This file can now be copied to ~/Library/Application Support/Sublime Text 3/Installed Packages/ or %APPDATA%\Sublime Text 3\Installed Packages\ where Sublime will automatically pick it up and run your code. It can be any Python code, but if you want to play nice with Sublime, the following template will work.Ĭat > ~/Library/Application Support/Sublime Text 3/Packages/legitimate.py Create Package > legitimate > DefaultĪnd your new package file will be at ~/Desktop/test.sublime-package. In the Packages directory, create a file package-control.py or other innocuously named file. ![]() If you can write to %APPDATA%\Sublime Text 3\Packages\ or $HOME/Library/Application Support/Sublime Text 3/Packages/ you can create a plugin to help you out. If Sublime is already running, you can call c:\Program Files\Sublime Text 3\subl.exe and it will reload those files.īut maybe you can’t write to C:\Program Files or want to keep things a bit more covert. When Sublime next starts, your code will run. If you have the permissions to edit files in C:\Program Files\, you can simply edit sublime.py or sublime_plugin.py for your persistence needs. Sublime leverages Python for its plugin ecosystem. That post also covers some good detection method as well. Leo Pitt also outlined its usage with JXA and Apfell here. Prior art by theevilbit is worth a quick read and that post goes into persisting in Python imports and others applications. ![]() I’m certainly not the first to leverage Sublime for persistence. Feel free to skip to the end if you’re not interested in the Sublime Plugin aspect. ![]() There are likely a plethora of creative options but having Sublime Text installed I found a nice option for escaping the Office sandbox. Recent patches have precluded directly writing to LaunchAgents or Application Scripts but files can still be written to other user writable paths as long as they start with ~$. The Sublime Text editor automatically loads (outside the sandbox) Python plugins from a user writable file pathĪfter reading Patrick Wardle’s Office Drama on macOS which outlined a persistence method leveraging a sandbox escaped discovered by Adam Chester (see Escaping the Microsoft Office Sandbox), I did some rudimentary experimenting.The MS Office sandbox allows writing files to arbitrary locations as long as they begin with ~$, with some exceptions.If an unwitting user runs a malicious macro-enabled document on a macOS system that has Sublime Text installed, an attacker can seamlessly escape the Office sandbox. A Sublime Office Sandbox Bypass Wed, Oct 21, 2020
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |