Mac OS X <= 10.4.6 (launchd) Local Format String Exploit (ppc)
#!/usr/bin/perl
#
# http://www.digitalmunition.com/FailureToLaunch-ppc.pl
# Code by Kevin Finisterre kf_lists[at]digitalmunition[dot]com
#
# Much appreciation goes to John H for all kindsa random shit like exploiting Veritas and other random things in the past
#
# core... where the hell are you fool.
#
# This is just a vanilla format string exploit for OSX on ppc. We overwrite a saved return addy with our shellcode address.
# This code currently overwrites a saved return addy with the stack location of our seteuid() / execve() shellcode.
#
# This exploit will create a malicious .plist file for you to use with launchctl
# kevin-finisterres-mac-mini:~ kfinisterre$ launchctl load ./com.pwnage.plist
#
# In theory I guess you could also drop this in ~/Library/LaunchAgents
#
# This was tested against OSX 10.4.6 8l127 on a 1.25GHz PowerPC G4 and a
# 500mhz PowerPC G3 running 10.4 8A428
#
# kevin-finisterres-mac-mini:~ kfinisterre$ ls -al /sbin/launchd
# -rwsr-sr-x 1 root wheel 80328 Feb 19 04:09 /sbin/launchd
# kevin-finisterres-mac-mini:~ kfinisterre$ file /sbin/launchd
# /sbin/launchd: setuid setgid Mach-O executable ppc
#
# ./src/SystemStarter.c:374: syslog(level, buf);
#
# http://developer.apple.com/documentation/Security/Conceptual/SecureCodingGuide/Articles/AccessControl.html
# "Because launchd is a critical system component, it receives a lot of peer review by in-house developers at Apple.
# It is less likely to contain security vulnerabilities than most production code."
#