As of macOS 12 (Monterey), Apple's Virtualization framework has nice support for macOS guest virtual machines, but with severe limitations: For example you can't install a macOS guest on Intel Macs, install guests with newer versions of macOS than the host, copy and paste between the host and the guest, or install third party kernel extensions in the guest. As usual for Apple, the functionality they do support is nicely implemented, but they've left out so much that the result is only marginally useful -- at least compared to
illusionofchaos
steven-michaud
/ ThirdPartyKexts.md
Last active
May 16, 2024 09:19
Running Third Party Kernel Extensions on Virtualization Framework macOS Guest VMs
tothi
/ ms-msdt.MD
Last active
April 18, 2024 02:22
The MS-MSDT 0-day Office RCE Proof-of-Concept Payload Building Process
MS Office docx files may contain external OLE Object references as HTML files. There is an HTML sceme "ms-msdt:" which invokes the msdt diagnostic tool, what is capable of executing arbitrary code (specified in parameters).
The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).
Here are the steps to build a Proof-of-Concept docx:
- Open Word (used up-to-date 2019 Pro, 16.0.10386.20017), create a dummy document, insert an (OLE) object (as a Bitmap Image), save it in docx.
infernalheaven
/ poc.c
Created
September 16, 2021 02:18
macOS 11.5.2/iOS 14.7.1 Kernel Race Condition poc
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| Written By Pan ZhenPeng(@peterpan980927) of Alibaba Security Pandora Lab | |
| use it on macOS: cc poc.c -o poc while True; do ./poc ; done | |
| */ | |
| #include <errno.h> | |
| #include <signal.h> | |
| #include <fcntl.h> | |
| #include <stdio.h> | |
| #include <stdlib.h> |
saagarjha
/ library_injector.cpp
Last active
April 5, 2024 19:53
Load a library into newly spawned processes (using DYLD_INSERT_LIBRARIES and EndpointSecurity)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // To compile: clang++ -arch x86_64 -arch arm64 -std=c++20 library_injector.cpp -lbsm -lEndpointSecurity -o library_injector, | |
| // then codesign with com.apple.developer.endpoint-security.client and run the | |
| // program as root. | |
| #include <EndpointSecurity/EndpointSecurity.h> | |
| #include <algorithm> | |
| #include <array> | |
| #include <bsm/libbsm.h> | |
| #include <cstdint> | |
| #include <cstdlib> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Connect to device using adb | |
| adb connect <@IP> | |
| # Start su shell (works out of the box - no need to root device) | |
| adb shell | |
| su | |
| # We need to remount the system file-system in order to modify the start-up script | |
| mount -o remount,rw /system |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdio.h> | |
| #include <stdint.h> | |
| #include <stdlib.h> | |
| #include <mach/mach.h> | |
| #include <CommonCrypto/CommonCrypto.h> | |
| #include <ctype.h> | |
| void hexdump(void *ptr, int buflen) { | |
| unsigned char *buf = (unsigned char*)ptr; | |
| int i, j; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Bugs by NSO Group / Ian Beer. | |
| // Exploit by Siguza & tihmstar. | |
| // Thanks also to Max Bazaliy. | |
| #include <stdint.h> // uint32_t, uint64_t | |
| #include <stdio.h> // fprintf, stderr | |
| #include <string.h> // memcpy, memset, strncmp | |
| #include <unistd.h> // getpid | |
| #include <mach/mach.h> | |
| #include <stdlib.h> |
bazad
/ arm64_sysregs_ios.py
Created
July 17, 2020 19:58
Label iOS arm64 system registers in IDA Pro
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # | |
| # arm64_sysregs_ios.py | |
| # Brandon Azad | |
| # | |
| # Based on https://github.com/gdelugre/ida-arm-system-highlight by Guillaume Delugre. | |
| # | |
| import idautils | |
| import idc |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env zsh | |
| set -e; | |
| set +m; # Job control would've been nice, but manual round robin it is, sigh. | |
| if [ -z "${ZSH_VERSION+x}" ]; then | |
| echo 'Try again with zsh.'; | |
| exit 1; | |
| fi; |
sarimarton
/ crossover-howtocompile.md
Last active
May 2, 2024 08:16
— forked from Alex4386/crossover-howtocompile.md
CodeWeavers CrossOver - How to compile from source! for macOS
UPDATE 2023-01-22 21:34:33
This guide was last tested on an Intel MacBook 2017. Since then it's unmaintained and won't be updated (I quit the game and bought a life-time crossover licence).
This has been forked from https://gist.github.com/Alex4386/4cce275760367e9f5e90e2553d655309
For the latest discussion, see the comments there.
NewerOlder