The default root-suid binary /usr/bin/rsh on Mac OS X uses execv() in an insecure manner. /usr/bin/rsh will invoke /usr/bin/rlogin if launched with only a host argument, without dropping privileges or clearing the environment. This exploit will pass "MallocLogFile" to /usr/bin/rsh, which is then passed on to rlogin and interpreted by libmalloc to create a root-owned file with partially controlled contents at /etc/crontab which gives a rootshell via sudo. Tested on 10.9.5 / 10.10.5 but it most likely works on much older versions too.
57369dae3073aa171e586034196b70f67cf18695ca619dddcbe2f77bfce377a9This Metasploit module serves an OSX app (as a zip) that contains no Info.plist, which bypasses gatekeeper in macOS versions prior to 11.3. If the user visits the site on Safari, the zip file is automatically extracted, and clicking on the downloaded file will automatically launch the payload. If the user visits the site in another browser, the user must click once to unzip the app, and click again in order to execute the payload.
63462c2e64d7852458a439220123a2d9aea8f3c2506a1452879ec40fef583f4f34 bytes small NULL byte free OS X x64 /bin/sh shellcode.
62604cfda35d5ea48e784d6b5bfb83d4ce2aa61f09505d7ee7a39833737dc0efMac OS X 10.10.4 (Yosemite) suffers from a keychain-related denial of service vulnerability.
5e5264989ee711ea2cf1f4508b6d73169a2f88b72a97de4b2be4e77d5bfb3214OS X version 10.10 DYLD_PRINT_TO_FILE local privilege escalation proof of concept exploit.
54d151a0576992acbdfc4330c685be0f33834016156eaf6b60eb50e760abfc0cMac OS X rootpipe local proof of concept privilege escalation exploit.
146b64bdac5816f848302abe5d0ad8a8ac00a1ef2eb064fcfcdd3a63453c2ee0OS X 10.9.5 IOKit IntelAccelerator suffers from a null pointer dereference vulnerability. This is the proof of concept exploit released by Google.
4eb96b629d8eab7927b29a5ec7a9f92753cd3f849943a9328dda80e152688d6aOS X 10.10 IOKit IntelAccelerator suffers from a null pointer dereference vulnerability. This is the proof of concept exploit released by Google.
57e374097b155cf315fefccfe8009fda73846c7ab656b687d836fb54d450f253OS X networkd "effective_audit_token" XPC type confusion sandbox escape proof of concept exploit.
26000ca21e50478d63a5ca817398f053658a3693b62adac8eb4a3b8c6669b930Viscosity OpenVPN client for Mac OS X suffers from a local root command execution vulnerability due to a suid binary executing site.py.
bbed2f8bef6e98f9f906db21866f9556901fd2af1233ad2af5fa7f69e3f8af21Universal OS X dyld ROP shellcode that spawns a shell on port 4444.
f90145d57b30a93c3b8950bb79484eec09621902be1ae67433d853c948efbc0c131 bytes small Mac OS X / Intel reverse TCP shell shellcode for x86_64.
5bbb1086a1d5f4b19b20f5dc928fa031945f9bd33b9ca2d304044ad49918ddccThis Metasploit module exploits a buffer overflow in the IRC client component of UFO: Alien Invasion 2.2.1.
0efd72a52f0a3217a18642d2b292cb7590c04518e472422e8a05956140bcbe33This exploits the buffer overflow found in Samba versions 2.2.0 to 2.2.8. This particular module is capable of exploiting the bug on Mac OS X PowerPC systems.
0a81c70c55c5b626382aa3846753c3ac0bbcbc83db3ba6ea2a26b8367e01106cSmall write up called finding sysent on OS X 10.6.1. Good information for Mac OS X rootkit writers.
1a5b60643b2f08891db208c8e184461731b58a2d29562a6b083d3c69964404f4MacOSX/PowerPC 32 byte shellcode for sync(), reboot().
5351c8b944368ba099bd46cb47915aa7e0786ff4351bf5533f14b4df81c31cacMacOSX/PowerPC 72 byte shellcode for execve /bin/sh.
ac91044711def1684cd5a9b2453d14c329e8a338863ce7e44ec4589f10d91bdeThe Apple OSX 10.4 Dashboard widgets allow system commands to be executed, which is normally not considered a vulnerability in itself as they run with the user's permissions. If the user has recently authenticated to perform a super-user function, however, Dashboard widgets can hijack these credentials by calling the system's built-in sudo command and execute arbitrary functions with full administrative privileges.
a50c6951f75d23dfbeceb299ee744c63c29ccd29bc3eed02301998c3ff432d0dNetSec Security Advisory - Due to multiple vulnerabilities resulting from the use of Apple OSX HFS+, remote users may be able to view arbitrary file data, including the source code of server side documents, such as PHP JSP documents.
590bb7808f716931c412c8a8e612a7a356747b4be22319b4a1247d4f86744067MMDF deliver local root exploit for SCO OpenServer 5.0.7 x86.
5a32e0e43ec0a91696cd2732619706797117d91a12166e0b705430b2a2d691a5MAC OS-X rootkit that has a lot of standard tools included, adds a TCP backdoor via inetd, does data recon, and more.
21e6ef5bbf484ae909d8e4ab55e0e47d82f7478c4941f5cca236f04306b9f98e
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Subscribe to an RSS Feed