Share
## https://sploitus.com/exploit?id=9468DA25-5BAF-5EC8-8534-B104C852E1E7
# cb  - Binary Analysis Toolkit for macOS/iOS Security Research

A command-line toolkit for binary security analysis, vulnerability research, and exploit development on macOS and iOS targets. 30+ commands covering reconnaissance, vulnerability scanning, IPC analysis, crash triage, fuzzer generation, Ghidra/LLDB integration, and more.

Built for security researchers, bug bounty hunters, and red teamers working on Apple platforms.

## Features

**Reconnaissance**
- `cb triage`  - Quick security overview (protections, imports, strings, sections)
- `cb attack`  - Attack surface mapping (IPC endpoints, parsers, entitlements)
- `cb objc`  - Objective-C runtime analysis (classes, selectors, dangerous methods)
- `cb grep`  - Binary content search (disassembly, bytes, strings, ROP/JOP gadgets)

**Vulnerability Analysis**
- `cb vuln`  - Pattern-based vulnerability scanner with optional Ghidra decompilation
- `cb variant`  - Find variant bugs from 12 known vulnerability patterns
- `cb taint`  - Inter-procedural taint tracking (sources to sinks via Ghidra)
- `cb callgraph`  - Call graph recovery and dangerous sink reachability
- `cb audit`  - Full security audit (runs triage + attack + vuln + objc + ipc + sandbox + variant)

**IPC & Sandbox**
- `cb ipc`  - XPC/Mach/MIG handler analysis
- `cb sandbox`  - Sandbox profile and entitlement analysis
- `cb probe`  - Live XPC service probing (compiles ObjC probe binary on first use)

**Dynamic Analysis**
- `cb lldb`  - Scripted LLDB debugging (modules, symbols, memory, breakpoints)
- `cb hook`  - Frida instrumentation harness generation
- `cb verify`  - Run binaries under macOS memory guards (MallocGuardEdges, MallocScribble)

**Exploit Development**
- `cb cache`  - Extract binaries from dyld shared cache
- `cb struct`  - Recover struct field layouts from ARM64 disassembly
- `cb heap`  - macOS heap zone classification and spray planning
- `cb gadget`  - ARM64 ROP/JOP gadget finder and chain builder (PAC-aware)

**Crash Analysis**
- `cb crash`  - Crash report parser with exploitability assessment and PoC generation
- `cb diff`  - Binary version diffing with security-focused mode

**Web Security**
- `cb web`  - Security header, CSP, CORS, cookie, and endpoint auditing

**Workflow**
- `cb plan`  - Generate deterministic audit plans from triage data
- `cb report`  - Structured vulnerability reports (Markdown, HTML, bug bounty templates)
- `cb context`  - Token budget management for AI-assisted workflows

## Install

```bash
# Clone and install
git clone https://github.com/catbyte-security/catbyte-toolkit.git
cd catbyte-toolkit
pip install -e .

# With full Mach-O parsing support
pip install -e ".[full]"
```

**Requirements:** Python 3.10+, macOS (primary target)

**Required dependencies:** pwntools, capstone, pyelftools, ROPGadget

**Optional:** [LIEF](https://lief.re/) (better Mach-O parsing), [Ghidra](https://ghidra-sre.org/) (decompilation/taint/callgraph), [Frida](https://frida.re/) (dynamic hooks), LLDB (debugging)

## Quick Start

```bash
# Security overview of a binary
cb triage /usr/libexec/syspolicyd

# Full audit
cb audit /usr/libexec/syspolicyd

# Attack surface mapping
cb attack /usr/libexec/syspolicyd --depth deep

# Find vulnerabilities with Ghidra decompilation
cb vuln target --decompiled --severity high

# XPC service analysis pipeline
cb ipc target --protocol
cb sandbox target --reachable-from /usr/libexec/sandboxd
cb probe com.apple.securityd --enumerate-messages

# Crash-driven exploit development
cb crash report.ips --generate-poc --poc-output poc.py
cb variant --from-crash report.ips --heuristic

# Exploit chain development
cb cache extract-all --targets exploit
cb struct recover ~/.cb/dsc_extract/*/SkyLight --functions SLSSetWindowLevel,SLSSetWindowAlpha
cb heap plan 288 --spray-count 5000 --language objc
cb gadget chain ~/.cb/dsc_extract/*/WindowServer --template mprotect_shellcode
```

## Pipeline Chaining

All commands output JSON and can be piped together:

```bash
# Triage -> Vulnerability scan
cb triage target | cb vuln --from-triage -

# Crash -> Variant analysis
cb crash report.ips | cb variant --from-crash -

# Full audit -> Report
cb audit target | cb report --from-audit - --template bugbounty --markdown

# Triage -> Plan -> Execute
cb triage target --full | cb plan target --from-triage -
```

## Output Formats

Every command supports structured output:

```bash
cb triage target --format json      # JSON (default, for AI/pipeline)
cb triage target --format text      # Human-readable
cb triage target --summary          # One-line summary
cb triage target --max-results 20   # Cap list lengths
cb triage target -q                 # Suppress progress messages
```

## Configuration

Optional config at `~/.cbconfig.json`:

```json
{
  "ghidra_home": "/Applications/ghidra_11.0",
  "ghidra_project_dir": "~/.cb/ghidra_projects",
  "default_format": "json",
  "default_max_results": 50
}
```

Ghidra is auto-detected from common install locations if not configured.

## Chrome/Chromium Analysis

Includes specialized patterns for Chrome security research:

```bash
cb vuln /path/to/Chromium.app --chrome          # Mojo IPC, V8, sandbox patterns
cb fuzz chrome_helper --mojo --target MyInterface  # Mojo IPC fuzzer (MojoLPM)
cb sandbox /path/to/Chrome.app --chrome          # Chrome sandbox profile analysis
```

## Architecture

```
cb/
  cli.py              # Unified dispatcher: cb 
  output.py           # OutputFormatter (JSON/text/summary)
  config.py           # ~/.cbconfig.json loader
  macho.py            # Mach-O parser (otool/nm/codesign/LIEF)
  disasm.py           # Capstone disassembler + objdump fallback
  ghidra_bridge.py    # Ghidra headless analysis
  lldb_bridge.py      # LLDB scripted debugging
  commands/           # One file per command (30 modules)
  patterns/           # Vulnerability signatures, gadget patterns, Chrome patterns
  ghidra_scripts/     # Java scripts for Ghidra headless
  lldb_scripts/       # Python scripts for LLDB
  probe_scripts/      # ObjC probing tools
```

## Tests

```bash
pip install -e .
pytest tests/ -v
```

## License

MIT