boy1337 bb33bb
Title : Revisiting Mac OS X Kernel Rootkits
Author : fG!
Date : April 18, 2014
|=----------------------------------------------------------------------------=|
|=----------------=[ Revisiting Mac OS X Kernel Rootkits ]=-------------------=|
|=----------------------------------------------------------------------------=|
|=------------------------=[ fG! <[email protected]> ]=---------------------------=|
|=----------------------------------------------------------------------------=|
bb33bb / assym.c
Created April 22, 2021 23:37 — forked from Siguza/assym.c
Apple Silicon kernels
#include <fcntl.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <mach-o/loader.h>
#include <mach-o/nlist.h>
int main(int argc, const char **argv)
{
if(argc != 2)
bb33bb / pallas.sh
Created April 22, 2021 23:37 — forked from Siguza/pallas.sh
newstyle OTA
#!/bin/zsh
set -e;
set -m;
num_workers=64;
incr=false;
if [ "$1" = '-i' ]; then
incr=true;
bb33bb / phoenix.c
Created April 22, 2021 23:37 — forked from Siguza/phoenix.c
Phœnix exploit / iOS 9.3.5
// Bugs by NSO Group / Ian Beer.
// Exploit by Siguza & tihmstar.
// Thanks also to Max Bazaliy.
#include <stdint.h> // uint32_t, uint64_t
#include <stdio.h> // fprintf, stderr
#include <string.h> // memcpy, memset, strncmp
#include <unistd.h> // getpid
#include <mach/mach.h>
#include <stdlib.h>
// This is a patch for the macOS version of Graveyard Keeper (might work for arbitrary apps, but zero guarantees).
// The game completely fails to support fullscreen, yet runs beautifully with it if you force it to.
// So this patch simply brings back the functionality of the little green button in the window's upper left corner.
// I have sadly not found a way to automatically inject this by means of a Steam interface - if you do, please let me know!
// For the rest, you should probably be an advanced user to use this. No support or warranty.
// Compile and inject with:
// clang -shared -o FullScreen.dylib FullScreen.m -Wall -O3 -framework AppKit
// DYLD_INSERT_LIBRARIES=/path/to/FullScreen.dylib /path/to/Graveyard\ Keeper

Analysing some PayPal phishing

Not long ago I tweeted about some PayPal phishing mails I got, which appeared to use hacked websites for their cause, and of which all traces were gone 24h after my initial recon.
Well, I got another such mail:

Return-Path: <[email protected]>
X-Original-To: [email protected]
Delivered-To: [email protected]
Received: from linuxhosting09.rediff.com (host152-150.mxout.rediffmailpro.com [119.252.152.150])
bb33bb / dsc_syms.c
Created April 22, 2021 23:38 — forked from Siguza/dsc_syms.c
dyld_shared_cache symbols to r2 flags
// Moved here: https://github.com/Siguza/misc/blob/master/dsc_syms.c
// Siguza
// Treat as public domain.
#include <ctype.h> // isspace
#include <stdlib.h> // malloc, free,
#include <string.h> // strlen, strncmp, strstr
// Turn delimiter tokens into null terminators and
// create array of pointers to each new string.
static void destructive_split(char *str, const char *delim, char ***out, size_t *outlen)

Sadly I don't have a dev device on iOS 10, but for anyone playing around with zIVA caring about the kernel task port:

Starting with iOS 10.3 (and macOS 10.12.4), Apple changed convert_port_to_locked_task (and a few other port-to-something conversion functions) to blacklist the kernel task by means of a direct check. As a result, you can still obtain the kernel task port, but almost all APIs will simply treat it like MACH_PORT_NULL, thus rendering it useless. The check is a simple pointer comparison though, so it can be circumvented by just remapping the task struct at an additional virtual address and creating a new port from that with a ROP equivalent of:

vm_map_remap(
    kernel_map,
    &remap_addr,
    sizeof(task_t),
    0,

VM_FLAGS_ANYWHERE | VM_FLAGS_RETURN_DATA_ADDR,
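The gist above makes one point worth seeing in isolation: an identity check implemented as a pointer comparison (task == kernel_task) says nothing about the memory behind the pointer, so a second virtual mapping of the same object passes the check while still being the same object. The following is an added user-space model of that idea, not Siguza's code and not XNU's: the "kernel task" is a small struct placed in a file-backed page, the blacklisting check is a hypothetical stand-in named convert_port_to_locked_task_model, and the kernel's vm_map_remap is replaced by mapping the same file twice with mmap. Everything else (the struct layout, the function names, the /tmp path) is constructed for the demonstration.

```c
// Added demonstration, not from the gist: a pointer-comparison identity check
// is defeated by a second virtual mapping of the same memory.
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

// Stand-in for the kernel's task struct (hypothetical layout, two fields only).
typedef struct fake_task {
    uint32_t ref_count;
    char     name[32];
} fake_task_t;

// Stand-in for the kernel_task global the real check compares against.
static fake_task_t *g_kernel_task = NULL;

// Hypothetical model of the blacklisting check described in the gist:
// the kernel task is treated as MACH_PORT_NULL, everything else passes.
static fake_task_t *convert_port_to_locked_task_model(fake_task_t *task) {
    if (task == g_kernel_task) {
        return NULL;
    }
    return task;
}

// User-space substitute for vm_map_remap: back a page with a temporary file
// and map it at two distinct virtual addresses. out[0] is the "original"
// view, out[1] the alias. Returns 0 on success, -1 on failure.
static int alias_map(size_t len, void *out[2]) {
    char path[] = "/tmp/alias_demo_XXXXXX";  // constructed path template
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    unlink(path);  // the fd keeps the file alive; no name is left behind
    if (ftruncate(fd, (off_t)len) != 0) { close(fd); return -1; }
    void *a = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    void *b = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    close(fd);
    if (a == MAP_FAILED || b == MAP_FAILED) return -1;
    out[0] = a;
    out[1] = b;
    return 0;
}

// Returns 1 when (a) the direct pointer is rejected, (b) the alias passes the
// check as a "different" task, and (c) a write through the alias is visible
// through the original pointer, i.e. both refer to the same object.
int alias_bypasses_pointer_check(void) {
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *views[2];
    if (alias_map(len, views) != 0) return 0;

    g_kernel_task = (fake_task_t *)views[0];
    fake_task_t *alias = (fake_task_t *)views[1];

    memset(g_kernel_task, 0, sizeof *g_kernel_task);
    strncpy(g_kernel_task->name, "kernel_task", sizeof g_kernel_task->name - 1);
    g_kernel_task->ref_count = 1;

    int direct_rejected = convert_port_to_locked_task_model(g_kernel_task) == NULL;

    fake_task_t *got = convert_port_to_locked_task_model(alias);
    int alias_passes = (got != NULL) && (got != g_kernel_task);

    alias->ref_count++;  // write through the alias...
    int same_object = (g_kernel_task->ref_count == 2)            // ...seen via the original
                   && (got != NULL && strcmp(got->name, "kernel_task") == 0);

    munmap(views[0], len);
    munmap(views[1], len);
    g_kernel_task = NULL;
    return direct_rejected && alias_passes && same_object;
}

int main(void) {
    printf("alias bypasses pointer check: %s\n",
           alias_bypasses_pointer_check() ? "yes" : "no");
    return 0;
}
```

The model also shows what a robust check would have to do instead: compare something the aliasing cannot change, such as a field stored inside the object, rather than the virtual address through which the object is reached.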