
macOS Privilege Escalation & Post-Exploitation

Table of Contents

Begin Unsorted Section

macOS sort bf7fe45e89/Library/Homebrew/cask/quarantine.rb
  • Disclosure: Another macOS privacy protections bypass - Jeff Johnson(2020)

Slides

Talks
  • CVE-2019-5514 is a cool RCE in VMware Fusion 11, abusing an unauthenticated REST endpoint running on localhost
  • Offensive MacOS
    • This is a collection of macOS specific tooling, blogs, and other related information for offensive macOS assessments

Stuff
  • XcodeGhost - Wikipedia
  • XCSSET Mac Malware: Infects Xcode Projects, Performs UXSS Attack on Safari, Other Browsers, Leverages Zero-day Exploits - Trend Micro(2020)

3rd Party

DruvaSync

APFS

Carbon

Cred Attacks
  • Articles
  • Tools
    • KeytabParser
      • Python script to parse macOS's Heimdal Keytab file (typically /etc/krb5.keytab)

Code Injection
  • insert_dylib
    • Command line utility for inserting a dylib load command into a Mach-O binary

Collection
  • Articles/Blogposts/Writeups
  • Tools

Defense Evasion
  • Exploiting XPC in AntiVirus - Csaba Fitz(NullCon2021)
    • In this talk we will publish our research we conducted on 28 different AntiVirus products on macOS through 2020. Our focus was to assess the XPC services these products expose and if they presented any security vulnerabilities. We will talk about the typical issues, and demonstrate plenty of vulnerabilities, which typically led to full control of the given product or local privilege escalation on the system. At the end we will give advice to developers how to write secure XPC services.
  • Mojave’s security “hardening” User protections could be bypassed - Phil Stokes(2018)
    • Apple Events are blocked depending on origination, could be bypassed using SSH.

Disco
  • Articles/Blogposts/Writeups
    • Always Watching: macOS Eavesdropping – Justin Bui (SO-CON 2020)
      • As macOS becomes more prevalent in modern enterprise environments, red teamers have had to adapt their tradecraft. Input monitoring and screenshots can provide a wealth of information for an attacker on any operating system. In this talk, we’ll discuss macOS internals and dive into the various API calls necessary for keylogging, clipboard monitoring, and screenshots. The accompanying source code will be released to GitHub!
  • Tools

DMG

DylibHijack
  • Dylib-Hijack-Scanner
    • JavaScript for Automation (JXA) version of Patrick Wardle's tool that searches applications for dylib hijacking opportunities

DYLD

Entitlements

Evasion
  • Articles/Blogposts/Writeups
  • Tools

Execution
  • 101
  • Articles/Blogposts/Writeups
  • Talks/Presentations/Videos
  • Tools
    • Bring-Your-Own-*

Gatekeeper

Hooking
  • subhook
    • SubHook is a super-simple hooking library for C and C++ that works on Windows, Linux and macOS. It supports x86 only (32-bit and 64-bit).
  • Function Hooking for Mac OSX and Linux
    • Slides

Injection
  • InjectCheck
    • The tool enumerates the Hardened Runtime, Entitlements, and presence of Electron files to determine possible injection opportunities

JAMF
  • An Attacker's Perspective on JAMF Configurations - Luke Roberts, Calum Hall(ObjectiveByTheSeav3)
  • Jamfing for Joy: Attacking macOS in Enterprise - Calum Hall, Luke Roberts(2020)

JXA
  • PersistentJXA
    • Collection of macOS persistence methods and miscellaneous tools in JXA

LoLbins

Mach-O
  • So You Want To Be A Mach-O Man? - symbolcrash(2019)
  • Mach-O Universal / Fat Binaries - symbolcrash(2019)

Malware

Objective-C

Payloads

Persistence
  • Persistent JXA - Leo Pitt(2020)
  • Operationalising Calendar Alerts: Persistence on macOS - Luke Roberts(2020)
    • Throughout the following blog post we provide insights into calendar alerts, a method of persisting on macOS. Building on the work of Andy Grant over at NCC, this post takes a deeper look into weaponising the feature for use in offensive operations. This includes reversing to find an undocumented API that enables the technique.
  • Hey, I'm Still In Here: An Overview of macOS Persistence Techniques – Leo Pitt (SO-CON 2020)
    • There is more to macOS persistence than Launch Agents. This talk goes over some lesser utilized macOS persistence methods. We will walk through how these methods work, how automation can be leveraged to quickly execute these from an offensive perspective, and how defenders can leverage indicators of these methods to assist in detection efforts.
  • Finder plugins
  • Tools
    • CalendarPersist
      • JXA script to allow programmatic persistence via macOS alerts.

plist

Pkgs
  • Unpacking Pkgs: A Look Inside Macos Installer Packages And Common Security Flaws - Andy Grant

PkgInfo

PopUps

PostEx
  • macos_execute_from_memory

Privileged Helper Tools

PrivEsc
  • Unauthd - Logic bugs FTW - A2nkF(2020)
  • Privilege Escalation macOS Malware & The Path to Root Part 2 - Phil Stokes(2019)

Shellcode
  • 101
    • Creating OSX shellcodes - theevilbit(2015)
    • Shellcode: Mac OSX amd64 - odzhan(2017)
  • Techniques
  • Talks/Presentations/Videos
  • Tools
  • Samples
    • OSX/x64 - execve(/bin/sh) + Null-Free Shellcode (34 bytes)
    • OSX/x64 - Bind (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (144 bytes)

TCC

URL Schemes
  • Custom_URL_Scheme

Workflows

XPC

End Unsorted Section

macOS Post-Exploitation General Notes

  • F

AppleScript, Objective-C & Swift

  • F

Post-Exploitation OS X

macOS Technologies

macOS Code Injection

  • 101
  • General Information
  • Articles/Blogposts/Writeups
  • Techniques