CodeColorist
- timwr

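The bug class in this entry, shown as an added Python example rather than the tmdiagnose code or the module itself: a privileged tool interpolates an attacker-chosen volume label into a shell command string, so backticks in the label become command substitution. The label, the `echo` stand-in for the real diagnostic command and the helper names are assumptions for illustration; the hardened forms pass the label as a single argv element, or quote it with shlex.quote, so the shell never parses it.

```python
"""Shell-command composition from an attacker-chosen volume label.

Added example, not the tmdiagnose code or the Metasploit module. It models
the bug class described in the entry: a privileged tool builds a shell
command string from a volume label and hands it to /bin/sh, so backticks
in the label are executed as command substitution. 'echo' stands in for
the real diagnostic command; the label below is constructed.
"""
import re
import shlex
import subprocess

# Constructed attacker-controlled volume label; the backticks are the payload.
EVIL_LABEL = "Backup `echo INJECTED`"
# Characters that let a label change the meaning of a composed shell command.
SHELL_META = re.compile(r"[`$;|&<>(){}\n\\\"']")


def build_unsafe(label: str) -> str:
    """Vulnerable pattern: the label is spliced into the command text."""
    return f"echo label={label}"


def build_safe(label: str) -> str:
    """Same command, but the label is quoted into one literal shell word."""
    return f"echo label={shlex.quote(label)}"


def run_via_sh(cmd: str) -> str:
    """Run a composed command the way a shell-composing tool does: sh -c."""
    proc = subprocess.run(["/bin/sh", "-c", cmd],
                          capture_output=True, text=True, check=True)
    return proc.stdout.strip()


def run_argv(label: str) -> str:
    """Hardened form: no shell at all; the label is just an argv element."""
    proc = subprocess.run(["echo", f"label={label}"],
                          capture_output=True, text=True, check=True)
    return proc.stdout.strip()


def suspicious_label(label: str) -> bool:
    """Detection rule: a volume label that contains shell metacharacters."""
    return SHELL_META.search(label) is not None


if __name__ == "__main__":
    print("unsafe :", run_via_sh(build_unsafe(EVIL_LABEL)))   # label=Backup INJECTED
    print("quoted :", run_via_sh(build_safe(EVIL_LABEL)))     # label=Backup `echo INJECTED`
    print("argv   :", run_argv(EVIL_LABEL))                   # label=Backup `echo INJECTED`
    print("flagged:", suspicious_label(EVIL_LABEL))           # True
```

The unsafe path prints `label=Backup INJECTED` because sh evaluated the inner command; both hardened paths print the label verbatim, backticks included. In the real bug the composed command runs as root, so the substituted command does too.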
Mac OS X Feedback Assistant Race Condition
Disclosure Date: 2019-04-13
First seen: 2020-04-26
exploit/osx/local/feedback_assistant_root
This module exploits a race condition vulnerability in Mac's Feedback Assistant. A successful attempt results in code execution as root.
Authors:
- CodeColorist
- timwr

Microsoft Windows POP/MOV SS Local Privilege Elevation Vulnerability
Disclosure Date: 2018-05-08
First seen: 2020-04-26
exploit/windows/local/mov_ss
This module exploits a vulnerability caused by a statement in the system programming guide of the Intel 64 and IA-32 Architectures Software Developer's Manual being mishandled in various operating system kernels, resulting in unexpected behavior for #DB exceptions that are deferred by MOV SS or POP SS. This module uploads the pre-compiled exploit and uses it to execute the final payload.

Mac OS X libxpc MITM Privilege Escalation
Disclosure Date: 2018-03-15
First seen: 2020-04-26
exploit/osx/local/libxpc_mitm_ssudo
This module exploits a vulnerability in libxpc on macOS <= 10.13.3. The task_set_special_port API allows callers to overwrite their bootstrap port, which is used to communicate with launchd. This port is inherited across forks: child processes use the same bootstrap port as the parent. By overwriting the bootstrap port and forking a child process, we gain a MitM position between our child and launchd. To gain root we target the sudo binary and intercept its communication with opendirectoryd, which sudo uses to verify credentials. We modify the replies from opendirectoryd to make it look like our password was valid.
Authors:
- saelo

Safari Webkit JIT Exploit for iOS 7.1.2
Disclosure Date: 2016-08-25
First seen: 2020-08-14
exploit/apple_ios/browser/safari_jit
This module exploits a JIT optimization bug in Safari Webkit. This allows us to write shellcode to an RWX memory section in JavaScriptCore and execute it. The shellcode contains a kernel exploit (CVE-2016-4669) that obtains kernel r/w, obtains root and disables code signing. Finally we download and execute the meterpreter payload. This module has been tested against iOS 7.1.2 on an iPhone 4.
Authors:
- kudima
- Ian Beer
- WanderingGlitch
- timwr

Safari User-Assisted Applescript Exec Attack
Disclosure Date: 2015-10-16
First seen: 2020-04-26
exploit/osx/browser/safari_user_assisted_applescript_exec
In versions of Mac OS X before 10.11.1, the applescript:// URL scheme is provided, which opens the provided script in the Applescript Editor. Pressing cmd-R in the Editor executes the code without any additional confirmation from the user. By getting the user to press cmd-R in Safari, and by hooking the cmd-key keypress event, a user can be tricked into running arbitrary Applescript code. Gatekeeper should be disabled from Security & Privacy in order to avoid the unidentified Developer prompt.
Authors:
- joev <joev@metasploit.com>

Mac OS X 10.9.5 / 10.10.5 - rsh/libmalloc Privilege Escalation
Disclosure Date: 2015-10-01
First seen: 2020-04-26
exploit/osx/local/rsh_libmalloc
This module writes to the sudoers file without root access by exploiting rsh and malloc log files. It makes sudo require no password, giving access to su even if root is disabled. Works on OS X 10.9.5 to 10.10.5 (patched in 10.11).
Authors:
- rebel
- shandelman116

Apple OS X DYLD_PRINT_TO_FILE Privilege Escalation
Disclosure Date: 2015-07-21
First seen: 2020-04-26
exploit/osx/local/dyld_print_to_file_root
In Apple OS X 10.10.4 and prior, the DYLD_PRINT_TO_FILE environment variable is used for redirecting logging data to a file instead of stderr. Due to a design error, this feature can be abused by a local attacker to write arbitrary files as root via restricted, SUID-root binaries.
Authors:
- Stefan Esser
- joev <joev@metasploit.com>

Apple OS X Entitlements Rootpipe Privilege Escalation
Disclosure Date: 2015-07-01
First seen: 2020-04-26
exploit/osx/local/rootpipe_entitlements
This module exploits the rootpipe vulnerability and bypasses Apple's initial fix for the issue by injecting code into a process with the 'admin.writeconfig' entitlement.
Authors:
- Emil Kvarnhammar
- joev <joev@metasploit.com>

Apple OS X Rootpipe Privilege Escalation
Disclosure Date: 2015-04-09
First seen: 2020-04-26
exploit/osx/local/rootpipe
This module exploits a hidden backdoor API in Apple's Admin framework on Mac OS X to escalate privileges to root, dubbed "Rootpipe." This module was tested on Yosemite 10.10.2 and should work on previous versions. The patch for this issue was not backported to older releases. Note: you must run this exploit as an admin user to escalate to root.
Authors:
- Emil Kvarnhammar
- joev <joev@metasploit.com>
- wvu <wvu@metasploit.com>

Exim GHOST (glibc gethostbyname) Buffer Overflow
Disclosure Date: 2015-01-27
First seen: 2020-04-26
exploit/linux/smtp/exim_gethostbyname_bof
This module remotely exploits CVE-2015-0235, aka GHOST, a heap-based buffer overflow in the GNU C Library's gethostbyname functions on x86 and x86_64 GNU/Linux systems that run the Exim mail server.
Authors:
- Unknown

SSL/TLS Version Detection
Disclosure Date: 2014-10-14
First seen: 2022-12-23
auxiliary/scanner/ssl/ssl_version
Check if a server supports a given version of SSL/TLS and cipher suites. The certificate is stored in loot, and any known vulnerabilities against that SSL version and cipher suite combination are checked. These checks include POODLE, deprecated protocols, expired/not valid certs, low key strength, null cipher suites, certificates signed with MD5, DROWN, RC4 ciphers, exportable ciphers, LOGJAM, and BEAST.
Authors:
- todb <todb@metasploit.com>
- et <et@metasploit.com>
- Chris John Riley
- Veit Hailperin <hailperv@gmail.com>
- h00die

Mac OS X Sudo Password Bypass
Disclosure Date: 2013-02-28
First seen: 2020-04-26
exploit/osx/local/sudo_password_bypass
This module gains a session with root permissions on versions of OS X with a sudo binary vulnerable to CVE-2013-1775. Tested working on Mac OS 10.7-10.8.4, and possibly lower versions. If your session belongs to a user with Administrative Privileges (the user is in the sudoers file and is in the "admin" group), and the user has ever run the "sudo" command, it is possible to become the super user by running `sudo -k` and then resetting the system clock to 01-01-1970. This module will fail silently if the user is not an admin, if the user has never run the sudo command, or if the admin has locked the Date/Time preferences.
Note: If the user has locked the Date/Time preferences, requests to overwrite the system clock will be ignored, and the module will silently fail. However, if the "Require an administrator password to access locked preferences" setting is not enabled, the Date/Time preferences are often unlocked every time the admin logs in, so you can install persistence and wait for a chance later.
Authors:
- Todd C. Miller
- joev <joev@metasploit.com>
- juan vazquez <juan.vazquez@metasploit.com>

WordPress XMLRPC GHOST Vulnerability Scanner
First seen: 2020-04-26
auxiliary/scanner/http/wordpress_ghost_scanner
This module can be used to determine hosts vulnerable to the GHOST vulnerability via a call to the WordPress XMLRPC interface. If the target is vulnerable, the system will segfault and return a server error. On patched systems, a normal XMLRPC error is returned.
Authors:
- Robert Rowley
- Christophe De La Fuente
- Chaim Sanders
- Felipe Costa
- Jonathan Claudius
- Karl Sigler
- Christian Mehlmauer <FireFart@gmail.com>

16 metasploit modules found
Please note: Metasploit modules are only matched by CVE numbers.
Visit metasploit web site for more details