关联漏洞
标题:
Apple iOS和OS X kernel 竞争条件漏洞
(CVE-2016-1757)
描述:Apple iOS和OS X都是美国苹果(Apple)公司的产品。前者是为移动设备所开发的一套操作系统,后者是为Mac计算机所开发的一套专用操作系统。Kernel是其中的一个内核组件。 Apple iOS 9.3之前版本和OS X 10.11.4之前版本的kernel中存在竞争条件漏洞。攻击者可借助特制的应用程序利用该漏洞以提升的权限执行任意代码。
描述
Exploit code for CVE-2016-1757
介绍
Mach Race OS X Local Privilege Escalation Exploit
(c) fG! 2015, 2016, reverser@put.as - https://reverse.put.as
----------------
A SUID, SIP, and binary entitlements universal OS X exploit (CVE-2016-1757).
----------------
Usage against a SUID binary:
./mach_race_server /bin/ps _compat_mode
for i in `seq 0 1000000`; do ./mach_race_client /bin/ps; done
Against an entitled binary to bypass SIP:
./mach_race_server /System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/Resources/system_shove _geteuid
for i in `seq 0 1000000`; do ./mach_race_client /System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/Resources/system_shove; done
Note: because the service name is not modified you can't chain this exploit from user to root and then use it to bypass SIP since bootstrap_register2 will fail the second time (service is already registered with launchd from the first run). The solution is to add a parameter to use a different service name for example.
Note2: there's no need to make this into two separate apps, a single binary works, you just need to fork a server and client.
----------
References:
https://reverse.put.as/wp-content/uploads/2016/04/SyScan360_SG_2016_-_Memory_Corruption_is_for_wussies.pdf
http://googleprojectzero.blogspot.pt/2016/03/race-you-to-kernel.html
--------------
Tested against Mavericks 10.10.5, Yosemite 10.10.5, El Capitan 10.11.2 and 10.11.3.
Fixed in El Capitan 10.11.4.
Should work with all OS X versions (depends if bootstrap_register2 exists on older versions).
Alternative implementation with bootstrap_create_server possible for older versions.
文件快照
[4.0K] /data/pocs/596f9880d5453bb03243e65d7f531bb8c71ec7ff
├── [4.0K] mach_race_client
│ ├── [4.0K] mach_race_client
│ │ └── [6.3K] main.c
│ └── [4.0K] mach_race_client.xcodeproj
│ └── [8.6K] project.pbxproj
├── [4.0K] mach_race_server
│ ├── [4.0K] mach_race_server
│ │ ├── [2.3K] logging.h
│ │ ├── [ 22K] main.c
│ │ ├── [2.5K] simple_ipc_common.h
│ │ ├── [6.0K] utils.c
│ │ └── [2.2K] utils.h
│ └── [4.0K] mach_race_server.xcodeproj
│ └── [8.4K] project.pbxproj
├── [4.0K] mach_race.xcworkspace
│ └── [ 275] contents.xcworkspacedata
└── [1.6K] README.md
7 directories, 10 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。