The default root-suid binary /usr/bin/rsh on Mac OS X uses execv() in an insecure manner. /usr/bin/rsh will invoke /usr/bin/rlogin if launched with only a host argument, without dropping privileges or clearing the environment. This exploit passes "MallocLogFile" to /usr/bin/rsh, which is then passed on to rlogin and interpreted by libmalloc to create a root-owned file with partially controlled contents at /etc/crontab, which gives a root shell via sudo. Tested on 10.9.5 and 10.10.5, but it most likely works on much older versions too.
81acf0e43a571e81418379cca28b84a9
34-byte NULL-byte-free OS X x64 /bin/sh shellcode.
a3acc83e3c82166d8beeb36642e5f233
Mac OS X 10.10.4 (Yosemite) suffers from a keychain-related denial of service vulnerability.
bb693ce448af1ed7afa742b3e85b3867
OS X version 10.10 DYLD_PRINT_TO_FILE local privilege escalation proof of concept exploit.
756dd5d0ac3ee01ba77776f95053f131
Mac OS X rootpipe local proof of concept privilege escalation exploit.
b7341fe08ad8c839629b376ef02a5820
OS X 10.9.5 IOKit IntelAccelerator suffers from a null pointer dereference vulnerability. This is the proof of concept exploit released by Google.
1ae0774711afbf121c80129584461b87
OS X 10.10 IOKit IntelAccelerator suffers from a null pointer dereference vulnerability. This is the proof of concept exploit released by Google.
5101afae5f6148ea15c0034a88d441ce
OS X networkd "effective_audit_token" XPC type confusion sandbox escape proof of concept exploit.
4050c0d6e9c3910083759e7b718c3818
Viscosity OpenVPN client for Mac OS X suffers from a local root command execution vulnerability due to a suid binary executing site.py.
310eead57ed8a1879d25cfaf62404d5b
Universal OS X dyld ROP shellcode that spawns a shell on port 4444.
889e668c6fc7ae93dedcdf6e543ad687
131-byte Mac OS X / Intel x86_64 reverse TCP shell shellcode.
01de685f8e9a7ce64746376e0578c5f0
This Metasploit module exploits a buffer overflow in the IRC client component of UFO: Alien Invasion 2.2.1.
3bde84ff63ca733f53ee374ec82205a3
This module exploits the buffer overflow found in Samba versions 2.2.0 to 2.2.8. This particular module is capable of exploiting the bug on Mac OS X PowerPC systems.
e4ea02c3338a460353153d443eaff685
Small write-up titled "Finding sysent on OS X 10.6.1". Good information for Mac OS X rootkit writers.
1f7a894ac48ac1a38127b27394425867
32-byte MacOSX/PowerPC shellcode that calls sync() and then reboot().
4f8a4be79a035ea123122a72c15f8a98
72-byte MacOSX/PowerPC shellcode that calls execve() on /bin/sh.
d59a0b83447393e784d3ee17aef8bc3b
The Apple OSX 10.4 Dashboard widgets allow system commands to be executed, which is normally not considered a vulnerability in itself as they run with the user's permissions. If the user has recently authenticated to perform a super-user function, however, Dashboard widgets can hijack these credentials by calling the system's built-in sudo command and execute arbitrary functions with full administrative privileges.
49f0141d32fe29e4e0a2957f4b811a09
NetSec Security Advisory - Due to multiple vulnerabilities resulting from the use of Apple OSX HFS+, remote users may be able to view arbitrary file data, including the source code of server-side documents such as PHP or JSP files.
5ac862db7ec3d451b2a8350382d2c5cc
MMDF deliver local root exploit for SCO OpenServer 5.0.7 x86.
fb00af86ece2ed6422cdbc89c50c5b4c
Mac OS X rootkit that includes a lot of standard tools, adds a TCP backdoor via inetd, performs data recon, and more.
4d88ce2a44718703f5de06a26c26349a