The default root-suid binary /usr/bin/rsh on Mac OS X uses execv() in an insecure manner. /usr/bin/rsh will invoke /usr/bin/rlogin if launched with only a host argument, without dropping privileges or clearing the environment. This exploit will pass "MallocLogFile" to /usr/bin/rsh, which is then passed on to rlogin and interpreted by libmalloc to create a root-owned file with partially controlled contents at /etc/crontab which gives a rootshell via sudo. Tested on 10.9.5 / 10.10.5 but it most likely works on much older versions too.
81acf0e43a571e81418379cca28b84a934 bytes small NULL byte free OS X x64 /bin/sh shellcode.
a3acc83e3c82166d8beeb36642e5f233Mac OS X 10.10.4 (Yosemite) suffers from a keychain-related denial of service vulnerability.
bb693ce448af1ed7afa742b3e85b3867OS X version 10.10 DYLD_PRINT_TO_FILE local privilege escalation proof of concept exploit.
756dd5d0ac3ee01ba77776f95053f131Mac OS X rootpipe local proof of concept privilege escalation exploit.
b7341fe08ad8c839629b376ef02a5820OS X 10.9.5 IOKit IntelAccelerator suffers from a null pointer dereference vulnerability. This is the proof of concept exploit released by Google.
1ae0774711afbf121c80129584461b87OS X 10.10 IOKit IntelAccelerator suffers from a null pointer dereference vulnerability. This is the proof of concept exploit released by Google.
5101afae5f6148ea15c0034a88d441ceOS X networkd "effective_audit_token" XPC type confusion sandbox escape proof of concept exploit.
4050c0d6e9c3910083759e7b718c3818Viscosity OpenVPN client for Mac OS X suffers from a local root command execution vulnerability due to a suid binary executing site.py.
310eead57ed8a1879d25cfaf62404d5bUniversal OS X dyld ROP shellcode that spawns a shell on port 4444.
889e668c6fc7ae93dedcdf6e543ad687131 bytes small Mac OS X / Intel reverse TCP shell shellcode for x86_64.
01de685f8e9a7ce64746376e0578c5f0This Metasploit module exploits a buffer overflow in the IRC client component of UFO: Alien Invasion 2.2.1.
3bde84ff63ca733f53ee374ec82205a3This exploits the buffer overflow found in Samba versions 2.2.0 to 2.2.8. This particular module is capable of exploiting the bug on Mac OS X PowerPC systems.
e4ea02c3338a460353153d443eaff685Small write up called finding sysent on OS X 10.6.1. Good information for Mac OS X rootkit writers.
1f7a894ac48ac1a38127b27394425867MacOSX/PowerPC 32 byte shellcode for sync(), reboot().
4f8a4be79a035ea123122a72c15f8a98MacOSX/PowerPC 72 byte shellcode for execve /bin/sh.
d59a0b83447393e784d3ee17aef8bc3bThe Apple OSX 10.4 Dashboard widgets allow system commands to be executed, which is normally not considered a vulnerability in itself as they run with the user's permissions. If the user has recently authenticated to perform a super-user function, however, Dashboard widgets can hijack these credentials by calling the system's built-in sudo command and execute arbitrary functions with full administrative privileges.
49f0141d32fe29e4e0a2957f4b811a09NetSec Security Advisory - Due to multiple vulnerabilities resulting from the use of Apple OSX HFS+, remote users may be able to view arbitrary file data, including the source code of server side documents, such as PHP JSP documents.
5ac862db7ec3d451b2a8350382d2c5ccMMDF deliver local root exploit for SCO OpenServer 5.0.7 x86.
fb00af86ece2ed6422cdbc89c50c5b4cMAC OS-X rootkit that has a lot of standard tools included, adds a TCP backdoor via inetd, does data recon, and more.
4d88ce2a44718703f5de06a26c26349a
© 2020 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed