The Python in the Apple
BSides Cleveland 2017
Spencer McIntyre
Agenda
• About Me
• Python ctypes Review
• Integration with Meterpreter (Railgun)
• Objective-C from Railgun
• Demonstration Time
About Me
• Spencer McIntyre
• Work at SecureState
• Research, Development, “Special” Projects
• BSOD-inducer
• Avid open source contributor
• Metasploit among others
• Python enthusiast
Railgun
Pew Pew Pew
Why do we care?
• One word: Stealth
• Everything here could be accomplished an “easier” way
• Writing files (often scripts) to disk
• Starting new processes
Meterpreter’s Railgun
• Standard API Extension of Meterpreter
• Remote FFI (Foreign Function Interface)
• Only available for Windows (prior to March 2017)
• Facilitates in-memory loading and calling of native library code from the target
• Used by many Windows post and a few local exploit modules
• You’ve probably used it without realizing it
Meterpreter’s Railgun
• Exposed through four basic Meterpreter API functions
• railgun_api
• Core functionality to load an arbitrary function, call it with defined parameters
and return results
• railgun_api_multi
• Execute multiple calls in a single transaction, offers better speed when used
• railgun_memread
• Read data out of the Meterpreter process, useful when pointers are returned
• railgun_memwrite
• Write data into the Meterpreter process
Python Meterpreter
• First non-Windows implementation of Railgun
• Heavily utilizes ctypes to make all of the native API calls
• memread / memwrite were deceptively difficult
• Linux version backed with process_vm_(read|write)
• ctypes already supported function calls so wrapping that was relatively cross-platform
• Error code retrieval is the primary difference
• Memory operations on the other hand…
OSX Memory Primitives
• Invalid access (read or write) results in segmentation fault when not done safely
• Segmentation fault = session closed
• Enter the libc’s mach_vm_*
• Accessible via standard ctypes methods
• Graceful failure will help you have a good time
• Error codes are returned for invalid addresses and invalid permissions
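The memread/memwrite primitive described on this slide, as an added example (my own code, not the talk's or the metasploit-payloads branch): it calls mach_vm_read_overwrite and mach_vm_write through ctypes so that an invalid address or a page without the right permissions comes back as a kern_return_t code rather than a segmentation fault. The class and helper names are mine; the libc handle is obtained with ctypes.util.find_library('c'), and make_probe builds a constructed target buffer inside the calling process.

```python
import ctypes
import ctypes.util
import sys

# kern_return_t values from <mach/kern_return.h>
KERN_SUCCESS = 0
KERN_NAMES = {0: 'KERN_SUCCESS', 1: 'KERN_INVALID_ADDRESS', 2: 'KERN_PROTECTION_FAILURE'}

def kern_return_name(kr):
    """Symbolic name for a kern_return_t; unknown codes keep their number."""
    return KERN_NAMES.get(kr, 'KERN_ERROR_%d' % kr)

def mach_available():
    return sys.platform == 'darwin'

def make_probe(data):
    """Constructed sample target: a buffer inside our own process plus its address."""
    buf = ctypes.create_string_buffer(data)
    return buf, ctypes.addressof(buf)

class MachMemory:
    """memread/memwrite over mach_vm_* (exported by libSystem): a bad address comes
    back as an error code instead of a SIGSEGV that would tear down the session."""
    def __init__(self):
        if not mach_available():
            raise OSError('mach_vm_* primitives exist only on macOS')
        libc = ctypes.CDLL(ctypes.util.find_library('c'))
        libc.mach_task_self.restype = ctypes.c_uint32
        libc.mach_vm_read_overwrite.restype = ctypes.c_int
        libc.mach_vm_read_overwrite.argtypes = [ctypes.c_uint32, ctypes.c_uint64, ctypes.c_uint64,
                                                ctypes.c_uint64, ctypes.POINTER(ctypes.c_uint64)]
        libc.mach_vm_write.restype = ctypes.c_int
        libc.mach_vm_write.argtypes = [ctypes.c_uint32, ctypes.c_uint64, ctypes.c_void_p, ctypes.c_uint32]
        self.libc, self.task = libc, libc.mach_task_self()

    def read(self, address, size):
        """Return (bytes, 'KERN_SUCCESS') on success, (None, error name) otherwise."""
        buf, out_size = ctypes.create_string_buffer(size), ctypes.c_uint64(0)
        kr = self.libc.mach_vm_read_overwrite(self.task, address, size,
                                              ctypes.addressof(buf), ctypes.byref(out_size))
        if kr != KERN_SUCCESS:
            return None, kern_return_name(kr)
        return buf.raw[:out_size.value], 'KERN_SUCCESS'

    def write(self, address, data):
        """Return the kern_return_t name; unmapped or read-only pages fail gracefully."""
        src = ctypes.create_string_buffer(data, len(data))
        kr = self.libc.mach_vm_write(self.task, address, ctypes.addressof(src), len(data))
        return kern_return_name(kr)
```

Reading address 0 (the __PAGEZERO segment of a 64-bit process) is the quick way to see the graceful failure: the call returns an error name where ctypes.string_at(0) would crash the interpreter.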
OSX APIs From Railgun
Less Pew Pew more Segmentation fault
OSX APIs
• APIs are provided by frameworks
• /System/Library/Frameworks
• Mach-O universal binaries
• Major ones
• Foundation
• Accounts
• Social
• Security
• Loadable by Python’s ctypes
• Not particularly useful, the interfaces exposed are insufficient by themselves
libobjc
• Provides the runtime for Objective-C code
• This is accessible via C, ctypes will work as expected
• Allows initialization and usage of Objective-C classes
• Severe lack of documentation
• Apple doesn’t advertise this method
• Internet is full of reasons why it’s a Bad Idea™
• Repetitive API to use Objective-C objects this way
• objc_getClass objc_msgSend sel_registerName
Bad Idea™
Objective-C Object
• Basically chaining calls to objc_msgSend
• id objc_msgSend(id self, SEL op, …);
• Uses the standard CDECL calling convention
• Accepts a variable number of arguments (this is key)
• First parameter is the class instance, (or the class itself when you’re first
creating an instance)
• Second parameter is the “method selector”
• This is a string passed to sel_registerName
• Contains the method name and parameters by name
Objective-C Object
```python
import ctypes
import ctypes.util

# dlopen('Foundation.framework/Foundation', RTLD_LAZY): registers NSString with the runtime
ctypes.CDLL('/System/Library/Frameworks/Foundation.framework/Foundation')
objc = ctypes.CDLL(ctypes.util.find_library('objc'))
# Declare types, otherwise ctypes truncates 64-bit pointers to C ints
objc.objc_getClass.restype = objc.sel_registerName.restype = ctypes.c_void_p
objc.objc_getClass.argtypes = objc.sel_registerName.argtypes = [ctypes.c_char_p]
objc.objc_msgSend.restype = ctypes.c_void_p
objc.objc_msgSend.argtypes = [ctypes.c_void_p, ctypes.c_void_p]  # self, SEL, then variadic
NSUTF8StringEncoding = 4  # NSStringEncoding constant from Foundation

# [[NSString alloc] initWithCString:"Hello World" encoding:NSUTF8StringEncoding]
nsstring = objc.objc_msgSend(
    objc.objc_msgSend(objc.objc_getClass(b'NSString'), objc.sel_registerName(b'alloc')),
    objc.sel_registerName(b'initWithCString:encoding:'),
    ctypes.c_char_p(b'Hello World'),
    ctypes.c_ulong(NSUTF8StringEncoding),
)
```
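The repetitive objc_getClass / sel_registerName / objc_msgSend pattern from the previous two slides, folded into a small helper as an added example (my own code, not the talk's): every message is one objc_msgSend call whose fixed (self, SEL) part is typed once and whose variadic tail is typed per call, and the NSString is read back through UTF8String and length to confirm the round trip. ObjCRuntime, send, cls and nsstring_roundtrip are my names; the libobjc handle comes from ctypes.util.find_library('objc').

```python
import ctypes
import ctypes.util
import sys

NSUTF8StringEncoding = 4  # NSStringEncoding constant from Foundation

def objc_available():
    return sys.platform == 'darwin'

class ObjCRuntime:
    """Thin wrapper over libobjc so a message send reads like [obj selector:arg]."""
    def __init__(self):
        if not objc_available():
            raise OSError('libobjc exists only on macOS')
        self.objc = ctypes.CDLL(ctypes.util.find_library('objc'))
        ctypes.CDLL('/System/Library/Frameworks/Foundation.framework/Foundation')
        self.objc.objc_getClass.restype = ctypes.c_void_p
        self.objc.objc_getClass.argtypes = [ctypes.c_char_p]
        self.objc.sel_registerName.restype = ctypes.c_void_p
        self.objc.sel_registerName.argtypes = [ctypes.c_char_p]

    def cls(self, name):
        return self.objc.objc_getClass(name.encode())

    def send(self, receiver, selector, *args, restype=ctypes.c_void_p):
        """objc_msgSend(receiver, SEL, ...): args are ctypes instances so each call
        carries the method's real signature (objc_msgSend itself is just a trampoline)."""
        fn = self.objc.objc_msgSend
        fn.restype = restype
        fn.argtypes = [ctypes.c_void_p, ctypes.c_void_p] + [type(a) for a in args]
        return fn(receiver, self.objc.sel_registerName(selector.encode()), *args)

def nsstring_roundtrip(text):
    """Build an NSString from Python text and read it back; returns (length, text)."""
    rt = ObjCRuntime()
    obj = rt.send(rt.cls('NSString'), 'alloc')
    obj = rt.send(obj, 'initWithCString:encoding:',
                  ctypes.c_char_p(text.encode('utf-8')), ctypes.c_ulong(NSUTF8StringEncoding))
    length = rt.send(obj, 'length', restype=ctypes.c_ulong)
    back = rt.send(obj, 'UTF8String', restype=ctypes.c_char_p).decode('utf-8')
    rt.send(obj, 'release', restype=None)  # balance the alloc; not a fault if forgotten, just a leak
    return length, back
```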
Demonstration Time!
• Tying it all together to run an Apple Script in memory
• Uses NSAppleScript
Beware Faults
Code is Public
• https://github.com/zeroSteiner/metasploit-framework
• https://github.com/zeroSteiner/metasploit-payloads
• Both branches are pymet-rg-osx
Further Reading & Resources
• How Meterpreter’s Railgun works
• https://community.rapid7.com/community/metasploit/blog/2017/05/18/recen
t-python-meterpreter-improvements
• https://warroom.securestate.com/inner-workings-railgun/
• Spencer McIntyre
• Twitter: @zeroSteiner
Thank You For Your Time!