macOS Kernel Fuzzer

macOS 10.13 kernel fuzzer using multiple different methods.

System Call Fuzzing

Both the BSD (SYSCALLS) and Mach (MACH_TRAPS) system dispatch tables are defined in the bughunt_syscalls.h file. A sample selection of system calls and library calls is provided to demonstrate how to implement additional calls. To increase coverage, further system calls and library calls must be implemented beyond the samples provided.

macOS Host Configuration

  1. Run host_setup/configure_panic_server.sh to set up the panic server on the host machine.

  2. Create a JSON config file to be used for the vm_manager.py script. An example default config can be found in host_setup/config.json.

  3. Follow the instructions for starting the VM Manager.

macOS Guest Configuration

  1. Deploy the latest macOS to a VM.

  2. Install the latest VMWare tools from https://my.vmware.com/web/vmware/details?downloadGroup=VMTOOLS1010&productId=491. At the time of writing this is VMware-Tools-10.1.0-other-4449150.

  3. Copy worker_setup/worker_setup.py to the initial VM and execute as follows:

python worker_setup.py -p <panic_server_host_address>

This step requires multiple reboots in order to disable SIP and ensure the nvram boot flags are set correctly.

  4. Clone the VM when it is in its prepared state to scale up. A script is provided to do this; an example invocation is as follows:
python clone_vmx.py --base_vmx "/Users/mwr/Documents/Virtual Machines.localized/macOS 10.12.vmwarevm/macOS 10.12.vmx" --clones 1

Where --base_vmx is the VMX file to use as a template for the clone and --clones is the number of clones to make. Note: the VM needs to be powered off and prepped.

This script will produce a list of VMX files which can then be taken and entered into the config file.

  5. Ensure there is a snapshot of each VM available with the same name as prepd_snapshot_name in the config file to revert back to. This will be automated at a future stage.

  6. Ensure the vmx_files path is updated to list all VMX files to be used by the fuzz run.

Usage

Running standalone

There are two methods for running the binary standalone. The first method is using remote network logging, which can be performed as follows:

./OSXFuzz -s 1 -l "192.168.0.1" -p 1337 -b 1,2

Where -s is the seed value. If this is set to 1, the PRNG will generate a new random seed; otherwise the given seed value is used.

-l is the remote logger IP address. -p is the remote logger port. -b is the syscall numbers to blacklist.

It is also possible to run the fuzzer with disk based logging. This can be performed as follows:

./OSXFuzz -s 1 -d - -b 1,2

-d is the directory in which the fuzzer log files will be stored. If - is passed, the current working directory is used to create these log files.

-D can be used to enable debug mode which will print all log statements to standard out.

Starting the VM Manager

The VM Manager and remote logger require the configuration JSON to be passed to vm_manager.py via the --config <filename> option. If this is not passed, the config will default to host_setup/config.json.

An example of a configuration is as follows:

{
  "host_settings": {
    "vmrun_path": "/Applications/VMware Fusion.app/Contents/Library/vmrun",
    "bughunt_start_src": "../start_bughunt.py",
    "bughunt_binary_src": "/Users/alex/Library/Developer/Xcode/DerivedData/OSXFuzz-aerykphcebbxjpfqusnxkdcbpkou/Build/Products/Debug/OSXFuzz",
    "crash_path": "/Users/alex/Documents/crashes",
    "panic_path": "/PanicDumps/",
    "logger_addr": "192.168.247.1",
    "logger_port": "1337",
    "vmmanager_addr": "192.168.247.1",
    "vmmanager_port": "8888",
    "vmx_files": [
      "/Users/mwr/Documents/Virtual Machines.localized/macOS 10.12.vmwarevm/macOS 10.12.vmx"
    ],
    "prepd_snapshot_name": "prepd"
  },
  "guest_settings": {
    "vm_username": "alex",
    "launch_path": "/tmp/start_bughunt.py"
  }
}

The settings are broken down into host settings (for the host system running VMWare) and guest settings which will be used on the VM guests.

The host settings are as follows:

vmrun_path is the location of the vmrun binary used for VMWare automation.

bughunt_start_src is the location on the host of the start_bughunt.py script which will be copied to the guests.

bughunt_binary_src is the location of the OSXFuzz binary on the host which will be copied to the guests.

crash_path is the location to store local crash data.

panic_path is the location which is used to store kernel panic logs, configured on the host.

logger_addr is the address which the remote log server should listen on. This needs to be exposed to the guest VMs.

logger_port is the port which the remote log server should listen on.

vmmanager_addr is the host IP address, exposed to the guest VMs, on which the VM Manager HTTP server is running.

vmmanager_port is the port which the VM Manager should listen on. Currently, the VM Manager binds to all interfaces. This also needs to be exposed to the guest VMs.

vmx_files is an array of paths to the VMX files used for each VM. Currently this array has to be configured manually to add new VMs to the fuzzing process.

prepd_snapshot_name is the snapshot name of when the VM is fully setup, which will be used when a revert occurs. This code assumes that all VMs have a snapshot with the same name setup.

The guest settings are as follows:

launch_path is the location of the start_bughunt.py script which is executed within the guest VM to start the deployment and fuzzing process. Currently this is copied to the guest VM and the path created.

vm_username is the username for the guest virtual machines. It is assumed that all VMs are configured using the same username/password combination currently. The vm password will be read in at runtime.
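As an added example (not part of the OSXFuzz project), a small Python validator for the config file described above. It checks that every documented host and guest key is present, that logger_addr and vmmanager_addr are concrete addresses the guests can reach rather than a wildcard, that the ports are in range, and that vmx_files lists existing .vmx files; the key names are those documented above, while the function names are my own.

```python
import json
import os
from ipaddress import ip_address

# Keys taken from the README's description of host_settings and guest_settings.
HOST_KEYS = ("vmrun_path", "bughunt_start_src", "bughunt_binary_src", "crash_path",
             "panic_path", "logger_addr", "logger_port", "vmmanager_addr",
             "vmmanager_port", "vmx_files", "prepd_snapshot_name")
GUEST_KEYS = ("vm_username", "launch_path")


def validate_config(cfg, check_paths=True):
    """Return a list of problems in a parsed config dict; an empty list means it is usable."""
    problems = []
    host = cfg.get("host_settings", {})
    guest = cfg.get("guest_settings", {})
    problems += [f"host_settings: missing {k}" for k in HOST_KEYS if k not in host]
    problems += [f"guest_settings: missing {k}" for k in GUEST_KEYS if k not in guest]
    # logger_addr / vmmanager_addr must be addresses the guests can actually reach;
    # a wildcard (0.0.0.0 / ::) binds everywhere but gives the guests nothing to call back to.
    for name in ("logger_addr", "vmmanager_addr"):
        try:
            if name in host and ip_address(host[name]).is_unspecified:
                problems.append(f"{name}: wildcard address is not reachable by guests")
        except ValueError:
            problems.append(f"{name}: not an IP address: {host[name]!r}")
    # The sample config stores ports as strings, so accept str or int in the valid range.
    for name in ("logger_port", "vmmanager_port"):
        try:
            if name in host and not 1 <= int(host[name]) <= 65535:
                problems.append(f"{name}: port out of range: {host[name]}")
        except (TypeError, ValueError):
            problems.append(f"{name}: not an integer port: {host[name]!r}")
    vmx_files = host.get("vmx_files")
    if not isinstance(vmx_files, list) or not vmx_files:
        problems.append("vmx_files: must be a non-empty list of .vmx paths")
    else:
        for path in vmx_files:
            if not str(path).endswith(".vmx"):
                problems.append(f"vmx_files: not a .vmx file: {path}")
            elif check_paths and not os.path.isfile(path):
                problems.append(f"vmx_files: file not found: {path}")
    return problems


def load_and_validate(path="host_setup/config.json", check_paths=True):
    """Load the JSON file vm_manager.py would read and validate it."""
    with open(path) as fh:
        return validate_config(json.load(fh), check_paths)
```

Run load_and_validate() before starting the VM Manager; pass check_paths=False when validating a config on a machine that does not hold the VMX files.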

When the VM Manager is configured, host_setup/vm_monitor.py is used to launch it and start the server listening.

Starting a fuzzing run

When the VM Manager is running and all VMs are up and in a ready state a fuzzing run can be initiated by running host_setup/start_vms.py. This will launch the fuzzer on each node and you should see the VMs check-in with the VM Manager and the loggers call back.

Performing library injection

If the config file contains a dylib_path option within guest_settings, this will be deployed to the host and can be used by a fuzzer script for dylib interpose based fuzzing.

Crash Detection and Reproduction

Crash detection is currently performed using the Panic Server and the PanicMonitor Python class. Crashes are stored locally until database management code is created.

In order to reproduce a crash, the repro.py script is run to convert the log into the correct format to compile. A Makefile is also generated, which can be used to rebuild the repro test case into a binary.
