Kali Linux

Boko : Application Hijack Scanner For macOS

Boko.py is an application scanner for macOS that searches for and identifies potential dylib hijacking and weak dylib vulnerabilities for application executables, as well as scripts an application may use that have the potential to be backdoored. The tool also calls out interesting files and lists them instead of manually browsing the file system for analysis. With the active discovery function, there’s no more guess work if an executable is vulnerable to dylib hijacking!

The reason behind creating this tool was because I wanted more control over the data Dylib Hijack Scanner discovered. Most publicly available scanners stop once they discover the first case of a vulnerable dylib without expanding the rest of the rpaths. Since sometimes the first result is expanded in a non-existent file within a SIP-protected area, I wanted to get the rest of those expanded paths. Because of this, there are false positives, so the tool assigns a certainty field for each item.

CertaintyDescription
DefiniteThe vulnerability is 100% exploitable
HighIf the vulnerability is related to a main executable and rpath is 2nd in the load order, there is a good chance the vulnerability is exploitable
PotentialThis is assigned to dylibs and backdoorable scripts, worth looking into but may not be exploitable
LowLow chance this is exploitable because of late load order, but knowledge is power

The backbone of this tool is based off of scan.py from DylibHijack by Patrick Wardle (@synack).

Usage

boko.py [-h] (-r | -i | -p /path/to/app) (-A | -P | -b) [-oS outputfile | -oC outputfile | -oA outputfile] [-s] [-v]

Parameters

ArgumentDescription
-h, –helpShow this help message and exit
-r, –runningCheck currently running processes
-i, –installedCheck all installed applications
-p /file.appCheck a specific application i.e. /Application/Safari.app
-A, –activeExecutes executable binaries discovered to actively identify hijackable dylibs
-P, –passivePerforms checks only by viewing file headers (Default)
-b, –bothPerforms both methods of vulnerability testing
-oS outputfileOutputs standard output to a .log file
-oC outputfileOutputs results to a .csv file
-oA outputfileOutputs results to a .csv file and standard log
-s, –sipdisabledUse if SIP is disabled on the system to search typically read-only paths
-v, –verboseOutput all results in verbose mode while script runs, without this only Definite certainty vulnerabilities are displayed to the console

It is recommended only to use active mode (-A) with the -p flag and selecting a specific program. Also, it’s a good idea to use -v with -oS or -oA, unless you are only looking for definite certainty vulnerabilities.

Warning Note: It is highly discouraged to run this tool with the -i and (-A or –b) flags together. This combination will open every executable on your system for 3 seconds at a time. I do not take any responsibility for your system crashing or slowing down because you ran that. Additionally, if you have dormant malware on your system, this will execute it. I also recommend not scanning the whole /Applications directory if you have Xcode installed because it takes a very long time.

Requirements

  • Python 3
  • python -m pip install psutil

Process Flow

Passive mode
Running
  • Identify all running processes on system
  • Obtain full path of running executable
  • Read executables and identify macho headers
  • Identify dylib relative paths that are loaded and check if files exist in that location
  • Output hijackable dylibs and weak dylibs for running applications
Installed/Application
  • Scan full directory of application for all files
  • Identify executable files, scripts, and other interesting files in application directory
  • Read executables and identify macho headers or if the file is a script
  • Identify dylib relative paths that are loaded and check if files exist in that location
  • Output hijackable dylibs, weak dylibs, backdoorable scripts, and interesting files (verbose only)
Active mode
Running
  • Identify all running processes on system
  • Obtain full path of running executable
  • Read executables and identify macho headers
  • Execute the executable binaries for 3 seconds and analyze rpaths that are attempted to load
  • Output hijackable dylibs and weak dylibs for running applications
Application
  • Scan full directory of application for all files
  • Identify executable files, scripts, and other interesting files in application directory
  • Read executables and identify macho headers or if the file is a script
  • Execute the executable binaries for 3 seconds and analyze rpaths that are attempted to load
  • Output hijackable dylibs, weak dylibs, backdoorable scripts, and interesting files (verbose only)
R K

Recent Posts

ROADTools: The Modern Azure AD Exploration Framework

ROADTools is a powerful framework designed for exploring and interacting with Microsoft Azure Active Directory…

13 hours ago

How to Enumerate Microsoft 365 Groups Using PowerShell and Python

Microsoft 365 Groups (also known as M365 Groups or Unified Groups) are at the heart…

13 hours ago

SeamlessPass: Using Kerberos Tickets to Access Microsoft 365

SeamlessPass is a specialized tool designed to leverage on-premises Active Directory Kerberos tickets to obtain…

1 day ago

PPLBlade: Advanced Memory Dumping and Obfuscation Tool

PPLBlade is a powerful Protected Process Dumper designed to capture memory from target processes, hide…

2 days ago

HikPwn : Simple Scanner For Hikvision Devices With Basic Vulnerability Scanning

HikPwn: Comprehensive Guide to Scanning Hikvision Devices for Vulnerabilities If you’re searching for an efficient…

2 days ago

Comments in Bash Scripts

What Are Bash Comments? Comments in Bash scripts, are notes in your code that the…

1 week ago