
A2nkF / Unauthd

A local privilege escalation chain from user to kernel for macOS < 10.15.5 (CVE-2020-9854).

Projects that are alternatives to or similar to Unauthd

Exploit Discord Cache System Poc
Exploit Discord's cache system to remote upload payloads on Discord users machines
Stars: ✭ 51 (-35.44%)
Mutual labels:  exploit
Unlockdown
Disabling kernel lockdown on Ubuntu without physical access
Stars: ✭ 62 (-21.52%)
Mutual labels:  exploit
Kernel Exploits
My proof-of-concept exploits for the Linux kernel
Stars: ✭ 1,173 (+1384.81%)
Mutual labels:  exploit
Slowloris
Asynchronous Python implementation of SlowLoris DoS attack
Stars: ✭ 51 (-35.44%)
Mutual labels:  exploit
Sap exploit
Here you can get full exploit for SAP NetWeaver AS JAVA
Stars: ✭ 60 (-24.05%)
Mutual labels:  exploit
Chimay Red
Mikrotik RouterOS (6.x < 6.38.5) exploit kit. Reverse engineered from the "Vault 7" WikiLeaks publication.
Stars: ✭ 63 (-20.25%)
Mutual labels:  exploit
Scripting
PS / Bash / Python / Other scripts For FUN!
Stars: ✭ 47 (-40.51%)
Mutual labels:  exploit
Cve 2017 0781
Blueborne CVE-2017-0781 Android heap overflow vulnerability
Stars: ✭ 74 (-6.33%)
Mutual labels:  exploit
Azure password harvesting
Plaintext Password harvesting from Azure Windows VMs
Stars: ✭ 61 (-22.78%)
Mutual labels:  exploit
Ctf
Some of my CTF solutions
Stars: ✭ 70 (-11.39%)
Mutual labels:  exploit
Ntrghidra
Fully Featured Nintendo DS Loader for Ghidra
Stars: ✭ 56 (-29.11%)
Mutual labels:  exploit
Cve 2020 0796
CVE-2020-0796 - Windows SMBv3 LPE exploit #SMBGhost
Stars: ✭ 1,102 (+1294.94%)
Mutual labels:  exploit
Poc Bank
Focus on cybersecurity | collection of PoC and Exploits
Stars: ✭ 68 (-13.92%)
Mutual labels:  exploit
Pythem
pentest framework
Stars: ✭ 1,060 (+1241.77%)
Mutual labels:  exploit
Hacker ezines
A collection of electronic hacker magazines carefully curated over the years from multiple sources
Stars: ✭ 72 (-8.86%)
Mutual labels:  exploit
Twitter Follow Exploit
Automated Twitter mass account creation and follow using Selenium and Tor VPN
Stars: ✭ 47 (-40.51%)
Mutual labels:  exploit
Slickermaster Rev4
NSA Hacking Tool Recreation UnitedRake
Stars: ✭ 62 (-21.52%)
Mutual labels:  exploit
Yookiterm Slides
Exploitation and Mitigation Slides
Stars: ✭ 74 (-6.33%)
Mutual labels:  exploit
Ciscoexploit
Cisco Exploit (CVE-2019-1821 Cisco Prime Infrastructure Remote Code Execution/CVE-2019-1653/Cisco SNMP RCE/Dump Cisco RV320 Password)
Stars: ✭ 73 (-7.59%)
Mutual labels:  exploit
M0b Tool
exploit
Stars: ✭ 68 (-13.92%)
Mutual labels:  exploit

Unauthd (CVE-2020-9854)

A local privilege escalation chain from user to kernel for macOS < 10.15.5.

How does it work?

I wrote a blogpost explaining the vulnerabilities and exploitation methods I used. It can be found here.

How do I use it?

Build and run the unauthd target in the included Xcode project. It will hijack acfs.kext, print a message to the kernel log and register the debug.A2nkF.pwned sysctl. Run sysctl debug.A2nkF.pwned to verify that the exploit has worked. This is the expected output:

~$ sysctl debug.A2nkF.pwned
debug.A2nkF.pwned: --- Kernel pwned ---

And this is the expected exploit output:

[~] Fakesigning myself with entitlements...
[+] Done!
[+] Got authorization!
[~] Requesting rights...
[*] Copy rights returned 0
[+] Success!
[~] Preparing Stage2...
[+] Logger registerd!
[~] Installing Payload...
[+] Package created!
[~] Sending install request now!
[+] Logger started! Waiting for stage 2... 
[STAGE2] [*] Stage started!
[STAGE2] [+] Running as uid 0x0
[STAGE2] [+] SIP bypassed ;) Preparing Stage 3...
[STAGE2] [~] Getting kext!
[STAGE2] [1] Started kextutil...
[STAGE2] [2] Performed overwrite...
[STAGE2] [3] Loading kext...
[STAGE2] [3] Running kext...
[STAGE2] [+] Kernel pwned!
[STAGE2] [~] Cleaning up our mess... 
[FINAL] [+] Done!

The exploit has been tested on:

Darwin MacBookPro.local 19.3.0 Darwin Kernel Version 19.3.0: Thu Jan  9 20:58:23 PST 2020; root:xnu-6153.81.5~1/RELEASE_X86_64 x86_64
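As an added defender-side triage helper, not code from the Unauthd project: a POSIX shell script that classifies a macOS product version string against the affected range stated above (< 10.15.5) and, when run on a Mac, looks for the debug.A2nkF.pwned sysctl that the PoC registers, so an administrator can tell both whether a host is in scope and whether this payload has already run on it. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the Unauthd project): triage helpers for
# CVE-2020-9854. Function names are this example's own choices.

# Return 0 (true) when the macOS product version given as $1 is strictly
# older than 10.15.5, the range the README states as affected; 1 when it is
# 10.15.5 or newer; 2 when the string is not a dotted numeric version.
macos_affected_by_cve_2020_9854() {
    version="$1"
    case "$version" in
        ''|*[!0-9.]*|.*|*.|*..*) return 2 ;;
    esac
    major=$(printf '%s' "$version" | cut -d. -f1)
    # -s makes cut print nothing when the field is absent ("11", "10.15"),
    # so a missing minor or patch component counts as 0.
    minor=$(printf '%s' "$version" | cut -s -d. -f2)
    patch=$(printf '%s' "$version" | cut -s -d. -f3)
    minor=${minor:-0}
    patch=${patch:-0}
    [ "$major" -lt 10 ] && return 0
    [ "$major" -gt 10 ] && return 1
    [ "$minor" -lt 15 ] && return 0
    [ "$minor" -gt 15 ] && return 1
    [ "$patch" -lt 5 ] && return 0
    return 1
}

# Return 0 when the sysctl the PoC registers is readable on this host, 1 when
# it is absent or no sysctl binary is available (e.g. not running on macOS).
unauthd_sysctl_present() {
    command -v sysctl >/dev/null 2>&1 || return 1
    sysctl -n debug.A2nkF.pwned >/dev/null 2>&1
}

# Stand-alone use on a Mac: classify the running host. Both calls sit inside
# `if` so a "not affected" result does not abort a caller running with set -e.
if command -v sw_vers >/dev/null 2>&1; then
    host_version=$(sw_vers -productVersion)
    if macos_affected_by_cve_2020_9854 "$host_version"; then
        echo "macOS $host_version: within the affected range (< 10.15.5)"
    else
        echo "macOS $host_version: not in the affected range (or unparsable)"
    fi
    if unauthd_sysctl_present; then
        echo "debug.A2nkF.pwned is registered: the PoC payload has run on this host"
    fi
fi
```

The sysctl check only finds the artifact described in this README; a payload modified as the Hacking section below suggests may register nothing, so treat its absence as "no evidence", not as "clean".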

Hacking

You might have noticed that the System Preferences window pops up after the exploit has run. Just add a

while(1) {}

after the call to loadKext() in stage2/main.c to avoid that.

If you want to modify the exploit, here's what you need to know:

Building

The Xcode project has three build targets: unauthd, kernel and stage2. After applying your changes:

  1. Build the kernel target and copy the binary over to /kernel on Disk.dmg
  2. Build the stage2 target and copy the binary over to /System/Library/CoreServices/Applications/Feedback Assistant.app/Contents/Library/LaunchServices/seedusaged on Disk.dmg
  3. Build and run the unauthd target

Payloads

Custom kernel payload: Add a custom payload to kernel/kernel.c. Note: You might need to change the VICTIM_KEXT variable in stage2/main.c to a kext that is linked with the symbols you require, or do the symbol resolving dynamically.

Custom SIPless root payload: Add a custom payload to stage2/main.c after the call to loadKext().

Custom authd payload: This part is a bit trickier: you'll need to reverse engineer the framework implementing the APIs for the desired right, implement a client module in unauthd/modules/<yourmodule>.m and call it from unauthd/main.m.

Files

kernel: Kernel Payload

resources: Malicious DMG, entitlements and exploitable Apple-signed PKG

stage2: kextutil exploit + minimal mach logger client

unauthd: authd and system_installd exploit + minimal mach logger server

unauthd/modules: clients for private frameworks
