v2.0.36

fixing an issue with `ps`

Payload_Type/poseidon/poseidon/agent_code/CHANGELOG.MD

@@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
+## 2.0.36 - 2024-04-24
+
+### Changed
+
+- Fixed an issue with `ps` on new macOS machines that would cause the plist parsing to crash Poseidon
+
 ## 2.0.35 - 2024-04-11
 
 ### Changed

Payload_Type/poseidon/poseidon/agent_code/go.mod

@@ -1,6 +1,8 @@
 module github.com/MythicAgents/poseidon/Payload_Type/poseidon/agent_code
 
-go 1.19
+go 1.21
+
+toolchain go1.22.2
 
 require (
 	github.com/creack/pty v1.1.21

Payload_Type/poseidon/poseidon/agent_code/ps/launchdXPC_darwin.m

@@ -148,7 +148,6 @@ int getSubmittedPid(int pid) {
 
     //get number of bytes written (to shared memory)
     bytesWritten = xpc_dictionary_get_uint64(response, "bytes-written");
-
     //parse
     processInfo = parse([[NSString alloc] initWithBytes:(const void *)processInfoBuffer length:bytesWritten encoding:NSUTF8StringEncoding]);
 
@@ -161,138 +160,24 @@ int getSubmittedPid(int pid) {
         vm_deallocate(mach_task_self(), processInfoBuffer, processInfoLength);
         processInfoBuffer = 0;
     }
+    if (processInfo){
+        return processInfo[@"path"];
+    }
+    return @"";
 
-    return processInfo[@"path"];
     //return processInfo;
 }
 
 
 //parse proc info
 NSMutableDictionary* parse(NSString* data)
 {
-    //parsed proc info
-    NSMutableDictionary* procInfo = nil;
-
-    //lines
-    NSArray* lines = nil;
-
-    //dictionaries
-    NSMutableArray* dictionaries = nil;
-
-    //alloc
-    procInfo = [[NSMutableDictionary alloc] init];
-
     //pool
     @autoreleasepool {
-
-    //alloc
-    dictionaries = [NSMutableArray array];
-
-    //split
-    lines = [data componentsSeparatedByCharactersInSet:[NSCharacterSet newlineCharacterSet]];
-
-    //start w/ top level
-    [dictionaries addObject:procInfo];
-
-    //process 'dictionary'
-    [lines enumerateObjectsUsingBlock:^(id  _Nonnull obj, NSUInteger idx, BOOL * _Nonnull stop) {
-
-        //key
-        NSString* key = nil;
-
-        //tokens
-        NSArray* tokens = nil;
-
-        //obj should be a string
-        if(YES != [obj isKindOfClass:[NSString class]]) return;
-
-        //skip first line
-        if(0 == idx) return;
-
-        //trim object
-        obj = [obj stringByTrimmingCharactersInSet:[NSCharacterSet whitespaceCharacterSet]];
-
-        //skip empty/blank lines
-        if(0 == [obj length]) return;
-
-        //key line? (line: "key = {")
-        // extract key and add new dictionary
-        if(YES == [obj hasSuffix:@"{"])
-        {
-            //tokenize
-            tokens = [obj componentsSeparatedByString:@"="];
-
-            //extract key
-            // everything before '='
-            key = tokens.firstObject;
-            if(0 == key.length) return;
-
-            //init new dictionary
-            dictionaries.lastObject[key] = [NSMutableDictionary dictionary];
-
-            //'save' new dictionary
-            [dictionaries addObject:dictionaries.lastObject[key]];
-
-            return;
-        }
-
-        //end key line? (line: "}")
-        // remove dictionary, as it's no longer needed
-        if(YES == [obj hasSuffix:@"}"])
-        {
-            //remove
-            [dictionaries removeLastObject];
-
-            return;
-        }
-
-        //line w/ '=>' separator?
-        // (line: "key => value")
-        if(NSNotFound != [obj rangeOfString:@" => "].location)
-        {
-            //tokenize
-            tokens = [obj componentsSeparatedByString:@" => "];
-
-            //key is first value
-            key = tokens.firstObject;
-            if(0 == key.length) return;
-
-            //add key/value pair
-            dictionaries.lastObject[key] = tokens.lastObject;
-
-            return;
-        }
-
-        //line w/ '=' separator?
-        // (line: "key = value")
-        if(NSNotFound != [obj rangeOfString:@" = "].location)
-        {
-            //tokenize
-            tokens = [obj componentsSeparatedByString:@" = "];
-
-            //key is first value
-            key = tokens.firstObject;
-            if(0 == key.length) return;
-
-            //add key/value pair
-            dictionaries.lastObject[key] = tokens.lastObject;
-
-            return;
-        }
-
-        //non-key:value line in embedded dictionary?
-        if( (dictionaries.lastObject != procInfo) &&
-            (NSNotFound == [obj rangeOfString:@" = "].location) )
-        {
-            //add key/value pair
-            dictionaries.lastObject[[NSNumber numberWithInteger:[dictionaries.lastObject count]]] = obj;
-
-            return;
-        }
-
-    }];
-
-    } //pool
-
-    return procInfo;
+        NSData* plistData = [data dataUsingEncoding:NSUTF8StringEncoding];
+        NSString *error;
+        NSPropertyListFormat format = NSPropertyListOpenStepFormat;
+        NSDictionary* plist = [NSPropertyListSerialization propertyListWithData:plistData options:NSPropertyListImmutable format:&format error:&error];
+        return plist;
+    }
 }

Payload_Type/poseidon/poseidon/agentfunctions/builder.go

@@ -19,7 +19,7 @@ import (
 	"strings"
 )
 
-const version = "2.0.35"
+const version = "2.0.36"
 
 var payloadDefinition = agentstructs.PayloadType{
 	Name:                                   "poseidon",

agent_capabilities.json

@@ -9,7 +9,7 @@
   "payload_output": ["macho", "elf", "dylib", "so"],
   "architectures": ["x86_64", "arm_64"],
   "c2": ["http", "websocket", "dynamichttp", "poseidon_tcp"],
-  "mythic_version": "3.2.20-rc7",
-  "agent_version": "2.0.35",
+  "mythic_version": "3.2.20-rc11",
+  "agent_version": "2.0.36",
   "supported_wrappers": []
 }