Explore macOS exploit development. Learn privilege escalation, bypass security controls, and earn the OSMR certification.
Obtain a strong understanding of macOS internals.
Learn the basics of Mach messaging.
Learn how to bypass Transparency, Consent, and Control (TCC) protections.
Learn how to escape the Sandbox.
About The EXP-312 Course
Provided Materials
Overall Strategies for Approaching the Course
About the EXP-312 VPN Labs
About the OSMR Exam
Wrapping Up
Creating VMs on Apple Silicon
Installing Xcode
Homebrew
Old and Other Software
Third-Party Software
General System Settings
Specific VM Instructions
macOS System Overview
High-Level OS Architecture
The Mach-O File Format
Objective-C Primer
Wrapping Up
Command Line Static Analysis Tools
Static Analysis with Hopper
Dynamic Analysis
The LLDB Debugger
Debugging with Hopper
Tracing Applications with DTrace
Wrapping Up
Writing Shellcode in ASM
Custom Shell Command Execution in Assembly
Making a Bind Shell in Assembly
Writing Shellcode in C
Wrapping Up
DYLD_INSERT_LIBRARIES Injection in macOS
DYLIB Hijacking
Wrapping Up
Mach Inter Process Communication (IPC) Concepts
Mach Special Ports
Injection via Mach Task Ports
BlockBlock Case Study - Injecting execv Shellcode
Injecting a Dylib
Wrapping Up
Function Interposing
Objective-C Method Swizzling
Wrapping Up
About XPC
The Low-Level C API: XPC Services
The Foundation Framework API
Attacking XPC Services
Apple’s EvenBetterAuthorizationSample
CVE-2019-20057 - Proxyman Change Proxy Privileged Action Vulnerability
CVE-2020-0984 - Microsoft Auto Update Privilege Escalation Vulnerability
CVE-2019-8805 - Apple EndpointSecurity Framework Local Privilege Escalation
CVE-2020-9714 - Adobe Reader Update Local Privilege Escalation
Wrapping Up
Sandbox Internals
The Sandbox Profile Language (SBPL)
Sandbox Escapes
Case Study: QuickLook Plugin SB Escape
Case Study: Microsoft Word Sandbox Escape
Wrapping Up
TCC Internals
CVE-2020-29621 - Full TCC Bypass via coreaudiod
Bypass TCC via Spotlight Importer Plugins
CVE-2020-24259 - Bypass TCC with Signal to Access Microphone
Gain Full Disk Access via Terminal
Wrapping Up
File Quarantine
XProtect
Gatekeeper
Wrapping Up
CVE-2022-42821 Gatekeeper Bypass Using AppleDouble Files
CVE-2021-30990 Gatekeeper Bypass Using Symbolic Links
Wrapping Up
The Filesystem Permission Model
Finding Bugs
CVE-2020-3855 - macOS DiagnosticMessages File Overwrite Vulnerability
CVE-2020-3762 - Adobe Reader macOS Installer Local Privilege Escalation
CVE-2019-8802 - macOS Manpages Local Privilege Escalation
Wrapping Up
KEXT Loading Restrictions
Sample KEXT
The KEXT Loading Process
CVE-2020-9939 - Unsigned KEXT Load Vulnerability
CVE-2021-1779 - Unsigned KEXT Load Vulnerability
Changes in Big Sur
Wrapping Up
Setting up an Electron Development Environment
Creating a Simple Electron App
The Application
Environment Variable Injection
Debug Port Injection
Source Code Modification
Protecting Electron Applications
Wrapping Up
The MAC Framework
The mount System Call
Disk Arbitration Service
CVE-2021-1784 - TCC Bypass Via Mounting Over com.apple.TCC
CVE-2021-30782 - TCC Bypass Via AppTranslocation Service
CVE-2021-26089 - Fortinet FortiClient Installer Local Privilege Escalation
Wrapping Up
Writing Shellcode in ASM
Executing Custom Shell Commands in Assembly
Making a Bind Shell in Assembly
Writing Shellcode in C
Wrapping Up
The Mach Interface Generator (MIG)
CVE-2022-22639 Exploitation Case Study
Wrapping Up
macOS Ventura Mitigations
Exploit Chain on macOS Ventura
Wrapping Up
Small Step For Man
The Jail
I am (g)root
CVE-2020-26893 - I Like To Move It, Move It
Private Documents - We Wants It, We Needs It
The Core
Wrapping Up
Your team deserves training as unique as they are.
Let us tailor the course to your needs at no extra cost.
Aaron Steele
Casey Pense
Chris Tsantiris
Javier Martin
Justin Gilley
Kathy Le
Kelson Smith
Oussama Azzam
Pascal Rodmacq
Randall Granier