Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2016-1757 PoC — Apple iOS和OS X kernel 竞争条件漏洞

Source
https://github.com/gdbinit/mach_race
Associated Vulnerability
Title:Apple iOS和OS X kernel 竞争条件漏洞 (CVE-2016-1757)
Description:Race condition in the kernel in Apple iOS before 9.3 and OS X before 10.11.4 allows attackers to execute arbitrary code in a privileged context via a crafted app.
Description
Exploit code for CVE-2016-1757
Readme
Mach Race OS X Local Privilege Escalation Exploit

(c) fG! 2015, 2016, reverser@put.as - https://reverse.put.as

----------------

A SUID, SIP, and binary entitlements universal OS X exploit (CVE-2016-1757).

----------------

Usage against a SUID binary:

./mach_race_server /bin/ps _compat_mode

for i in `seq 0 1000000`; do ./mach_race_client /bin/ps; done

Against an entitled binary to bypass SIP:

./mach_race_server /System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/Resources/system_shove _geteuid

for i in `seq 0 1000000`; do ./mach_race_client /System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/Resources/system_shove; done

Note: because the service name is not modified you can't chain this exploit from user to root and then use it to bypass SIP since bootstrap_register2 will fail the second time (service is already registered with launchd from the first run). The solution is to add a parameter to use a different service name for example.

Note2: there's no need to make this into two separate apps, a single binary works, you just need to fork a server and client.

----------

References:

https://reverse.put.as/wp-content/uploads/2016/04/SyScan360_SG_2016_-_Memory_Corruption_is_for_wussies.pdf

http://googleprojectzero.blogspot.pt/2016/03/race-you-to-kernel.html

--------------

Tested against Mavericks 10.10.5, Yosemite 10.10.5, El Capitan 10.11.2 and 10.11.3.

Fixed in El Capitan 10.11.4.

Should work with all OS X versions (depends if bootstrap_register2 exists on older versions).

Alternative implementation with bootstrap_create_server possible for older versions.
File Snapshot

 [4.0K]  /data/pocs/596f9880d5453bb03243e65d7f531bb8c71ec7ff
├── [4.0K]  mach_race_client
│   ├── [4.0K]  mach_race_client
│   │   └── [6.3K]  main.c
│   └── [4.0K]  mach_race_client.xcodeproj
│       └── [8.6K]  project.pbxproj
├── [4.0K]  mach_race_server
│   ├── [4.0K]  mach_race_server
│   │   ├── [2.3K]  logging.h
│   │   ├── [ 22K]  main.c
│   │   ├── [2.5K]  simple_ipc_common.h
│   │   ├── [6.0K]  utils.c
│   │   └── [2.2K]  utils.h
│   └── [4.0K]  mach_race_server.xcodeproj
│       └── [8.4K]  project.pbxproj
├── [4.0K]  mach_race.xcworkspace
│   └── [ 275]  contents.xcworkspacedata
└── [1.6K]  README.md

7 directories, 10 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →