7.2 Exploitation
After I found the bug, I did the following to gain control over EIP:

Step 1: Trigger the bug to crash the system (denial of service).
Step 2: Prepare a kernel-debugging environment.
Step 3: Connect the debugger to the target system.
Step 4: Get control over EIP.
Step 1: Trigger the Bug to Crash the System (Denial of Service)
Once I had found the bug, it was easy to trigger it and cause a system crash. All I had to do was send a malformed TIOCSETD IOCTL request to the kernel. Example 7-2 shows the source code of the POC I developed to cause a crash.
Example 7-2. POC code (poc.c) I wrote to trigger the bug I found in the kernel of OS X
#include <sys/ioctl.h>

int
main (void)
{
  unsigned long ldisc = 0xff000000;

  ioctl ...