
Snake & Apple: Dyld

@Karmaz95 Karmaz95 released this 18 Feb 21:36
· 96 commits to main since this release

MAJOR

  • Added SnakeV class!
  • Implemented tests

SNAKE I: Mach-O

  • I added the --imported_symbols flag, which prints the external symbols grouped by library, sorted, and in a grepable form. Example:
symbol_name : library1
symbol_name : library1
symbol_name : library2
symbol_name : library3

SNAKE IV: DYLIBS

  • Added the --dylib_hijacking_a flag, which prints only the possible Dylib Hijacking vectors:
❯ CrimsonUroboros --dylib_hijacking_a -p executable
VULNERABLE ROOT BINARY: /Users/karmaz95/t/indirect_dylib_hijacking/executable
WRITEABLE EXISTING PATHS: /Users/karmaz95/t/indirect_dylib_hijacking/lib1.dylib
VULNERABLE DEPENDENCY: /Users/karmaz95/t/indirect_dylib_hijacking/lib1.dylib
WRITEABLE EXISTING PATHS: /Users/karmaz95/t/indirect_dylib_hijacking/lib2.dylib
  • Cosmetic changes to the --dylib_hijacking flag. It now indicates whether the binary is the ROOT binary, and each line starts with the status, followed by the path:
❯ CrimsonUroboros -p executable --dylib_hijacking
ROOT BINARY NOT PROTECTED: /Users/karmaz95/t/indirect_dylib_hijacking/executable
WRITEABLE EXISTING PATHS: /Users/karmaz95/t/indirect_dylib_hijacking/lib1.dylib
----------------------------
NOT PROTECTED: /Users/karmaz95/t/indirect_dylib_hijacking/lib1.dylib
WRITEABLE EXISTING PATHS: /Users/karmaz95/t/indirect_dylib_hijacking/lib2.dylib
----------------------------
NOT PROTECTED: /Users/karmaz95/t/indirect_dylib_hijacking/lib2.dylib
----------------------------
  • I repaired the prepareRogueDylib function used by --prepare_dylib. The option was broken because it worked on absolute paths, while a DYLIB_ID can contain an unresolved path such as @rpath/something.dylib. For this reason, the function now works on dylib names instead:
--prepare_dylib target_dylib_name

SNAKE III: CHECKSEC

  • Added the --has_lv flag, which reports whether Library Validation is enabled:
❯ CrimsonUroboros --has_lv -p executable
LIBRARY VALIDATION: False
  • I added LV (Library Validation) to the --checksec output:
❯ CrimsonUroboros --checksec -p executable
<==== CHECKSEC ======
PIE:            True
ARC:            False
STRIPPED:       False
CANARY:         False
NX STACK:       True
NX HEAP:        False
XN:             True
NOTARIZED:      False
ENCRYPTED:      False
RESTRICTED:     False
HARDENED:       False
APP SANDBOX:    False
FORTIFIED:      False
RPATH:          False
LV:             False
=====================>
  • Added a check for CS_RESTRICT (0x800) to RESTRICTED in --checksec; it now returns True if the __RESTRICT segment is present or the 0x800 code-signing flag is set.
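A stand-alone implementation of that RESTRICTED rule, added here as an example and not CrimsonUroboros's own code: it walks the LC_SEGMENT_64 load commands of a thin, little-endian 64-bit Mach-O looking for a __RESTRICT segment and ORs the result with the CS_RESTRICT bit. The cs_flags integer is assumed to have been read from the CodeDirectory already, and build_minimal_macho constructs a header-only fixture for testing rather than a loadable binary.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF      # 64-bit Mach-O magic (little-endian on disk)
LC_SEGMENT_64 = 0x19          # load command type for 64-bit segments
CS_RESTRICT = 0x800           # code-signing flag cited in the release note
HEADER_FMT = "<IiiIIIII"      # mach_header_64: 32 bytes
SEG_FMT = "<II16sQQQQiiII"    # segment_command_64: 72 bytes


def has_restrict_segment(data: bytes) -> bool:
    """Return True if the image carries an LC_SEGMENT_64 named __RESTRICT."""
    if len(data) < struct.calcsize(HEADER_FMT):
        return False
    magic, _cpu, _sub, _ftype, ncmds, _sizeofcmds, _flags, _res = struct.unpack_from(HEADER_FMT, data, 0)
    if magic != MH_MAGIC_64:
        return False  # not a thin 64-bit little-endian Mach-O; fat/32-bit images are out of scope here
    off = struct.calcsize(HEADER_FMT)
    for _ in range(ncmds):
        if off + 8 > len(data):
            break
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > len(data):
            break  # malformed load command: stop instead of reading past the buffer
        if cmd == LC_SEGMENT_64:
            segname = data[off + 8:off + 24].split(b"\0", 1)[0]
            if segname == b"__RESTRICT":
                return True
        off += cmdsize
    return False


def is_restricted(data: bytes, cs_flags: int) -> bool:
    """Mirror the --checksec rule: RESTRICTED if either signal is present."""
    return has_restrict_segment(data) or bool(cs_flags & CS_RESTRICT)


def build_minimal_macho(segnames) -> bytes:
    """Constructed test fixture: a mach_header_64 followed by one empty LC_SEGMENT_64 per name."""
    cmds = b"".join(
        struct.pack(SEG_FMT, LC_SEGMENT_64, struct.calcsize(SEG_FMT), name.ljust(16, b"\0"),
                    0, 0, 0, 0, 0, 0, 0, 0)
        for name in segnames
    )
    # cputype 0x0100000C = CPU_TYPE_ARM64, filetype 2 = MH_EXECUTE
    header = struct.pack(HEADER_FMT, MH_MAGIC_64, 0x0100000C, 0, 2, len(segnames), len(cmds), 0, 0)
    return header + cmds
```

Only the load-command walk is shown; reading cs_flags from the embedded code signature, and handling fat or 32-bit images, is left to the caller.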

MINOR

  • Repaired install section (removed uninstallable requirements)
  • Completed TODO tasks
    • Add check for DYLIB HIJACKING to --checksec
    • Add check for CS_RESTRICT (0x800) in --checksec to RESTRICTED
  • Updated README.md
  • Overall code maintenance for a better reader experience
  • Removed the try-except blocks in each Snake class so that errors are logged more verbosely.
  • Added an args argument to all .process() methods to keep the test_CrimsonUroboros.py code simpler; the parsed args are simply passed through to the method.