As of macOS 12 (Monterey), Apple's Virtualization framework has nice support for macOS guest virtual machines, but with severe limitations: For example you can't install a macOS guest on Intel Macs, install guests with newer versions of macOS than the host, copy and paste between the host and the guest, or install third party kernel extensions in the guest. As usual for Apple, the functionality they do support is nicely implemented, but they've left out so much that the result is only marginally useful -- at least compared to
MS Office docx files may contain external OLE Object references as HTML files. There is an HTML sceme "ms-msdt:" which invokes the msdt diagnostic tool, what is capable of executing arbitrary code (specified in parameters).
The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).
Here are the steps to build a Proof-of-Concept docx:
- Open Word (used up-to-date 2019 Pro, 16.0.10386.20017), create a dummy document, insert an (OLE) object (as a Bitmap Image), save it in docx.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
/* | |
Written By Pan ZhenPeng(@peterpan980927) of Alibaba Security Pandora Lab | |
use it on macOS: cc poc.c -o poc while True; do ./poc ; done | |
*/ | |
#include <errno.h> | |
#include <signal.h> | |
#include <fcntl.h> | |
#include <stdio.h> | |
#include <stdlib.h> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
// To compile: clang++ -arch x86_64 -arch arm64 -std=c++20 library_injector.cpp -lbsm -lEndpointSecurity -o library_injector, | |
// then codesign with com.apple.developer.endpoint-security.client and run the | |
// program as root. | |
#include <EndpointSecurity/EndpointSecurity.h> | |
#include <algorithm> | |
#include <array> | |
#include <bsm/libbsm.h> | |
#include <cstdint> | |
#include <cstdlib> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Connect to device using adb | |
adb connect <@IP> | |
# Start su shell (works out of the box - no need to root device) | |
adb shell | |
su | |
# We need to remount the system file-system in order to modify the start-up script | |
mount -o remount,rw /system |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#include <stdio.h> | |
#include <stdint.h> | |
#include <stdlib.h> | |
#include <mach/mach.h> | |
#include <CommonCrypto/CommonCrypto.h> | |
#include <ctype.h> | |
void hexdump(void *ptr, int buflen) { | |
unsigned char *buf = (unsigned char*)ptr; | |
int i, j; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
// Bugs by NSO Group / Ian Beer. | |
// Exploit by Siguza & tihmstar. | |
// Thanks also to Max Bazaliy. | |
#include <stdint.h> // uint32_t, uint64_t | |
#include <stdio.h> // fprintf, stderr | |
#include <string.h> // memcpy, memset, strncmp | |
#include <unistd.h> // getpid | |
#include <mach/mach.h> | |
#include <stdlib.h> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# | |
# arm64_sysregs_ios.py | |
# Brandon Azad | |
# | |
# Based on https://github.com/gdelugre/ida-arm-system-highlight by Guillaume Delugre. | |
# | |
import idautils | |
import idc |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/env zsh | |
set -e; | |
set +m; # Job control would've been nice, but manual round robin it is, sigh. | |
if [ -z "${ZSH_VERSION+x}" ]; then | |
echo 'Try again with zsh.'; | |
exit 1; | |
fi; |
UPDATE 2023-01-22 21:34:33
This guide was last tested on an Intel MacBook 2017. Since then it's unmaintained and won't be updated (I quit the game and bought a life-time crossover licence).
This has been forked from https://gist.github.com/Alex4386/4cce275760367e9f5e90e2553d655309
For the latest discussion, see the comments there.
NewerOlder