Sierra Had a Little Lamb: A Userland Kit for MacOS
Category: Exploit Development
Summary: Long gone are the days of trivially exploiting a single service to gain root; today, multiple exploits are typically strung together into an exploit chain. If part of the chain fails, the attacker is left having to investigate the target while attempting to remain hidden.
In this talk I introduce LAMB, a multi-stage solution to this scenario that attempts to hide an attacker’s activities without requiring system privileges. The talk will cover how this is accomplished through a variety of techniques, including user-space execve and scheduling, a virtual file cache, shadow file descriptor tables and more. I will also discuss ways to mitigate the high resource usage of the compromised application and ways to operate within the common sandbox profiles on the system.