OS X Text to Speech Utility - Metasploit
This page contains detailed information about how to use the post/osx/admin/say metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: OS X Text to Speech Utility
Module: post/osx/admin/say
Source code: modules/post/osx/admin/say.rb
Disclosure date: -
Last modification time: 2017-07-24 06:26:21 +0000
Supported architecture(s): -
Supported platform(s): OSX
Target service / protocol: -
Target network port(s): -
List of CVEs: -
This module will speak whatever is in the 'TEXT' option on the victim machine.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
There are two ways to execute this post module.
From the Meterpreter prompt
The first is by using the "run" command at the Meterpreter prompt. It allows you to run the post module against that specific session:
meterpreter > run post/osx/admin/say
From the msf prompt
The second is by using the "use" command at the msf prompt. You will have to figure out which session ID to set manually. To list all session IDs, you can use the "sessions" command.
msf > use post/osx/admin/say
msf post(say) > show options
... show and set options ...
msf post(say) > set SESSION session-id
msf post(say) > exploit
If you wish to run the post against all sessions from framework, here is how:
1 - Create the following resource script:
framework.sessions.each_pair do |sid, session|
run_single("use post/osx/admin/say")
run_single("set SESSION #{sid}")
run_single("run")
end
2 - At the msf prompt, execute the above resource script:
msf > resource path-to-resource-script
Required Options
- SESSION: The session to run this module on.
Knowledge Base
Vulnerable Application
This module will speak whatever is in the 'TEXT' option on the victim machine.
Verification Steps
- Start msfconsole
- Get a shell, user level is fine
- Do:
use post/osx/admin/say
- Do:
run
- You should hear 'metasploit' through the speakers
Options
TEXT
The text that should be read. Default is meta-sploit!
.
VOICE
The voice to use. Default is alex
.
This can be obtained on the system by specifying -v ?
(example from 10.14.4):
say -v ?
Alex en_US # Most people recognize me by my voice.
Alice it_IT # Salve, mi chiamo Alice e sono una voce italiana.
Alva sv_SE # Hej, jag heter Alva. Jag är en svensk röst.
Amelie fr_CA # Bonjour, je m’appelle Amelie. Je suis une voix canadienne.
Anna de_DE # Hallo, ich heiße Anna und ich bin eine deutsche Stimme.
Carmit he_IL # שלום. קוראים לי כרמית, ואני קול בשפה העברית.
Damayanti id_ID # Halo, nama saya Damayanti. Saya berbahasa Indonesia.
Daniel en_GB # Hello, my name is Daniel. I am a British-English voice.
Diego es_AR # Hola, me llamo Diego y soy una voz española.
Ellen nl_BE # Hallo, mijn naam is Ellen. Ik ben een Belgische stem.
Fiona en-scotland # Hello, my name is Fiona. I am a Scottish-English voice.
Fred en_US # I sure like being inside this fancy computer
Ioana ro_RO # Bună, mă cheamă Ioana . Sunt o voce românească.
Joana pt_PT # Olá, chamo-me Joana e dou voz ao português falado em Portugal.
Jorge es_ES # Hola, me llamo Jorge y soy una voz española.
Juan es_MX # Hola, me llamo Juan y soy una voz mexicana.
Kanya th_TH # สวัสดีค่ะ ดิฉันชื่อKanya
Karen en_AU # Hello, my name is Karen. I am an Australian-English voice.
Kyoko ja_JP # こんにちは、私の名前はKyokoです。日本語の音声をお届けします。
Laura sk_SK # Ahoj. Volám sa Laura . Som hlas v slovenskom jazyku.
Lekha hi_IN # नमस्कार, मेरा नाम लेखा है. मैं हिन्दी में बोलने वाली आवाज़ हूँ.
Luca it_IT # Salve, mi chiamo Luca e sono una voce italiana.
Luciana pt_BR # Olá, o meu nome é Luciana e a minha voz corresponde ao português que é falado no Brasil
Maged ar_SA # مرحبًا اسمي Maged. أنا عربي من السعودية.
Mariska hu_HU # Üdvözlöm! Mariska vagyok. Én vagyok a magyar hang.
Mei-Jia zh_TW # 您好,我叫美佳。我說國語。
Melina el_GR # Γεια σας, ονομάζομαι Melina. Είμαι μια ελληνική φωνή.
Milena ru_RU # Здравствуйте, меня зовут Milena. Я – русский голос системы.
Moira en_IE # Hello, my name is Moira. I am an Irish-English voice.
Monica es_ES # Hola, me llamo Monica y soy una voz española.
Nora nb_NO # Hei, jeg heter Nora. Jeg er en norsk stemme.
Paulina es_MX # Hola, me llamo Paulina y soy una voz mexicana.
Samantha en_US # Hello, my name is Samantha. I am an American-English voice.
Sara da_DK # Hej, jeg hedder Sara. Jeg er en dansk stemme.
Satu fi_FI # Hei, minun nimeni on Satu. Olen suomalainen ääni.
Sin-ji zh_HK # 您好,我叫 Sin-ji。我講廣東話。
Tessa en_ZA # Hello, my name is Tessa. I am a South African-English voice.
Thomas fr_FR # Bonjour, je m’appelle Thomas. Je suis une voix française.
Ting-Ting zh_CN # 您好,我叫Ting-Ting。我讲中文普通话。
Veena en_IN # Hello, my name is Veena. I am an Indian-English voice.
Victoria en_US # Isn't it nice to have a computer that will talk to you?
Xander nl_NL # Hallo, mijn naam is Xander. Ik ben een Nederlandse stem.
Yelda tr_TR # Merhaba, benim adım Yelda. Ben Türkçe bir sesim.
Yuna ko_KR # 안녕하세요. 제 이름은 Yuna입니다. 저는 한국어 음성입니다.
Yuri ru_RU # Здравствуйте, меня зовут Yuri. Я – русский голос системы.
Zosia pl_PL # Witaj. Mam na imię Zosia, jestem głosem kobiecym dla języka polskiego.
Zuzana cs_CZ # Dobrý den, jmenuji se Zuzana. Jsem český hlas.
Scenarios
User level shell on OSX 10.14.4
msf5 auxiliary(scanner/ssh/ssh_login) > use post/osx/admin/say
msf5 post(osx/admin/say) > set session 1
session => 1
msf5 post(osx/admin/say) > run
[*] Post module execution completed
Go back to menu.
Msfconsole Usage
Here is how the osx/admin/say post exploitation module looks in the msfconsole:
msf6 > use post/osx/admin/say
msf6 post(osx/admin/say) > show info
Name: OS X Text to Speech Utility
Module: post/osx/admin/say
Platform: OSX
Arch:
Rank: Normal
Provided by:
sinn3r <[email protected]>
Compatible session types:
Meterpreter
Shell
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on.
TEXT meta-sploit! yes The text to say
VOICE alex yes The voice to use
Description:
This module will speak whatever is in the 'TEXT' option on the
victim machine.
References:
http://www.gabrielserafini.com/blog/2008/08/19/mac-os-x-voices-for-using-with-the-say-command/
Module Options
This is a complete list of options available in the osx/admin/say post exploitation module:
msf6 post(osx/admin/say) > show options
Module options (post/osx/admin/say):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on.
TEXT meta-sploit! yes The text to say
VOICE alex yes The voice to use
Advanced Options
Here is a complete list of advanced options supported by the osx/admin/say post exploitation module:
msf6 post(osx/admin/say) > show advanced
Module advanced options (post/osx/admin/say):
Name Current Setting Required Description
---- --------------- -------- -----------
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Post Actions
This is a list of all post exploitation actions which the osx/admin/say module can do:
msf6 post(osx/admin/say) > show actions
Post actions:
Name Description
---- -----------
Evasion Options
Here is the full list of possible evasion options supported by the osx/admin/say post exploitation module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 post(osx/admin/say) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Go back to menu.
Error Messages
This module may fail with the following error messages:
Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.
<PEER> - <E.MESSAGE> - retrying...
Here is a relevant code snippet related to the "<PEER> - <E.MESSAGE> - retrying..." error message:
34: begin
35: out = cmd_exec(cmd).chomp
36: rescue ::Timeout::Error => e
37: tries += 1
38: if tries < 3
39: vprint_error("#{@peer} - #{e.message} - retrying...")
40: retry
41: end
42: rescue EOFError => e
43: tries += 1
44: if tries < 3
<PEER> - <E.MESSAGE> - retrying...
Here is a relevant code snippet related to the "<PEER> - <E.MESSAGE> - retrying..." error message:
40: retry
41: end
42: rescue EOFError => e
43: tries += 1
44: if tries < 3
45: vprint_error("#{@peer} - #{e.message} - retrying...")
46: retry
47: end
48: end
49: end
50:
The remote machine does not have the 'say' command
Here is a relevant code snippet related to the "The remote machine does not have the 'say' command" error message:
54: voice = datastore['VOICE']
55:
56: # Say the text
57: out = cmd_exec("say -v \"#{voice}\" \"#{txt}\"")
58: if out =~ /command not found/
59: print_error("The remote machine does not have the \'say\' command")
60: elsif not out.empty?
61: print_status(out)
62: end
63: end
64: end
Go back to menu.
Related Pull Requests
- #8716 Merged Pull Request: Print_Status -> Print_Good (And OCD bits 'n bobs)
- #8338 Merged Pull Request: Fix msf/core and self.class msftidy warnings
- #6655 Merged Pull Request: use MetasploitModule as a class name
- #6648 Merged Pull Request: Change metasploit class names
- #5964 Merged Pull Request: Support meterpreter for OS X post modules
- #2525 Merged Pull Request: Change module boilerplate
- #2304 Merged Pull Request: Fix load order in posts, hopefully forever
- #693 Merged Pull Request: Correct OSX naming
- #407 Merged Pull Request: OSX Text-to-Speech tool
References
- CVE: Not available
- http://www.gabrielserafini.com/blog/2008/08/19/mac-os-x-voices-for-using-with-the-say-command/
See Also
Check also the following modules related to this module:
- post/osx/capture/keylog_recorder
- post/osx/capture/screen
- post/osx/escalate/tccbypass
- post/osx/gather/apfs_encrypted_volume_passwd
- post/osx/gather/autologin_password
- post/osx/gather/enum_adium
- post/osx/gather/enum_airport
- post/osx/gather/enum_chicken_vnc_profile
- post/osx/gather/enum_colloquy
- post/osx/gather/enum_keychain
- post/osx/gather/enum_messages
- post/osx/gather/enum_osx
- post/osx/gather/gitignore
- post/osx/gather/hashdump
- post/osx/gather/password_prompt_spoof
- post/osx/gather/safari_lastsession
- post/osx/gather/vnc_password_osx
- post/osx/manage/mount_share
- post/osx/manage/record_mic
- post/osx/manage/sonic_pi
- post/osx/manage/vpn
- post/osx/manage/webcam
Authors
- sinn3r
Version
This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.
Go back to menu.