### MAJOR

- Added the `SnakeV` class!
- Implemented tests

#### SNAKE I: Mach-O

- I added the `--imported_symbols` flag, which prints external symbols grouped, sorted, and in a grepable form. Example:

```
symbol_name : library1
symbol_name : library1
symbol_name : library2
symbol_name : library3
```
#### SNAKE IV: DYLIBS

- Added the `--dylib_hijacking_a` flag; it prints only the possible Dylib Hijacking vectors:

```
❯ CrimsonUroboros --dylib_hijacking_a -p executable
VULNERABLE ROOT BINARY: /Users/karmaz95/t/indirect_dylib_hijacking/executable
WRITEABLE EXISTING PATHS: /Users/karmaz95/t/indirect_dylib_hijacking/lib1.dylib
VULNERABLE DEPENDENCY: /Users/karmaz95/t/indirect_dylib_hijacking/lib1.dylib
WRITEABLE EXISTING PATHS: /Users/karmaz95/t/indirect_dylib_hijacking/lib2.dylib
```

- Cosmetic changes to the `--dylib_hijacking` flag. It now prints whether the binary is ROOT, and each entry starts with the status, then the path:

```
CrimsonUroboros -p executable --dylib_hijacking
ROOT BINARY NOT PROTECTED: /Users/karmaz95/t/indirect_dylib_hijacking/executable
WRITEABLE EXISTING PATHS: /Users/karmaz95/t/indirect_dylib_hijacking/lib1.dylib
----------------------------
NOT PROTECTED: /Users/karmaz95/t/indirect_dylib_hijacking/lib1.dylib
WRITEABLE EXISTING PATHS: /Users/karmaz95/t/indirect_dylib_hijacking/lib2.dylib
----------------------------
NOT PROTECTED: /Users/karmaz95/t/indirect_dylib_hijacking/lib2.dylib
----------------------------
```

- I repaired the `prepareRogueDylib` function for `--prepare_dylib`. The option was broken because it works on absolute paths, while `DYLIB_ID` could contain unresolved paths like `@rpath/something.dylib`. For this reason, the function now works on dylib names: `--prepare_dylib target_dylib_name`
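To make the `--dylib_hijacking` audit logic concrete, here is an added example (my own code, not CrimsonUroboros's) that models what such a check has to do: expand `@executable_path`, `@loader_path` and `@rpath` in the order dyld searches, stop at the first existing `@rpath` candidate, report existing paths the current user can write, and follow loaded dependencies so indirect vectors (the `lib1.dylib` to `lib2.dylib` case above) surface. The dependency graph, the `/Users/demo/...` paths and the `exists_fn`/`writable_fn` hooks are constructed for the example; a real tool reads `LC_LOAD_DYLIB` and `LC_RPATH` out of each Mach-O it visits and uses the real filesystem.

```python
import os
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Finding:
    dependency: str  # the LC_LOAD_DYLIB string exactly as written in the binary
    resolved: str    # the absolute path dyld would try for it
    exists: bool
    writable: bool


def default_exists(path: str) -> bool:
    return os.path.exists(path)


def default_writable(path: str) -> bool:
    # os.access asks the OS about the current user's effective permissions
    return os.access(path, os.W_OK)


def expand_special(path: str, executable_dir: str, loader_dir: str) -> str:
    """Expand @executable_path / @loader_path; @rpath is handled by candidate_paths."""
    if path.startswith("@executable_path"):
        path = executable_dir + path[len("@executable_path"):]
    elif path.startswith("@loader_path"):
        path = loader_dir + path[len("@loader_path"):]
    return os.path.normpath(path)


def candidate_paths(dependency: str, rpaths: List[str],
                    executable_dir: str, loader_dir: str) -> List[str]:
    """Every location dyld would try for one dependency, in search order."""
    if dependency.startswith("@rpath/"):
        tail = dependency[len("@rpath/"):]
        return [os.path.join(expand_special(rp, executable_dir, loader_dir), tail)
                for rp in rpaths]
    return [expand_special(dependency, executable_dir, loader_dir)]


def audit_binary(dependencies: List[str], rpaths: List[str], binary_path: str,
                 executable_dir: Optional[str] = None,
                 exists_fn: Callable[[str], bool] = default_exists,
                 writable_fn: Callable[[str], bool] = default_writable) -> List[Finding]:
    """Resolve each dependency; flag existing candidates the current user can write."""
    loader_dir = os.path.dirname(binary_path)
    executable_dir = executable_dir or loader_dir
    findings: List[Finding] = []
    for dep in dependencies:
        for cand in candidate_paths(dep, rpaths, executable_dir, loader_dir):
            exists = exists_fn(cand)
            findings.append(Finding(dep, cand, exists, exists and writable_fn(cand)))
            if exists:
                break  # dyld loads the first @rpath candidate that exists
    return findings


def writable_existing_paths(findings: List[Finding]) -> List[str]:
    return [f.resolved for f in findings if f.exists and f.writable]


# Graph shape: binary path -> (LC_LOAD_DYLIB entries, LC_RPATH entries)
def audit_tree(graph: Dict[str, Tuple[List[str], List[str]]], root: str,
               exists_fn: Callable[[str], bool] = default_exists,
               writable_fn: Callable[[str], bool] = default_writable) -> Dict[str, List[str]]:
    """Audit the root binary and every dependency it actually loads (indirect vectors)."""
    executable_dir = os.path.dirname(root)
    report: Dict[str, List[str]] = {}
    queue, seen = [root], set()
    while queue:
        binary = queue.pop(0)
        if binary in seen or binary not in graph:
            continue  # binaries outside the graph (e.g. system libraries) are not parsed here
        seen.add(binary)
        deps, rpaths = graph[binary]
        findings = audit_binary(deps, rpaths, binary, executable_dir, exists_fn, writable_fn)
        writable = writable_existing_paths(findings)
        if writable:
            report[binary] = writable
        queue.extend(f.resolved for f in findings if f.exists)
    return report


def format_report(report: Dict[str, List[str]], root: str) -> List[str]:
    """Grepable lines in the spirit of the --dylib_hijacking_a output."""
    lines: List[str] = []
    for binary, paths in report.items():
        label = "VULNERABLE ROOT BINARY" if binary == root else "VULNERABLE DEPENDENCY"
        lines.append(f"{label}: {binary}")
        lines.extend(f"WRITEABLE EXISTING PATHS: {p}" for p in paths)
    return lines


# Constructed sample graph mirroring the layout in the output above (no real files).
BASE = "/Users/demo/t/indirect_dylib_hijacking"
SAMPLE_GRAPH = {
    f"{BASE}/executable": (["@rpath/lib1.dylib", "/usr/lib/libSystem.B.dylib"],
                           ["@executable_path"]),
    f"{BASE}/lib1.dylib": (["@loader_path/lib2.dylib"], []),
    f"{BASE}/lib2.dylib": ([], []),
}


def sample_exists(path: str) -> bool:
    return path in SAMPLE_GRAPH or path == "/usr/lib/libSystem.B.dylib"


def sample_writable(path: str) -> bool:
    return path.startswith(BASE)  # pretend only the user's own directory is writable


if __name__ == "__main__":
    result = audit_tree(SAMPLE_GRAPH, f"{BASE}/executable", sample_exists, sample_writable)
    print("\n".join(format_report(result, f"{BASE}/executable")))
```

The `exists_fn`/`writable_fn` hooks exist so the resolution logic can be unit-tested without touching the filesystem; drop the arguments to audit real paths. Note that `os.access` reports the current user's view, so a run as root will call almost everything writable.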
#### SNAKE III: CHECKSEC

- Added a Library Validation check, `--has_lv`:

```
❯ CrimsonUroboros --has_lv -p executable
LIBRARY VALIDATION: False
```

- I added LV (Library Validation) to the `--checksec` option:

```
❯ CrimsonUroboros --checksec -p executable
<==== CHECKSEC ======
PIE: True
ARC: False
STRIPPED: False
CANARY: False
NX STACK: True
NX HEAP: False
XN: True
NOTARIZED: False
ENCRYPTED: False
RESTRICTED: False
HARDENED: False
APP SANDBOX: False
FORTIFIED: False
RPATH: False
LV: False
=====================>
```

- Added a check for `CS_RESTRICT` (`0x800`) in `--checksec` to `RESTRICTED`; it now returns True if the `__RESTRICT` segment is used or the `0x800` flag is set.
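As an added example (mine, not the project's code) of the rule the `RESTRICTED` entry now applies, the block below walks the load commands of a constructed little-endian 64-bit Mach-O looking for a `__RESTRICT` segment and combines that with the `CS_RESTRICT` (`0x800`) bit of the code-signing flags. The flags value is assumed to come from elsewhere (the CodeDirectory inside `LC_CODE_SIGNATURE`, or the `flags=` field that `codesign -dv` prints); `CS_REQUIRE_LV` (`0x2000`) is taken from XNU's cs_blobs.h and is not on the page. `build_macho` fabricates the input bytes, so nothing is read from disk, and FAT or 32-bit files are rejected rather than handled.

```python
import struct
from typing import Dict, List

MH_MAGIC_64 = 0xFEEDFACF   # little-endian 64-bit Mach-O
LC_SEGMENT_64 = 0x19
CS_RESTRICT = 0x800        # the code-signing flag described above
CS_REQUIRE_LV = 0x2000     # CS_REQUIRE_LV from XNU's cs_blobs.h (assumption, not on the page)
HEADER_SIZE = 32           # struct mach_header_64: 8 x uint32
SEGMENT_CMD_SIZE = 72      # struct segment_command_64 without its section headers


def segment_names(data: bytes) -> List[str]:
    """Walk the load commands of a thin 64-bit Mach-O and return its segment names."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for a Mach-O header")
    magic, _cputype, _cpusub, _filetype, ncmds, sizeofcmds, _flags, _res = \
        struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("only little-endian 64-bit thin Mach-O is handled here")
    names: List[str] = []
    off = HEADER_SIZE
    end = min(len(data), HEADER_SIZE + sizeofcmds)
    for _ in range(ncmds):
        if off + 8 > len(data):
            raise ValueError("truncated load command")
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        # cmdsize is attacker-controlled file data: bound it before using it as an offset
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("malformed load command size")
        if cmd == LC_SEGMENT_64:
            if cmdsize < SEGMENT_CMD_SIZE:
                raise ValueError("short LC_SEGMENT_64")
            raw = data[off + 8:off + 24]              # char segname[16]
            names.append(raw.split(b"\0", 1)[0].decode("ascii", "replace"))
        off += cmdsize
    return names


def is_restricted(data: bytes, cs_flags: int) -> bool:
    """RESTRICTED as described above: __RESTRICT segment present or CS_RESTRICT set."""
    return "__RESTRICT" in segment_names(data) or bool(cs_flags & CS_RESTRICT)


def has_library_validation(cs_flags: int) -> bool:
    return bool(cs_flags & CS_REQUIRE_LV)


def checksec_subset(data: bytes, cs_flags: int) -> Dict[str, bool]:
    """The two checksec rows this example can compute."""
    return {"RESTRICTED": is_restricted(data, cs_flags),
            "LV": has_library_validation(cs_flags)}


def build_macho(segments: List[str]) -> bytes:
    """Constructed minimal Mach-O: a header plus one empty LC_SEGMENT_64 per name."""
    cmds = b"".join(
        struct.pack("<2I16s4Q4I", LC_SEGMENT_64, SEGMENT_CMD_SIZE, name.encode("ascii"),
                    0, 0, 0, 0,      # vmaddr, vmsize, fileoff, filesize
                    0, 0, 0, 0)      # maxprot, initprot, nsects, flags
        for name in segments)
    header = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2,  # arm64, MH_EXECUTE
                         len(segments), len(cmds), 0, 0)
    return header + cmds


if __name__ == "__main__":
    sample = build_macho(["__PAGEZERO", "__TEXT", "__RESTRICT", "__LINKEDIT"])
    for key, value in checksec_subset(sample, 0).items():
        print(f"{key}: {value}")
```

Because `ncmds`, `sizeofcmds` and every `cmdsize` are read from the file, the walker bounds each one before using it as an offset; a hostile or truncated binary then fails with `ValueError` instead of reading out of range.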
### MINOR

- Repaired the install section (removed uninstallable requirements)
- Completed TODO tasks:
  - Add check for DYLIB HIJACKING to `--checksec`
  - Add check for `CS_RESTRICT` (`0x800`) in `--checksec` to `RESTRICTED`
- Updated README.md
- Overall code maintenance for a better reader experience
- Removed try-except blocks in each Snake class for more verbose error logging.
- Added an `args` argument to all `.process()` methods to make the `test_CrimsonUroboros.py` code simpler. This just passes the `args` to the method.