module
Safari User-Assisted Download and Run Attack
| Disclosed | Created |
|---|---|
| 2014-03-10 | 2018-05-30 |
Disclosed
2014-03-10
Created
2018-05-30
Description
This module abuses some Safari functionality to force the download of a
zipped .app OSX application containing our payload. The app is then
invoked using a custom URL scheme. At this point, the user is presented
with Gatekeeper's prompt:
"APP_NAME" is an application downloaded from the internet. Are you sure you
want to open it?
If the user clicks "Open", the app and its payload are executed.
If the user has the "Only allow applications downloaded from Mac App Store
and identified developers (on by default on OS 10.8+), the user will see
an error dialog containing "can't be opened because it is from an unidentified
developer." To work around this issue, you will need to manually build and sign
an OSX app containing your payload with a custom URL handler called "openurl".
You can put newlines and unicode in your APP_NAME, although you must be careful not
to create a prompt that is too tall, or the user will not be able to click
the buttons, and will have to either logout or kill the CoreServicesUIAgent
process.
zipped .app OSX application containing our payload. The app is then
invoked using a custom URL scheme. At this point, the user is presented
with Gatekeeper's prompt:
"APP_NAME" is an application downloaded from the internet. Are you sure you
want to open it?
If the user clicks "Open", the app and its payload are executed.
If the user has the "Only allow applications downloaded from Mac App Store
and identified developers (on by default on OS 10.8+), the user will see
an error dialog containing "can't be opened because it is from an unidentified
developer." To work around this issue, you will need to manually build and sign
an OSX app containing your payload with a custom URL handler called "openurl".
You can put newlines and unicode in your APP_NAME, although you must be careful not
to create a prompt that is too tall, or the user will not be able to click
the buttons, and will have to either logout or kill the CoreServicesUIAgent
process.
Author
joev joev@metasploit.com
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.