-
Notifications
You must be signed in to change notification settings - Fork 14.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add LaunchDaemon Persistence to exploits/osx/local/persistence.rb #19360
Conversation
Thanks for your pull request! Before this pull request can be merged, it must pass the checks of our automated linting tools. We use Rubocop and msftidy to ensure the quality of our code. This can be ran from the root directory of Metasploit:
You can automate most of these changes with the
Please update your branch after these have been made, and reach out if you have any problems. |
}, | ||
'License' => MSF_LICENSE, | ||
'Author' => [ "Marcin 'Icewall' Noga <marcin[at]icewall.pl>", 'joev' ], | ||
'Targets' => [ | ||
[ 'Mac OS X x64 (Native Payload)', { 'Arch' => ARCH_X64, 'Platform' => [ 'osx' ] } ], | ||
[ 'Mac OS X x86 (Native Payload for 10.14 and earlier)', { 'Arch' => ARCH_X86, 'Platform' => [ 'osx' ] } ], | ||
['Mac OS X Apple Sillicon', {'Arch' => ARCH_AARCH64, 'Platform' => ['osx'] }], |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
['Mac OS X Apple Sillicon', {'Arch' => ARCH_AARCH64, 'Platform' => ['osx'] }], | |
['Mac OS X Apple Silicon', {'Arch' => ARCH_AARCH64, 'Platform' => ['osx'] }], |
Co-authored-by: dwelch-r7 <[email protected]>
Release notesAdds a new |
Super cool, thanks! |
According to The Art of Mac Malware Launch Items are able to persist as LaunchAgents or LaunchDaemons, this pull request adds LaunchDaemon persistence to
exploits/osx/local/persistence.rb
by writing a plist file to~/Library/LaunchDaemons
. One of the advantages of persisting as a LaunchDaemon is that they run before user login and with elevated permissions. Additionally this pull request adds the ability for the module to target Apple Silicon devices.As part of the testing I used BlockBlock to catch the plist entry being written. Note if you're using something like LuLu it needs to be turned off as it will catch and terminate meterpreter/shell connections.
I've tested both LaunchAgent and LaunchDaemon persistence with this module on an Apple Silicon device.
$ uname -a Darwin corey.local 23.1.0 Darwin Kernel Version 23.1.0: Mon Oct 9 21:28:12 PDT 2023; root:xnu-10002.41.9~6/RELEASE_ARM64_T8103 arm64
We start by generating a meterpreter:
Start a listener and reload the module:
Run the meterpreter ->
10:48:22 ~/Desktop $ chmod +x payload && ./payload
background the session and start to configure the options for
persistence.rb
Test w LaunchAgent, note that exploit doesn't technically "complete" because RUN_NOW is false. The plist entry and executable are dropped on the system though as shown by the pictures below.
Now we test LaunchDaemons by setting `LaunchItem':