@@ -55,55 +55,55 @@ Note: On iOS 12 and higher, use the following procedure to sign the debugserver | |
|
||
2) Connect to the device via SSH and create the file, named entitlements.xml, with the following content: | ||
|
||
```xml | ||
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN http://www.apple.com/DTDs/PropertyList-1.0.dtd"> | ||
<plist version="1.0"> | ||
<dict> | ||
<key>platform-application</key> | ||
<true/> | ||
<key>com.apple.private.security.no-container</key> | ||
<true/> | ||
<key>com.apple.private.skip-library-validation</key> | ||
<true/> | ||
<key>com.apple.backboardd.debugapplications</key> | ||
<true/> | ||
<key>com.apple.backboardd.launchapplications</key> | ||
<true/> | ||
<key>com.apple.diagnosticd.diagnostic</key> | ||
<true/> | ||
<key>com.apple.frontboard.debugapplications</key> | ||
<true/> | ||
<key>com.apple.frontboard.launchapplications</key> | ||
<true/> | ||
<key>com.apple.security.network.client</key> | ||
<true/> | ||
<key>com.apple.security.network.server</key> | ||
<true/> | ||
<key>com.apple.springboard.debugapplications</key> | ||
<true/> | ||
<key>com.apple.system-task-ports</key> | ||
<true/> | ||
<key>get-task-allow</key> | ||
<true/> | ||
<key>run-unsigned-code</key> | ||
<true/> | ||
<key>task_for_pid-allow</key> | ||
<true/> | ||
</dict> | ||
</plist> | ||
``` | ||
|
||
3) Type the following command to sign the debugserver binary: | ||
|
||
```bash | ||
ldid -Sentitlements.xml debugserver | ||
``` | ||
```xml | ||
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN http://www.apple.com/DTDs/PropertyList-1.0.dtd"> | ||
<plist version="1.0"> | ||
<dict> | ||
<key>platform-application</key> | ||
<true/> | ||
<key>com.apple.private.security.no-container</key> | ||
<true/> | ||
<key>com.apple.private.skip-library-validation</key> | ||
<true/> | ||
<key>com.apple.backboardd.debugapplications</key> | ||
<true/> | ||
<key>com.apple.backboardd.launchapplications</key> | ||
<true/> | ||
<key>com.apple.diagnosticd.diagnostic</key> | ||
<true/> | ||
<key>com.apple.frontboard.debugapplications</key> | ||
<true/> | ||
<key>com.apple.frontboard.launchapplications</key> | ||
<true/> | ||
<key>com.apple.security.network.client</key> | ||
<true/> | ||
<key>com.apple.security.network.server</key> | ||
<true/> | ||
<key>com.apple.springboard.debugapplications</key> | ||
<true/> | ||
<key>com.apple.system-task-ports</key> | ||
<true/> | ||
<key>get-task-allow</key> | ||
<true/> | ||
<key>run-unsigned-code</key> | ||
<true/> | ||
<key>task_for_pid-allow</key> | ||
<true/> | ||
</dict> | ||
</plist> | ||
``` | ||
|
||
3) Type the following command to sign the debugserver binary using @MASTG-TOOL-0111: | ||
|
||
|
||
```bash | ||
ldid -Sentitlements.xml debugserver | ||
``` | ||
|
||
4) Verify that the debugserver binary can be executed via the following command: | ||
|
||
|
||
```bash | ||
./debugserver | ||
``` | ||
```bash | ||
./debugserver | ||
``` | ||
|
||
You can now attach debugserver to any process running on the device. | ||
|
||
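Review bot: the DOCTYPE line in the entitlements.xml block (`<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN http://www.apple.com/DTDs/PropertyList-1.0.dtd">`) is malformed and is carried over unchanged on both sides of the hunk: the quote that should close the public identifier after `//EN` is missing, so the system identifier is swallowed into it and the declaration is not well-formed XML. The correctly quoted form appears in the entitlements-extraction technique page added in this same commit, `<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">`, and that block also opens with `<?xml version="1.0" encoding="UTF-8"?>`, which this one should too. Second, the fenced blocks between steps 2), 3) and 4) appear at the same indentation as the list items themselves, so each `N)` line starts a new list instead of continuing one; indenting the fences under their items (or switching to `1.` style numbering) keeps the procedure in a single list. Finally, since the step now names @MASTG-TOOL-0111 explicitly, one sentence of caveat next to it would help readers: the entitlements granted here (`task_for_pid-allow`, `com.apple.system-task-ports`, `run-unsigned-code`, `platform-application`) are what let the signed debugserver attach to any process on the device, so the signed binary belongs only on a dedicated jailbroken test device.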
@@ -0,0 +1,91 @@ | ||
--- | ||
title: Extracting Entitlements from MachO Binaries | ||
platform: ios | ||
--- | ||
|
||
To extract the entitlements from a MachO binary, the following tools can be used: | ||
|
||
- @MASTG-TOOL-0111 | ||
- @MASTG-TOOL-0105 | ||
- @MASTG-TOOL-0101 | ||
|
||
The different tools are used on the main binary of @MASTG-APP-0028, which contains two architectures. | ||
|
||
# ldid | ||
|
||
|
||
The entitlements can be extracted using `ldid -e <binary>`. The `-A` flag is added to specify the desired architecture (16777228:0, which is CPU_TYPE_ARM64:CPU_SUBTYPE_ARM64_ALL): | ||
|
||
```bash | ||
$ldid -e -A16777228:0 iGoat-Swift.app/iGoat-Swift | ||
``` | ||
|
||
```xml | ||
|
||
<?xml version="1.0" encoding="UTF-8"?> | ||
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> | ||
<plist version="1.0"> | ||
<dict> | ||
<key>application-identifier</key> | ||
|
||
<string>TNAJ496RHB.OWASP.iGoat-Swift</string> | ||
|
||
<key>com.apple.developer.team-identifier</key> | ||
|
||
<string>TNAJ496RHB</string> | ||
|
||
<key>get-task-allow</key> | ||
<true/> | ||
<key>keychain-access-groups</key> | ||
<array> | ||
<string>TNAJ496RHB.OWASP.iGoat-Swift</string> | ||
</array> | ||
</dict> | ||
</plist> | ||
``` | ||
|
||
|
||
# ipsw | ||
|
||
The entitlements can be extracted using `ipsw macho info -e <binary>`. The `-a` flag is added to specify the desired architecture: | ||
|
||
```bash | ||
$ ipsw macho info -e iGoat-Swift.app/iGoat-Swift -a arm64 | ||
``` | ||
```xml | ||
<?xml version="1.0" encoding="UTF-8"?> | ||
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> | ||
<plist version="1.0"> | ||
<dict> | ||
<key>application-identifier</key> | ||
<string>TNAJ496RHB.OWASP.iGoat-Swift</string> | ||
<key>com.apple.developer.team-identifier</key> | ||
<string>TNAJ496RHB</string> | ||
<key>get-task-allow</key> | ||
<true/> | ||
<key>keychain-access-groups</key> | ||
<array> | ||
<string>TNAJ496RHB.OWASP.iGoat-Swift</string> | ||
</array> | ||
</dict> | ||
</plist> | ||
``` | ||
|
||
# codesign | ||
|
||
The entitlements can be extracted using `codesign -d --entitlements - <binary>`. Make sure to include the `-` as the argument for the `--entitlements` flag: | ||
|
||
```bash | ||
$ codesign -d --entitlements - iGoat-Swift.app/iGoat-Swift | ||
``` | ||
```code | ||
Executable=/Users/owasp/iGoat/Payload/iGoat-Swift.app/iGoat-Swift | ||
[Dict] | ||
[Key] application-identifier | ||
[Value] | ||
[String] TNAJ496RHB.OWASP.iGoat-Swift | ||
[Key] com.apple.developer.team-identifier | ||
[Value] | ||
[String] TNAJ496RHB | ||
[Key] get-task-allow | ||
[Value] | ||
[Bool] true | ||
[Key] keychain-access-groups | ||
[Value] | ||
[Array] | ||
[String] TNAJ496RHB.OWASP.iGoat-Swift | ||
``` |
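Review bot: the new technique page has three top-level headings (`# ldid`, `# ipsw`, `# codesign`) under the front-matter title, which markdownlint flags as multiple top-level headings in one document; demote them to `##`. Smaller points in the same file: the ldid invocation reads `$ldid -e -A16777228:0 ...` with no space after the prompt, unlike `$ ipsw ...` and `$ codesign ...`; the command fences are immediately followed by their output fences with no blank line between them (the `ipsw` and `codesign` pairs show this directly), which markdownlint also flags; the codesign output fence is tagged ```code while every other block uses a real language tag, so `text` would be the consistent choice; and `Executable=/Users/owasp/iGoat/Payload/iGoat-Swift.app/iGoat-Swift` carries a local path that can be shortened. On content, the page would be more useful to a reviewer if it said why `-A16777228:0` is needed (the text already states the binary contains two architectures, so the reader should be told that without an architecture selector they get a fat binary and must pick one slice) and if it pointed out that the `get-task-allow` entitlement shown as `true` in all three outputs marks a debuggable development build, which is exactly the kind of finding this extraction step exists to surface.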
@@ -1,5 +1,5 @@ | ||
--- | ||
title: IPSW | ||
title: ipsw | ||
platform: ios | ||
source: https://github.com/blacktop/ipsw | ||
host: | ||
@@ -0,0 +1,13 @@ | ||
--- | ||
title: ldid | ||
platform: ios | ||
source: https://github.com/ProcursusTeam/ldid | ||
host: | ||
- windows | ||
- linux | ||
- macOS | ||
--- | ||
|
||
ldid is a Link Identity Editor created by Saurik. It allows you to view and update the entitlements of a MachO binary. | ||
|
||
The original source can be found at [https://git.saurik.com/ldid.git](https://git.saurik.com/ldid.git), while precompiled versions are available from the [ProcursusTeam's repo](https://github.com/ProcursusTeam/ldid). |
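Review bot: the description should name the two operations the rest of this commit actually relies on, `ldid -e` to dump a binary's entitlements (used in the new extraction technique) and `ldid -S<entitlements file>` to re-sign a binary with an entitlements file (used in the debugserver procedure, `ldid -Sentitlements.xml debugserver`), so a reader landing on the tool page knows which flags to look for. `MachO` is conventionally written `Mach-O`, here and in the new technique's title. The `source:` field points at the ProcursusTeam repository while the text says the original lives at git.saurik.com; a clause saying the Procursus repository is the one the guide's commands were run against would stop the two links reading as a contradiction.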