Warning
This is patched as of iOS/iPadOS 18.1 DevBeta 5. If you want to follow this, stay on Beta 4.
As of macOS 12 (Monterey), Apple's Virtualization framework has nice support for macOS guest virtual machines, but with severe limitations: For example you can't install a macOS guest on Intel Macs, install guests with newer versions of macOS than the host, copy and paste between the host and the guest, or install third party kernel extensions in the guest. As usual for Apple, the functionality they do support is nicely implemented, but they've left out so much that the result is only marginally useful -- at least compared to
MS Office docx files may contain external OLE Object references as HTML files. There is an HTML sceme "ms-msdt:" which invokes the msdt diagnostic tool, what is capable of executing arbitrary code (specified in parameters).
The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).
Here are the steps to build a Proof-of-Concept docx:
| /* | |
| Written By Pan ZhenPeng(@peterpan980927) of Alibaba Security Pandora Lab | |
| use it on macOS: cc poc.c -o poc while True; do ./poc ; done | |
| */ | |
| #include <errno.h> | |
| #include <signal.h> | |
| #include <fcntl.h> | |
| #include <stdio.h> | |
| #include <stdlib.h> |
| // To compile: clang++ -arch x86_64 -arch arm64 -std=c++20 library_injector.cpp -lbsm -lEndpointSecurity -o library_injector, | |
| // then codesign with com.apple.developer.endpoint-security.client and run the | |
| // program as root. | |
| #include <EndpointSecurity/EndpointSecurity.h> | |
| #include <algorithm> | |
| #include <array> | |
| #include <bsm/libbsm.h> | |
| #include <cstddef> | |
| #include <cstdint> |
| #!/bin/bash | |
| ########### | |
| # A script which will help to decode crashes, spindumps, and samples | |
| ########### | |
| # Helper functions | |
| function do_jq { | |
| _J="$(which jq 2>/dev/null)" || { | |
| echo "You must install jq (brew install jq) to use the script" >&2; return 1; | |
| }; "${_J}" "$@" |
| # Connect to device using adb | |
| adb connect <@IP> | |
| # Start su shell (works out of the box - no need to root device) | |
| adb shell | |
| su | |
| # We need to remount the system file-system in order to modify the start-up script | |
| mount -o remount,rw /system |
| #include <stdio.h> | |
| #include <stdint.h> | |
| #include <stdlib.h> | |
| #include <mach/mach.h> | |
| #include <CommonCrypto/CommonCrypto.h> | |
| #include <ctype.h> | |
| void hexdump(void *ptr, int buflen) { | |
| unsigned char *buf = (unsigned char*)ptr; | |
| int i, j; |
| // Bugs by NSO Group / Ian Beer. | |
| // Exploit by Siguza & tihmstar. | |
| // Thanks also to Max Bazaliy. | |
| #include <stdint.h> // uint32_t, uint64_t | |
| #include <stdio.h> // fprintf, stderr | |
| #include <string.h> // memcpy, memset, strncmp | |
| #include <unistd.h> // getpid | |
| #include <mach/mach.h> | |
| #include <stdlib.h> |
| # | |
| # arm64_sysregs_ios.py | |
| # Brandon Azad | |
| # | |
| # Based on https://github.com/gdelugre/ida-arm-system-highlight by Guillaume Delugre. | |
| # | |
| import idautils | |
| import idc |
