This module exploits a format string vulnerability in CUPS lppasswd in Apple Mac OS X 10.5.6 that allows local users to get code execution with elevated privileges. Exploitation requires valid local user, with access to the lppasswd command. After successful exploitation an agent will be deployed. This agent will inherit the user identity and capabilities of the previous agent. However, the euid (as opposite to the uid) of the agent may be not that of the super user (usually is "nobody"), and by using the setuid module (see setuid module documentation), it can be changed to zero (root).
When a process executes a setuid executable, all existing rights to the task port are invalidated, to make sure unauthorized processes do not retain control of the process. Exception handlers however remain installed, and when some kind of hardware exception occurs, the exception handler can receive a new right to the task port as one of its arguments, and thus regain full control over the process. Interestingly, the code to reset the exception handlers (and hence thwart this attack) upon exec() of a setuid executable has been present in the kernel since OSX 10.3, but is disabled (#if 0) for unspecified reasons.
This module exploits a null pointer vulnerability in the OpenLDAP service when parsing a malformed requests. The vulnerability is exploited remotely by sending a specially crafted packet to write an existing value with an empty one. The service will be automatically restarted after 1-2 minutes. To keep the service down set KEEP_TRYING parameter true
This module exploits a vulnerability in BIND 9 when parsing dynamic update messages containing a record of type "ANY" and where at least one RRset for this FQDN exists on the server, causing the service to exit.
Subscribe to Mac OS X