2017年07月08日
InsomniaX 2.1.8任意内核扩展加载漏洞

/*
 * Excerpt: builds the path of Insomnia_r11.kext under the home directory of
 * the real uid, then, for kMyAuthorizedLoad, runs `chown -R root:wheel` on
 * that path followed by `kextload` on it. The listing is cut off inside the
 * switch; `status` and `myCommand` are declared outside the excerpt.
 *
 * Security-relevant point: the kext path is rooted in the caller's home
 * directory, and nothing visible here validates the bundle (owner, contents,
 * signature) before it is re-owned to root:wheel and handed to kextload.
 * NOTE(review): chown to root:wheel and kextload need root, so this
 * presumably runs with elevated privileges; confirm against the caller.
 * Mitigation: keep the kext in a root-owned location that unprivileged users
 * cannot write, and verify the bundle before loading it.
 */
/* getpwuid() may return NULL; the result is dereferenced below unchecked. */
struct passwd *pw = getpwuid(getuid());
    
/* Alias into the passwd record itself, not a private copy. */
char *homedir = pw->pw_dir;
 
/*
 * strcat() appends in place and returns its destination, so homedir,
 * supportPath and kextPath all point at the same pw->pw_dir storage. That
 * buffer's capacity is not known here, so both appends can write past its
 * end. A bounded snprintf() into a local buffer would avoid this.
 */
char *supportPath = strcat(homedir, "/Library/Application Support/InsomniaX");
const char *kextPath = strcat(supportPath, "/Insomnia_r11.kext");
    
switch(myCommand->authorizedCommandId)
{
   case kMyAuthorizedLoad: {
      /* Child code. fork() == -1 (failure) is not distinguished and takes
       * the parent branch. */
      if(fork() == 0) {
#ifdef DEBUG
         fprintf(stderr, "CHOWN\n");
#endif
         /* Make fd 1 a copy of fd 2 so chown's stdout goes to stderr. */
         dup2(2,1);
         /* Recursively re-own the bundle at the home-directory path to
          * root:wheel. If execl() fails, the child keeps running past this
          * block; there is no _exit() here. */
         execl("/usr/sbin/chown", "chown", "-R", "root:wheel", kextPath, NULL);
      }
      /* Parent code. */
      else {
         /* Waits for a child, but `status` is not inspected before the next
          * fork: a failed chown does not stop the load attempt. */
         wait(&status);
         /* Second child: loads the kext. */
         if(fork() == 0) {
#ifdef DEBUG
            fprintf(stderr, "KEXTLOAD\n");
#endif
            dup2(2,1);
            /* The path is re-resolved here, separately from the chown above,
             * so the bundle can change between the two steps. */
            execl("/sbin/kextload", "kextload", kextPath, NULL);
         }




