1. macOS Control Bypasses: General Course Information
About The EXP-312 Course
Provided Materials
Overall Strategies for Approaching the Course
About the EXP-312 VPN Labs
About the OSMR Exam
Wrapping Up
2. Virtual Machine Setup Guide
Creating VMs on Apple Silicon
Installing Xcode
Homebrew
Old and Other Software
Third-Party Software
General System Settings
Specific VM Instructions
3. Introduction to macOS
macOS System Overview
High-Level OS Architecture
The Mach-O File Format
Objective-C Primer
Wrapping Up
4. macOS Binary Analysis Tools
Command Line Static Analysis Tools
Static Analysis with Hopper
Dynamic Analysis
The LLDB Debugger
Debugging with Hopper
Tracing Applications with DTrace
Wrapping Up
5. The Art of Crafting Shellcodes
Writing Shellcode in ASM
Custom Shell Command Execution in Assembly
Making a Bind Shell in Assembly
Writing Shellcode in C
Wrapping Up
6. Dylib Injection & Egghunters
DYLD_INSERT_LIBRARIES Injection in macOS
DYLIB Hijacking
Wrapping Up
7. The Mach Microkernel
Mach Inter Process Communication (IPC) Concepts
Mach Special Ports
Injection via Mach Task Ports
BlockBlock Case Study - Injecting execv Shellcode
Injecting a Dylib
Wrapping Up
8. Function Hooking on macOS
Function Interposing
Objective-C Method Swizzling
Wrapping Up
9. XPC Attacks
About XPC
The Low-Level C API: XPC Services
The Foundation Framework API
Attacking XPC Services
Apple’s EvenBetterAuthorizationSample
CVE-2019-20057 - Proxyman Change Proxy Privileged Action Vulnerability
CVE-2020-0984 - Microsoft Auto Update Privilege Escalation Vulnerability
CVE-2019-8805 - Apple EndpointSecurity Framework Local Privilege Escalation
CVE-2020-9714 - Adobe Reader Update Local Privilege Escalation
Wrapping Up
10. The macOS Sandbox
Sandbox Internals
The Sandbox Profile Language (SBPL)
Sandbox Escapes
Case Study: QuickLook Plugin SB Escape
Case Study: Microsoft Word Sandbox Escape
Wrapping Up
11. Bypassing Transparency, Consent, and Control (Privacy)
TCC Internals
CVE-2020-29621 - Full TCC Bypass via coreaudiod
Bypass TCC via Spotlight Importer Plugins
CVE-2020-24259 - Bypass TCC with Signal to Access Microphone
Gain Full Disk Access via Terminal
Wrapping Up
12. GateKeeper Internals
File Quarantine
XProtect
GateKeeper
Wrapping Up
13. Bypassing GateKeeper
CVE-2022-42821 GateKeeper Bypass Using AppleDouble Files
CVE-2021-30990 GateKeeper Bypass using Symbolic Links
Wrapping Up
14. Symlink and Hardlink Attacks
The Filesystem Permission Model
Finding Bugs
CVE-2020-3855 - macOS DiagnosticMessages File Overwrite Vulnerability
CVE-2020-3762 - Adobe Reader macOS Installer Local Privilege Escalation
CVE-2019-8802 - macOS Manpages Local Privilege Escalation
Wrapping Up
15. Getting Kernel Code Execution
KEXT Loading Restrictions
Sample KEXT
The KEXT Loading Process
CVE-2020-9939 - Unsigned KEXT Load Vulnerability
CVE-2021-1779 - Unsigned KEXT Load Vulnerability
Changes in Big Sur
Wrapping Up
16. Injecting Code into Electron Applications
Setting up an Electron Development Environment
Creating a Simple Electron App
The Application
Environment Variable Injection
Debug Port Injection
Source Code Modification
Protecting Electron Applications
Wrapping Up
17. Mount(ain) of Bugs (Archived)
The MAC Framework
The mount System Call
Disk Arbitration Service
CVE-2021-1784 - TCC Bypass Via Mounting Over com.apple.TCC
CVE-2021-30782 - TCC Bypass Via AppTranslocation Service
CVE-2021-26089 - Fortinet FortiClient Installer Local Privilege Escalation
Wrapping Up
18. The Art of Crafting Shellcodes (Apple Silicon Edition)
Writing Shellcode in ASM
Executing Custom Shell Commands in Assembly
Making a Bind Shell in Assembly
Writing Shellcode in C
Wrapping Up
19. Mach IPC Exploitation
The Mach Interface Generator (MIG)
CVE-2022-22639 Exploitation Case Study
Wrapping Up
20. Chaining Exploits on macOS Ventura
macOS Ventura Mitigations
Exploit Chain on macOS Ventura
Wrapping Up
21. macOS Penetration Testing
Small Step For Man
The Jail
I am (g)root
CVE-2020-26893 - I Like To Move It, Move It
Private Documents - We Wants It, We Needs It
The Core
Wrapping Up