@nkaretnikov
Created April 26, 2020 01:42
diff --git a/readkmem/main.c b/readkmem/main.c
index bd0f398..f8aa47b 100644
--- a/readkmem/main.c
+++ b/readkmem/main.c
@@ -324,7 +324,7 @@ readkmem(void *buffer, mach_vm_address_t target_addr, size_t size)
kern_return_t kr = mach_vm_read_overwrite(g_kmem_source.kernel_port, target_addr, size, (mach_vm_address_t)buffer, &outsize);
if (kr != KERN_SUCCESS)
{
- ERROR_MSG("mach_vm_read_overwrite failed!");
+ ERROR_MSG("mach_vm_read_overwrite failed! kr: %d", kr);
exit(-1);
}
}
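Review bot: the message added at `+ ERROR_MSG("mach_vm_read_overwrite failed! kr: %d", kr);` prints only the raw kern_return_t number; pairing it with mach_error_string(kr) from <mach/mach_error.h> gives a readable reason next to the code, e.g. `ERROR_MSG("mach_vm_read_overwrite failed! kr: %d (%s)", kr, mach_error_string(kr));`. This assumes ERROR_MSG forwards printf-style arguments, which the hunk relies on but does not show.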
@@ -455,6 +455,7 @@ int main(int argc, char ** argv)
kern_return_t kr = 0;
int valid_kernel_port = 0;
+ /*
kr = processor_set_default(host_port, &proc_set_default);
if (kr == KERN_SUCCESS)
{
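Review bot: opening a block comment at `+ /*` that is closed only in the next hunk is fragile: C block comments do not nest, so any existing `/* ... */` inside the disabled region ends the comment early and the rest of the code compiles again. `#if 0` / `#endif` disables the same lines without that risk and states the intent. Since valid_kernel_port is now always 0 after this point, it would also be cleaner to select /dev/kmem with a command-line switch than to permanently disable the processor_set_default() path.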
@@ -470,10 +471,13 @@ int main(int argc, char ** argv)
}
}
}
+ */
+
/* kernel not vulnerable, try to use /dev/kmem */
if (valid_kernel_port == 0)
{
- if((g_kmem_source.fd = open("/dev/kmem",O_RDWR)) == -1)
+ // if((g_kmem_source.fd = open("/dev/kmem",O_RDWR)) == -1)
+ if((g_kmem_source.fd = open("/dev/kmem",O_RDONLY)) == -1)
{
ERROR_MSG("Error while opening /dev/kmem. Is /dev/kmem enabled?");
ERROR_MSG("Add parameter kmem=1 to /Library/Preferences/SystemConfiguration/com.apple.Boot.plist.");
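Review bot: the old line is kept as a `// if((g_kmem_source.fd = open("/dev/kmem",O_RDWR)) == -1)` comment; version control already records it, so remove it rather than leave dead code. Opening with O_RDONLY is the right default for a tool that only reads (least privilege), but the change should be accompanied by a check that nothing else in the program writes through g_kmem_source.fd, which this hunk does not show. The comment `/* kernel not vulnerable, try to use /dev/kmem */` that precedes this branch also no longer describes the control flow once the port check above is disabled.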
nkaretnikov commented Apr 26, 2020

Had to comment out the code for processor_set_tasks() vulnerability because /dev/kmem wasn't getting used otherwise.

System:

boot-args       -v kcsuffix=development keepsyms=1 debug=0x40 -zc zlog=kalloc.192 zrecs=256 kmem=1 slide=0

ProductName:    Mac OS X
ProductVersion: 10.13.6
BuildVersion:   17G66

Darwin test2.local 17.7.0 Darwin Kernel Version 17.7.0: Thu Jun 21 22:53:14 PDT 2018; root:xnu-4570.71.2~1/DEVELOPMENT_X86_64 x86_64

Output:

$ sudo ./readkmem/DerivedData/readkmem/Build/Products/Debug/readkmem -a 0xffffff7f80000000 -s 8
 _____           _ _____
| __  |___ ___ _| |  |  |_____ ___ _____
|    -| -_| .'| . |    -|     | -_|     |
|__|__|___|__,|___|__|__|_|_|_|___|_|_|_|
         Readkmem v0.6 - (c) fG!
-----------------------------------------
[ERROR] Error while trying to read from kmem. Asked 8 bytes from offset ffffff7f80000000, returned -1.

osfmk/mach/i386/vm_param.h:

#define VM_MIN_KERNEL_ADDRESS           ((vm_offset_t) 0xFFFFFF8000000000UL)
#define VM_MIN_KERNEL_AND_KEXT_ADDRESS  (VM_MIN_KERNEL_ADDRESS - 0x80000000ULL)
#define VM_MAX_KERNEL_ADDRESS           ((vm_offset_t) 0xFFFFFFFFFFFFEFFFUL)

bsd/dev/mem.c:

			/* Do some sanity checking */
			if ((kaddr > (VM_MAX_KERNEL_ADDRESS - c)) ||
			    (kaddr <= VM_MIN_KERNEL_AND_KEXT_ADDRESS)) {
				goto fault;
			}

https://opensource.apple.com/source/xnu/xnu-4570.71.2
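Replaying that sanity check against the address from the output above, as an added example that is not code from the gist or from readkmem: the constants are the ones quoted from vm_param.h, the helper names are assumed, and the point it makes visible is that 0xffffff7f80000000 is exactly VM_MIN_KERNEL_AND_KEXT_ADDRESS, which the `<=` comparison rejects.

```c
#include <stdint.h>
#include <stdio.h>

/* Constants copied from osfmk/mach/i386/vm_param.h in xnu-4570.71.2. */
#define VM_MIN_KERNEL_ADDRESS           ((uint64_t)0xFFFFFF8000000000ULL)
#define VM_MIN_KERNEL_AND_KEXT_ADDRESS  (VM_MIN_KERNEL_ADDRESS - 0x80000000ULL)
#define VM_MAX_KERNEL_ADDRESS           ((uint64_t)0xFFFFFFFFFFFFEFFFULL)

enum kmem_verdict { KMEM_OK = 0, KMEM_BELOW_MIN = 1, KMEM_ABOVE_MAX = 2 };

/* Mirror of the bsd/dev/mem.c sanity check for a read of c bytes at kaddr,
 * reporting which bound rejects it. The upper bound is written as
 * kaddr > MAX - c rather than kaddr + c > MAX so the sum cannot wrap;
 * in the kernel c is at most one page, so MAX - c never underflows. */
enum kmem_verdict kmem_check(uint64_t kaddr, uint64_t c)
{
    if (kaddr > (VM_MAX_KERNEL_ADDRESS - c))
        return KMEM_ABOVE_MAX;
    if (kaddr <= VM_MIN_KERNEL_AND_KEXT_ADDRESS)   /* note: <=, not < */
        return KMEM_BELOW_MIN;
    return KMEM_OK;
}

/* Lowest address the check accepts: one past the kext floor. */
uint64_t kmem_lowest_readable(void)
{
    return VM_MIN_KERNEL_AND_KEXT_ADDRESS + 1;
}

int main(void)
{
    /* The exact address and size from the failing readkmem invocation. */
    uint64_t addr = 0xffffff7f80000000ULL;
    uint64_t size = 8;
    static const char *names[] = { "ok", "below/at VM_MIN_KERNEL_AND_KEXT_ADDRESS",
                                   "above VM_MAX_KERNEL_ADDRESS" };
    printf("VM_MIN_KERNEL_AND_KEXT_ADDRESS = 0x%llx\n",
           (unsigned long long)VM_MIN_KERNEL_AND_KEXT_ADDRESS);
    printf("read %llu bytes at 0x%llx: %s\n", (unsigned long long)size,
           (unsigned long long)addr, names[kmem_check(addr, size)]);
    printf("lowest readable address: 0x%llx\n",
           (unsigned long long)kmem_lowest_readable());
    return 0;
}
```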
