Shellcoding exercise no.2 MacOS ARM64

Video link: https://www.youtube.com/watch?v=7F64-BfC1d4
Duration: 7:22

Here is another scenario which I think is really interesting: we simulate a user executing the shellcode (reverse shell) test binary on the latest macOS, 12.0.1 (arm64).
Microsoft disclosed an interesting privilege escalation, Shrootless (https://www.microsoft.com/security/blog/2021/10/28/microsoft-finds-new-macos-vulnerability-shrootless-that-could-bypass-system-integrity-protection/), and the write-up describes how zsh processes .zshenv on macOS.

- Key point: as the user who executed the payload, we can modify that user's ~/.zshenv and plant backdoor code that zsh sources every time the user opens a shell or logs in, and also when the user runs sudo -s and elevates to root. The latter is the more interesting case: the default macOS sudoers keeps HOME across sudo (Defaults env_keep += "HOME MAIL"), so the root shell started by sudo -s still reads the invoking user's .zshenv, and our code runs with root privileges. That lets us perform elevated operations, as you can see in the video.

Credit goes to Microsoft's Jonathan Bar Or, of course, since this is a really nice LPE attack technique :)
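As an added example (not part of the video or its description), the script below audits the two conditions the technique depends on: whether a sudoers file keeps HOME, and whether a user's .zshenv contains lines that look planted. The function names, the grep heuristics and the sample sudoers/.zshenv files are my own constructions; nothing here reads or writes the real ~/.zshenv or /etc/sudoers.

```shell
#!/usr/bin/env bash
# Added audit helper (not from the video). zsh sources /etc/zshenv and then
# ${ZDOTDIR:-$HOME}/.zshenv for every invocation, so a user-writable .zshenv
# is sourced by the root shell that "sudo -s" starts whenever sudoers keeps
# HOME (macOS ships: Defaults env_keep += "HOME MAIL"). The functions below
# check both halves of that chain against constructed sample files only.

# Path zsh will source for a given HOME and (possibly empty) ZDOTDIR.
zshenv_path() {
    local home=$1 zdotdir=$2
    printf '%s/.zshenv\n' "${zdotdir:-$home}"
}

# Return 0 if a sudoers file preserves HOME across sudo (env_keep lists it),
# which is what makes the invoking user's .zshenv reachable from root's zsh.
sudoers_keeps_home() {
    grep -Eq '^[[:space:]]*Defaults[[:space:]]+env_keep[[:space:]]*\+?=.*[^[:alnum:]_]HOME([^[:alnum:]_]|$)' "$1"
}

# Print (with line numbers) lines of a .zshenv that look planted; return 0 if
# any match. The heuristics are an assumption to tune for your fleet: root
# checks, raw sockets, download tools, interactive shells, base64 decode.
flag_zshenv() {
    grep -En \
        -e '(EUID|UID)[[:space:]]*(-eq|==)[[:space:]]*0' \
        -e 'id[[:space:]]+-u' \
        -e '/dev/tcp/' \
        -e '(^|[^[:alnum:]_])(nc|ncat|curl|wget)([^[:alnum:]_.-]|$)' \
        -e '(^|[^[:alnum:]_])(ba|z)?sh[[:space:]]+-i([^[:alnum:]_]|$)' \
        -e 'base64[[:space:]]+(-d|-D|--decode)' \
        "$1"
}

# Constructed samples live in a scratch directory, removed on exit.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT

# Constructed sudoers fragment in the macOS default style (keeps HOME).
cat >"$DEMO_DIR/sudoers.macos" <<'EOF'
Defaults    env_reset
Defaults    env_keep += "BLOCKSIZE"
Defaults    env_keep += "HOME MAIL"
root ALL=(ALL) ALL
EOF

# Constructed hardened fragment: env_reset without HOME in env_keep, so
# root's zsh reads root's own .zshenv, not the invoking user's.
cat >"$DEMO_DIR/sudoers.hardened" <<'EOF'
Defaults    env_reset
Defaults    env_keep += "BLOCKSIZE"
root ALL=(ALL) ALL
EOF

# Constructed benign .zshenv.
cat >"$DEMO_DIR/benign.zshenv" <<'EOF'
export PATH="$HOME/bin:$PATH"
export EDITOR=vim
EOF

# Constructed planted .zshenv: the extra block only fires when the sourcing
# shell is root, i.e. the "sudo -s" case. The action is an inert placeholder.
cat >"$DEMO_DIR/planted.zshenv" <<'EOF'
export PATH="$HOME/bin:$PATH"
if [[ $EUID -eq 0 ]]; then
    /usr/bin/touch /private/var/root/.marker  # placeholder for elevated action
fi
EOF

# Stand-alone report over the samples.
for f in "$DEMO_DIR"/*.zshenv; do
    if flag_zshenv "$f" >/dev/null; then
        echo "SUSPICIOUS: $f"
        flag_zshenv "$f" | sed 's/^/    /'
    else
        echo "clean: $f"
    fi
done
for s in "$DEMO_DIR"/sudoers.*; do
    if sudoers_keeps_home "$s"; then
        echo "$s: HOME kept, root's zsh sources $(zshenv_path '$HOME' '')"
    else
        echo "$s: HOME reset, root's zsh sources /var/root/.zshenv"
    fi
done
```

Run it against a real host by pointing sudoers_keeps_home at /etc/sudoers (as root) and flag_zshenv at each /Users/*/.zshenv; a file that changed right after a suspicious process ran, or that contains a root check, is the artefact this technique leaves behind.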