Advanced macOS Control Bypasses (OSMR)

Explore macOS exploit development. Learn privilege escalation, bypass security controls, and earn the OSMR certification.

Course Thumbnail

Essential Skills Gained

Checkmark

Obtain a strong understanding of macOS internals.

Checkmark

Learn the basics of Mach messaging.

Checkmark

Learn how to bypass Transparency, Content and Control (TCC) protections.

Checkmark

Learn how to escape the Sandbox.

Format

  • Instructor-led
  • 5 days with lectures and hands-on labs.

Audience

  • Exploit Developers
  • Security Researchers
  • macOS Defenders
  • macOS Application Developers

Description

Calendar icon

Upcoming Course Dates

No upcoming dates. Please check back later.

Course Outline

Download PDF

1. macOS Control Bypasses: General Course Information

  • About The EXP-312 Course

  • Provided Materials

  • Overall Strategies for Approaching the Course

  • About the EXP-312 VPN Labs

  • About the OSMR Exam

  • Wrapping Up

2. Virtual Machine Setup Guide

  • Creating VMs on Apple Silicon

  • Installing Xcode

  • Homebrew

  • Old and Other Software

  • Third-Party Software

  • General System Settings

  • Specific VM Instructions

3. Introduction to macOS

  • macOS System Overview

  • High-Level OS Architecture

  • The Mach-O File Format

  • Objective-C Primer

  • Wrapping Up

4. macOS Binary Analysis Tools

  • Command Line Static Analysis Tools

  • Static Analysis with Hopper

  • Dynamic Analysis

  • The LLDB Debugger

  • Debugging with Hopper

  • Tracing Applications with DTrace

  • Wrapping Up

5. The Art of Crafting Shellcodes

  • Writing Shellcode in ASM

  • Custom Shell Command Execution in Assembly

  • Making a Bind Shell in Assembly

  • Writing Shellcode in C

  • Wrapping Up

6. Dylib Injection & Egghunters

  • DYLD_INSERT_LIBRARIES Injection in macOS

  • DYLIB Hijacking

  • Wrapping Up

7. The Mach Microkernel

  • Mach Inter Process Communication (IPC) Concepts

  • Mach Special Ports

  • Injection via Mach Task Ports

  • BlockBlock Case Study - Injecting execv Shellcode

  • Injecting a Dylib

  • Wrapping Up

8. Function Hooking on macOS

  • Function Interposing

  • Objective-C Method Swizzling

  • Wrapping Up

9. XPC Attacks

  • About XPC

  • The Low-Level C API: XPC Services

  • The Foundation Framework API

  • Attacking XPC Services

  • Apple’s EvenBetterAuthorizationSample

  • CVE-2019-20057 - Proxyman Change Proxy Privileged Action Vulnerability

  • CVE-2020-0984 - Microsoft Auto Update Privilege Escalation Vulnerability

  • CVE-2019-8805 - Apple EndpointSecurity Framework Local Privilege Escalation

  • CVE-2020-9714 - Adobe Reader Update Local Privilege Escalation

  • Wrapping Up

10. The macOS Sandbox

  • Sandbox Internals

  • The Sandbox Profile Language (SBPL)

  • Sandbox Escapes

  • Case Study: QuickLook Plugin SB Escape

  • Case Study: Microsoft Word Sandbox Escape

  • Wrapping Up

11. Bypassing Transparency, Consent, and Control (Privacy)

  • TCC Internals

  • CVE-2020-29621 - Full TCC Bypass via coreaudiod

  • Bypass TCC via Spotlight Importer Plugins

  • CVE-2020-24259 - Bypass TCC with Signal to Access Microphone

  • Gain Full Disk Access via Terminal

  • Wrapping Up

12. GateKeeper Internals

  • File Quarantine

  • XProtect

  • GateKeeper

  • Wrapping Up

13. Bypassing GateKeeper

  • CVE-2022-42821 GateKeeper Bypass Using AppleDouble Files

  • CVE-2021-30990 GateKeeper Bypass using Symbolic Links

  • Wrapping Up

14. Symlink and Hardlink Attacks

  • The Filesystem Permission Model

  • Finding Bugs

  • CVE-2020-3855 - macOS DiagnosticMessages File Overwrite Vulnerability

  • CVE-2020-3762 - Adobe Reader macOS Installer Local Privilege Escalation

  • CVE-2019-8802 - macOS Manpages Local Privilege Escalation

  • Wrapping Up

15. Getting Kernel Code Execution

  • KEXT Loading Restrictions

  • Sample KEXT

  • The KEXT Loading Process

  • CVE-2020-9939 - Unsigned KEXT Load Vulnerability

  • CVE-2021-1779 - Unsigned KEXT Load Vulnerability

  • Changes in Big Sur

  • Wrapping Up

16. Injecting Code into Electron Applications

  • Setting up an Electron Development Environment

  • Creating a Simple Electron App

  • The Application

  • Environment Variable Injection

  • Debug Port Injection

  • Source Code Modification

  • Protecting Electron Applications

  • Wrapping Up

17. Mount(ain) of Bugs (Archived)

  • The MAC Framework

  • The mount System Call

  • Disk Arbitration Service

  • CVE-2021-1784 - TCC Bypass Via Mounting Over com.apple.TCC

  • CVE-2021-30782 - TCC Bypass Via AppTranslocation Service

  • CVE-2021-26089 - Fortinet FortiClient Installer Local Privilege Escalation

  • Wrapping Up

18. The Art of Crafting Shellcodes (Apple Silicon Edition)

  • Writing Shellcode in ASM

  • Executing Custom Shell Commands in Assembly

  • Making a Bind Shell in Assembly

  • Writing Shellcode in C

  • Wrapping Up

19. Mach IPC Exploitation

  • The Mach Interface Generator (MIG)

  • CVE-2022-22639 Exploitation Case Study

  • Wrapping Up

20. Chaining Exploits on macOS Ventura

  • macOS Ventura Mitigations

  • Exploit Chain on macOS Ventura

  • Wrapping Up

21. macOS Penetration Testing

  • Small Step For Man

  • The Jail

  • I am (g)root

  • CVE-2020-26893 - I Like To Move It, Move It

  • Private Documents - We Wants It, We Needs It

  • The Core

  • Wrapping Up

Your Team has Unique Training Needs.

Your team deserves training as unique as they are.

Let us tailor the course to your needs at no extra cost.