$hell on Earth
shell-on-earth
shell-on-earth
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
}<br />
if ( !(unsigned __int8)_mthid_isGestureC<strong>on</strong>figurati<strong>on</strong>Valid(v2) )<br />
CFRelease(a1);<br />
v1 = v2;<br />
}<br />
}<br />
return v1;<br />
At this point, the CFData object is freed. Now a thread is created to reclaim the freed memory with<br />
attacker-c<strong>on</strong>trolled values. Shortly after returning from the _mthid_unserializeGestureC<strong>on</strong>figurati<strong>on</strong><br />
functi<strong>on</strong>, another CFRelease call is made <strong>on</strong> this reclaimed memory locati<strong>on</strong>.<br />
0x7fff88ec6ebd : call 0x7fff892c7e88; symbol stub for:<br />
_mthid_unserializeGestureC<strong>on</strong>figurati<strong>on</strong><br />
0x7fff88ec6ec2 : mov r15, rax<br />
0x7fff88ec6ec5 : test r12, r12<br />
0x7fff88ec6ec8 : je 0x7fff88ec6ed2 ; <br />
0x7fff88ec6eca : mov rdi, r12<br />
0x7fff88ec6ecd : call 0x7fff892c7c12 ; symbol stub for: CFRelease<br />
If you are able to reclaim the data in time, you can fake out the method call within objc_msgSend and get<br />
direct code executi<strong>on</strong>.<br />
Exploitati<strong>on</strong> of CVE-2016-1804<br />
The optimal memory layout prior to triggering the vulnerability was achieved by doing the following:<br />
1. QuartzCore has a server that is running within WindowServer.<br />
2. The server port is acquired through calling CGSGetC<strong>on</strong>necti<strong>on</strong>PortById.<br />
3. Spray memory with CFDataCreateWithBytesNoCopy and CGSPropertyListCreateSerializedData.<br />
4. In order to reclaim the memory, call CGSPropertyListCreateSerializedData, which sends to<br />
_XRegisterClientOpti<strong>on</strong>s.<br />
5. Utilize a buffer of size 0x30 and send several times.<br />
6. Buffer c<strong>on</strong>tains the ROP chain and shellcode.<br />
7. Once the race c<strong>on</strong>diti<strong>on</strong> is w<strong>on</strong>, code is running inside of WindowServer, and root executi<strong>on</strong> is<br />
achieved simply by calling setuid(0).<br />
13 | <str<strong>on</strong>g>$hell</str<strong>on</strong>g> <strong>on</strong> <strong>Earth</strong>: From Browser to System Compromise