Abstract:
Mac OS X is starting to spread among users, and as it does, new exploitation techniques have to be discovered.
Even if a lot of interesting ways of exploitation on OS X were presented in the past, the lack of anti-forensics
techniques is clear.
The talk focuses on an in-memory injection technique: specifically, how it is possible to inject into
a victim's machine any kind of binary, ranging from your own piece of code to real applications like Safari.
This is accomplished without leaving traces on the hard disk and without creating a new process, since the whole
exploitation is performed in memory.
If an attacker is able to execute code on the target machine, this attack can be run instead of a classic shellcode and used as a trampoline for higher-level payloads.
Other similar payloads, like meterpreter or meterpretux, exist, but none of them is able to run on Mac OS X. Besides, many of those techniques require specifically crafted binaries to be run, which leaves pre-compiled applications out of the possible range of payloads.
Slides:
White Paper:
You can also find the proof of concept here and a video of the presentation here. Due to some problems I wasn't able to show the Safari demo during the presentation, so I wrote a follow-up on a Black Page.
NB: Please note that I haven't updated the code since the presentation was given, so it's unlikely to work on Snow Leopard.