Gist D00MFist/feca65673d78a0bc0333f826eeb80956, last active July 26, 2023 08:08
Entitlement checker
#!/bin/sh
# Dump the entitlements of every item in /Applications into results.out.
# codesign writes the entitlements blob to stdout when "-" is given as the output file;
# its own diagnostics (including "code object is not signed at all") go to stderr, so
# 2>&1 keeps those next to the app they belong to instead of leaving an empty entry.
for file in /Applications/*
do
    echo "--------------" >> results.out
    echo "$file" >> results.out
    codesign -d --entitlements - "$file" >> results.out 2>&1
done
#!/bin/sh
# Variant: print each entry to the terminal as progress and append its entitlements to results.out.
search_dir=/Applications
for entry in "$search_dir"/*
do
    echo "$entry"
    echo "------------" >> results.out
    echo "$entry" >> results.out   # record the path in the results file too, otherwise the entries cannot be told apart
    codesign -d --entitlements - "$entry" >> results.out 2>&1
done
If the application does not have the hardened runtime turned on -> try DYLD_INSERT_LIBRARIES (check the codesign flags as well: a binary signed with the library-validation flag still only loads dylibs signed by the same Team ID or by Apple, and platform binaries ignore DYLD_* variables regardless).
If the application has the hardened runtime turned on:
--look also for the com.apple.security.get-task-allow entitlement. If it is set to true, inject via task_for_pid (libinject in Poseidon).
--look also for the pair com.apple.security.cs.allow-dyld-environment-variables & com.apple.security.cs.disable-library-validation. If both are set to true, use DYLD_INSERT_LIBRARIES (with only allow-dyld-environment-variables, library validation still limits the injected dylib to one signed by the same Team ID or by Apple).
--find an older version of the application without the hardened runtime and use DYLD_INSERT_LIBRARIES; the older build keeps the same bundle identifier and Team ID, so TCC grants and XPC client checks keyed on those still apply to it.
--find another app signed by the same developer without the hardened runtime and use DYLD_INSERT_LIBRARIES (useful where an XPC service only checks the connecting client's Team ID).
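The decision tree above turned into a small classifier, as an added example that is not part of D00MFist's gist. It assumes the `codesign -dvvv` report (written to stderr) carries a `flags=...` token on its CodeDirectory line and that `codesign -d --entitlements -` prints an XML plist; the sample flags and entitlement plists at the bottom are constructed, not taken from any real application. `has_entitlement` and `classify_injection` work on captured text, so they can be run anywhere; `scan_applications` needs a Mac.

```shell
#!/bin/sh
# Added example, not part of the original gist: name the injection route from the
# notes above given the codesign flags token and the entitlements plist of an app.

# has_entitlement PLIST KEY: succeeds if KEY appears in the plist with a <true/> value.
# All whitespace is stripped first so "<key>K</key>\n\t<true/>" matches regardless of layout.
has_entitlement() {
    printf '%s\n' "$1" | tr -d ' \t\n' | grep -qF "<key>$2</key><true/>"
}

# classify_injection FLAGS ENTITLEMENTS: print the route the notes suggest.
# FLAGS looks like "flags=0x10000(runtime)" or "flags=0x12000(library-validation,runtime)".
classify_injection() {
    flags=$1
    ents=$2

    case "$flags" in
        *runtime*) ;;   # hardened runtime on: fall through to the entitlement checks
        *library-validation*)
            # No hardened runtime, but the library-validation flag is set: DYLD_INSERT_LIBRARIES
            # is honoured, yet the dylib must be signed by the same Team ID or by Apple.
            echo "DYLD_INSERT_LIBRARIES (same Team ID or Apple-signed dylib only)"
            return 0 ;;
        *)
            echo "DYLD_INSERT_LIBRARIES"
            return 0 ;;
    esac

    if has_entitlement "$ents" com.apple.security.get-task-allow; then
        echo "task_for_pid"
        return 0
    fi
    if has_entitlement "$ents" com.apple.security.cs.allow-dyld-environment-variables; then
        if has_entitlement "$ents" com.apple.security.cs.disable-library-validation; then
            echo "DYLD_INSERT_LIBRARIES"
        else
            echo "DYLD_INSERT_LIBRARIES (same Team ID or Apple-signed dylib only)"
        fi
        return 0
    fi
    echo "none: look for an older build or another app from the same developer without hardened runtime"
    return 0
}

# scan_applications [DIR]: run codesign on each .app bundle and classify it (macOS only).
scan_applications() {
    dir=${1:-/Applications}
    for app in "$dir"/*.app; do
        [ -d "$app" ] || continue
        # codesign -dvvv reports on stderr; the flags token sits on the CodeDirectory line.
        flags=$(codesign -dvvv "$app" 2>&1 | sed -n 's/^CodeDirectory .*\(flags=[^ ]*\).*/\1/p' | head -n 1)
        ents=$(codesign -d --entitlements - "$app" 2>/dev/null)
        printf '%s\t%s\t%s\n' "$app" "${flags:-flags=unknown}" "$(classify_injection "$flags" "$ents")"
    done
}

# Constructed sample inputs (not taken from any real application).
SAMPLE_FLAGS_PLAIN='flags=0x0(none)'
SAMPLE_FLAGS_HARDENED='flags=0x10000(runtime)'
SAMPLE_FLAGS_LV='flags=0x2000(library-validation)'
SAMPLE_ENTS_TASK_ALLOW='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.get-task-allow</key>
    <true/>
</dict>
</plist>'
SAMPLE_ENTS_DYLD_PAIR='<plist version="1.0"><dict>
  <key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>
  <key>com.apple.security.cs.disable-library-validation</key><true/>
</dict></plist>'
SAMPLE_ENTS_DYLD_ONLY='<plist version="1.0"><dict>
  <key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>
  <key>com.apple.security.cs.disable-library-validation</key><false/>
</dict></plist>'

# Usage on a Mac: source this file and call scan_applications; elsewhere, feed captured output directly.
classify_injection "$SAMPLE_FLAGS_HARDENED" "$SAMPLE_ENTS_TASK_ALLOW"
```

The classifier only reads what codesign reports. Whether task_for_pid actually succeeds still depends on the caller (root, or the relevant entitlements under SIP), and an unsigned app produces no flags token at all, which `scan_applications` reports as `flags=unknown` so it can be checked by hand.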
https://wojciechregula.blog/post/learn-xpc-exploitation-part-3-code-injections/
https://knight.sc/malware/2019/03/15/code-injection-on-macos.html