7cb274b763
6 changes to exploits/shellcodes Microsoft Windows Windows 8.1/2012 R2 - SMB Denial of Service Microsoft Windows 8.1/2012 R2 - SMBv3 Null Pointer Dereference Denial of Service Apple macOS Sierra 10.12.1 - 'IOFireWireFamily' FireWire Port Denial of Service Apple OS X Yosemite - 'flow_divert-heap-overflow' Kernel Panic Apple macOS Sierra 10.12.3 - 'IOFireWireFamily-null-deref' FireWire Port Denial of Service Sony Playstation 4 (PS4) 4.05 - 'Jailbreak' WebKit / 'namedobj ' Kernel Loader Sony Playstation 4 (PS4) 4.05 - 'Jailbreak' WebKit / 'NamedObj ' Kernel Loader Apple macOS High Sierra 10.13 - 'ctl_ctloutput-leak' Information Leak Apple macOS Sierra 10.12.1 - 'physmem' Local Privilege Escalation Apple OS X 10.10.5 - 'rootsh' Local Privilege Escalation Sony Playstation 4 (PS4) 4.55 - 'Jailbreak' WebKit 5.01 / 'bpf' Kernel Loader 4.55 Sony Playstation 4 (PS4) 4.55 - 'Jailbreak' 'setAttributeNodeNS' WebKit 5.02 / 'bpf' Kernel Loader 4.55
1.3 KiB
rootsh
rootsh is a local privilege escalation targeting OS X Yosemite 10.10.5 build 14F27. It exploits CVE-2016-1758 and CVE-2016-1828, two vulnerabilities in XNU that were patched in OS X El Capitan 10.11.4 and 10.11.5. rootsh will not work on platforms with SMAP enabled.
CVE-2016-1758
CVE-2016-1758 is an information leak caused by copying out uninitialized bytes of kernel stack to user space. By comparing leaked kernel pointers with fixed reference addresses it is possible to recover the kernel slide.
CVE-2016-1828
CVE-2016-1828 is a use-after-free during object deserialization. By passing a crafted binary-serialized dictionary into the kernel, it is possible to trigger a virtual method invocation on an object with a controlled vtable pointer.
License
The rootsh code is released into the public domain. As a courtesy I ask that if you use any of this code in another project you attribute it to me.
Download: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44239.zip