Safari User-Assisted Download and Run Attack
This module abuses some Safari functionality to force the download of a zipped .app OSX application containing our payload. The app is then invoked using a custom URL scheme. At this point, the user is presented with Gatekeeper's prompt: "APP_NAME" is an application downloaded from the internet. Are you sure you want to open it? If the user clicks "Open", the app and its payload are executed. If the user has the "Only allow applications downloaded from Mac App Store and identified developers (on by default on OS 10.8+), the user will see an error dialog containing "can't be opened because it is from an unidentified developer." To work around this issue, you will need to manually build and sign an OSX app containing your payload with a custom URL handler called "openurl". You can put newlines and unicode in your APP_NAME, although you must be careful not to create a prompt that is too tall, or the user will not be able to click the buttons, and will have to either logout or kill the CoreServicesUIAgent process.
- joev <joev [at] metasploit.com>
- Mac OS X x86 (Native Payload)
- Mac OS X x64 (Native Payload)
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
msf > use exploit/osx/browser/safari_user_assisted_download_launch msf exploit(safari_user_assisted_download_launch) > show targets ...targets... msf exploit(safari_user_assisted_download_launch) > set TARGET <target-id> msf exploit(safari_user_assisted_download_launch) > show options ...show and set options... msf exploit(safari_user_assisted_download_launch) > exploit