Safari User-Assisted Download and Run Attack
This module abuses some Safari functionality to force the download of a zipped .app OSX application containing our payload. The app is then invoked using a custom URL scheme. At this point, the user is presented with Gatekeeper's prompt: "APP_NAME" is an application downloaded from the internet. Are you sure you want to open it? If the user clicks "Open", the app and its payload are executed. If the user has the "Only allow applications downloaded from Mac App Store and identified developers (on by default on OS 10.8+), the user will see an error dialog containing "can't be opened because it is from an unidentified developer." To work around this issue, you will need to manually build and sign an OSX app containing your payload with a custom URL handler called "openurl". You can put newlines and unicode in your APP_NAME, although you must be careful not to create a prompt that is too tall, or the user will not be able to click the buttons, and will have to either logout or kill the CoreServicesUIAgent process.
Module Name
exploit/osx/browser/safari_user_assisted_download_launch
Authors
- joev <joev [at] metasploit.com>
Targets
- Mac OS X x86 (Native Payload)
- Mac OS X x64 (Native Payload)
Platforms
- osx
Architectures
- x86
- x64
Reliability
Development
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
msf > use exploit/osx/browser/safari_user_assisted_download_launch
msf exploit(safari_user_assisted_download_launch) > show targets
...targets...
msf exploit(safari_user_assisted_download_launch) > set TARGET <target-id>
msf exploit(safari_user_assisted_download_launch) > show options
...show and set options...
msf exploit(safari_user_assisted_download_launch) > exploit
'Metasploit ' 카테고리의 다른 글
Firefox Exec Shellcode from Privileged Javascript Shell (0) | 2014.03.27 |
---|---|
Yokogawa CENTUM CS 3000 BKHOdeq.exe Buffer Overflow (0) | 2014.03.27 |
MS14-012 Internet Explorer TextRange Use-After-Free (0) | 2014.03.27 |
Loadbalancer.org 기업 VA SSH 개인 키 노출 (0) | 2014.03.27 |
Trojan.Tracur!gen8 (0) | 2014.03.27 |