diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png
new file mode 100644
index 00000000..e70bceed
Binary files /dev/null and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png
index e70bceed..2173ed0a 100644
Binary files a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1).png
index 2173ed0a..53e9f7c1 100644
Binary files a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1).png
index 53e9f7c1..0ea1b858 100644
Binary files a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1).png
index 0ea1b858..b38f1e7c 100644
Binary files a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1).png
index b38f1e7c..0e554c19 100644
Binary files a/.gitbook/assets/image (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1).png
index 0e554c19..a8cfa5b7 100644
Binary files a/.gitbook/assets/image (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1).png
index a8cfa5b7..33c23d55 100644
Binary files a/.gitbook/assets/image (1) (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1).png
index 33c23d55..bedca8e1 100644
Binary files a/.gitbook/assets/image (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (1) (1).png b/.gitbook/assets/image (1) (1).png
index bedca8e1..a0a303a2 100644
Binary files a/.gitbook/assets/image (1) (1).png and b/.gitbook/assets/image (1) (1).png differ
diff --git a/.gitbook/assets/image (1).png b/.gitbook/assets/image (1).png
index a0a303a2..f9a051e2 100644
Binary files a/.gitbook/assets/image (1).png and b/.gitbook/assets/image (1).png differ
diff --git a/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png
new file mode 100644
index 00000000..eaa792ed
Binary files /dev/null and b/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1).png
index eaa792ed..eb7611c9 100644
Binary files a/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1).png
index eb7611c9..4ede9266 100644
Binary files a/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1).png
index 4ede9266..d7789e60 100644
Binary files a/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1).png
index d7789e60..ca4b6651 100644
Binary files a/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (2) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (2) (1) (1) (1) (1) (1).png
index ca4b6651..0330f840 100644
Binary files a/.gitbook/assets/image (2) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (2) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (2) (1) (1) (1) (1).png b/.gitbook/assets/image (2) (1) (1) (1) (1).png
index 0330f840..8190e06a 100644
Binary files a/.gitbook/assets/image (2) (1) (1) (1) (1).png and b/.gitbook/assets/image (2) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (2) (1) (1) (1).png b/.gitbook/assets/image (2) (1) (1) (1).png
index 8190e06a..0c49287b 100644
Binary files a/.gitbook/assets/image (2) (1) (1) (1).png and b/.gitbook/assets/image (2) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (2) (1) (1).png b/.gitbook/assets/image (2) (1) (1).png
index 0c49287b..bedca8e1 100644
Binary files a/.gitbook/assets/image (2) (1) (1).png and b/.gitbook/assets/image (2) (1) (1).png differ
diff --git a/.gitbook/assets/image (2) (1).png b/.gitbook/assets/image (2) (1).png
index bedca8e1..61170210 100644
Binary files a/.gitbook/assets/image (2) (1).png and b/.gitbook/assets/image (2) (1).png differ
diff --git a/.gitbook/assets/image (2).png b/.gitbook/assets/image (2).png
index 61170210..f0efd5eb 100644
Binary files a/.gitbook/assets/image (2).png and b/.gitbook/assets/image (2).png differ
diff --git a/.gitbook/assets/image.png b/.gitbook/assets/image.png
index f0efd5eb..0b96b38e 100644
Binary files a/.gitbook/assets/image.png and b/.gitbook/assets/image.png differ
diff --git a/README.md b/README.md
index 358f9238..4b1f90d8 100644
--- a/README.md
+++ b/README.md
@@ -40,7 +40,7 @@ You can check their **blog** in [**https://blog.stmcyber.com**](https://blog.stmcyber.com) ### [Intigriti](https://www.intigriti.com) -
+
**Intigriti** is the **Europe's #1** ethical hacking and **bug bounty platform.** diff --git a/backdoors/salseo.md b/backdoors/salseo.md index 453450c7..1a4205ed 100644 --- a/backdoors/salseo.md +++ b/backdoors/salseo.md @@ -99,7 +99,7 @@ Open the SalseoLoader project using Visual Studio. ### Add before the main function: \[DllExport] -![](<../.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1).png>) +![](<../.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png>) ### Install DllExport for this project diff --git a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md index 64995552..02aff9eb 100644 --- a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md +++ b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md @@ -12,7 +12,7 @@ - + If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). @@ -231,7 +231,7 @@ C:\Users\test\Desktop\test>pyinstaller --onefile hello.py * [https://blog.f-secure.com/how-to-decompile-any-python-binary/](https://blog.f-secure.com/how-to-decompile-any-python-binary/) - + If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). diff --git a/macos-hardening/macos-auto-start-locations.md b/macos-hardening/macos-auto-start-locations.md index 613da411..b3aa25f1 100644 --- a/macos-hardening/macos-auto-start-locations.md +++ b/macos-hardening/macos-auto-start-locations.md @@ -449,7 +449,7 @@ The iTerm2 preferences located in **`~/Library/Preferences/com.googlecode.iterm2 This setting can be configured in the iTerm2 settings: -
+
And the command is reflected in the preferences: @@ -774,7 +774,7 @@ mv /tmp/folder.scpt "$HOME/Library/Scripts/Folder Action Scripts" Then, open the `Folder Actions Setup` app, select the **folder you would like to watch** and select in your case **`folder.scpt`** (in my case I called it output2.scp): -
+
Now, if you open that folder with **Finder**, your script will be executed. @@ -972,7 +972,7 @@ Writeup: [https://posts.specterops.io/saving-your-access-d562bf5bf90b](https://p * `~/Library/Screen Savers` * **Trigger**: Select the screen saver -
+
#### Description & Exploit diff --git a/macos-hardening/macos-red-teaming/README.md b/macos-hardening/macos-red-teaming/README.md index 2a7e3e5e..503d24c8 100644 --- a/macos-hardening/macos-red-teaming/README.md +++ b/macos-hardening/macos-red-teaming/README.md @@ -53,7 +53,7 @@ Moreover, after finding proper credentials you could be able to brute-force othe #### JAMF device Authentication -
+
The **`jamf`** binary contained the secret to open the keychain which at the time of the discovery was **shared** among everybody and it was: **`jk23ucnq91jfu9aj`**.\ Moreover, jamf **persist** as a **LaunchDaemon** in **`/Library/LaunchAgents/com.jamf.management.agent.plist`** diff --git a/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/README.md b/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/README.md index 00dc88c4..9d56f95a 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/README.md +++ b/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/README.md 
@@ -1144,6 +1144,343 @@ static void customConstructor(int argc, const char **argv) } ``` +## MIG - Mach Interface Generator + +MIG was created to **simplify the process of Mach IPC** code creation. It basically **generates the needed code** for server and client to communicate with a given definition. Even if the generated code is ugly, a developer will just need to import it and his code will be much simpler than before. + +### Example + +Create a definition file, in this case with a very simple function: + +{% code title="myipc.defs" %} +```cpp +subsystem myipc 500; // Arbitrary name and id + +userprefix USERPREF; // Prefix for created functions in the client +serverprefix SERVERPREF; // Prefix for created functions in the server + +#include +#include + +simpleroutine Subtract( + server_port : mach_port_t; + n1 : uint32_t; + n2 : uint32_t); +``` +{% endcode %} + +Now use mig to generate the server and client code that will be able to comunicate within each other to call the Subtract function: + +```bash +mig -header myipcUser.h -sheader myipcServer.h myipc.defs +``` + +Several new files will be created in the current directory. 
+ +In the files **`myipcServer.c`** and **`myipcServer.h`** you can find the declaration and definition of the struct **`SERVERPREFmyipc_subsystem`**, which basically defines the function to call based on the received message ID (we indicated a starting number of 500): + +{% tabs %} +{% tab title="myipcServer.c" %} +```c +/* Description of this subsystem, for use in direct RPC */ +const struct SERVERPREFmyipc_subsystem SERVERPREFmyipc_subsystem = { + myipc_server_routine, + 500, // start ID + 501, // end ID + (mach_msg_size_t)sizeof(union __ReplyUnion__SERVERPREFmyipc_subsystem), + (vm_address_t)0, + { + { (mig_impl_routine_t) 0, + // Function to call + (mig_stub_routine_t) _XSubtract, 3, 0, (routine_arg_descriptor_t)0, (mach_msg_size_t)sizeof(__Reply__Subtract_t)}, + } +}; +``` +{% endtab %} + +{% tab title="myipcServer.h" %} +```c +/* Description of this subsystem, for use in direct RPC */ +extern const struct SERVERPREFmyipc_subsystem { + mig_server_routine_t server; /* Server routine */ + mach_msg_id_t start; /* Min routine number */ + mach_msg_id_t end; /* Max routine number + 1 */ + unsigned int maxsize; /* Max msg size */ + vm_address_t reserved; /* Reserved */ + struct routine_descriptor /* Array of routine descriptors */ + routine[1]; +} SERVERPREFmyipc_subsystem; +``` +{% endtab %} +{% endtabs %} + +Based on the previous struct the function **`myipc_server_routine`** will get the **message ID** and return the proper function to call: + +```c +mig_external mig_routine_t myipc_server_routine + (mach_msg_header_t *InHeadP) +{ + int msgh_id; + + msgh_id = InHeadP->msgh_id - 500; + + if ((msgh_id > 0) || (msgh_id < 0)) + return 0; + + return SERVERPREFmyipc_subsystem.routine[msgh_id].stub_routine; +} +``` + +In this example we only defined 1 function in the definitions, but if we would have defined more, the would have been inside the array of **`SERVERPREFmyipc_subsystem`** and the first one will be assigned to the ID **500**, the second one to the ID 
**501**... + +Actually it's possible to identify this relation in the struct **`subsystem_to_name_map_myipc`** from **`myipcServer.h`**: + +```c +#ifndef subsystem_to_name_map_myipc +#define subsystem_to_name_map_myipc \ + { "Subtract", 500 } +#endif +``` + +Finally, another important function to make the server work will be **`myipc_server`**, which is the one that will actually **call the function** related to the received id: + +
mig_external boolean_t myipc_server
+	(mach_msg_header_t *InHeadP, mach_msg_header_t *OutHeadP)
+{
+	/*
+	 * typedef struct {
+	 * 	mach_msg_header_t Head;
+	 * 	NDR_record_t NDR;
+	 * 	kern_return_t RetCode;
+	 * } mig_reply_error_t;
+	 */
+
+	mig_routine_t routine;
+
+	OutHeadP->msgh_bits = MACH_MSGH_BITS(MACH_MSGH_BITS_REPLY(InHeadP->msgh_bits), 0);
+	OutHeadP->msgh_remote_port = InHeadP->msgh_reply_port;
+	/* Minimal size: routine() will update it if different */
+	OutHeadP->msgh_size = (mach_msg_size_t)sizeof(mig_reply_error_t);
+	OutHeadP->msgh_local_port = MACH_PORT_NULL;
+	OutHeadP->msgh_id = InHeadP->msgh_id + 100;
+	OutHeadP->msgh_reserved = 0;
+
+	if ((InHeadP->msgh_id > 500) || (InHeadP->msgh_id < 500) ||
+	    ((routine = SERVERPREFmyipc_subsystem.routine[InHeadP->msgh_id - 500].stub_routine) == 0)) {
+		((mig_reply_error_t *)OutHeadP)->NDR = NDR_record;
+		((mig_reply_error_t *)OutHeadP)->RetCode = MIG_BAD_ID;
+		return FALSE;
+	}
+	(*routine) (InHeadP, OutHeadP);
+	return TRUE;
+}
+
+ +Check the following code to use the generated code to create a simple server and client where the client can call the functions Subtract from the server: + +{% tabs %} +{% tab title="myipc_server.c" %} +```c +// gcc myipc_server.c myipcServer.c -o myipc_server + +#include +#include +#include +#include "myipcServer.h" + +kern_return_t SERVERPREFSubtract(mach_port_t server_port, uint32_t n1, uint32_t n2) +{ + printf("Received: %d - %d = %d\n", n1, n2, n1 - n2); + return KERN_SUCCESS; +} + +int main() { + + mach_port_t port; + kern_return_t kr; + + // Register the mach service + kr = bootstrap_check_in(bootstrap_port, "xyz.hacktricks.mig", &port); + if (kr != KERN_SUCCESS) { + printf("bootstrap_check_in() failed with code 0x%x\n", kr); + return 1; + } + + // myipc_server is the function that handles incoming messages (check previous exlpanation) + mach_msg_server(myipc_server, sizeof(union __RequestUnion__SERVERPREFmyipc_subsystem), port, MACH_MSG_TIMEOUT_NONE); +} +``` +{% endtab %} + +{% tab title="myipc_client.c" %} +```c +// gcc myipc_client.c myipcUser.c -o myipc_client + +#include +#include +#include + +#include +#include +#include "myipcUser.h" + +int main() { + + // Lookup the receiver port using the bootstrap server. + mach_port_t port; + kern_return_t kr = bootstrap_look_up(bootstrap_port, "xyz.hacktricks.mig", &port); + if (kr != KERN_SUCCESS) { + printf("bootstrap_look_up() failed with code 0x%x\n", kr); + return 1; + } + printf("Port right name %d\n", port); + USERPREFSubtract(port, 40, 2); +} +``` +{% endtab %} +{% endtabs %} + +## Binary Analysis + +As many binaries now use MIG to expose mach ports, it's interesting to know how to **identify that MIG was used** and the **functions that MIG executes** with each message ID. 
+ +[**jtool2**](../../macos-apps-inspecting-debugging-and-fuzzing/#jtool2) can parse MIG information from a Mach-O binary indicating the message ID and identifying the function to execute: + +```bash +jtool2 -d __DATA.__const myipc_server | grep MIG +``` + +It was previously mentioned that the function that will take care of **calling the correct function depending on the received message ID** was `myipc_server`. However, you usually won't have the symbols of the binary (no functions names), so it's interesting to **check how it looks like decompiled** as it will always be very similar (the code of this function is independent from the functions exposed): + + + +{% tabs %} +{% tab title="myipc_server decompiled 1" %} +
int _myipc_server(int arg0, int arg1) {
+    var_10 = arg0;
+    var_18 = arg1;
+    // Initial instructions to find the proper function ponters
+    *(int32_t *)var_18 = *(int32_t *)var_10 & 0x1f;
+    *(int32_t *)(var_18 + 0x8) = *(int32_t *)(var_10 + 0x8);
+    *(int32_t *)(var_18 + 0x4) = 0x24;
+    *(int32_t *)(var_18 + 0xc) = 0x0;
+    *(int32_t *)(var_18 + 0x14) = *(int32_t *)(var_10 + 0x14) + 0x64;
+    *(int32_t *)(var_18 + 0x10) = 0x0;
+    if (*(int32_t *)(var_10 + 0x14) <= 0x1f4 && *(int32_t *)(var_10 + 0x14) >= 0x1f4) {
+            rax = *(int32_t *)(var_10 + 0x14);
+            // Call to sign_extend_64 that can help to identifyf this function
+            // This stores in rax the pointer to the call that needs to be called
+            // Check the used of the address 0x100004040 (functions addresses array)
+            // 0x1f4 = 500 (the strating ID)
+            rax = *(sign_extend_64(rax - 0x1f4) * 0x28 + 0x100004040);
+            var_20 = rax;
+            // If - else, the if returns false, while the else call the correct function and returns true
+            if (rax == 0x0) {
+                    *(var_18 + 0x18) = **_NDR_record;
+                    *(int32_t *)(var_18 + 0x20) = 0xfffffffffffffed1;
+                    var_4 = 0x0;
+            }
+            else {
+                    // Calculated address that calls the proper function with 2 arguments
+                    (var_20)(var_10, var_18);
+                    var_4 = 0x1;
+            }
+    }
+    else {
+            *(var_18 + 0x18) = **_NDR_record;
+            *(int32_t *)(var_18 + 0x20) = 0xfffffffffffffed1;
+            var_4 = 0x0;
+    }
+    rax = var_4;
+    return rax;
+}
+
+{% endtab %} + +{% tab title="myipc_server decompiled 2" %} +This is the same function decompiled in a difefrent Hopper free version: + +
int _myipc_server(int arg0, int arg1) {
+    r31 = r31 - 0x40;
+    saved_fp = r29;
+    stack[-8] = r30;
+    var_10 = arg0;
+    var_18 = arg1;
+    // Initial instructions to find the proper function ponters
+    *(int32_t *)var_18 = *(int32_t *)var_10 & 0x1f | 0x0;
+    *(int32_t *)(var_18 + 0x8) = *(int32_t *)(var_10 + 0x8);
+    *(int32_t *)(var_18 + 0x4) = 0x24;
+    *(int32_t *)(var_18 + 0xc) = 0x0;
+    *(int32_t *)(var_18 + 0x14) = *(int32_t *)(var_10 + 0x14) + 0x64;
+    *(int32_t *)(var_18 + 0x10) = 0x0;
+    r8 = *(int32_t *)(var_10 + 0x14);
+    r8 = r8 - 0x1f4;
+    if (r8 > 0x0) {
+            if (CPU_FLAGS & G) {
+                    r8 = 0x1;
+            }
+    }
+    if ((r8 & 0x1) == 0x0) {
+            r8 = *(int32_t *)(var_10 + 0x14);
+            r8 = r8 - 0x1f4;
+            if (r8 < 0x0) {
+                    if (CPU_FLAGS & L) {
+                            r8 = 0x1;
+                    }
+            }
+            if ((r8 & 0x1) == 0x0) {
+                    r8 = *(int32_t *)(var_10 + 0x14);
+                    // 0x1f4 = 500 (the strating ID)
+                    r8 = r8 - 0x1f4;
+                    asm { smaddl     x8, w8, w9, x10 };
+                    r8 = *(r8 + 0x8);
+                    var_20 = r8;
+                    r8 = r8 - 0x0;
+                    if (r8 != 0x0) {
+                            if (CPU_FLAGS & NE) {
+                                    r8 = 0x1;
+                            }
+                    }
+                    // Same if else as in the previous version
+                    // Check the used of the address 0x100004040 (functions addresses array)
+                    if ((r8 & 0x1) == 0x0) {
+                            *(var_18 + 0x18) = **0x100004000;
+                            *(int32_t *)(var_18 + 0x20) = 0xfffffed1;
+                            var_4 = 0x0;
+                    }
+                    else {
+                            // Call to the calculated address where the function should be
+                            (var_20)(var_10, var_18);
+                            var_4 = 0x1;
+                    }
+            }
+            else {
+                    *(var_18 + 0x18) = **0x100004000;
+                    *(int32_t *)(var_18 + 0x20) = 0xfffffed1;
+                    var_4 = 0x0;
+            }
+    }
+    else {
+            *(var_18 + 0x18) = **0x100004000;
+            *(int32_t *)(var_18 + 0x20) = 0xfffffed1;
+            var_4 = 0x0;
+    }
+    r0 = var_4;
+    return r0;
+}
+
+
+{% endtab %} +{% endtabs %} + +Actually if you go to the function **`0x100004000`** you will find the array of **`routine_descriptor`** structs, the first element of the struct is the address where the function is implemented and the **struct takes 0x28 bytes**, so each 0x28 bytes (starting from byte 0) you can get 8 bytes and that be the **address of the function** that will be called: + +
+ +
+ +This data can be extracted [**using this Hopper script**](https://github.com/knightsc/hopper/blob/master/scripts/MIG%20Detect.py). + ## References * [https://docs.darlinghq.org/internals/macos-specifics/mach-ports.html](https://docs.darlinghq.org/internals/macos-specifics/mach-ports.html) diff --git a/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/macos-xpc-authorization.md b/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/macos-xpc-authorization.md index aec494f7..5e21dcea 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/macos-xpc-authorization.md +++ b/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/macos-xpc-authorization.md @@ -302,7 +302,7 @@ authenticate-session-owner, authenticate-session-owner-or-admin, authenticate-se If you find the function: **`[HelperTool checkAuthorization:command:]`** it's probably the the process is using the previously mentioned schema for authorization: -
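Review bot: `USERPREFSubtract(port, 40, 2);` in the myipc_client.c sample discards the `kern_return_t` the MIG-generated stub returns, so an invalid port or a `MIG_BAD_ID` reply from the server passes silently even though the `bootstrap_look_up()` result two lines above is checked; `kr = USERPREFSubtract(port, 40, 2); if (kr != KERN_SUCCESS) printf("USERPREFSubtract() failed with code 0x%x\n", kr);`, and the `mach_msg_server()` return value in myipc_server.c is dropped the same way. For readers who will audit real MIG servers, a sentence after the `myipc_server` walkthrough is worth adding: the generated dispatch only range-checks `msgh_id` and does nothing to identify the sender, so any process that can `bootstrap_look_up` the service name can invoke every routine, and any authorization (for example from the message's audit token) must live inside the routine itself — which is exactly what to look for after locating the routine table during binary analysis. Minor: `printf("Received: %d - %d = %d\n", ...)` prints `uint32_t` values with `%d`; `%u` matches the declared types.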
+
Thisn, if this function is calling functions such as `AuthorizationCreateFromExternalForm`, `authorizationRightForCommand`, `AuthorizationCopyRights`, `AuhtorizationFree`, it's using [**EvenBetterAuthorizationSample**](https://github.com/brenwell/EvenBetterAuthorizationSample/blob/e1052a1855d3a5e56db71df5f04e790bfd4389c4/HelperTool/HelperTool.m#L101-L154). diff --git a/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-extensions.md b/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-extensions.md index bd716271..552a1bef 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-extensions.md +++ b/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-extensions.md @@ -22,7 +22,7 @@ Obviamente, esto es tan poderoso que es complicado cargar una extensión de kern * Al entrar en **modo de recuperación**, las extensiones de kernel deben estar **permitidas para ser cargadas**: -
+
* La extensión de kernel debe estar **firmada con un certificado de firma de código de kernel**, que solo puede ser otorgado por **Apple**. Quien revisará en detalle la **empresa** y las **razones** por las que se necesita. * La extensión de kernel también debe estar **notarizada**, Apple podrá verificarla en busca de malware. diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/README.md b/macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/README.md index 4e8f3516..4eb636c0 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/README.md +++ b/macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/README.md @@ -50,6 +50,9 @@ jtool2 -D /bin/ls # Decompile binary # Get signature information ARCH=x86_64 jtool2 --sig /System/Applications/Automator.app/Contents/MacOS/Automator + +# Get MIG information +jtool2 -d __DATA.__const myipc_server | grep MIG ``` ### Codesign diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-.net-applications-injection.md b/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-.net-applications-injection.md index a66440c1..742c6448 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-.net-applications-injection.md +++ b/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-.net-applications-injection.md @@ -21,7 +21,7 @@ It creates a 2 of names pipes per .Net process in [dbgtransportsession.cpp#L127] So, if you go to the users **`$TMPDIR`** you will be able to find **debugging fifos** you could use to debug .Net applications: -
+
The function [**DbgTransportSession::TransportWorker**](https://github.com/dotnet/runtime/blob/0633ecfb79a3b2f1e4c098d1dd0166bc1ae41739/src/coreclr/debug/shared/dbgtransportsession.cpp#L1259) will handle the communication from a debugger. diff --git a/mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-1.md b/mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-1.md index c6e385d5..003786ea 100644 --- a/mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-1.md +++ b/mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-1.md @@ -12,7 +12,7 @@ -
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). @@ -149,7 +149,7 @@ You can see that in [the next tutorial](frida-tutorial-2.md). -
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). diff --git a/mobile-pentesting/android-app-pentesting/install-burp-certificate.md b/mobile-pentesting/android-app-pentesting/install-burp-certificate.md index 1254d388..fbc71528 100644 --- a/mobile-pentesting/android-app-pentesting/install-burp-certificate.md +++ b/mobile-pentesting/android-app-pentesting/install-burp-certificate.md @@ -52,15 +52,15 @@ Explained in [**this video**](https://www.youtube.com/watch?v=qQicUW0svB8) you n 1. **Install a CA certificate**: Just **drag\&drop** the DER Burp certificate **changing the extension** to `.crt` in the mobile so it's stored in the Downloads folder and go to `Install a certificate` -> `CA certificate` -
+
* Check that the certificate was correctly stored going to `Trusted credentials` -> `USER` -
+
2. **Make it System trusted**: Download the Magisc module [MagiskTrustUserCerts](https://github.com/NVISOsecurity/MagiskTrustUserCerts) (a .zip file), **drag\&drop it** in the phone, go to the **Magics app** in the phone to the **`Modules`** section, click on **`Install from storage`**, select the `.zip` module and once installed **reboot** the phone: -
+
* After rebooting, go to `Trusted credentials` -> `SYSTEM` and check the Postswigger cert is there diff --git a/mobile-pentesting/xamarin-apps.md b/mobile-pentesting/xamarin-apps.md index 9659b002..d42051cc 100644 --- a/mobile-pentesting/xamarin-apps.md +++ b/mobile-pentesting/xamarin-apps.md @@ -36,7 +36,7 @@ It runs along with the Objective-C Runtime. The runtime environments run on top The below-given diagram depicts this architecture: -
+
### What is .Net Runtime and Mono Framework? @@ -70,7 +70,7 @@ If you encounter a Full AOT compiled application, and if the IL Assembly files a Just **unzip the apk/ipa** file and copy all the files present under the assemblies directory: -
+
In case of Android **APKs these dll files are compressed** and cannot be directly used for decompilation. Luckily there are tools out there that we can use to **uncompress these dll files** like [XamAsmUnZ](https://github.com/cihansol/XamAsmUnZ) and [xamarin-decompress](https://github.com/NickstaDB/xamarin-decompress). diff --git a/network-services-pentesting/15672-pentesting-rabbitmq-management.md b/network-services-pentesting/15672-pentesting-rabbitmq-management.md index 1b872f86..bb0ba65d 100644 --- a/network-services-pentesting/15672-pentesting-rabbitmq-management.md +++ b/network-services-pentesting/15672-pentesting-rabbitmq-management.md @@ -12,7 +12,7 @@ - + If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). @@ -60,7 +60,7 @@ Content-Length: 267 * `port:15672 http` - + If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). diff --git a/network-services-pentesting/pentesting-ssh.md b/network-services-pentesting/pentesting-ssh.md index 0ff1e1ce..9f4efeb5 100644 --- a/network-services-pentesting/pentesting-ssh.md +++ b/network-services-pentesting/pentesting-ssh.md @@ -12,7 +12,7 @@ - + If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). @@ -313,7 +313,7 @@ id_rsa * You can find interesting guides on how to harden SSH in [https://www.ssh-audit.com/hardening\_guides.html](https://www.ssh-audit.com/hardening\_guides.html) * [https://community.turgensec.com/ssh-hacking-guide](https://community.turgensec.com/ssh-hacking-guide) - + If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). diff --git a/network-services-pentesting/pentesting-web/jboss.md b/network-services-pentesting/pentesting-web/jboss.md index 6e79ec29..0b1070b1 100644 
--- a/network-services-pentesting/pentesting-web/jboss.md +++ b/network-services-pentesting/pentesting-web/jboss.md @@ -12,7 +12,7 @@ - + If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). @@ -40,7 +40,7 @@ You can expose **management servlets** via the following paths within JBoss (dep inurl:status EJInvokerServlet ``` - + If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). diff --git a/network-services-pentesting/pentesting-web/moodle.md b/network-services-pentesting/pentesting-web/moodle.md index 208b8176..02f91577 100644 --- a/network-services-pentesting/pentesting-web/moodle.md +++ b/network-services-pentesting/pentesting-web/moodle.md @@ -12,7 +12,7 @@ - + If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). @@ -120,7 +120,7 @@ find / -name "config.php" 2>/dev/null | grep "moodle/config.php" /usr/local/bin/mysql -u --password= -e "use moodle; select email,username,password from mdl_user; exit" ``` - + If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). diff --git a/pentesting-web/crlf-0d-0a.md b/pentesting-web/crlf-0d-0a.md index e9c58814..45a03fc1 100644 --- a/pentesting-web/crlf-0d-0a.md +++ b/pentesting-web/crlf-0d-0a.md @@ -12,7 +12,7 @@ - + If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). 
@@ -249,7 +249,7 @@ The best prevention technique is to not use users input directly inside response * [**https://www.acunetix.com/websitesecurity/crlf-injection/**](https://www.acunetix.com/websitesecurity/crlf-injection/) * [**https://portswigger.net/research/making-http-header-injection-critical-via-response-queue-poisoning**](https://portswigger.net/research/making-http-header-injection-critical-via-response-queue-poisoning) - + If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
diff --git a/pentesting-web/deserialization/exploiting-__viewstate-parameter.md b/pentesting-web/deserialization/exploiting-__viewstate-parameter.md
index cabeb410..cbf55396 100644
--- a/pentesting-web/deserialization/exploiting-__viewstate-parameter.md
+++ b/pentesting-web/deserialization/exploiting-__viewstate-parameter.md
@@ -12,7 +12,7 @@ - + If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
@@ -237,7 +237,7 @@ out of band request with the current username * [**https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/**](https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/) * [**https://blog.blacklanternsecurity.com/p/introducing-badsecrets**](https://blog.blacklanternsecurity.com/p/introducing-badsecrets) - + If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
diff --git a/pentesting-web/file-inclusion/phar-deserialization.md b/pentesting-web/file-inclusion/phar-deserialization.md
index 155ec0d8..7c4f6857 100644
--- a/pentesting-web/file-inclusion/phar-deserialization.md
+++ b/pentesting-web/file-inclusion/phar-deserialization.md
@@ -12,7 +12,7 @@ - + If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
@@ -89,7 +89,7 @@ php vuln.php {% embed url="https://blog.ripstech.com/2018/new-php-exploitation-technique/" %} - + If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
diff --git a/pentesting-web/race-condition.md b/pentesting-web/race-condition.md
index 68464443..a5c442b8 100644
--- a/pentesting-web/race-condition.md
+++ b/pentesting-web/race-condition.md
@@ -52,7 +52,7 @@ Note that It **doesn't work for static files** on certain servers but as static Using this technique, you can make 20-30 requests arrive at the server simultaneously - regardless of network jitter:
-
+
**Adapting to the target architecture**
@@ -72,7 +72,7 @@ If connection warming doesn't make any difference, there are various solutions t Using Turbo Intruder, you can introduce a short client-side delay. However, as this involves splitting your actual attack requests across multiple TCP packets, you won't be able to use the single-packet attack technique. As a result, on high-jitter targets, the attack is unlikely to work reliably regardless of what delay you set.
-
+
Instead, you may be able to solve this problem by abusing a common security feature.
@@ -141,7 +141,7 @@ Content-Length: 0 * For **delaying** the process **between** processing **one request and another** in a 2 substates steps, you could **add extra requests between** both requests. * For a **multi-endpoint** RC you could start sending the **request** that **goes to the hidden state** and then **50 requests** just after it that **exploits the hidden state**.
-
+
### Raw BF
@@ -238,7 +238,7 @@ Operations that edit existing data (such as changing an account's primary email Most endpoints operate on a specific record, which is looked up using a 'key', such as a username, password reset token, or filename. For a successful attack, we need two operations that use the same key. For example, picture two plausible password reset implementations:
-
+
2. **Probe for clues**
diff --git a/windows-hardening/active-directory-methodology/silver-ticket.md b/windows-hardening/active-directory-methodology/silver-ticket.md
index bb31da38..b049f13c 100644
--- a/windows-hardening/active-directory-methodology/silver-ticket.md
+++ b/windows-hardening/active-directory-methodology/silver-ticket.md
@@ -12,7 +12,7 @@ - + If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
@@ -168,7 +168,7 @@ mimikatz(commandline) # lsadump::dcsync /dc:pcdc.domain.local /domain:domain.loc [dcsync.md](dcsync.md) {% endcontent-ref %} - + If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
diff --git a/windows-hardening/windows-local-privilege-escalation/dll-hijacking.md b/windows-hardening/windows-local-privilege-escalation/dll-hijacking.md
index f1ca230e..303df5d0 100644
--- a/windows-hardening/windows-local-privilege-escalation/dll-hijacking.md
+++ b/windows-hardening/windows-local-privilege-escalation/dll-hijacking.md
@@ -12,7 +12,7 @@ - + If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
@@ -243,7 +243,7 @@ BOOL APIENTRY DllMain (HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReser } ``` - + If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
diff --git a/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md b/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
index 9ff685f4..10c31577 100644
--- a/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
+++ b/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
@@ -12,7 +12,7 @@ - + If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
@@ -351,7 +351,7 @@ Find more Autoruns like registries in [https://www.microsoftpressstore.com/artic * [https://attack.mitre.org/techniques/T1547/001/](https://attack.mitre.org/techniques/T1547/001/) * [https://www.microsoftpressstore.com/articles/article.aspx?p=2762082\&seqNum=2](https://www.microsoftpressstore.com/articles/article.aspx?p=2762082\&seqNum=2) - + If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).