applescript injection POC

Questions and Answers about all things *OS (macOS, iOS, tvOS, watchOS)

Postby adam81 » Mon Nov 06, 2017 4:24 pm

I am trying to make a POC of code injection using the AppleScript injection technique that is used in the GitHub project EasySIMBL.

The method is also described here. (It's basically a huge article; just search for "AppleScript" at bundle injection, and you'll get there.)

The steps I've done:

1. I made a bundle with the .osax suffix that creates a file at /tmp/test.txt. The bundle contains the following items:
1.1 Info.plist:

Code:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "">
<plist version="1.0">

1.2 The code to be injected (osax bundle):

Code:
//  main.m
//  OsaxLoaded

#import <Foundation/Foundation.h>
#import <CoreServices/CoreServices.h>   // AppleEvent, OSErr, noErr

// Handler named in the bundle's Info.plist. It runs inside the target
// process once the scripting addition has been loaded there.
OSErr InjectEventHandler(const AppleEvent *ev, AppleEvent *reply, long refcon)
{
    OSErr resultCode = noErr;
    [[NSFileManager defaultManager] createFileAtPath:@"/tmp/test.txt" contents:nil attributes:nil];
    return resultCode;
}

Here's the structure of my osax bundle:

Code:
sh-3.2# ls /Library/ScriptingAdditions/OsaxLoaded.osax/Contents/
Info.plist    MacOS        _CodeSignature

2. Now I put the osax bundle in /Library/ScriptingAdditions/.

3. Then I wrote a templated Cocoa app (the injection target) that does nothing (I didn't add any additional code).

4. In addition, I wrote a Mach-O that should make the app I wrote previously load the scripting addition (osax bundle). After that it sends the event that corresponds to the event in Info.plist, which should execute the handler I wrote in the osax bundle's Mach-O.

The injector code:

Code:
//  main.m
//  OsaxInjector

#import <Foundation/Foundation.h>
#import <Carbon/Carbon.h>
#import <ScriptingBridge/ScriptingBridge.h>

int main(int argc, const char * argv[]) {
    @autoreleasepool {
        if (argc != 2) {
            printf("USAGE: injector pid\n");
            return 1;
        }
        pid_t pid = atoi(argv[1]);
        SBApplication *sbApp = [SBApplication applicationWithProcessIdentifier:pid];

        // Ask the target app to load its scripting additions (kGetAEUT).
        [sbApp setSendMode:kAENoReply | kAENeverInteract | kAEDontRecord];
        [sbApp sendEvent:kASAppleScriptSuite id:kGetAEUT parameters:0];

        // Inject! Send the event declared in the osax Info.plist so the
        // target runs InjectEventHandler.
        [sbApp setSendMode:kAENoReply | kAENeverInteract | kAEDontRecord];
        id injectReply = [sbApp sendEvent:'OPNe' id:'open' parameters:0];
        if (injectReply != nil) {
            NSLog(@"unexpected injectReply: %@", injectReply);
        }
        [[NSProcessInfo processInfo] disableSuddenTermination];
    }
    return 0;
}

When tested using the pid provided by lsappinfo info "ToInjectApp", it seems like the code wasn't injected and /tmp/test.txt wasn't created.

Any idea what I am doing wrong?

OS Version: Sierra
Posts: 26
Joined: Mon Jan 25, 2016 9:26 am
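From the defender's side, the interesting point in the post is that anything dropped into /Library/ScriptingAdditions as a .osax bundle gets loaded by an application that is sent the kGetAEUT event, so those directories deserve the same inventory treatment as launch agents. The script below is an added example, not code from the post or from EasySIMBL: it walks a ScriptingAdditions directory, reads each bundle's Info.plist, reports the declared handler functions and event codes, and flags bundles whose identifier is not on an allowlist, that have no executable, or that have no _CodeSignature directory (the post's own bundle listing shows that directory). The OSAXHandlers -> Handlers -> {Handler, Events} key layout and the eight-character class+ID event strings are assumed from the standard osax Info.plist convention, not taken from the page; the sample bundles in demo() are constructed and inert.

```python
import os
import plistlib
import sys
import tempfile

# Locations macOS searches for scripting additions; the post installs
# its bundle into the first one.
DEFAULT_DIRS = [
    "/Library/ScriptingAdditions",
    os.path.expanduser("~/Library/ScriptingAdditions"),
]


def handler_names(info):
    """Return (handler function, event codes) pairs from an osax Info.plist.
    Assumes the OSAXHandlers -> Handlers -> {Handler, Events} layout."""
    found = []
    for ctx in info.get("OSAXHandlers", []):
        for h in ctx.get("Handlers", []):
            found.append((h.get("Handler", "?"), list(h.get("Events", []))))
    return found


def audit_osax_dir(directory, allowlist=()):
    """Describe every .osax bundle in `directory` and flag suspicious ones:
    unreadable plist, identifier not in `allowlist`, missing executable, or
    no _CodeSignature directory. Presence of _CodeSignature is not a valid
    signature; run `codesign --verify` on anything this reports."""
    results = []
    if not os.path.isdir(directory):
        return results
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".osax"):
            continue
        contents = os.path.join(directory, name, "Contents")
        entry = {"bundle": name, "identifier": None, "handlers": [], "flags": []}
        try:
            with open(os.path.join(contents, "Info.plist"), "rb") as fh:
                info = plistlib.load(fh)
        except (OSError, plistlib.InvalidFileException):
            entry["flags"].append("unreadable Info.plist")
            results.append(entry)
            continue
        entry["identifier"] = info.get("CFBundleIdentifier")
        entry["handlers"] = handler_names(info)
        if entry["identifier"] not in allowlist:
            entry["flags"].append("not in allowlist")
        exe = os.path.join(contents, "MacOS", info.get("CFBundleExecutable", ""))
        if not os.path.isfile(exe):
            entry["flags"].append("missing executable")
        if not os.path.isdir(os.path.join(contents, "_CodeSignature")):
            entry["flags"].append("no _CodeSignature")
        results.append(entry)
    return results


def build_sample_bundle(root, name, identifier, handlers, signed):
    """Write a constructed, inert .osax layout for demonstration only."""
    contents = os.path.join(root, name, "Contents")
    os.makedirs(os.path.join(contents, "MacOS"))
    if signed:
        os.makedirs(os.path.join(contents, "_CodeSignature"))
    exe = name[: -len(".osax")]
    with open(os.path.join(contents, "MacOS", exe), "wb") as fh:
        fh.write(b"")  # placeholder file, not a Mach-O
    info = {
        "CFBundleIdentifier": identifier,
        "CFBundleExecutable": exe,
        "OSAXHandlers": [{"Context": "Process",
                          "Handlers": [{"Handler": fn, "Events": list(ev)}
                                       for fn, ev in handlers]}],
    }
    with open(os.path.join(contents, "Info.plist"), "wb") as fh:
        plistlib.dump(info, fh)


def demo():
    """Audit a constructed sample tree: one allowlisted, signed addition and
    one unknown, unsigned addition modelled on the post's OsaxLoaded.osax."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_bundle(root, "Vendor.osax", "com.example.vendor",
                            [("VendorHandler", ["VendDoIt"])], signed=True)
        build_sample_bundle(root, "OsaxLoaded.osax", "com.example.osaxloaded",
                            [("InjectEventHandler", ["OPNeopen"])], signed=False)
        return audit_osax_dir(root, allowlist={"com.example.vendor"})


def report(entries):
    for e in entries:
        status = ", ".join(e["flags"]) or "ok"
        print(f"{e['bundle']:24} {e['identifier'] or '?':32} {status}")
        for fn, events in e["handlers"]:
            print(f"    handler {fn} for events {events}")


if __name__ == "__main__":
    # With no arguments, run against the constructed sample; otherwise audit
    # the given directories (pass an allowlist in code to cut the noise).
    if len(sys.argv) == 1:
        report(demo())
    else:
        for d in sys.argv[1:]:
            print(f"== {d}")
            report(audit_osax_dir(d))
```

On a real machine, run it as `python3 audit_osax.py /Library/ScriptingAdditions ~/Library/ScriptingAdditions` and diff the output against a known-good baseline; a newly appeared bundle whose handler list contains a function you do not recognise is exactly the artifact the post's technique leaves behind.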
