Cocoa in the Shell

Execute a user program from kernel mode

In OS X there is an API called KUNC (Kernel-User Notification Center). This API is used by the kernel (typically a kext) when it wants to display notifications to users or launch a userland command.

There is a function, KUNCExecute(), which does this.

Its prototype can be found in xnu-xxxx.xx.x/osfmk/UserNotification/KUNCUserNotifications.h (available here) and looks like this:

/* values for pathExecutionType */
#define kOpenApplicationPath    0
#define kOpenPreferencePanel    1
#define kOpenApplication        2

/* values for openAsUser */
#define kOpenAppAsRoot          0
#define kOpenAppAsConsoleUser   1

kern_return_t KUNCExecute(char *executionPath, int openAsUser, int pathExecutionType);

The function is simple; here is a brief description of its three parameters:

  • executionPath: path to (or name of) the program to execute.

  • openAsUser: flag which takes the value kOpenAppAsConsoleUser to execute the program with the rights of the logged-in user, or kOpenAppAsRoot to execute the program as root.

  • pathExecutionType: flag which specifies the type of application to execute, one of the three values defined at the beginning:

      • kOpenApplicationPath: absolute path to a binary.

      • kOpenPreferencePanel: name of a Preference Pane in /System/Library/PreferencePanes.

      • kOpenApplication: name of an application in /Applications.

For example, if we wished to launch a backdoor located in /tmp, we would call:

KUNCExecute("/tmp/backdoor", kOpenAppAsRoot, kOpenApplicationPath);
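An added example (not from the post, nor from XNU): a check placed in front of KUNCExecute() that enforces the parameter meanings listed above before a kext hands a path to the kernel. It assumes the kern_return_t return type of the real header, the 1024-byte executionPath bound declared there, and a KERNEL build macro; built outside the kernel it only exercises the checks and launches nothing.

```c
/* Added example, not code from the post or from XNU: an argument check in front of
 * KUNCExecute() so a kext never hands the kernel a malformed request. Constants mirror
 * the header above; 1024 is the executionPath[1024] bound in KUNCUserNotifications.h. */
#include <string.h>

#define kOpenApplicationPath    0
#define kOpenPreferencePanel    1
#define kOpenApplication        2
#define kOpenAppAsRoot          0
#define kOpenAppAsConsoleUser   1
#define KUNC_PATH_MAX           1024

#ifdef KERNEL
#include <UserNotification/KUNCUserNotifications.h>
#else
/* Userland build exercises only the checks: Mach types with their real values, nothing launched. */
typedef int kern_return_t;
#define KERN_SUCCESS           0
#define KERN_INVALID_ARGUMENT  4
#endif
/* KERN_SUCCESS when the arguments agree with the documented meaning of pathExecutionType. */
kern_return_t kunc_check_args(const char *executionPath, int openAsUser, int pathExecutionType)
{
    size_t len = 0;
    if (executionPath == NULL) return KERN_INVALID_ARGUMENT;
    while (len < KUNC_PATH_MAX && executionPath[len] != '\0') len++;
    if (len == 0 || len >= KUNC_PATH_MAX) return KERN_INVALID_ARGUMENT; /* empty, or no room for NUL */
    if (openAsUser != kOpenAppAsRoot && openAsUser != kOpenAppAsConsoleUser) return KERN_INVALID_ARGUMENT;
    switch (pathExecutionType) {
    case kOpenApplicationPath:   /* absolute path to a binary, no parent-directory hops */
        if (executionPath[0] != '/' || strstr(executionPath, "/../") != NULL) return KERN_INVALID_ARGUMENT;
        if (len >= 3 && strcmp(executionPath + len - 3, "/..") == 0) return KERN_INVALID_ARGUMENT;
        return KERN_SUCCESS;
    case kOpenPreferencePanel:   /* bare name, resolved under /System/Library/PreferencePanes */
    case kOpenApplication:       /* bare name, resolved under /Applications */
        if (strchr(executionPath, '/') != NULL || executionPath[0] == '.') return KERN_INVALID_ARGUMENT;
        return KERN_SUCCESS;
    default:
        return KERN_INVALID_ARGUMENT;
    }
}
#ifdef KERNEL
/* Same signature as KUNCExecute(), but refuses bad input instead of passing it on. */
kern_return_t kunc_execute_checked(char *executionPath, int openAsUser, int pathExecutionType)
{
    kern_return_t kr = kunc_check_args(executionPath, openAsUser, pathExecutionType);
    return kr == KERN_SUCCESS ? KUNCExecute(executionPath, openAsUser, pathExecutionType) : kr;
}
#endif
```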