Subscribe via feed.

Safari User-Assisted Download / Run Attack

Posted by deepcore on March 8, 2014 – 6:31 am

This Metasploit module abuses some Safari functionality to force the download of a zipped .app OSX application containing our payload. The app is then invoked using a custom URL scheme. At this point, the user is presented with Gatekeeper’s prompt: “APP_NAME” is an application downloaded from the internet. Are you sure you want to open it? If the user clicks “Open”, the app and its payload are executed. If the user has the “Only allow applications downloaded from Mac App Store and identified developers (on by default on OS 10.8+), the user will see an error dialog containing “can’t be opened because it is from an unidentified developer.” To work around this issue, you will need to manually build and sign an OSX app containing your payload with a custom URL handler called “openurl”. You can put newlines and unicode in your APP_NAME, although you must be careful not to

Tags: , ,
This post is under “Apple” and has no respond so far.
If you enjoy this article, make sure you subscribe to my RSS Feed.

Post a reply

You must be logged in to post a comment.