11 matches found
Apple OS X Kernel - IOBluetoothFamily.kext Use-After-Free Exploit
Exploit for macOS platform in category dos / poc / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=830 When you create a new IOKit user client from userspace you call: kern_return_t IOServiceOpen(io_service_t service, task_port_t owningTask, uint32_t type, io_connect_t *connect); The...
Apple OS X Kernel - IOBluetoothFamily.kext Use-After-Free
Apple OS X Kernel - IOBluetoothFamily.kext Use-After-Free / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=830 When you create a new IOKit user client from userspace you call: kern_return_t IOServiceOpen(io_service_t service, task_port_t owningTask, uint32_t type, io_connect_t *connect);...
Apple Mac OSX - IOBluetoothHCIUserClient Arbitrary Kernel Code Execution
Apple Mac OSX - IOBluetoothHCIUserClient Arbitrary Kernel Code Execution / Source: https://code.google.com/p/google-security-research/issues/detail?id=569 IOBluetoothHCIUserClient uses an IOCommandGate to dispatch external methods; it passes a pointer to the structInput of the external method as...
Apple Mac OSX - IOBluetoothHCIUserClient Arbitrary Kernel Code Execution
Exploit for macOS platform in category dos / poc / Source: https://code.google.com/p/google-security-research/issues/detail?id=569 IOBluetoothHCIUserClient uses an IOCommandGate to dispatch external methods; it passes a pointer to the structInput of the external method as arg0 and...
Apple Mac OSX - 'IOBluetoothHCIUserClient' Arbitrary Kernel Code Execution
/ Source: https://code.google.com/p/google-security-research/issues/detail?id=569 IOBluetoothHCIUserClient uses an IOCommandGate to dispatch external methods; it passes a pointer to the structInput of the external method as arg0 and ::SimpleDispatchWL as the Action. It neither passes nor checks t...
Local privilege escalation vulnerability discovered in Yosemite - vulnerability warning - the black bar safety net
Overview: following our previous research, we performed more tests on the IOBluetoothHCIController service in Yosemite 10.10.1, the latest version of Mac OS X, and found an additional 5 security vulnerabilities. We have submitted the related issues to Apple Security, and, on...
OS X 10.10 Bluetooth DispatchHCICreateConnection - Crash PoC
Exploit for macOS platform in category dos / poc / crash-issue1.c: Written for Mac OS X Yosemite 10.10 by @rpaleari and @joystick. Exploits a missing check in IOBluetoothHCIUserClient::DispatchHCICreateConnection causing a panic. gcc -Wall -o crash-issue1{,.c} -framework IOKit / include include...
Mac OS X Mavericks IOBluetoothHCIUserClient Privilege Escalation
No description provided by source. / pwn.c, by @rpaleari and @joystick This PoC exploits a missing sign check in IOBluetoothHCIUserClient::SimpleDispatchWL. Tested on Mac OS X Mavericks 10.9.4/10.9.5. Compile with: gcc -Wall -o pwn{,.c} -framework IOKit / include stdio.h include string.h include...
Mac OS X Mavericks IOBluetoothHCIUserClient Privilege Escalation Exploit
Exploit for iOS platform in category dos / poc / pwn.c, by @rpaleari and @joystick This PoC exploits a missing sign check in IOBluetoothHCIUserClient::SimpleDispatchWL. Tested on Mac OS X Mavericks 10.9.4/10.9.5. Compile with: gcc -Wall -o pwn{,.c} -framework IOKit / include include include include...
Apple Mac OSX (Mavericks) - 'IOBluetoothHCIUserClient' Privilege Escalation
/ pwn.c, by @rpaleari and @joystick This PoC exploits a missing sign check in IOBluetoothHCIUserClient::SimpleDispatchWL. Tested on Mac OS X Mavericks 10.9.4/10.9.5. Compile with: gcc -Wall -o pwn{,.c} -framework IOKit / include include include include include uint64_t payload / Your payload goes...
Apple Mac OSX (Mavericks) - IOBluetoothHCIUserClient Privilege Escalation
Apple Mac OSX Mavericks - IOBluetoothHCIUserClient Privilege Escalation / pwn.c, by @rpaleari and @joystick This PoC exploits a missing sign check in IOBluetoothHCIUserClient::SimpleDispatchWL. Tested on Mac OS X Mavericks 10.9.4/10.9.5. Compile with: gcc -Wall -o pwn{,.c} -framework IOKit / includ...