The Mac Hacker’s Handbook by Charlie Miller and me has just been published and is now shipping from Amazon. I have even spotted it in several bookstores, where you can usually find it in the Mac section. The book is all about Mac OS X-specific vulnerability discovery, reverse-engineering, exploitation, and post-exploitation.
For me, this book is the culmination of over 8 years of personal Mac OS X security research. I had bought and restored a NeXTSTATION Turbo Color in college and fell in love with the NeXTSTEP and OpenStep operating systems. When I got the check for my first pen-test, I bought a brand-new 500 MHz iBook to run OS X 10.0 on, and I have used OS X as my primary operating system ever since.
Of course, I started hacking on it immediately. I wrote a monitor-mode wireless packet capture driver for AirPort (Viha) back when the only documentation on IOKit was the Darwin source code and a series of emails on the darwin mailing lists from an Apple kernel developer. And that was just the first part of my WEP cracking project for my Crypto class. I was so stubborn about using my iBook for it that I wrote my own driver, stumbler, and WEP weak RC4 key cracker for it.
There was also very little documentation on shellcode for PowerPC around then. Palante and LSD had both released PowerPC shellcode, for Linux and AIX respectively, but there was nothing for OS X. I wrote my OS X PowerPC shellcode in a hotel room in Washington, D.C. a few days after DEFCON 9. As far as I know, I was the first to publish PowerPC shellcode that filled in the unused bits of the ‘sc’ instruction instead of dynamically overwriting them, because self-modifying code is pretty tricky on PowerPC. That shellcode is what appears encoded in the hex bytes on the cover of the book.
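The ‘sc’ trick mentioned above, as an added example that is neither the author’s shellcode nor the bytes on the cover: the canonical PowerPC `sc` encoding is 0x44000002, which puts two zero bytes in the middle of the instruction, and zero bytes are exactly what a string-copy overflow truncates on. The example below fills the bits the processor does not decode so the word stays a valid `sc` but contains no nulls, and it checks both properties. It assumes the classic 32-bit PowerPC behaviour where bits 6-29 and 31 of `sc` are reserved and ignored by the hardware (later Book III-S defines a LEV field in bits 20-26, which this example does not model); the fill value 0x00FFFF00 is one illustrative choice, not the only null-free one. The run-time alternative, writing the missing bytes into place just before executing them, is what the post calls tricky: PowerPC has split data and instruction caches, so the patched word has to be pushed out with dcbst/sync/icbi/isync before it will be fetched correctly.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Added example (not the book's or the author's shellcode): making the
 * PowerPC `sc` (system call) instruction null-free by setting bits the
 * processor does not decode, instead of patching the word at run time.
 *
 * PowerPC numbers bits big-endian: bit 0 is the most significant bit of the
 * 32-bit word. Canonical `sc` is 0x44000002: primary opcode 17 (0b010001)
 * in bits 0-5 and a 1 in bit 30. Assumption: classic 32-bit PowerPC, where
 * bits 6-29 and 31 of `sc` are reserved and ignored (the LEV field that
 * Book III-S later defines in bits 20-26 is not modelled here).
 */
#define PPC_SC_CANONICAL     0x44000002u
#define PPC_SC_OPCODE_MASK   0xFC000000u               /* bits 0-5 */
#define PPC_SC_BIT30_MASK    0x00000002u               /* bit 30   */
#define PPC_SC_DECODED_MASK  (PPC_SC_OPCODE_MASK | PPC_SC_BIT30_MASK)
#define PPC_SC_RESERVED_MASK (~PPC_SC_DECODED_MASK)    /* 0x03FFFFFD */

/* Copy every reserved bit from `fill` into `sc`; the decoded bits are untouched. */
uint32_t ppc_sc_fill_reserved(uint32_t fill)
{
    return PPC_SC_CANONICAL | (fill & PPC_SC_RESERVED_MASK);
}

/* 1 if the word still decodes as `sc` once the reserved bits are masked off. */
int is_ppc_sc(uint32_t insn)
{
    return (insn & PPC_SC_DECODED_MASK) == PPC_SC_CANONICAL;
}

/* Serialize an instruction word in PowerPC (big-endian) byte order. */
void encode_be32(uint32_t insn, uint8_t out[4])
{
    out[0] = (uint8_t)(insn >> 24);
    out[1] = (uint8_t)(insn >> 16);
    out[2] = (uint8_t)(insn >> 8);
    out[3] = (uint8_t)(insn);
}

/* Zero bytes in a buffer: the bytes a strcpy-style overflow would stop at. */
size_t count_null_bytes(const uint8_t *buf, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (buf[i] == 0)
            n++;
    return n;
}

/* Zero bytes in one instruction word, as it would sit in memory. */
size_t insn_null_bytes(uint32_t insn)
{
    uint8_t b[4];
    encode_be32(insn, b);
    return count_null_bytes(b, sizeof b);
}

/* Illustrative fill 0x00FFFF00 turns 44 00 00 02 into 44 ff ff 02 (an
 * assumption of this example, not a value taken from the book). Bits 0-5
 * and bit 30 are unchanged, so the word still traps into the kernel. */
uint32_t ppc_sc_null_free(void)
{
    return ppc_sc_fill_reserved(0x00FFFF00u);
}

int main(void)
{
    uint32_t plain = PPC_SC_CANONICAL;
    uint32_t filled = ppc_sc_null_free();
    uint8_t b[4];

    encode_be32(plain, b);
    printf("canonical sc: %02x %02x %02x %02x  nulls=%zu  sc=%d\n",
           b[0], b[1], b[2], b[3], insn_null_bytes(plain), is_ppc_sc(plain));
    encode_be32(filled, b);
    printf("filled sc   : %02x %02x %02x %02x  nulls=%zu  sc=%d\n",
           b[0], b[1], b[2], b[3], insn_null_bytes(filled), is_ppc_sc(filled));

    /* The run-time alternative, storing 0x02 and the zero bytes into place
     * before executing them, needs dcbst/sync/icbi/isync so the modified
     * word leaves the data cache and is invalidated in the instruction cache.
     * Filling reserved bits at assembly time avoids that sequence entirely. */
    return 0;
}
```

Any encoding this code accepts can be checked in the other direction with is_ppc_sc(), which is the test to run on a disassembler's output before trusting a null-free variant: if masking off the reserved bits does not give back 0x44000002, the word is no longer a system call.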
Alright, enough self-indulgent trips down memory lane. I presented “Mac OS Xploitation” at SOURCE Boston last week, and next week at CanSecWest I’ll be giving a bigger presentation with Charlie Miller called “Hacking Macs for Fun and Profit”. Stay tuned here for some more Mac tool releases.