Posts by opa334@infosec.exchange
Post #AS4ZwzDd0rSbH5CjgG by opa334@infosec.exchange
2023-01-27T15:26:41Z
1 likes, 0 repeats
@zhuowei Yep, sandbox extensions aren't *that* powerful. A lot of directories are gated behind specific entitlements unfortunately. Still cool, you should be able to give yourself read access to amfid with this however and use MacDirtyCOW on that.
Post #AS4ao423qaf7YE6T3Y by opa334@infosec.exchange
2023-01-27T15:48:09Z
0 likes, 0 repeats
@zhuowei Don't worry, I'm not that smart either. If you really want to neuter amfid it's probably really difficult, you need to find some sort of gadget / chain that you can rebind the libmis verification functions to so that they always return success. Maybe look at the AppSync hooks to get an idea of what needs to be done (Obviously you can't map executable code to amfid so it's much harder). Also I'm unsure what neutering amfid would actually give you, I could be wrong but I think the "CoreEntitlements" iOS 15 feature will restrict things a lot. I'm probably not going to look into this myself, just watching from the side 👀
Post #AS4bL3E9rQRSbwUVKS by opa334@infosec.exchange
2023-01-27T15:57:07Z
1 likes, 0 repeats
@zhuowei Yes, but amfid imports libmis functions and there should be pointers to these functions inside the data segment of amfid. I haven't tested or done anything with MacDirtyCOW yet, might do so at some point.
Post #AcF6rdprCSKVHuP8hU by opa334@infosec.exchange
2023-11-27T20:19:46Z
1 likes, 0 repeats
@zhuowei Xina gives all binaries the get-task-allow entitlement and then uses ptrace to attach and immediately detach, which gives the process debug flags, which allow it to have unsigned executable pages.
Post #AcFCaprjokvBOweb3I by opa334@infosec.exchange
2023-11-27T21:12:38Z
1 likes, 0 repeats
@zhuowei Coolstar just wasn't aware of it, I think.
Post #AcHn2VWr0Zq36OIdhA by opa334@infosec.exchange
2023-11-29T01:18:37Z
1 likes, 0 repeats
@saagar @zhuowei idk, maybe she forgot. Also, the only reason why Xina was able to do it was the CoreTrust bug.
Post #Acac1UK3UjOmB66WNU by opa334@infosec.exchange
2023-12-06T16:39:19Z
0 likes, 0 repeats
@zhuowei The simple answer is: You don't. Spawning binaries with only kernel r/w is no longer feasible, you need additional bugs.
Post #Acac1WYJChzL5smvs8 by opa334@infosec.exchange
2023-12-06T23:28:12Z
0 likes, 0 repeats
@siguza @zhuowei Yeah, but that's because threat actors might not even need to spawn a binary to begin with. For actually spawning your own binary you definitely need a codesign or PPL bypass though, no urbane technique is going to allow you to do that without one. For spawning an already signed binary, I guess there's a lot of ways to do it though.
Post #AcsT9yIBfAd4BvnQ1o by opa334@infosec.exchange
2023-12-15T18:35:37Z
1 likes, 0 repeats
@zhuowei @saagar You cannot mlock DSC memory due to the page table being shared across processes. I recently worked on a way to do it via KRW, but it for once did not solve the issue and secondly introduced another panic (which is really weird and causes me to believe I fucked something up in my attempt, but idk :/). All I know is the issue happens after you applied memory hooks, and it triggers when any process tries to page in some address. The address itself is not part of the panic log afaik, so I can't even say for sure whether it's a DSC page or not.
Post #B4haCCL7kYTosejRc8 by opa334@infosec.exchange
2026-03-27T21:35:07Z
1 likes, 0 repeats
Apparently some journalists and youtubers are falsely citing me as the source of DarkSword. I hope this README update clears it up.