NYU Hacknight: iOS and OSX ABI
0 likes476 views
The document discusses vulnerabilities in iOS and OS X, highlighting the importance of security measures during the development lifecycle. It addresses various hacking techniques, tools, and approaches for exploiting these platforms, including fuzzing, code reading, and dynamic/static analysis. Additionally, it provides insights into shellcode development, system calls, and resource links for learning about security and the hacking community.
NYU Hacknight: iOS and OSX ABI
- 1. iOS and OS X ABI (Hacking in context) Mikhail Sosonkin
- 2. Security Researcher at SYNACK Working on low level emulation with QEMU and iPhone automation. Graduate of Polytechnic University a.k.a Polytechnic Institute of New York University a.k.a New York University Polytechnic School of Engineering a.k.a New York University Tandon School of Engineering
- 3. СССР 1986 Intel 8080 Clone 1.78MHz CPU 32KB RAM 2KB ROM 450 Rubles Wikipedia-RU
- 4. What’s a vulnerability Just crashes Bugs Vulnerabilities What we are used to Logic errors
- 5. Amazon Apple “In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification.” - http://www.wired.com/2012/08/apple-amazon-mat- honan-hacking/all/
- 6. It is not enough to just be careful with your interfaces. You must also have have mitigations and continuous analysis that includes “outsiders”. Security considerations and reviews should be part of every step of development lifecycle.
- 7. Where are the vulns?! Memory corruption - just won’t go away! That’s what a lot of CTFs seem to be focusing on. History thereof Memory Errors “Special feature” Backdooring yourself. Someone will eventually discover it.
- 8. Network man on the side http://www.wired.com/2015/04/researchers-uncover-method-detect-nsa-quantum-insert-hacks/ web where did I leave that session key again? https://www.owasp.org/index.php/Top_10_2013-Table_of_Contents
- 9. Miscommunications The root of all bugs. Don’t be too paranoid It’s not healthy, but always ask: “what do you do if someone compromises this component?”
- 10. Targeting Classic: Browser, Remote, Phishing A little more advanced: Via AWS - managed services (Exploiting external relationships) USB - https://srlabs.de/badusb/ i.e. Stuxnet
- 11. Beg, borrow and steal Finding vulnerabilities Fuzzing (AFL, Many frameworks) Code reading (SourceInsight, Understand) Dynamic/Static analysis (Qira, Panda)
- 12. Exploit Control EIP Doesn’t have to be 100% Gain execution Binary protections like ASLR and DEP
- 13. Infect Run shell code Might have some ROPing to do And, stack pivoting Find the egg Bigger shellcode. Download implant Gain persistence i.e. launch daemon
- 14. No Disclosure Private Communities Full disclosure Responsible Disclosure Coordinated Disclosure Private Bug bounties: Google, Microsoft, Facebook Managed Bug Bounties: Bugcrowd, HackerOne, SYNACK
- 15. Black Market Bug Bounties: Zerodium, Vupen Cosinc (link) HackingTeam (Probably defunct) MitnickSecurity Lots of secretive companies (link) A few not so secretive (link)
- 16. SYNACK Private Targets Think easy targets Fortune 500 Companies Several Categories Host, Web, Mobile Average payout: $690 We provide a cyber platform, Hydra! https://www.synack.com/red-team/
- 17. Requires passing an assessment SYNACK Red Team entry If unable to pass try BugCrowd or HackerOne
- 18. Let’s say you gained execution
- 19. Goals Build shellcode that Downloads a dylib. Injects the dylib into process. Target OS X and iOS
- 20. Get initial info - OSX
- 21. Get initial info - iOS
- 22. Partial source XNU kernel https://opensource.apple.com/tarballs/xnu/ Dyld source https://opensource.apple.com/tarballs/dyld/ Can be compiled
- 23. ARM64 Registers 31 General purpose registers X0 … X30 or W0 … W30 X31 - (zr) The Zero register X30 - (lr) Procedure Link Register (RIP) X29 - (fp) Frame pointer (RBP) X18 - Reserved on iOS
- 24. ARM64 Instructions Conditional Branches B.EQ, B.NE, TBNZ (Test bit and Branch if Nonzero), etc. Unconditional Branches B, RET, SVC Conditional Select CSEL W9, W9, W10, EQ “W9 = EQ?W9:W10”
- 28. Calling Convention On ARM64: X0 … X8 Contain function parameters X16 has the system call number Positive for Posix Negative for Mach Ports 0x80000000 for thread_set_self SVC 0x80; jumps to kernel
- 29. Let’s make a system call
- 31. Syscall numbers OSX: 0x01000000 - mach ports 0x02000000 - Posix 0x03000003 - pthread_set_self IOS 0x00000000 and below - mach ports 0x00000000 and above - Posix 0x80000000 - pthread_set_self
- 32. Loading Mach-O’s
- 33. Who does what? - Kernel: - Maps the main executable - Maps the loader - Passes control to the loader - DYLD: - “Maps” itself and the main executable - Maps and links dependency libraries.
- 35. File Structure: Commands - Follow the header - ‘cmdsize’ is a multiple of 8 bytes.
- 36. Mach-O commands - LC_SEGMENT and LC_SEGMENT_64 - From file to virtual memory: __DATA, __TEXT, etc. - LC_UNIXTHREAD - Sets up initial registers and stack - Entry point - LC_LOAD_DYLINKER - Specifies the loader i.e. /usr/lib/dyld - LC_MAIN - Sets up the stack - etc
- 38. Setting up the stack OSX Arguments Environment variables Apple variable Generated by the kernel (LC_UNIXTHREAD)
- 39. Setting up the stack iOS Arguments Environment variables Apple variable Generated by the kernel (LC_UNIXTHREAD)
- 40. Segments
- 41. Let’s build some shellcode. (live exercise) Recorded session
- 42. `xcrun --sdk iphoneos --find gcc` -Os -fno-stack-protector - fomit-frame-pointer -fno-exceptions -Wimplicit -isysroot `xcrun --sdk iphoneos --show-sdk-path` -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/Frameworks - F`xcrun --sdk iphoneos --show-sdk- path`/System/Library/PrivateFrameworks -arch arm64 test_syscall.c -o test_syscall otool -t -v test_syscall
- 43. Build it using GCC - Easy to represent complex logic - Excellent way to learn assembly skills - Assist with reverse engineering - Port to different architectures - Optimization hints - Does 90% of the work for you
- 44. Cons of using GCC - Can get hard to make GCC avoid outputting certain bytes. - Give up a level of control - Can get into dependency hell - All the usual problems with C. - Optimizer could get too aggressive
- 45. The Challenge
- 46. ShellCC - https://github.com/nologic/shellcc - shellcode - extractshell.py: Gets the bytecodes from the macho as raw shellcode - Makefile has build commands for shellcode ARM/x86_64 - shellharness - reads a file and executes the buffer.
- 47. The challenge - Understand injectdyld_file.c - Figure out how to dynamically load a dylib - Can use injectdyld_file.c as a base - Hint: you will need to read the DYLD sourcecode.
- 48. Where to learn about security? - https://seccasts.com/ - http://www.opensecuritytraining.info/ - https://www.corelan.be - youtube for conference - Security meetups - Just practice - Read/follow walkthroughs - follow the reddits: - netsec - reverseengineering - malware - lowlevel - blackhat - securityCTF - rootkit - vrd
- 49. Getting started with iOS - Get iPhone 5s - Swappa - Apply Jailbreak - Install OpenSSH via Cydia - Use tcprelay to SSH over USB - Start exploring - debugserver - https://github.com/iosre/iOSAppReverseEngineering - https://nabla-c0d3.github.io/blog/2014/12/30/tcprelay-multiple-devices/