mirror of
https://github.com/carlospolop/hacktricks
synced 2025-02-20 16:08:27 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac
This commit is contained in:
parent
52b6f9230f
commit
8c69a3e77b
1 changed files with 44 additions and 35 deletions
|
@ -1,8 +1,8 @@
|
|||
# macOS Dirty NIB
|
||||
|
||||
{% hint style="success" %}
|
||||
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
||||
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||||
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/arte.png" alt="" data-size="line">\
|
||||
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||||
|
||||
<details>
|
||||
|
||||
|
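Review bot: the only substantive change in this hunk is the banner image path going from `/.gitbook/assets/arte.png` and `/.gitbook/assets/grte.png` to `../../../.gitbook/assets/...`, which silently ties the banner to the file's nesting depth. The truncated commit path `macos-hardening/macos-security-and-privilege-escalation/mac...` shows at least two directory levels but does not prove a third, so `../../../` resolves only if the page really sits three directories below the repository root; with a depth of two it would point above the repo and the images would break. Please confirm the depth (or keep the root-relative form the other translated pages use) before merging, and keep both `arte.png` and `grte.png` on the same convention.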
@ -15,66 +15,75 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
|
|||
</details>
|
||||
{% endhint %}
|
||||
|
||||
**Kwa maelezo zaidi kuhusu mbinu hii angalia chapisho asilia kutoka: [https://blog.xpnsec.com/dirtynib/**](https://blog.xpnsec.com/dirtynib/).** Hapa kuna muhtasari:
|
||||
**Kwa maelezo zaidi kuhusu mbinu hii angalia chapisho la asili kutoka:** [**https://blog.xpnsec.com/dirtynib/**](https://blog.xpnsec.com/dirtynib/) na chapisho linalofuata kutoka [**https://sector7.computest.nl/post/2024-04-bringing-process-injection-into-view-exploiting-all-macos-apps-using-nib-files/**](https://sector7.computest.nl/post/2024-04-bringing-process-injection-into-view-exploiting-all-macos-apps-using-nib-files/)**.** Hapa kuna muhtasari:
|
||||
|
||||
Faili za NIB, sehemu ya mfumo wa maendeleo wa Apple, zinakusudia kufafanua **vipengele vya UI** na mwingiliano wao katika programu. Zinajumuisha vitu vilivyopangwa kama vile madirisha na vifungo, na hupakiwa wakati wa utendaji. Licha ya matumizi yao yaendelea, Apple sasa inapendekeza Storyboards kwa ajili ya uonyeshaji wa mtiririko wa UI wa kina zaidi.
|
||||
### Nini Nib files
|
||||
|
||||
### Wasiwasi wa Usalama na Faili za NIB
|
||||
Ni muhimu kutambua kwamba **faili za NIB zinaweza kuwa hatari za usalama**. Zina uwezo wa **kutekeleza amri zisizo na mipaka**, na mabadiliko kwenye faili za NIB ndani ya programu hayazuia Gatekeeper kutekeleza programu hiyo, na kuleta tishio kubwa.
|
||||
Nib (fupi kwa NeXT Interface Builder) files, sehemu ya mfumo wa maendeleo wa Apple, zinakusudia kufafanua **vipengele vya UI** na mwingiliano wao katika programu. Zinajumuisha vitu vilivyopangwa kama vile madirisha na vifungo, na hupakuliwa wakati wa wakati wa kutekeleza. Licha ya matumizi yao yaendelea, Apple sasa inashauri Storyboards kwa ajili ya uonyeshaji wa mtiririko wa UI wa kina zaidi.
|
||||
|
||||
Faili kuu ya Nib inarejelea katika thamani **`NSMainNibFile`** ndani ya faili ya `Info.plist` ya programu na inapakuliwa na kazi **`NSApplicationMain`** inayotekelezwa katika kazi ya `main` ya programu.
|
||||
|
||||
### Mchakato wa Uingizaji wa Dirty Nib
|
||||
|
||||
### Mchakato wa Uingizaji wa Dirty NIB
|
||||
#### Kuunda na Kuweka Faili ya NIB
|
||||
|
||||
1. **Mipangilio ya Awali**:
|
||||
- Unda faili mpya ya NIB kwa kutumia XCode.
|
||||
- Ongeza Kitu kwenye kiolesura, ukipanga darasa lake kuwa `NSAppleScript`.
|
||||
- Sanidi mali ya awali ya `source` kupitia Sifa za Wakati wa Uendeshaji Zilizofafanuliwa na Mtumiaji.
|
||||
|
||||
2. **Kifaa cha Kutekeleza Msimbo**:
|
||||
- Mipangilio hii inaruhusu kuendesha AppleScript kwa mahitaji.
|
||||
- Jumuisha kifungo ili kuamsha kitu cha `Apple Script`, hasa kuanzisha mteule wa `executeAndReturnError:`.
|
||||
|
||||
* Unda faili mpya ya NIB kwa kutumia XCode.
|
||||
* Ongeza Kitu kwenye interface, ukipanga darasa lake kuwa `NSAppleScript`.
|
||||
* Sanidi mali ya awali ya `source` kupitia Sifa za Wakati wa Uendeshaji Zilizofanywa na Mtumiaji.
|
||||
2. **Gadget ya Kutekeleza Msimbo**:
|
||||
* Mipangilio inarahisisha kuendesha AppleScript kwa mahitaji.
|
||||
* Jumuisha kifungo ili kuamsha kitu cha `Apple Script`, hasa kuanzisha mteule wa `executeAndReturnError:`.
|
||||
3. **Kujaribu**:
|
||||
- Msimbo rahisi wa Apple Script kwa ajili ya majaribio:
|
||||
* Msimbo rahisi wa Apple Script kwa ajili ya majaribio:
|
||||
|
||||
```bash
|
||||
set theDialogText to "PWND"
|
||||
display dialog theDialogText
|
||||
```
|
||||
- Jaribu kwa kuendesha kwenye debugger ya XCode na kubofya kifungo.
|
||||
* Jaribu kwa kuendesha katika debugger ya XCode na kubofya kifungo.
|
||||
|
||||
#### Kulenga Programu (Mfano: Pages)
|
||||
|
||||
1. **Maandalizi**:
|
||||
- Nakili programu lengwa (mfano, Pages) kwenye saraka tofauti (mfano, `/tmp/`).
|
||||
- Anzisha programu ili kuepuka matatizo ya Gatekeeper na kuikadiria.
|
||||
|
||||
* Nakili programu lengwa (mfano, Pages) kwenye directory tofauti (mfano, `/tmp/`).
|
||||
* Anzisha programu ili kuepuka matatizo ya Gatekeeper na kuikadiria.
|
||||
2. **Kufuta Faili ya NIB**:
|
||||
- Badilisha faili ya NIB iliyopo (mfano, About Panel NIB) kwa faili ya DirtyNIB iliyoundwa.
|
||||
|
||||
* Badilisha faili ya NIB iliyopo (mfano, About Panel NIB) na faili ya DirtyNIB iliyoundwa.
|
||||
3. **Utekelezaji**:
|
||||
- Amsha utekelezaji kwa kuingiliana na programu (mfano, kuchagua kipengee cha menyu `About`).
|
||||
* Amsha utekelezaji kwa kuingiliana na programu (mfano, kuchagua kipengee cha menyu `About`).
|
||||
|
||||
#### Ushahidi wa Dhihirisho: Kupata Takwimu za Mtumiaji
|
||||
- Badilisha AppleScript ili kufikia na kutoa takwimu za mtumiaji, kama picha, bila idhini ya mtumiaji.
|
||||
|
||||
* Badilisha AppleScript ili kufikia na kutoa takwimu za mtumiaji, kama picha, bila idhini ya mtumiaji.
|
||||
|
||||
### Mfano wa Msimbo: Faili ya .xib Mbaya
|
||||
- Fikia na angalia [**mfano wa faili mbaya ya .xib**](https://gist.github.com/xpn/16bfbe5a3f64fedfcc1822d0562636b4) inayodhihirisha kutekeleza msimbo usio na mipaka.
|
||||
|
||||
### Kukabiliana na Vikwazo vya Uzinduzi
|
||||
- Vikwazo vya Uzinduzi vinakwamisha utekelezaji wa programu kutoka maeneo yasiyotarajiwa (mfano, `/tmp`).
|
||||
- Inawezekana kubaini programu ambazo hazijalindwa na Vikwazo vya Uzinduzi na kuzilenga kwa uingizaji wa faili za NIB.
|
||||
* Fikia na kagua [**mfano wa faili mbaya ya .xib**](https://gist.github.com/xpn/16bfbe5a3f64fedfcc1822d0562636b4) inayodhihirisha kutekeleza msimbo wa kiholela.
|
||||
|
||||
### Mfano Mwingine
|
||||
|
||||
Katika chapisho [https://sector7.computest.nl/post/2024-04-bringing-process-injection-into-view-exploiting-all-macos-apps-using-nib-files/](https://sector7.computest.nl/post/2024-04-bringing-process-injection-into-view-exploiting-all-macos-apps-using-nib-files/) unaweza kupata mafunzo juu ya jinsi ya kuunda nib mbaya. 
|
||||
|
||||
### Kushughulikia Vikwazo vya Uzinduzi
|
||||
|
||||
* Vikwazo vya Uzinduzi vinakwamisha utekelezaji wa programu kutoka maeneo yasiyotarajiwa (mfano, `/tmp`).
|
||||
* Inawezekana kubaini programu ambazo hazijalindwa na Vikwazo vya Uzinduzi na kuzilenga kwa ajili ya uingizaji wa faili ya NIB.
|
||||
|
||||
### Ulinzi wa ziada wa macOS
|
||||
Kuanzia macOS Sonoma, mabadiliko ndani ya vifurushi vya Programu yamezuiliwa. Hata hivyo, mbinu za awali zilihusisha:
|
||||
|
||||
Kuanzia macOS Sonoma kuendelea, mabadiliko ndani ya vifurushi vya Programu yamezuiliwa. Hata hivyo, mbinu za awali zilihusisha:
|
||||
|
||||
1. Nakala ya programu kwenye eneo tofauti (mfano, `/tmp/`).
|
||||
2. Kubadilisha majina ya saraka ndani ya kifurushi cha programu ili kupita ulinzi wa awali.
|
||||
2. Kubadilisha majina ya directories ndani ya kifurushi cha programu ili kupita ulinzi wa awali.
|
||||
3. Baada ya kuendesha programu ili kujiandikisha na Gatekeeper, kubadilisha kifurushi cha programu (mfano, kubadilisha MainMenu.nib na Dirty.nib).
|
||||
4. Kubadilisha majina ya saraka nyuma na kuendesha tena programu ili kutekeleza faili ya NIB iliyounganishwa.
|
||||
|
||||
**Kumbuka**: Sasisho za hivi karibuni za macOS zimepunguza exploit hii kwa kuzuia mabadiliko ya faili ndani ya vifurushi vya programu baada ya caching ya Gatekeeper, na kufanya exploit hiyo isifanye kazi.
|
||||
4. Kubadilisha majina ya directories nyuma na kuendesha tena programu ili kutekeleza faili ya NIB iliyowekwa.
|
||||
|
||||
**Kumbuka**: Sasisho za hivi karibuni za macOS zimepunguza exploit hii kwa kuzuia mabadiliko ya faili ndani ya vifurushi vya programu baada ya caching ya Gatekeeper, na kufanya exploit hiyo isifanye kazi.
|
||||
|
||||
{% hint style="success" %}
|
||||
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
||||
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||||
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/arte.png" alt="" data-size="line">\
|
||||
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||||
|
||||
<details>
|
||||
|
||||
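Review bot: the test snippet fence is tagged ```bash but contains AppleScript (`set theDialogText to "PWND"` / `display dialog theDialogText`); tag it ```applescript so readers do not try to paste it into a shell and so highlighting is correct. Three smaller consistency points in the same hunk: the section heading is changed to "Mchakato wa Uingizaji wa Dirty NIB" while the intro paragraph still writes "Nib" and "Faili kuu ya Nib", so pick one spelling; the list markers switch from `-` to `*` for the same items, which reads as churn rather than a fix; and "Sifa za Wakati wa Uendeshaji Zilizofanywa na Mtumiaji" (attributes made by the user) is a step back from the previous "Zilizofafanuliwa" (defined by the user) as a rendering of Xcode's "User Defined Runtime Attributes". Finally, "kuikadiria" in "kuepuka matatizo ya Gatekeeper na kuikadiria" still means "to estimate"; the intended sense is caching the app so Gatekeeper does not re-evaluate it, as the later "caching ya Gatekeeper" sentence says.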