Monday, February 05, 2007

Warning... long post on how OS X does not have ASLR.

One of the commenters on my “Bill Gates fights back” post made a very interesting statement that I felt deserved an entire blog entry.

“First off, check the address spaces of the same framework on two different computers' crash logs on OS X. Not identical.”

Ok. Because of my job I just happen to have a DoS and a weaponized version of MoAB #1 lying around. Since popping a shell won’t get me the crash logs I need, we have to use the DoS. I wrote the exploit based on HDM’s WMF module; it’s pretty nifty.

msf exploit(MOAB-01-Quicktime_rtsp) > exploit
[*] Started bind handler
[*] Using URL:
[*] Server started.
[*] Exploit running as background job.
msf exploit(MOAB-01-Quicktime_rtsp) >

Visiting the URL gets you a crash. I do this on my desktop machine (a Mac mini) and my test machine (also a Mac mini), and get a crash log on each.
Then I diff the two.
$ diff testmacmini.log desktop.crash.log
<> Host Name: david-maynors-computer-2
> Date/Time: 2007-02-05 08:55:15.473 -0500
<> Parent: WindowServer [62]
<> PID: 191
<> Thread 4:
> 0 libSystem.B.dylib 0x9001aafc select + 12
> 1 libSystem.B.dylib 0x90024b07 _pthread_body + 84
<> 0x5ae000 - 0x5affff 2.1 /System/Library/TextEncodings/Unicode Encodings.bundle/Contents/MacOS/Unicode Encodings
> 0x14bc5000 - 0x14bd3fff 7.0.4 /Library/Internet Plug-Ins/QuickTime Plugin.webplugin/Contents/MacOS/QuickTime Plugin
> 0x15092000 - 0x150aefff GLDriver /System/Library/Frameworks/OpenGL.framework/Versions/A/Resources/GLDriver.bundle/GLDriver
> 0x150b5000 - 0x150d6fff GLRendererFloat /System/Library/Frameworks/OpenGL.framework/Versions/A/Resources/GLRendererFloat.bundle/GLRendererFloat
> 0x15169000 - 0x152aafff GLEngine /System/Library/Frameworks/OpenGL.framework/Resources/GLEngine.bundle/GLEngine
> 0x152d2000 - 0x15327fff 1.4.32 (4.3.2) /System/Library/Extensions/AppleIntelGMA950GLDriver.bundle/Contents/MacOS/AppleIntelGMA950GLDriver

Yes, there are some differences, but that does not mean ASLR has been implemented. To turn this vulnerability into code execution you need the address of system() to stay static, and system() lives in libSystem, which loads at the same address on every machine:

0x90000000 - 0x9016efff libSystem.B.dylib /usr/lib/libSystem.B.dylib

The address of the system() function is 0x90046c30 on both machines. The core libraries that contain it never change location; only some of the plugin and framework bundles loaded on demand (the QuickTime plugin, the OpenGL drivers) end up at different addresses. That is not randomization; it is just where those bundles happened to land. An exploit only needs one reliable address to return into, so a few bundles loading at different addresses does not provide any security benefit as long as libSystem is fixed.
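Rather than eyeballing a diff, the check above can be automated: parse the "Binary Images" section of each crash log, then report which images loaded at identical ranges on both machines and which moved. The script below is an added example, not part of the original post or of any Apple tool. The libSystem range and the 0x14bc5000 QuickTime plugin base come from the crash logs quoted above; the 0x14c10000 base for the plugin on the second machine, the log excerpts themselves and the function names are constructed for illustration.

```python
"""Compare the "Binary Images" sections of two OS X crash logs and report
which images loaded at the same address on both machines (no
randomization) and which landed somewhere else.  Added example; the log
text below is constructed from the addresses in the post plus one
assumed base (0x14c10000) for the QuickTime plugin on the second machine."""
import re
from typing import Dict, List, Optional, Tuple

# One binary-image line looks like:
#   0x90000000 - 0x9016efff libSystem.B.dylib /usr/lib/libSystem.B.dylib
#   0x14bc5000 - 0x14bd3fff 7.0.4 /Library/.../QuickTime Plugin
# The path is the last field and may contain spaces; it is the first token
# after the address range that begins with "/".  Middle tokens (name,
# version) are optional and ignored.
IMAGE_RE = re.compile(
    r"^\s*0x([0-9a-fA-F]+)\s*-\s*0x([0-9a-fA-F]+)\s+(?:(.*?)\s+)?(/.*)$"
)

QT_PLUGIN = ("/Library/Internet Plug-Ins/QuickTime Plugin.webplugin"
             "/Contents/MacOS/QuickTime Plugin")
GL_DRIVER = ("/System/Library/Frameworks/OpenGL.framework/Versions/A"
             "/Resources/GLDriver.bundle/GLDriver")

# Constructed crash-log excerpts.  Backtrace lines are included in LOG_A to
# show that the parser skips anything that is not an image line.
LOG_A = f"""\
Thread 4:
0   libSystem.B.dylib  0x9001aafc select + 12
1   libSystem.B.dylib  0x90024b07 _pthread_body + 84

Binary Images Description:
0x14bc5000 - 0x14bd3fff 7.0.4 {QT_PLUGIN}
0x90000000 - 0x9016efff libSystem.B.dylib /usr/lib/libSystem.B.dylib
"""
LOG_B = f"""\
Binary Images Description:
0x14c10000 - 0x14c1efff 7.0.4 {QT_PLUGIN}
0x15092000 - 0x150aefff GLDriver {GL_DRIVER}
0x90000000 - 0x9016efff libSystem.B.dylib /usr/lib/libSystem.B.dylib
"""


def parse_binary_images(log_text: str) -> Dict[str, Tuple[int, int]]:
    """Map each image path to its (start, end) load range."""
    images: Dict[str, Tuple[int, int]] = {}
    for line in log_text.splitlines():
        m = IMAGE_RE.match(line)
        if m:
            images[m.group(4)] = (int(m.group(1), 16), int(m.group(2), 16))
    return images


def compare_layouts(log_a: str, log_b: str):
    """Return (fixed, moved, unmatched): paths at identical ranges in both
    logs, paths whose base differs (path -> (base_a, base_b)), and paths
    that appear in only one of the logs."""
    a, b = parse_binary_images(log_a), parse_binary_images(log_b)
    common = sorted(set(a) & set(b))
    fixed = [p for p in common if a[p] == b[p]]
    moved = {p: (a[p][0], b[p][0]) for p in common if a[p] != b[p]}
    unmatched = sorted(set(a) ^ set(b))
    return fixed, moved, unmatched


def image_for_address(addr: int,
                      images: Dict[str, Tuple[int, int]]) -> Optional[Tuple[str, int]]:
    """Find the image containing addr; returns (path, offset_from_base)."""
    for path, (start, end) in images.items():
        if start <= addr <= end:
            return path, addr - start
    return None


def fixed_libc_targets(fixed: List[str]) -> List[str]:
    """Images under /usr/lib that load identically on both machines: every
    function in them (system() included) is a static return-into-libc target."""
    return [p for p in fixed if p.startswith("/usr/lib/")]


if __name__ == "__main__":
    fixed, moved, unmatched = compare_layouts(LOG_A, LOG_B)
    for p in fixed:
        print(f"fixed    {p}")
    for p, (ba, bb) in moved.items():
        print(f"moved    {ba:#010x} -> {bb:#010x}  {p}")
    for p in unmatched:
        print(f"one log  {p}")
    hit = image_for_address(0x90046C30, parse_binary_images(LOG_A))
    print("0x90046c30 lives in", hit)
    print("static targets:", fixed_libc_targets(fixed))
```

Run it against two real logs by replacing LOG_A and LOG_B with the file contents; the verdict that matters is whether anything under /usr/lib shows up as fixed. The moved list only tells you which bundles happened to land elsewhere, which, as the post argues, is no protection while libSystem sits at 0x90000000 everywhere.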

If you want to see the full crash logs email me and I am happy to send them over.

1 comment:

Roland Dobbins said...

Why did you republish your feed as summary-only? Please bring back the full-text feed!