Skip to content

Instantly share code, notes, and snippets.

View D00MFist's full-sized avatar

Leo Pitt D00MFist

212 followers · 34 following
View GitHub Profile
@nikolay-n
nikolay-n / xpc_info.pl
Created December 13, 2022 17:24
xpc pid path
$dump = `launchctl dumpstate`;
%services = ();
%endpoints = ();
$service = "";
$current_service = "";
$endpoints_block = 0;
for(split("\n", $dump)){
$service = $1 if /^([^\s]+)\s=/;
if ($service and ($service ne $current_service)){
$current_service = $service;
@r3ggi
r3ggi / macos-keylogger.m
Last active February 14, 2024 16:11
Universal macOS app keylogger that tracks input locations
// Info:
// Universal macOS keylogger that tracks input locations. It's injected per app as it doesn't require having global keyboard capturing permission
// Compilation:
// gcc -dynamiclib /tmp/keylogger.m -o /tmp/keylogger.dylib -framework Foundation -framework Appkit -arch x86_64 -arch arm64
// Usage:
// DYLD_INSERT_LIBRARIES=/tmp/keylogger.dylib /path/to/app/Contents/MacOS/App
#import <Foundation/Foundation.h>
@nikolay-n
nikolay-n / entitlements.yara
Last active September 5, 2024 14:02
Yara entitlements hunting
private rule MachO
{
meta:
description = "Mach-O executable"
category = "macho"
condition:
(uint32(0) == 0xfeedface or uint32(0) == 0xcafebabe
or uint32(0) == 0xbebafeca or uint32(0) == 0xcefaedfe
or uint32(0) == 0xfeedfacf or uint32(0) == 0xcffaedfe)
@theevilbit
theevilbit / _obs_tcc.md
Last active August 3, 2021 22:14
[StreamLabs OBS macOS TCC bypass]

StreamLabs OBS macOS TCC bypass

The Streamlabs macOS thick client does have hardened runtime enabled, but specifically allows DYLD environment variables and also disables library validation, which kills the purpose of hardened runtime. Having these settings on the executable enables an attacker to inject custom DYLIB libraries into the application. This would allow an attacker to access data inside the app, and possibly gain persistence on a machine, beyond that, as StreamLabs has access to the microphone and camera a user would gain access to that once exploited.

We can see the wrong permissions with running the codesign utility:

csaby@bigsur ~ % codesign -dv --entitlements :- /Applications/Streamlabs\ OBS.app 
Executable=/Applications/Streamlabs OBS.app/Contents/MacOS/Streamlabs OBS
Identifier=com.streamlabs.slobs
Format=app bundle with Mach-O thin (x86_64)
@djhohnstein
djhohnstein / _notes.md
Created March 12, 2020 02:34
AppDomainManager Injection

Let's turn Any .NET Application into an LOL Bin

We can do this by experimenting with .config files.

Many defenders catch/detect files that are renamed, they do this by matching Original Filename to Process Name

In this example, we don't have to rename anything. We simple coerce a trusted signed app to load our Assembly.

We do this by directing the application to read a config file we provide.

@ykoster
ykoster / Invoke-ExploitAnyConnectPathTraversal.psm1
Last active May 5, 2021 23:19
Proof of concept for CVE-2020-3153 - Cisco AnyConnect elevation of privileges due to insecure handling of path names - https://www.securify.nl/advisory/SFY20200419/cisco-anyconnect-elevation-of-privileges-due-to-insecure-handling-of-path-names.html
<#
.Synopsis
This module exploits a path traversal vulnerability in vpndownloader.exe of the Cisco AnyConnect client for Windows
.Description
This module exploits a path traversal vulnerability in vpndownloader.exe of the Cisco AnyConnect client for Windows.
When the -Command argument isn't provided a DLL is created at C:\Program Files\Common Files\microsoft shared\ink\HID.dll.
This DLL is used by the On-Screen Keyboard (osk.exe) of Windows, which is exposed on the login/lock screen.
Opening the On-Screen Keyboard on this screen will run our DLL with LocalSystem privileges.
@rvrsh3ll
rvrsh3ll / blockdlls_gadget2jscript.cs
Last active January 24, 2022 14:45
using System;
using System.IO;
using System.Net;
using System.Diagnostics;
using System.IO.Compression;
using System.Runtime.InteropServices;
public class Payload
{
public Payload()
@TheWover
TheWover / Find-Assemblies.ps1
Last active June 6, 2022 17:53
Search a directory for .NET Assemblies, including Mixed Assemblies. Options for searching recursively, including DLLs in scope, and including all files in scope.
Param([parameter(Mandatory=$true,
HelpMessage="Directory to search for .NET Assemblies in.")]
$Directory,
[parameter(Mandatory=$false,
HelpMessage="Whether or not to search recursively.")]
[switch]$Recurse = $false,
[parameter(Mandatory=$false,
HelpMessage="Whether or not to include DLLs in the search.")]
[switch]$DLLs = $false,
[parameter(Mandatory=$false,
@rasta-mouse
rasta-mouse / PPID Spoof & BlockDLLs
Last active April 1, 2025 22:39
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
namespace BlockDllTest
{
class Program
{
static void Main(string[] args)
{
@Omar-Ikram
Omar-Ikram / EndpointSecurityDemo.m
Last active April 4, 2025 15:29
A demo of using Apple's EndpointSecurity framework - tested on macOS Monterey 12.2.1 (21D62)
//
// main.m
// EndpointSecurityDemo
//
// Created by Omar Ikram on 17/06/2019 - macOS Catalina 10.15 Beta 1 (19A471t)
// Updated by Omar Ikram on 15/08/2019 - macOS Catalina 10.15 Beta 5 (19A526h)
// Updated by Omar Ikram on 01/12/2019 - macOS Catalina 10.15 (19A583)
// Updated by Omar Ikram on 31/01/2021 - macOS Big Sur 11.1 (20C69)
// Updated by Omar Ikram on 07/05/2021 - macOS Big Sur 11.3.1 (20E241)
// Updated by Omar Ikram on 04/07/2021 - macOS Monterey 12 Beta 2 (21A5268h)