POC详情: 2f0cf1f0d751838b700768668b7e99bc2c2693dc

来源
https://github.com/bazad/physmem
关联漏洞
标题: Apple OS X El Capitan IOHIDFamily 缓冲区溢出漏洞 (CVE-2016-1825)
描述:Apple OS X El Capitan是美国苹果(Apple)公司为Mac计算机所开发的一套专用操作系统。IOHIDFamily API是其中的一个内核扩展(人机接口设备的抽象接口)API组件。 Apple OS X El Capitan 10.11.5之前版本的IOHIDFamily中存在安全漏洞。攻击者可借助特制的应用利用该漏洞以内核权限执行任意代码或造成拒绝服务(内存损坏)。
描述
Local privilege escalation through macOS 10.12.1 via CVE-2016-1825 or CVE-2016-7617.
介绍
## physmem

<!-- Brandon Azad -->

physmem is a physical memory inspection tool and local privilege escalation targeting macOS up
through 10.12.1. It exploits either [CVE-2016-1825] or [CVE-2016-7617] depending on the deployment
target. These two vulnerabilities are nearly identical, and exploitation can be done exactly the
same. They were patched in OS X El Capitan [10.11.5] and macOS Sierra [10.12.2], respectively.

[CVE-2016-1825]: https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-1825
[CVE-2016-7617]: https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-7617
[10.11.5]: https://support.apple.com/en-us/HT206567
[10.12.2]: https://support.apple.com/en-us/HT207423

Because these are logic bugs, exploitation is incredibly reliable. I have not yet experienced a
panic in the tens of thousands of times I've run a program (correctly) exploiting these
vulnerabilities.

### CVE-2016-1825

CVE-2016-1825 is an issue in IOHIDevice which allows setting arbitrary IOKit registry properties.
In particular, the privileged property IOUserClientClass can be controlled by an unprivileged
process. I have not tested platforms before Yosemite, but the vulnerability appears in the source
code as early as Mac OS X Leopard.

### CVE-2016-7617

CVE-2016-7617 is an almost identical issue in AppleBroadcomBluetoothHostController. This
vulnerability appears to have been introduced in OS X El Capitan. It was reported by Ian Beer of
Google's Project Zero (issue [974]) and Radu Motspan.

[974]: https://bugs.chromium.org/p/project-zero/issues/detail?id=974

### Building

Build physmem by specifying your deployment target on the command line:

    $ make MACOSX_DEPLOYMENT_TARGET=10.10.5

### Running

You can read a word of physical memory using the read command:

    $ ./physmem read 0x1000
    a69a04f2f59625b3

You can write to physical memory using the write command:

    $ ./physmem write 0x1000 0x1122334455667788
    $ ./physmem read 0x1000
    1122334455667788

You can exec a root shell using the root command:

    $ ./physmem root
    sh-3.2# whoami
    root

### License

The physmem code is released into the public domain. As a courtesy I ask that if you reference or
use any of this code you attribute it to me.
文件快照

 [4.0K]  /data/pocs/2f0cf1f0d751838b700768668b7e99bc2c2693dc
├── [ 497]  fail.c
├── [ 462]  fail.h
├── [4.0K]  kernel_image.c
├── [ 785]  kernel_image.h
├── [2.0K]  kernel_slide.c
├── [ 487]  kernel_slide.h
├── [3.0K]  main.c
├── [ 570]  Makefile
├── [4.9K]  physmem.c
├── [1.2K]  physmem.h
├── [4.4K]  privilege_escalation.c
├── [ 406]  privilege_escalation.h
├── [2.2K]  README.md
├── [ 181]  syscall_code.h
├── [6.1K]  syscall_hook.c
├── [ 991]  syscall_hook.h
└── [1.5K]  syscall_hook.s

0 directories, 17 files
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。