Description
This module exploits a vulnerability found in Apple Safari on OS X platform. A policy issue in the handling of file:// URLs may allow arbitrary remote code execution under the context of the user.
In order to trigger arbitrary remote code execution, the best way seems to be opening a share on the victim machine first (this can be SMB/WebDav/FTP, or a file format that OS X might automount), and then execute it in /Volumes/[share]. If there's some kind of bug that leaks the victim machine's current username, then it's also possible to execute the payload in /Users/[username]/Downloads/, or else bruteforce your way to getting that information.
Please note that non-java payloads (*.sh extension) might get launched by Xcode instead of executing it, in that case please try the Java ones instead.
Module options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
msf > use exploit/osx/browser/safari_file_policymsf undefined(safari_file_policy) > show actions ...actions...msf undefined(safari_file_policy) > set ACTION < action-name >msf undefined(safari_file_policy) > show options ...show and set options...msf undefined(safari_file_policy) > runPrioritise with Active Threat Intelligence
With curated Threat Intelligence, you can see which vulnerabilities truly put you at risk, prioritize what matters most, and act before attackers do.
Explore Intelligence Hub