mirror of
https://github.com/carlospolop/hacktricks
synced 2024-12-22 19:13:39 +00:00
179 lines
8.4 KiB
Markdown
179 lines
8.4 KiB
Markdown
# Depuração do Sandbox Padrão do macOS
|
|
|
|
<details>
|
|
|
|
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
|
|
|
* Você trabalha em uma **empresa de segurança cibernética**? Você quer ver sua **empresa anunciada no HackTricks**? ou você quer ter acesso à **última versão do PEASS ou baixar o HackTricks em PDF**? Verifique os [**PLANOS DE ASSINATURA**](https://github.com/sponsors/carlospolop)!
|
|
* Descubra [**A Família PEASS**](https://opensea.io/collection/the-peass-family), nossa coleção exclusiva de [**NFTs**](https://opensea.io/collection/the-peass-family)
|
|
* Adquira o [**swag oficial do PEASS & HackTricks**](https://peass.creator-spring.com)
|
|
* **Junte-se ao** [**💬**](https://emojipedia.org/speech-balloon/) [**grupo Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo telegram**](https://t.me/peass) ou **siga-me** no **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
|
* **Compartilhe seus truques de hacking enviando PRs para o** [**repositório hacktricks**](https://github.com/carlospolop/hacktricks) **e** [**repositório hacktricks-cloud**](https://github.com/carlospolop/hacktricks-cloud).
|
|
|
|
</details>
|
|
|
|
Nesta página, você pode aprender como criar um aplicativo para executar comandos arbitrários de dentro do sandbox padrão do macOS:
|
|
|
|
1. Compile o aplicativo:
|
|
|
|
{% code title="main.m" %}
|
|
```objectivec
|
|
#include <Foundation/Foundation.h>
|
|
|
|
int main(int argc, const char * argv[]) {
|
|
@autoreleasepool {
|
|
while (true) {
|
|
char input[512];
|
|
|
|
printf("Enter command to run (or 'exit' to quit): ");
|
|
if (fgets(input, sizeof(input), stdin) == NULL) {
|
|
break;
|
|
}
|
|
|
|
// Remove newline character
|
|
size_t len = strlen(input);
|
|
if (len > 0 && input[len - 1] == '\n') {
|
|
input[len - 1] = '\0';
|
|
}
|
|
|
|
if (strcmp(input, "exit") == 0) {
|
|
break;
|
|
}
|
|
|
|
system(input);
|
|
}
|
|
}
|
|
return 0;
|
|
}
|
|
```
|
|
{% endcode %}
|
|
|
|
Compile-o executando: `clang -framework Foundation -o SandboxedShellApp main.m`
|
|
|
|
2. Construa o pacote `.app`
|
|
```bash
|
|
mkdir -p SandboxedShellApp.app/Contents/MacOS
|
|
mv SandboxedShellApp SandboxedShellApp.app/Contents/MacOS/
|
|
|
|
cat << EOF > SandboxedShellApp.app/Contents/Info.plist
|
|
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
|
|
<plist version="1.0">
|
|
<dict>
|
|
<key>CFBundleIdentifier</key>
|
|
<string>com.example.SandboxedShellApp</string>
|
|
<key>CFBundleName</key>
|
|
<string>SandboxedShellApp</string>
|
|
<key>CFBundleVersion</key>
|
|
<string>1.0</string>
|
|
<key>CFBundleExecutable</key>
|
|
<string>SandboxedShellApp</string>
|
|
</dict>
|
|
</plist>
|
|
EOF
|
|
```
|
|
3. Definir as permissões
|
|
|
|
{% tabs %}
|
|
{% tab title="sandbox" %}
|
|
```bash
|
|
cat << EOF > entitlements.plist
|
|
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
|
|
<plist version="1.0">
|
|
<dict>
|
|
<key>com.apple.security.app-sandbox</key>
|
|
<true/>
|
|
</dict>
|
|
</plist>
|
|
EOF
|
|
```
|
|
{% tab title="sandbox + downloads" %}
|
|
|
|
# macOS Sandbox + Downloads
|
|
|
|
## Introduction
|
|
|
|
The macOS Sandbox is a security feature that restricts the actions of applications, preventing them from accessing sensitive resources or performing malicious activities. This helps to protect the system and user data from potential threats.
|
|
|
|
One area where the macOS Sandbox is commonly used is in handling file downloads. By default, applications running in the sandbox are not allowed to write files to the user's Downloads folder. This prevents downloaded files from being automatically saved to a location where they could potentially cause harm.
|
|
|
|
## Sandbox Entitlements
|
|
|
|
To enable an application to write files to the Downloads folder, specific entitlements need to be added to its sandbox profile. These entitlements grant the necessary permissions for the application to access and modify the Downloads folder.
|
|
|
|
## Modifying the Sandbox Profile
|
|
|
|
To modify the sandbox profile of an application, you can use the `sandbox-exec` command-line tool. This tool allows you to specify a custom sandbox profile for an application, overriding the default restrictions.
|
|
|
|
To allow an application to write files to the Downloads folder, you need to create a custom sandbox profile that includes the necessary entitlements. This profile can then be applied to the application using the `sandbox-exec` command.
|
|
|
|
## Creating a Custom Sandbox Profile
|
|
|
|
To create a custom sandbox profile, you can use the `sandbox-simplify` tool. This tool simplifies an existing sandbox profile by removing unnecessary restrictions, making it easier to understand and modify.
|
|
|
|
Once you have a simplified sandbox profile, you can add the necessary entitlements to allow file writing to the Downloads folder. This can be done by modifying the profile using a text editor.
|
|
|
|
## Adding Entitlements
|
|
|
|
To allow an application to write files to the Downloads folder, you need to add the following entitlements to its sandbox profile:
|
|
|
|
```plaintext
|
|
(version 1)
|
|
(deny default)
|
|
(allow file-write* (subpath "/Users/<username>/Downloads"))
|
|
```
|
|
|
|
Replace `<username>` with the actual username of the user account.
|
|
|
|
## Applying the Custom Sandbox Profile
|
|
|
|
To apply the custom sandbox profile to an application, you can use the `sandbox-exec` command-line tool. The following command applies the custom profile to the specified application:
|
|
|
|
```plaintext
|
|
sandbox-exec -f <path-to-profile> <path-to-application>
|
|
```
|
|
|
|
Replace `<path-to-profile>` with the path to the custom sandbox profile, and `<path-to-application>` with the path to the application.
|
|
|
|
## Conclusion
|
|
|
|
By modifying the sandbox profile of an application, you can enable it to write files to the user's Downloads folder. This allows for more flexibility in handling file downloads while still maintaining the security benefits of the macOS Sandbox.
|
|
|
|
{% endtab %}
|
|
```bash
|
|
cat << EOF > entitlements.plist
|
|
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
|
|
<plist version="1.0">
|
|
<dict>
|
|
<key>com.apple.security.app-sandbox</key>
|
|
<true/>
|
|
<key>com.apple.security.files.downloads.read-write</key>
|
|
<true/>
|
|
</dict>
|
|
</plist>
|
|
EOF
|
|
```
|
|
{% endtab %}
|
|
{% endtabs %}
|
|
|
|
4. Assine o aplicativo (você precisa criar um certificado no keychain)
|
|
```bash
|
|
codesign --entitlements entitlements.plist -s "YourIdentity" SandboxedShellApp.app
|
|
./SandboxedShellApp.app/Contents/MacOS/SandboxedShellApp
|
|
|
|
# An d in case you need this in the future
|
|
codesign --remove-signature SandboxedShellApp.app
|
|
```
|
|
<details>
|
|
|
|
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
|
|
|
* Você trabalha em uma **empresa de cibersegurança**? Você quer ver sua **empresa anunciada no HackTricks**? ou você quer ter acesso à **última versão do PEASS ou baixar o HackTricks em PDF**? Verifique os [**PLANOS DE ASSINATURA**](https://github.com/sponsors/carlospolop)!
|
|
* Descubra [**A Família PEASS**](https://opensea.io/collection/the-peass-family), nossa coleção exclusiva de [**NFTs**](https://opensea.io/collection/the-peass-family)
|
|
* Adquira o [**swag oficial do PEASS & HackTricks**](https://peass.creator-spring.com)
|
|
* **Junte-se ao** [**💬**](https://emojipedia.org/speech-balloon/) [**grupo Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo telegram**](https://t.me/peass) ou **siga-me** no **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
|
* **Compartilhe seus truques de hacking enviando PRs para o** [**repositório hacktricks**](https://github.com/carlospolop/hacktricks) **e** [**repositório hacktricks-cloud**](https://github.com/carlospolop/hacktricks-cloud).
|
|
|
|
</details>
|